pin to a trivy version that does not detect the built image as spicedb 0.0.1

Trivy recently started inferring the version of the binary as of 0.51.0, see
aquasecurity/trivy#6564

The version generated by go releaser is 0.0.1-next, and trivy detects
that as version 0.0.1 of SpiceDB and flags it as having CVEs, even though
it's not really version 0.0.1.
vroldanbet committed May 3, 2024
1 parent b2b560a commit 1225fa9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/security.yaml
Expand Up @@ -73,4 +73,4 @@ jobs:
- name: "Obtain container image to scan"
run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)" >> $GITHUB_ENV'
- name: "run trivy on release image"
run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:0.50.4 image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
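Review bot: the new `aquasec/trivy:0.50.4` pin carries no explanation in the workflow itself, so the next person who bumps the scanner (or a dependency-update bot) will have no reason not to move it forward and reintroduce the false positive on the `0.0.1-next` snapshot version described in the commit message. Suggest a comment on the step, e.g. `# pinned below 0.51.0: newer trivy infers the binary version from the Go build info and reports 0.0.1-next as SpiceDB 0.0.1 (aquasecurity/trivy#6564)`, and a TODO to unpin once the image carries a real version or upstream handles pre-release suffixes. Two further points: the pin is a mutable tag, so for a job that runs with `--exit-code 1` as a release gate, pinning by image digest (`aquasec/trivy:0.50.4@sha256:...`) would make the scanner itself reproducible; and pinning the scanner means the vulnerability detection logic, not just the database, stops receiving updates, so this should be treated as a temporary workaround rather than a permanent setting.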
