From 3b07dfdb78cb1ad35117627996f39b76e52564b6 Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 23 Oct 2024 14:24:05 +0200
Subject: [PATCH 1/5] Use docker login before Trivy action

---
 .github/workflows/analyze-changes.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/analyze-changes.yaml b/.github/workflows/analyze-changes.yaml
index 3a36cba0a62..083b02658e4 100644
--- a/.github/workflows/analyze-changes.yaml
+++ b/.github/workflows/analyze-changes.yaml
@@ -131,6 +131,14 @@ jobs:
 cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
 ls -laR "./workspace/.trivy"
 
+ # NOTE: This avoids rate limits when pulling Trivy
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:

From 03c62bf66950fb6fab6477c38085b5f154431c0b Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 23 Oct 2024 15:15:41 +0200
Subject: [PATCH 2/5] Set GITHUB_TOKEN env var for Trivy

---
 .github/workflows/analyze-changes.yaml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/analyze-changes.yaml b/.github/workflows/analyze-changes.yaml
index 083b02658e4..9aeee2fa8b8 100644
--- a/.github/workflows/analyze-changes.yaml
+++ b/.github/workflows/analyze-changes.yaml
@@ -131,14 +131,6 @@ jobs:
 cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
 ls -laR "./workspace/.trivy"
 
- # NOTE: This avoids rate limits when pulling Trivy
- - name: Login to GitHub Container Registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
@@ -148,6 +140,9 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 limit-severities-for-sarif: true
+ env:
+ # NOTE: This avoids rate limits when pulling Trivy
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6

From ed89a8dc57b99bd11958e13d03e91da6516059f0 Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 23 Oct 2024 15:48:33 +0200
Subject: [PATCH 3/5] Upgrade to trivy-action v0.28.0

---
 .github/workflows/analyze-changes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/analyze-changes.yaml b/.github/workflows/analyze-changes.yaml
index 9aeee2fa8b8..d351adfec40 100644
--- a/.github/workflows/analyze-changes.yaml
+++ b/.github/workflows/analyze-changes.yaml
@@ -132,7 +132,7 @@ jobs:
 ls -laR "./workspace/.trivy"
 - name: Run Trivy security scanner
- uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 scan-type: rootfs
 scan-ref: './workspace/.trivy/'

From ff4ae00c6fdb0dfaa13496c579a72f2df5ec0001 Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 23 Oct 2024 15:53:40 +0200
Subject: [PATCH 4/5] Pin setup-trivy

---
 .github/workflows/analyze-changes.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
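Review bot: In the second hunk, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` hands the job token to the third-party scanner step as a whole, so its effective scope is whatever the job's `permissions:` block grants, and that block is outside the hunk; before merging, confirm the job's permissions are reduced to what the scan and the later SARIF upload actually need, since the token is now visible to the scanner process. The comment `# NOTE: This avoids rate limits when pulling Trivy` is also imprecise: a step-level `env:` is seen by the running action, not by the runner's fetch of the action itself, so the token presumably serves Trivy's vulnerability-database download — worth stating, e.g. `# NOTE: passed to Trivy so its DB pulls are authenticated rather than subject to anonymous rate limits`. Hedged as an inference, since the trivy-action internals are not on this page.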
diff --git a/.github/workflows/analyze-changes.yaml b/.github/workflows/analyze-changes.yaml
index d351adfec40..ab839abc060 100644
--- a/.github/workflows/analyze-changes.yaml
+++ b/.github/workflows/analyze-changes.yaml
@@ -131,11 +131,19 @@ jobs:
 cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
 ls -laR "./workspace/.trivy"
 
+ - name: Install Trivy
+ uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.0
+ with:
+ version: v0.56.2
+ cache: true
+
 - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 scan-type: rootfs
 scan-ref: './workspace/.trivy/'
+ # NOTE: Skip builtin setup-trivy, we use our own pinned call above.
+ skip-setup-trivy: true
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'

From afe860cc7bf60015872951646203bd0e1fcf6a25 Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 23 Oct 2024 16:26:35 +0200
Subject: [PATCH 5/5] Pin trivy-action to main

---
 .github/workflows/analyze-changes.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/analyze-changes.yaml b/.github/workflows/analyze-changes.yaml
index ab839abc060..50201f06990 100644
--- a/.github/workflows/analyze-changes.yaml
+++ b/.github/workflows/analyze-changes.yaml
@@ -132,13 +132,13 @@ jobs:
 ls -laR "./workspace/.trivy"
 - name: Install Trivy
- uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.0
+ uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
 with:
 version: v0.56.2
 cache: true
 - name: Run Trivy security scanner
- uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+ uses: aquasecurity/trivy-action@fc1500abdcdc9fc681e98d8912a52fa70dbc67de # main
 with:
 scan-type: rootfs
 scan-ref: './workspace/.trivy/'
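Review bot: In the last hunk (PATCH 5/5), the `setup-trivy` line changes only its trailing comment from `# v0.2.0` to `# v0.2.1` while the pinned SHA `eadb05c36f891dc855bba00f67174a1e61528cd4` is unchanged, so at least one of the two comments does not describe that commit; pin-audit tooling and Dependabot read that comment as the version, so it should be set to the tag that actually resolves to this SHA (check with `git ls-remote --tags` against the action repository) rather than edited by hand. The `trivy-action` pin annotated `# main` is immutable as a full SHA, but `main` does not identify a release, so a later reader cannot tell which tagged version it corresponds to or when it should be replaced; record that in the comment, e.g. `# main (post-v0.28.0, replace with the next tagged release)`. Whether `fc1500abdcdc…` was the head of `main` at the time is not verifiable from this page.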