fix(ci): repair the SCA self-scan Trivy install (pinned 0.72.0 deb)#475
Merged
Conversation
The nightly SCA self-scan has failed at the "Install Trivy" step on every run
for over a week, leaving the README badge red — with no CVE involved. Root
cause: aquasecurity/setup-trivy@v0.2.6 fetches Trivy's contrib/install.sh from
Trivy's default branch (a MOVING ref) and executes it. Trivy commit 75c4dc0
("add client option to install script", #9962) changed that script, breaking
the invocation the pinned action makes — the step exits 1 immediately after
resolving v0.58.0.
This is the second breakage of the same class (the curl | sh installer broke
the same way in 2026-05, which is why we moved to the action). Fix the class,
not the instance: download the pinned Trivy release tarball directly and verify
it with `sha256sum -c` against the published checksums file. No moving ref, no
GitHub-API tag lookup / rate-limit surface, and it matches the supply-chain
integrity posture TRUSCA itself ships.
Verified the grep + `sha256sum -c` pipeline isolates the correct asset line and
rejects a tampered file; YAML + actionlint clean.
The first attempt hard-coded trivy_<v>_Linux-64bit.tar.gz, which 404s for v0.58.0 — Trivy's asset naming has varied. Enumerate the immutable pinned release's assets via the API (token-auth, no rate limit) and match the Linux amd64 tarball + checksums by pattern, then verify with sha256sum -c. Still fully pinned on TRIVY_VERSION; no moving ref, no filename guess.
Real root cause: the previously pinned Trivy v0.58.0 GitHub *release* was removed upstream — the git tag remains but its assets 404, so both setup-trivy (which resolved 0.58.0 then failed to download it) and the direct-download attempt failed. Trivy is now at 0.72.0. Install the exact version the worker image ships (0.72.0) from the upstream per-arch .deb, verified against the SHA-256 already vetted in apps/backend/Dockerfile.worker. No runtime version resolution, no moving ref, and the self-scan now dog-foods the same scanner end users run.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Symptom
The SCA self-scan badge in the README has been red for over a week — every nightly run failed at the Install Trivy step, with no CVE involved.
Root cause
aquasecurity/setup-trivy@v0.2.6pinned Trivy v0.58.0, whose GitHub release was removed upstream — the git tagv0.58.0still exists, but its release assets now 404 (Trivy is at 0.72.0). The action resolved the version via the tags API and then failed downloading the vanished asset, exiting 1 immediately.(The first diagnosis — a moving-ref
install.shchange — was wrong; verified on the runner thatrepos/aquasecurity/trivy/releases/tags/v0.58.0itself 404s while the git tag resolves.)Fix
Install the same Trivy the worker image ships (0.72.0) from the upstream per-arch
.deb, verified against the SHA-256 already vetted inapps/backend/Dockerfile.worker:.deb+sha256sum -c→ no runtime version resolution, no moving ref, no anon rate-limit surface.TRIVY_VERSIONin lockstep with the worker image (the image-scan gate drives those bumps).Verification
Dispatched the workflow on this branch (run
28836722022) — full pipeline green: Install Trivy → SBOM scan → parse → 0 Critical, and the stale-issue-close path ran clean. Locally verified the checksum pipeline and YAML + actionlint.