
woodruffw, today at 5:20 AM (1 reply)

FWICT, it pulls the latest version of trivy by default. If that latest tag is a mutable pointer (and it typically is), then it exhibits the problem.


Replies

NewJazz, today at 5:29 AM

Then why do they hard-code the trivy version and create PRs to bump it?

https://github.com/aquasecurity/trivy-action/blob/57a97c7e78...

https://github.com/aquasecurity/trivy-action/pull/519

Edit: ah, I see you are referring to the setup-trivy action rather than the trivy-action. Yeah, that looks like a bad default, although to be fair it is a setting that they document quite prominently, and direct usage of the setup-trivy action is a bit atypical as-is.
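The thread's concern is that a workflow step resolving to a mutable reference (an action used at a floating tag, or a `version: latest` input that is resolved at run time) can change underneath the pipeline without any change in the repository. Below is an added example, not from the thread and not code from the trivy-action or setup-trivy projects, of a small scanner a defender could run over workflow files to surface both patterns. The workflow text, the `version` input name and the 40-hex commit SHA are all constructed placeholders for illustration; the line-based parsing is deliberately dependency-free and only looks at `uses:` and `version:` keys.

```python
import re

# Constructed sample workflow for demonstration only. The action names echo the
# thread, but the refs, the "version" input and the commit SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.2
        with:
          version: latest
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.28.0
        with:
          scan-type: fs
"""

# "uses: owner/repo@ref" (optionally as a list item); stop at whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
# A "version:" input under a step's "with:" block (assumed input name).
VERSION_RE = re.compile(r'^\s*version:\s*([^\s#]+)')
# Only a full 40-hex commit SHA is an immutable pin; tags and branches are mutable.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned(workflow_text):
    """Return a list of (line_number, message) for mutable references.

    Flags:
      * a "uses:" whose ref after '@' is not a full commit SHA (tag or branch), and
      * a "version: latest" input, which defers resolution to run time.
    Local actions ("./path") and docker:// references are skipped as out of scope.
    """
    findings = []
    current_action = None
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            current_action = ref
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if "@" not in ref:
                findings.append((line_no, f"{ref}: no ref given at all"))
                continue
            name, _, version = ref.rpartition("@")
            if not FULL_SHA_RE.match(version):
                findings.append(
                    (line_no, f"{name}: uses mutable ref '{version}', not a commit SHA")
                )
            continue
        m = VERSION_RE.match(line)
        if m and current_action and m.group(1).strip("\"'") == "latest":
            findings.append(
                (line_no, f"{current_action}: 'version: latest' is resolved to a mutable tag at run time")
            )
    return findings


if __name__ == "__main__":
    for line_no, message in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {message}")
```

On the sample above the scanner reports the two tag-pinned `uses:` lines and the `version: latest` input, and passes the step pinned to a full commit SHA. Pinning to a SHA only closes the "mutable pointer" gap for the action itself; what the action downloads at run time (here the trivy binary) still needs an explicit version, which is what the hard-coded version plus bump PRs in the trivy-action repository achieve.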