From 415ca6097e2467f432338fdf7f063d68e3fecf0e Mon Sep 17 00:00:00 2001 From: James Wallace <92064306+jwallace94@users.noreply.github.com> Date: Wed, 1 Apr 2026 08:36:49 +1100 Subject: [PATCH] Pin Trivy to safe version --- .github/workflows/vulnerabilities.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index d8ac5199c..0a0c2859d 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -16,7 +16,7 @@ on: jobs: vulnerabilities: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 defaults: run: working-directory: . @@ -24,7 +24,7 @@ jobs: - name: Checkout pygeoapi uses: actions/checkout@master - name: Scan vulnerabilities with trivy - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.35.0 with: scan-type: fs exit-code: 1 @@ -36,7 +36,7 @@ jobs: run: | docker buildx build -t ${{ github.repository }}:${{ github.sha }} --platform linux/amd64 --no-cache -f Dockerfile . - name: Scan locally built Docker image for vulnerabilities with trivy - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.35.0 env: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 @@ -46,4 +46,4 @@ jobs: ignore-unfixed: true severity: CRITICAL,HIGH vuln-type: os,library - image-ref: '${{ github.repository }}:${{ github.sha }}' + image-ref: '${{ github.repository }}:${{ github.sha }}' \ No newline at end of file
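Review bot: `aquasecurity/trivy-action@v0.35.0` in the "Scan vulnerabilities with trivy" step is still a mutable reference, because a release tag can be re-pointed upstream, so the pin does not give the immutability the commit title is after. Referencing the release by its full commit SHA and keeping the tag as a trailing comment closes that gap: `uses: aquasecurity/trivy-action@<full-commit-sha-of-v0.35.0>  # v0.35.0`. The same applies to the "Scan locally built Docker image" step in the third hunk. The context line `uses: actions/checkout@master` directly above still tracks a branch and would benefit from the same SHA pin. The `steps:` list these entries belong to starts outside the hunk.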