fix(ci): use image digest for Trivy scan instead of full SHA tag

2026-04-21 13:37:53 +00:00 · 2026-04-05 11:48:49 -04:00 · 2026-04-05 11:48:49 -04:00 · 94b11ff982
commit 94b11ff982
parent 3619d3db88
1 changed files with 2 additions and 1 deletions
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@ -52,6 +52,7 @@ jobs:
            type=sha

      - name: Build and push Docker image
+        id: build
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
        with:
          context: .
@ -68,7 +69,7 @@ jobs:
        if: github.event_name != 'pull_request'
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'