From 459a15295a53970bf46db6ff799f13c0b3b15bc0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Mar 2026 17:59:37 +0000
Subject: [PATCH 1/3] Initial plan


From d94b1600b56d7c3b1fdf51773bf2f69e00cba4bb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Mar 2026 18:08:07 +0000
Subject: [PATCH 2/3] security: document Trivy action pin to verified safe
 v0.35.0

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8dfc743a-3903-4f62-95df-460aa036583d
---
 .github/workflows/security-scan.yml                  | 4 ++++
 scratchpad/github-actions-security-best-practices.md | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index bbe096f0d27..88351d75491 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -74,6 +74,10 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run Trivy filesystem scan
+        # SECURITY: Pinned to v0.35.0 (SHA: 57a97c7e7821a5776cebc9bb87c984fa69cba8f1), a verified safe version.
+        # aquasecurity/trivy-action v0.69.4 was confirmed compromised (supply chain attack).
+        # Only v0.35.0 and v0.2.6 are currently verified as safe. Do NOT upgrade without
+        # confirming the new version is free of compromise.
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: 'fs'
diff --git a/scratchpad/github-actions-security-best-practices.md b/scratchpad/github-actions-security-best-practices.md
index eadb1f35645..48196c7b7e0 100644
--- a/scratchpad/github-actions-security-best-practices.md
+++ b/scratchpad/github-actions-security-best-practices.md
@@ -434,7 +434,9 @@ jobs:
       - uses: actions/checkout@sha
       
       - name: Run Trivy
-        uses: aquasecurity/trivy-action@sha
+        # SECURITY: Pin to a verified safe version. v0.69.4 was confirmed compromised.
+        # Only v0.35.0 (57a97c7e7821a5776cebc9bb87c984fa69cba8f1) and v0.2.6 are verified safe.
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'

From 705af83980403517efc011b8f1d4d787baae55a4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Mar 2026 18:24:39 +0000
Subject: [PATCH 3/3] security: remove Trivy action due to supply chain
 compromise

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/732e779b-8e41-49d9-82e2-a821d7c43a18
---
 .github/workflows/security-scan.yml           | 27 -------------------
 .../github-actions-security-best-practices.md | 23 +---------------
 2 files changed, 1 insertion(+), 49 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 88351d75491..54a26c7e5c0 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -66,30 +66,3 @@ jobs:
           sarif_file: govulncheck-results.sarif
           category: govulncheck
 
-  trivy:
-    name: Trivy Vulnerability Scanner
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Run Trivy filesystem scan
-        # SECURITY: Pinned to v0.35.0 (SHA: 57a97c7e7821a5776cebc9bb87c984fa69cba8f1), a verified safe version.
-        # aquasecurity/trivy-action v0.69.4 was confirmed compromised (supply chain attack).
-        # Only v0.35.0 and v0.2.6 are currently verified as safe. Do NOT upgrade without
-        # confirming the new version is free of compromise.
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'HIGH,CRITICAL'
-          exit-code: '1'
-
-      - name: Upload Trivy SARIF
-        uses: github/codeql-action/upload-sarif@4248455a6f2335bc3b7a8a62932f000050ec8f13 # v3
-        if: always()
-        with:
-          sarif_file: trivy-results.sarif
-          category: trivy
diff --git a/scratchpad/github-actions-security-best-practices.md b/scratchpad/github-actions-security-best-practices.md
index 48196c7b7e0..bfdf3560335 100644
--- a/scratchpad/github-actions-security-best-practices.md
+++ b/scratchpad/github-actions-security-best-practices.md
@@ -419,28 +419,7 @@ permissions:
 
 ### Dependency Scanning
 
-```yaml
-# ✅ RECOMMENDED: Regular dependency scanning
-name: Security Scan
-on:
-  schedule:
-    - cron: '0 0 * * 0'  # Weekly
-  workflow_dispatch:
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@sha
-      
-      - name: Run Trivy
-        # SECURITY: Pin to a verified safe version. v0.69.4 was confirmed compromised.
-        # Only v0.35.0 (57a97c7e7821a5776cebc9bb87c984fa69cba8f1) and v0.2.6 are verified safe.
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-```
+Use language-native tools (`govulncheck` for Go, `npm audit` for Node.js, etc.) to scan for known vulnerabilities in dependencies.
 
 ### Maintaining Pinned Actions