From db1acafbcc6a8cb8965153766ed3df7607d8b2fd Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Mon, 2 Mar 2026 14:06:29 +0100
Subject: [PATCH 1/2] fix(docker-build): update trivy-action to v0.34.1 and trivy to v0.69.2

---
 .github/workflows/docker-build.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 58bdd30..77cc870 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -121,13 +121,15 @@ jobs:
 - name: Run Trivy vulnerability scanner
 id: trivy
 if: ${{ inputs.security-scan }}
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@0.34.1
 with:
 image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
 format: ${{ (inputs.security-report == 'sarif' && 'sarif') || 'table' }}
 vuln-type: "os,library"
 hide-progress: true
 output: ${{ (inputs.security-report == 'sarif' && 'trivy-results.sarif') || 'trivy.txt' }}
+ # following https://github.com/aquasecurity/trivy/discussions/10265
+ version: v0.69.2

 - name: Read Trivy report file
 id: read_trivy
@@ -217,7 +219,7 @@ jobs:

 - name: Fail build on CRITICAL or HIGH vulnerabilities
 if: ${{ inputs.security-scan }}
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@0.34.1
 with:
 image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
 format: table
@@ -231,7 +233,7 @@ jobs:
 - name: Push Docker image
 if: ${{ inputs.push }}
 run: docker push "$OCI_IMAGE"
-
+
 - name: Compute checksum of the Docker image
 id: checksum
 run: |
@@ -239,7 +241,7 @@ jobs:
 INSPECT=$(docker image inspect "$OCI_IMAGE")
 DIGEST=$(echo "$INSPECT" | jq -r 'if .[0].RepoDigests[0] then .[0].RepoDigests[0] | split("@sha256:")[1] else .[0].Id | split(":")[1] end')
 echo "checksum=0x${DIGEST}" >> "$GITHUB_OUTPUT"
-
+
 - name: Cleanup files
 if: always()
 run: |

From 554f8d87c62d8a7e5b46d109bfc31086586b1e0a Mon Sep 17 00:00:00 2001
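Review bot: The added `version: v0.69.2` pins Trivy only for the `Run Trivy vulnerability scanner` step in the `-121` hunk; the `Fail build on CRITICAL or HIGH vulnerabilities` step in the `-217` hunk receives the `uses:` bump but no `version:`, so the report and the build gate can be produced by two different scanner versions (the second one presumably whatever the action selects by default). Adding the same `version: v0.69.2` line, with the same comment, under that step's `with:` keeps both results comparable; the second patch's `-129` hunk leaves the same gap when it switches only the first step to `${{ inputs.trivy-version }}`. Both `uses: aquasecurity/trivy-action@0.34.1` references are mutable tags, so what runs in this job can change without a diff here; pinning to the full commit SHA of that release, e.g. `uses: aquasecurity/trivy-action@<commit sha of release 0.34.1> # 0.34.1`, makes the scanner steps reproducible and takes the tag out of the supply chain. The `# following https://github.com/aquasecurity/trivy/discussions/10265` comment would also help more if it said in a few words what the pin works around instead of only linking to the thread.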
From: Jeremy Bernard
Date: Mon, 2 Mar 2026 15:06:11 +0100
Subject: [PATCH 2/2] feat(docker-build): add workflow input to configure Trivy version

---
 .github/workflows/docker-build.yml | 6 +++++-
 docker-build/README.md | 5 +++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 77cc870..b96e837 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -39,6 +39,10 @@ on:
 description: 'Security Report Mode (`"sarif"` | `"comment"`; ignored if `security-scan: false`)'
 default: "sarif"
 type: string
+ trivy-version:
+ description: "Trivy security scanner version"
+ default: "v0.69.2"
+ type: string
 hadolint:
 description: "Enable Hadolint"
 default: true
@@ -129,7 +133,7 @@ jobs:
 hide-progress: true
 output: ${{ (inputs.security-report == 'sarif' && 'trivy-results.sarif') || 'trivy.txt' }}
 # following https://github.com/aquasecurity/trivy/discussions/10265
- version: v0.69.2
+ version: ${{ inputs.trivy-version }}

 - name: Read Trivy report file
 id: read_trivy
diff --git a/docker-build/README.md b/docker-build/README.md
index 8d47eb6..c57ba52 100644
--- a/docker-build/README.md
+++ b/docker-build/README.md
@@ -19,9 +19,9 @@ Perfect for teams looking to streamline their containerization workflow with min

 > [!IMPORTANT]
 > Due to a limitation on Trivy analysis, the workflow targets a single platform.
-> A workflow instance should be configured for each intended targeted platform.
+> A workflow instance should be configured for each targeted platform.

-## ⚙️ Inputs
+## ⚙️ Inputs

 | Name | Description | Required | Default |
 | ----------------- | ---------------------------------------------------------------------------------- | -------- | --------------- |
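Review bot: `trivy-version` in the `-39` hunk is handed straight to the action's `version` input with no check on its form and no statement of what form is expected, so a caller passing `0.69.2`, a branch name or an empty string only finds out when the scanner setup fails; as far as I know `default:` applies when the input is omitted, not when it is passed empty. The description should at least spell out the shape, e.g. `description: "Trivy security scanner version (release tag such as v0.69.2; passed to trivy-action's version input)"`, and `version: ${{ inputs.trivy-version || 'v0.69.2' }}` in the `-129` hunk would fall back to the documented default on an empty value. The README row in the `-36` hunk that follows shows the default as `v0.69.2` while the neighbouring string defaults are shown quoted (`"sarif"`, `"docker.io"`); `"v0.69.2"` would match the workflow's `default: "v0.69.2"`.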
@@ -36,6 +36,7 @@ Perfect for teams looking to streamline their containerization workflow with min
 | `registry` | Docker Registry | No | `"docker.io"` |
 | `security-report` | Security Report Mode (`"sarif"` \| `"comment"`; ignored if `security-scan: false`) | No | `"sarif"` |
 | `security-scan` | Enable Trivy Security Scan | No | `true` |
+| `trivy-version` | Override Trivy security scanner version | No | `v0.69.2` |

 ## 🔐 Secrets
