FlowFuse · hardillb · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml
@@ -36,25 +36,26 @@ jobs:
           fetch-depth: 0
 
       - name: Cache vulnerability database
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: .cache/trivy
           key: ${{ runner.os }}-trivy-db-${{ github.run_id }}
           restore-keys: |
             ${{ runner.os }}-trivy-db-
 
       - name: Perform SAST scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
         with:
           scan-type: 'fs'
           scan-ref: '.'
           trivy-config: '.github/trivy.yaml'
           output: 'trivy-results.sarif'
+          version: 'v0.69.2' # https://github.com/aquasecurity/trivy-action/issues/512
         env:
           TRIVY_FAIL_ON_SEVERITY: ${{ inputs.fail_on_severity }}
 
       - name: Upload scan results to GitHub
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         if: ${{ inputs.upload_results_to_ghas }}
         with:
           sarif_file: 'trivy-results.sarif'