fix(ci): use Trivy's official install script instead of fragile wget pipe

haasonsaas · claude · haasonsaas · commit 14967894c0b5 · 2026-03-30T22:08:28.000-07:00
The previous wget-to-tar pipe silently produced corrupt archives on
network hiccups. The official install script handles retries and
checksum verification.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -24,10 +24,7 @@ jobs:
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
       - name: Install Trivy
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y wget
-          sudo wget -qO- https://github.com/aquasecurity/trivy/releases/latest/download/trivy_Linux-64bit.tar.gz | tar -xz --strip-components=1 -C /usr/local/bin trivy
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
 
       - name: Run security scan script
         run: ./scripts/security-scan.sh
