scanning-containers-with-trivy-in-cicd

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The CI workflows include runtime "uses" and image pulls that fetch and execute external code — for example the GitHub Action at https://github.com/aquasecurity/trivy-action (used as aquasecurity/trivy-action@0.28.0) and the Trivy Docker image (aquasec/trivy:latest) which are downloaded and run during workflow execution and are required by the skill.