docs: fix markdown formatting, tweak phrasing

lelia · lelia · commit 087788ac540b · 2026-04-13T19:41:48.000-04:00
Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -65,31 +65,20 @@ jobs:
 
 Socket Basics can also run locally or in other CI/CD environments:
 
-> [!NOTE]
-> Container and Dockerfile scanning remain part of Socket Basics, but the current
-> GitHub Action and pre-built image paths have Trivy-backed support temporarily
-> disabled while we complete additional security review of the underlying scanner
-> dependency path. If container or Dockerfile scanning is a near-term
-> requirement, the [native installation path](docs/local-installation.md) remains
-> available as a temporary workaround while the pre-built path is under
-> additional review. Review the upstream install path and artifacts carefully
-> before adopting it in production CI.
-
 > [!IMPORTANT]
-> Interim Trivy guidance outside Socket Basics: the current Socket Basics
-> recommendation is to pin independent Trivy usage to `v0.69.3` while we work to
-> restore bundled support safely. Aqua's final incident report lists the
-> known-safe Trivy binary range as `v0.69.2` to `v0.69.3`; the corresponding
-> Docker image tags are `0.69.2` to `0.69.3` without the `v` prefix. We
-> standardize on the latest known-safe version, `v0.69.3` / Docker tag `0.69.3`.
+> The supported pre-built GitHub Action and Docker image paths currently ship
+> _without_ Trivy while we evaluate the safest way to bundle it with Basics
+> again.
+> If you need Trivy in the meantime, use the native/manual path and pin to
+> `v0.69.3` or Docker tag `0.69.3`.
+> [Aqua's final incident report](https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/)
+> lists the known-safe Trivy binary range as `v0.69.2` to `v0.69.3`; we
+> standardize on the latest known-safe version.
 > Do not use `v0.69.4`, and audit any cached Docker Hub images for `0.69.5` and
 > `0.69.6`.
-> If you use Aqua's own GitHub Actions directly outside Socket Basics, Aqua's
-> published safe versions are `aquasecurity/trivy-action@v0.35.0` and
-> `aquasecurity/setup-trivy@v0.2.6`, and those should still be pinned to full
-> commit SHAs.
-> Reference:
-> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+> See [Local Installation](docs/local-installation.md#trivy-container-scanning)
+> for the detailed version guidance, installation options, and the
+> corresponding Aqua action versions.
 
 - **[Pre-Commit Hook](docs/pre-commit-hook.md)** — Catch issues before they're committed
 - **[Local Docker Installation](docs/local-install-docker.md)** — Run in Docker with no tool installation required
diff --git a/docs/github-action.md b/docs/github-action.md
@@ -231,20 +231,22 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 - uses: SocketDev/socket-basics@v2.0.2
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
-    # Trivy-backed container scanning is temporarily not available in the
-    # pre-built GitHub Action image. Use a native install if you need it today.
-    # See docs/local-installation.md.
+    # The supported pre-built GitHub Action path currently ships without
+    # Trivy while we evaluate the safest way to bundle it with Basics again.
+    # Use a native install if you need container scanning today.
+    # See docs/local-installation.md#trivy-container-scanning.
 ```
 
 > [!NOTE]
-> Container and Dockerfile scanning remain part of Socket Basics, but the current
-> GitHub Action and pre-built image paths have Trivy-backed support temporarily
-> disabled while we complete additional security review of the underlying scanner
-> dependency path. If container or Dockerfile scanning is a near-term
-> requirement, the [native installation path](local-installation.md) remains
-> available as a temporary workaround while the pre-built path is under
-> additional review. Review the upstream install path and artifacts carefully
-> before adopting it in production CI.
+> The supported pre-built GitHub Action and Docker image paths currently ship
+> _without_ Trivy while we evaluate the safest way to bundle it with Basics
+> again.
+> If you need container or Dockerfile scanning today, use the
+> [native installation path](local-installation.md). See
+> [Trivy (Container Scanning)](local-installation.md#trivy-container-scanning)
+> for the current version guidance and install options, and review the upstream
+> install path and artifacts carefully before adopting that path in production
+> CI.
 
 **Socket Tier 1 Reachability:**
 ```yaml
@@ -483,35 +485,16 @@ jobs:
 
 ### Container Security Pipeline
 
-> [!NOTE]
-> Container and Dockerfile scanning remain part of Socket Basics, but the current
-> pre-built GitHub Action path has Trivy-backed support temporarily disabled while
-> we complete additional security review of the underlying scanner dependency path.
-> If container or Dockerfile scanning is a near-term requirement, the
-> [native installation path](local-installation.md) remains available as a
-> temporary workaround while the pre-built path is under additional review.
-> Review the upstream install path and artifacts carefully before adopting it in
-> production CI.
-
-> [!WARNING]
-> This fallback path relies on upstream Trivy installation material outside the
-> pinned pre-built distribution model. Review the upstream install path and
-> artifacts carefully before using it in production CI.
-
 > [!IMPORTANT]
-> Customer guidance while Trivy is disabled in the Socket Basics GitHub Action:
-> if you must keep using Trivy independently in the same workflow, Socket's
-> interim recommendation is to pin the Trivy binary to `v0.69.3`.
-> Aqua's final incident report lists `v0.69.2` to `v0.69.3` as the
-> known-safe binary range; the corresponding Docker image tags are `0.69.2` to
-> `0.69.3` without the `v` prefix. We standardize on `v0.69.3` / Docker tag
-> `0.69.3` in our examples.
+> The supported pre-built GitHub Action path currently ships _without_ Trivy
+> while we evaluate the safest way to bundle it with Basics again.
+> If you need Trivy in the meantime, install and run it independently in the
+> workflow, pin to `v0.69.3` or Docker tag `0.69.3`, and review the upstream
+> install path and artifacts carefully.
 > Do not use `v0.69.4`, and audit any Docker Hub use of `0.69.5` and `0.69.6`.
-> If you use Aqua's own actions directly outside Socket Basics, use
-> `aquasecurity/trivy-action@v0.35.0` and `aquasecurity/setup-trivy@v0.2.6`, and
-> pin them to full commit SHAs.
-> Reference:
-> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+> See [Local Installation](local-installation.md#trivy-container-scanning) for
+> the detailed version guidance, corresponding Aqua action versions, and install
+> options.
 
 ```yaml
 name: Container Security
@@ -549,11 +532,6 @@ jobs:
           trivy config --exit-code 1 --severity HIGH,CRITICAL Dockerfile
 ```
 
-If you replace the manual install step with Aqua-maintained actions in your own
-workflow outside Socket Basics, Aqua's published safe versions are
-`aquasecurity/trivy-action@v0.35.0` and `aquasecurity/setup-trivy@v0.2.6`.
-Pin those to full SHAs rather than mutable tags.
-
 ### Dockerfile Auto-Discovery
 
 For repositories with multiple Dockerfiles across different directories, you can automatically discover them instead of manually listing each path.
@@ -609,8 +587,9 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           # Dockerfile discovery remains useful context for future container
-          # scanning support, but the current pre-built action image does not
-          # execute Trivy-backed scans.
+          # scanning support, but the current pre-built action path currently
+          # ships _without_ Trivy while we evaluate the safest way to bundle it
+          # with Basics again.
           verbose: 'true'
 ```
 
@@ -719,10 +698,12 @@ See [`action.yml`](../action.yml) for the complete list of inputs.
 
 > [!NOTE]
 > These inputs remain part of the action interface, but the current pre-built
-> GitHub Action path has Trivy-backed support temporarily disabled while we
-> complete additional security review of the underlying scanner dependency path.
-> Use the [native installation path](local-installation.md) if container scanning
-> is a near-term requirement.
+> GitHub Action path currently ships _without_ Trivy while we evaluate the
+> safest way to bundle it with Basics again.
+> Use the [native installation path](local-installation.md) if container
+> scanning is a near-term requirement. See
+> [Trivy (Container Scanning)](local-installation.md#trivy-container-scanning)
+> for the current version guidance and install options.
 
 **Notifications (Enterprise Required):**
 - `slack_webhook_url` — Slack webhook
@@ -779,10 +760,12 @@ permissions:
 
 **Solutions:**
 > [!NOTE]
-> The current pre-built GitHub Action path has Trivy-backed support temporarily
-> disabled while the underlying scanner dependency path remains under additional
-> security review. If container scanning is a near-term requirement, switch to a
-> native Trivy install in the workflow.
+> The current pre-built GitHub Action path ships _without_ Trivy while we
+> evaluate the safest way to bundle it with Basics again. If container scanning
+> is a near-term requirement, switch to a native Trivy install in the workflow.
+> See
+> [Trivy (Container Scanning)](local-installation.md#trivy-container-scanning)
+> for the current version guidance and install options.
 
 1. For private images, add authentication:
 ```yaml
diff --git a/docs/github-pr-comment-guide.md b/docs/github-pr-comment-guide.md
@@ -15,9 +15,10 @@ All scanners share the same UX enhancements for a consistent, professional exper
 
 > [!NOTE]
 > Container-scanning UX is still supported by Socket Basics, but the current
-> pre-built GitHub Action image does not emit Trivy-backed container findings
-> while we complete additional security review of the underlying scanner
-> dependency path.
+> pre-built GitHub Action image currently ships _without_ Trivy while we
+> evaluate the safest way to bundle it with Basics again. For the current Trivy
+> status, version guidance, and temporary self-service path, see
+> [Local Installation](local-installation.md#trivy-container-scanning).
 
 ## 🎯 Quick Start
 
diff --git a/docs/local-install-docker.md b/docs/local-install-docker.md
@@ -55,28 +55,15 @@ docker inspect ghcr.io/socketdev/socket-basics:2.0.2 \
 # }
 ```
 
-> [!NOTE]
-> Container and Dockerfile scanning remain part of Socket Basics, but the current
-> pre-built image path has Trivy-backed support temporarily disabled while we
-> complete additional security review of the underlying scanner dependency path.
-> If container or Dockerfile scanning is a near-term requirement, the
-> [native installation path](local-installation.md) remains available as a
-> temporary workaround while the pre-built path is under additional review.
-> Review the upstream install path and artifacts carefully before adopting it in
-> production CI.
-
 > [!IMPORTANT]
-> Socket Basics does not currently publish a pre-built Docker image with Trivy
-> enabled. If you need Trivy in the meantime, run it separately from Socket
-> Basics and pin the independent Trivy image or binary to `v0.69.3`.
-> Aqua's final incident report lists `v0.69.2` to `v0.69.3` as the
-> known-safe Trivy binary range; the corresponding Docker image tags are
-> `0.69.2` to `0.69.3` without the `v` prefix. Socket's interim recommendation is
-> the latest known-safe version, `v0.69.3` / Docker tag `0.69.3`.
+> The supported pre-built Docker image currently ships _without_ Trivy while we
+> evaluate the safest way to bundle it with Basics again.
+> If you need Trivy in the meantime, run it separately from Socket Basics and
+> pin to `v0.69.3` or Docker tag `0.69.3`.
 > Do not use `v0.69.4`, and audit any Docker Hub pulls or caches for `0.69.5`
 > and `0.69.6`.
-> Reference:
-> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+> See [Local Installation](local-installation.md#trivy-container-scanning) for
+> the detailed version guidance and install options.
 
 ### Registries
 
@@ -380,20 +367,15 @@ docker run --rm \
 
 ### Container Scanning Status
 
-> [!NOTE]
-> Container and Dockerfile scanning remain part of Socket Basics, but the current
-> pre-built Docker image path has Trivy-backed support temporarily disabled while
-> we complete additional security review of the underlying scanner dependency path.
-> If container or Dockerfile scanning is a near-term requirement, the
-> [native installation path](local-installation.md) remains available as a
-> temporary workaround while the pre-built path is under additional review.
-> Review the upstream install path and artifacts carefully before adopting it in
-> production CI.
-
-For customers who still need Trivy before it returns to the Socket Basics image,
-the interim recommendation is to run a separate `aquasec/trivy:0.69.3` step or a
-host-native `trivy` install pinned to `v0.69.3`, rather than rebuilding the
-Socket Basics image and re-enabling Trivy ad hoc.
+> [!IMPORTANT]
+> The supported pre-built Docker image currently ships _without_ Trivy while we
+> evaluate the safest way to bundle it with Basics again.
+> If you need Trivy before it returns to the image, run a separate
+> `aquasec/trivy:0.69.3` step or a host-native `trivy` install pinned to
+> `v0.69.3`, rather than rebuilding the Socket Basics image and re-enabling
+> Trivy ad hoc.
+> See [Local Installation](local-installation.md#trivy-container-scanning) for
+> the detailed version guidance.
 
 ### Save Results to File
 
diff --git a/docs/local-installation.md b/docs/local-installation.md
@@ -38,10 +38,12 @@ trufflehog --version
 ```
 
 > [!NOTE]
-> If container or Dockerfile scanning is a near-term requirement, the native
-> installation path remains available as a temporary workaround while the
-> pre-built path is under additional review. Review the upstream install path and
-> artifacts carefully before adopting it in production CI.
+> The supported pre-built GitHub Action and Docker image paths currently ship
+> _without_ Trivy while we evaluate the safest way to bundle it with Basics
+> again.
+> If you need container or Dockerfile scanning today, use the native/manual
+> installation guidance below and review the upstream install path and artifacts
+> carefully before adopting it in production CI.
 
 For detailed installation instructions, continue reading below.
 
@@ -187,36 +189,25 @@ export SOCKET_SECURITY_API_KEY="your-api-key"
 
 **Required for:** Container image and Dockerfile vulnerability scanning
 
-> [!NOTE]
-> Trivy-backed container and Dockerfile scanning remain part of Socket Basics,
-> but the current pre-built GitHub Action and Docker image paths have that
-> support temporarily disabled while the underlying scanner dependency path
-> remains under additional review. This native installation path remains
-> available as a temporary workaround if container scanning is a near-term
-> requirement.
-
-> [!WARNING]
-> This fallback path pulls installation material directly from upstream. Even when
-> you pin the Trivy version, the installer or repository path is a separate trust
-> decision. This is one reason Socket Basics has moved toward pre-built, pinned
-> container-based distribution where possible. Review the upstream install path
-> and artifacts carefully before using this in production CI.
-
 > [!IMPORTANT]
-> Socket's interim recommendation for customers who still need Trivy is to pin
-> the binary or Docker image to `v0.69.3`.
-> Aqua's final incident report lists the known-safe Trivy binary range as
-> `v0.69.2` to `v0.69.3`; the corresponding Docker image tags are `0.69.2` to
-> `0.69.3` without the `v` prefix. We standardize on `v0.69.3` / Docker tag
-> `0.69.3` because it is the latest version Aqua still classifies as known-safe.
-> Do not use `v0.69.4`, and audit any cached Docker Hub images for `0.69.5` and
-> `0.69.6`.
-> If you use Aqua's own GitHub Actions independently of Socket Basics, Aqua's
-> published safe versions are `aquasecurity/trivy-action@v0.35.0` and
-> `aquasecurity/setup-trivy@v0.2.6`; pin those by full commit SHA rather than by
-> tag.
-> Reference:
-> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+> The supported pre-built GitHub Action and Docker image paths currently ship
+> _without_ Trivy while we evaluate the safest way to bundle it with Basics
+> again.
+>
+> If you need Trivy before it formally returns to Socket Basics:
+> - Pin the binary to `v0.69.3` or the Docker image to
+>   `aquasec/trivy:0.69.3`.
+> - Do not use `v0.69.4` of the binary.
+> - Audit any cached Docker Hub images for `0.69.5` and `0.69.6`.
+>
+> [Aqua's final incident report](https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/)
+> lists the known-safe Trivy binary range as `v0.69.2` to `v0.69.3`; the
+> corresponding Docker image tags are `0.69.2` to `0.69.3` without the `v`
+> prefix. We standardize on `v0.69.3` / Docker tag `0.69.3`.
+>
+> If you use Aqua's own GitHub Actions independently of Socket Basics, pin
+> `aquasecurity/trivy-action@v0.35.0` and `aquasecurity/setup-trivy@v0.2.6` by
+> full commit SHA rather than by tag.
 
 **Installation:**
 
diff --git a/docs/parameters.md b/docs/parameters.md
@@ -296,12 +296,14 @@ socket-basics --secrets --show-unverified
 > [!NOTE]
 > These parameters remain part of the Socket Basics interface for container
 > scanning. In the current pre-built GitHub Action and Docker image paths,
-> Trivy-backed support is temporarily disabled while we complete additional
-> security review of the underlying scanner dependency path. The parameters still
-> apply for the [native installation path](local-installation.md) as a temporary
-> workaround, and for future container scanner support in the pre-built paths.
+> Socket Basics currently ships _without_ Trivy while we evaluate the safest way
+> to bundle it with Basics again. The parameters still apply for the
+> [native installation path](local-installation.md) as a temporary workaround,
+> and for future container scanner support in the pre-built paths.
 > Review the upstream install path and artifacts carefully before adopting that
-> workaround in production CI.
+> workaround in production CI. See
+> [Trivy (Container Scanning)](local-installation.md#trivy-container-scanning)
+> for the current version guidance and installation options.
 
 ### `--images IMAGES`
 Comma-separated list of container images to scan (auto-enables image scanning).
diff --git a/docs/pre-commit-hook.md b/docs/pre-commit-hook.md
@@ -204,6 +204,10 @@ See [Local Installation Guide](local-installation.md) for detailed instructions
 - OpenGrep
 - TruffleHog
 
+The Trivy section in that guide also covers the current Basics status and the
+recommended self-service version pins:
+[Trivy (Container Scanning)](local-installation.md#trivy-container-scanning).
+
 ### Setup Steps
 
 **1. Create pre-commit hook:**
