docs: add explicit Trivy versioning guidance for interim use

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

README.md

@@ -75,6 +75,22 @@ Socket Basics can also run locally or in other CI/CD environments:
 > additional review. Review the upstream install path and artifacts carefully
 > before adopting it in production CI.
 
+> [!IMPORTANT]
+> Interim Trivy guidance outside Socket Basics: the current Socket Basics
+> recommendation is to pin independent Trivy usage to `v0.69.3` while we work to
+> restore bundled support safely. Aqua's final incident report lists the
+> known-safe Trivy binary range as `v0.69.2` to `v0.69.3`; the corresponding
+> Docker image tags are `0.69.2` to `0.69.3` without the `v` prefix. We
+> standardize on the latest known-safe version, `v0.69.3` / Docker tag `0.69.3`.
+> Do not use `v0.69.4`, and audit any cached Docker Hub images for `0.69.5` and
+> `0.69.6`.
+> If you use Aqua's own GitHub Actions directly outside Socket Basics, Aqua's
+> published safe versions are `aquasecurity/trivy-action@v0.35.0` and
+> `aquasecurity/setup-trivy@v0.2.6`, and those should still be pinned to full
+> commit SHAs.
+> Reference:
+> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+
 - **[Pre-Commit Hook](docs/pre-commit-hook.md)** — Catch issues before they're committed
 - **[Local Docker Installation](docs/local-install-docker.md)** — Run in Docker with no tool installation required
 - **[Local Installation](docs/local-installation.md)** — Install security tools natively on your machine

docs/github-action.md

@@ -498,6 +498,21 @@ jobs:
 > pinned pre-built distribution model. Review the upstream install path and
 > artifacts carefully before using it in production CI.
 
+> [!IMPORTANT]
+> Customer guidance while Trivy is disabled in the Socket Basics GitHub Action:
+> if you must keep using Trivy independently in the same workflow, Socket's
+> interim recommendation is to pin the Trivy binary to `v0.69.3`.
+> Aqua's final incident report lists `v0.69.2` to `v0.69.3` as the
+> known-safe binary range; the corresponding Docker image tags are `0.69.2` to
+> `0.69.3` without the `v` prefix. We standardize on `v0.69.3` / Docker tag
+> `0.69.3` in our examples.
+> Do not use `v0.69.4`, and audit any Docker Hub use of `0.69.5` and `0.69.6`.
+> If you use Aqua's own actions directly outside Socket Basics, use
+> `aquasecurity/trivy-action@v0.35.0` and `aquasecurity/setup-trivy@v0.2.6`, and
+> pin them to full commit SHAs.
+> Reference:
+> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+
 ```yaml
 name: Container Security
 on:
@@ -534,6 +549,11 @@ jobs:
           trivy config --exit-code 1 --severity HIGH,CRITICAL Dockerfile
 ```
 
+If you replace the manual install step with Aqua-maintained actions in your own
+workflow outside Socket Basics, Aqua's published safe versions are
+`aquasecurity/trivy-action@v0.35.0` and `aquasecurity/setup-trivy@v0.2.6`.
+Pin those to full SHAs rather than mutable tags.
+
 ### Dockerfile Auto-Discovery
 
 For repositories with multiple Dockerfiles across different directories, you can automatically discover them instead of manually listing each path.

docs/local-install-docker.md

@@ -65,6 +65,19 @@ docker inspect ghcr.io/socketdev/socket-basics:2.0.2 \
 > Review the upstream install path and artifacts carefully before adopting it in
 > production CI.
 
+> [!IMPORTANT]
+> Socket Basics does not currently publish a pre-built Docker image with Trivy
+> enabled. If you need Trivy in the meantime, run it separately from Socket
+> Basics and pin the independent Trivy image or binary to `v0.69.3`.
+> Aqua's final incident report lists `v0.69.2` to `v0.69.3` as the
+> known-safe Trivy binary range; the corresponding Docker image tags are
+> `0.69.2` to `0.69.3` without the `v` prefix. Socket's interim recommendation is
+> the latest known-safe version, `v0.69.3` / Docker tag `0.69.3`.
+> Do not use `v0.69.4`, and audit any Docker Hub pulls or caches for `0.69.5`
+> and `0.69.6`.
+> Reference:
+> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+
 ### Registries
 
 | Registry | Image |
@@ -377,6 +390,11 @@ docker run --rm \
 > Review the upstream install path and artifacts carefully before adopting it in
 > production CI.
 
+For customers who still need Trivy before it returns to the Socket Basics image,
+the interim recommendation is to run a separate `aquasec/trivy:0.69.3` step or a
+host-native `trivy` install pinned to `v0.69.3`, rather than rebuilding the
+Socket Basics image and re-enabling Trivy ad hoc.
+
 ### Save Results to File
 
 Mount a volume to save scan results:

docs/local-installation.md

@@ -202,6 +202,22 @@ export SOCKET_SECURITY_API_KEY="your-api-key"
 > container-based distribution where possible. Review the upstream install path
 > and artifacts carefully before using this in production CI.
 
+> [!IMPORTANT]
+> Socket's interim recommendation for customers who still need Trivy is to pin
+> the binary or Docker image to `v0.69.3`.
+> Aqua's final incident report lists the known-safe Trivy binary range as
+> `v0.69.2` to `v0.69.3`; the corresponding Docker image tags are `0.69.2` to
+> `0.69.3` without the `v` prefix. We standardize on `v0.69.3` / Docker tag
+> `0.69.3` because it is the latest version Aqua still classifies as known-safe.
+> Do not use `v0.69.4`, and audit any cached Docker Hub images for `0.69.5` and
+> `0.69.6`.
+> If you use Aqua's own GitHub Actions independently of Socket Basics, Aqua's
+> published safe versions are `aquasecurity/trivy-action@v0.35.0` and
+> `aquasecurity/setup-trivy@v0.2.6`; pin those by full commit SHA rather than by
+> tag.
+> Reference:
+> https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
+
 **Installation:**
 
 ```bash
@@ -232,6 +248,12 @@ docker pull aquasec/trivy:0.69.3
 trivy --version
 ```
 
+For this interim path, `trivy --version` should report `Version: 0.69.3`, and a
+container-based install should use image tag `aquasec/trivy:0.69.3`. If your
+package manager or container reference resolves to some other version, treat
+that as a separate review decision rather than assuming it matches the current
+Socket Basics guidance.
+
 **Documentation:** https://github.com/aquasecurity/trivy
 
 ### OpenGrep (SAST)