fix: vulnerability scan w/trivy

We should setup the latest go before loading trivy,
otherwise an older go version installed on the runner is checked.

Also: specified a more up to date trivy version than the default
used by the action.

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>

Author: fredbi

.github/workflows/scanner.yml

@@ -30,6 +30,12 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
+      -
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: stable
+          check-latest: true
+          cache: true
       -
         name: Vulnerability scan by trivy
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
@@ -39,6 +45,7 @@ jobs:
           hide-progress: false
           output: trivy-code-report.sarif
           scanners: vuln,secret
+          trivy-version: v0.68.0
           exit-code: 0
       -
         name: Upload trivy findings to code scanning dashboard