from aquasecurity/trivy-db#251:

There does not currently appear to be any way to run Trivy using an older version of the DB.
Example use case: check how many vulnerabilities would have been detected by Trivy in a given image 30 days ago.
There is additional work to do in the CLI to change the tag to something other that "2" (for example --db-tag=2022091512). However, until these tags start to be published, there is no reliable way to obtain this data other than by scrubbing through the GitHub Actions logs, locating the digest published by oras, and following the air-gap instructions.