Compromised aquasecurity/trivy-action detected in workflow run(s)
Our automated platform at StepSecurity has detected that this repository used a compromised version of aquasecurity/trivy-action in its GitHub Actions workflows during the recent Trivy incident. I have also manually confirmed that the affected workflow run(s) indeed used the compromised action.
What happened?
The aquasecurity/trivy-action GitHub Action was compromised, and a malicious version (v0.69.4) was published. Workflow runs in this repository executed a compromised SHA of this action, which may have exposed sensitive information such as secrets, environment variables, or build artifacts.
For more details on the incident, see StepSecurity Blog: Trivy Compromised a Second Time.
Compromised SHAs detected
- aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 (e6c2c5e321ed9123bda567646e2f96565e34abe1)
- aquasecurity/trivy-action@91e7c2c36dcad14149d8e455b960af62a2ffb275 (0.33.1)
Affected workflow runs
| # | Workflow Run | Build Log (compromised step) |
|---|---|---|
| 1 | 23323328909 | View compromised action step |
Current workflow status
The workflow in this repository is still referencing the action using a mutable tag rather than a pinned SHA: View current workflow.
Recommended actions
- Review the compromised workflow job run(s) and identify whether the job had access to any secrets. If yes, consider them exfiltrated and rotate them immediately.
- Pin GitHub Actions to full-length commit SHAs to prevent future tag-based supply chain attacks. You can use StepSecurity Secure Repo to automatically pin GitHub Actions.
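As an added example (not part of this issue or of StepSecurity's tooling), a small Python audit that walks the `uses:` lines of a workflow file, flags any action reference that is not a full-length commit SHA, and flags the two compromised SHAs listed above. The sample workflow is constructed; the 40-hex SHA on its last step is a placeholder, not a real commit.

```python
import re

# Compromised refs named in the issue above (values copied from this page).
COMPROMISED_SHAS = {
    "e6c2c5e321ed9123bda567646e2f96565e34abe1",  # aquasecurity/setup-trivy
    "91e7c2c36dcad14149d8e455b960af62a2ffb275",  # aquasecurity/trivy-action (0.33.1)
}

# Matches "uses: owner/repo@ref" as a list item or as a keyed step field.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, action_ref, finding) for every `uses:` step.

    finding is one of: 'ok' (pinned to a full SHA), 'mutable-ref' (tag or
    branch, or no ref at all), 'compromised-sha', 'local-or-docker'.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append((n, ref, "local-or-docker"))  # not a remote GitHub action
            continue
        _action, _, version = ref.rpartition("@")
        if version in COMPROMISED_SHAS:
            findings.append((n, ref, "compromised-sha"))
        elif FULL_SHA_RE.match(version):
            findings.append((n, ref, "ok"))
        else:
            findings.append((n, ref, "mutable-ref"))  # tag, branch, or missing '@ref'
    return findings


# Constructed sample workflow mixing pinned, unpinned and compromised refs.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.33.1
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
"""
```

Run `audit_workflow(SAMPLE_WORKFLOW)` to see one step pinned correctly, two on mutable tags, and one on the compromised setup-trivy SHA from this issue.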