[Tracking] Repositories requiring trivy-action security update

[Priyankasaggu11929]

This is a tracking issue for the security update of aquasecurity/trivy-action across Kubernetes organization repositories.

Ref: aquasecurity/trivy#10425

---

Recommended fix: update all references to use SHA-pinned version:

uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0

---

ref: https://cs.k8s.io/?q=(trivy-action%7Csetup-trivy)%40(v0%7Cmaster)&i=nope&literal=nope&files=.github%2Fworkflows%2F*&excludeFiles=&repos=

Across our 5 Kubernetes orgs (kubernetes, kubernetes-sigs, kubernetes-csi, kubernetes-client, etcd-io), the following repos are using trivy scanner in github action workflows.

Among them, following two already use SHA-pinned trivy-action:

• kubernetes-sigs/cloud-provider-azure
• kubernetes-sigs/cluster-api-operator

And rest of the following need to be updated:

• kubernetes-csi/csi-driver-iscsi - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-driver-iscsi#398
• kubernetes-csi/csi-driver-nfs - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-driver-nfs#1075
• kubernetes-csi/csi-driver-smb - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-driver-smb#1047
• kubernetes-csi/csi-driver-smb-GHSA-rmg6-rh96-c9wx - https://github.com/kubernetes-csi/csi-driver-smb-ghsa-rmg6-rh96-c9wx/pull/1
• kubernetes-csi/csi-lib-iscsi - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-lib-iscsi#76
• kubernetes-csi/csi-release-tools - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-release-tools#295
• kubernetes-csi/external-snapshot-metadata - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/external-snapshot-metadata#228
• kubernetes-csi/external-snapshotter - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/external-snapshotter#1402
• kubernetes-csi/livenessprobe - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/livenessprobe#405
• kubernetes-csi/node-driver-registrar - security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/node-driver-registrar#562
• kubernetes-sigs/aws-ebs-csi-driver - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/aws-ebs-csi-driver#2898
• kubernetes-sigs/azuredisk-csi-driver - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azuredisk-csi-driver#3557
• kubernetes-sigs/azurefile-csi-driver - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azurefile-csi-driver#3032
• kubernetes-sigs/azurelustre-csi-driver - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azurelustre-csi-driver#265
• kubernetes-sigs/blob-csi-driver - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/blob-csi-driver#2383
• kubernetes-sigs/descheduler - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/descheduler#1854
• kubernetes-sigs/hydrophone - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/hydrophone#298
• kubernetes-sigs/lws - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/lws#785
• kubernetes-sigs/sig-storage-local-static-provisioner - security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/sig-storage-local-static-provisioner#547

---

• chore: fix trivy-action version comment from master to v0.35.0 kubernetes-sigs/cloud-provider-azure#10071
• [release-4.13] security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-driver-nfs#1076
• [release-1.20] security: Update trivy-action to use sha for v0.35.0 kubernetes-csi/csi-driver-smb#1048
• [release-1.27] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/blob-csi-driver#2384
• [release-1.26] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/blob-csi-driver#2385
• [release-1.35] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azurefile-csi-driver#3033
• [release-1.33] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azurefile-csi-driver#3034
• [release-1.34] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azurefile-csi-driver#3035
• [release-1.34] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azuredisk-csi-driver#3558
• [release-1.33] security: Update trivy-action to use sha for v0.35.0 kubernetes-sigs/azuredisk-csi-driver#3559

---

Please note - below repos need a git submodule update once the respective PR for release-tools repo is merged kubernetes-csi/csi-release-tools#295

• kubernetes-csi/csi-driver-iscsi
• kubernetes-csi/csi-driver-nfs
• kubernetes-csi/csi-driver-smb
• kubernetes-csi/csi-lib-iscsi
• kubernetes-csi/external-snapshot-metadata
• kubernetes-csi/external-snapshotter
• kubernetes-csi/livenessprobe
• kubernetes-csi/csi-driver-host-path
• kubernetes-csi/csi-driver-nvmf
• kubernetes-csi/csi-lib-utils
• kubernetes-csi/csi-proxy
• kubernetes-csi/csi-test
• kubernetes-csi/external-attacher
• kubernetes-csi/external-health-monitor
• kubernetes-csi/external-provisioner
• kubernetes-csi/external-resizer
• kubernetes-csi/lib-volume-populator
• kubernetes-csi/volume-data-source-validator

[Priyankasaggu11929]

cc: @dims

[dims]

thanks @Priyankasaggu11929 !

[Priyankasaggu11929]

cc: @kubernetes/owners

Also cc: @kubernetes/sig-storage-leads - could you please take a look at the above PRs and help merge them on an emergency priority basis. Most of the above listed repos are owened by SIG storage.

[PushkarJ]

Thank you @Priyankasaggu11929

For all the owners of the repos, reiterating the original guidance on trivy discussion, if it applies to your use of trivy GitHub action in addition to merging the PR

treat all pipeline secrets as compromised and rotate immediately.

[Priyankasaggu11929]

@kubernetes/sig-storage-leads - could you please merge this one on priority - kubernetes-csi/csi-release-tools#295

and if possible also help with the respective git submodule updates in the above listed repos.

[Priyankasaggu11929]

jfyi - @kubernetes/sig-security-admins

[Priyankasaggu11929]

@xing-yang, @andyzhangx - is it ok if I create PRs to bump the csi-release-tools git submodule version in all affected repos?

If so, is there a process I need to follow?
I'm looking at this PR for an example - kubernetes-csi/csi-driver-iscsi#396

[andyzhangx]

@xing-yang, @andyzhangx - is it ok if I create PRs to bump the csi-release-tools git submodule version in all affected repos?

If so, is there a process I need to follow? I'm looking at this PR for an example - kubernetes-csi/csi-driver-iscsi#396

the trivy action change referenced in csi-release-tools is not used in dependent csi repos, so I don't think it's necessary to update now.

[Priyankasaggu11929]

the trivy action change referenced in csi-release-tools is not used in dependent csi repos, so I don't think it's necessary to update now.

Thanks for the confirmation.

So, just to confirm, when the next git submodule version updates happen, the gh action changes (change - pinned sha commits) will be applied to all the above listed repos right?

Even if its not used, I suggest we change the floating tags soon.

[andyzhangx]

the trivy action change referenced in csi-release-tools is not used in dependent csi repos, so I don't think it's necessary to update now.

Thanks for the confirmation.

So, just to confirm, when the next git submodule version updates happen, the gh action changes (change - pinned sha commits) will be applied to all the above listed repos right?

Even if its not used, I suggest we change the floating tags soon.

correct, while that's not urgent now