Trivy ecosystem supply chain briefly compromised

Who Should Read

DevSecOps engineers and backend developers using Trivy to scan container images or code for vulnerabilities in CI/CD pipelines — especially teams using aquasecurity/trivy-action or aquasecurity/setup-trivy in GitHub Actions.

Core Mechanics

• The attack compromised Trivy's official GitHub releases and replaced 76 Git tags pointing to GitHub Actions with malicious versions containing credential-stealing code.
• The malicious code targeted CI/CD environment variables — specifically cloud provider credentials, API keys, and secrets stored in GitHub Actions secrets.
• Since many pipelines reference Trivy Actions by tag (e.g., @v0.20.0) rather than commit hash, they automatically pulled the malicious version on the next run without any code changes.
• The attack was discovered relatively quickly, but any pipeline that ran Trivy Actions between the attack and the fix may have had credentials exfiltrated.
• Mitigation: immediately rotate any secrets that were accessible in pipelines running Trivy Actions, and pin all GitHub Actions to specific commit SHAs rather than tags.

Evidence

• The Aqua Security team published a detailed incident report confirming the attack vector, the scope (76 tags), and the timeline.
• Security researchers noted this follows a well-established pattern: attackers target trusted security tools specifically because they have broad access and are used in privileged CI/CD contexts.
• Several teams shared postmortems in the comments, with some discovering they'd rotated credentials only to find the attacker had already used them in the hours between compromise and rotation.
• The broader discussion centered on the GitHub Actions security model — tag pinning vs. SHA pinning is a known security gap that this incident made viscerally real for many teams.

How to Apply

• Immediately: if your pipelines used aquasecurity/trivy-action or aquasecurity/setup-trivy in the affected window, rotate all secrets those pipelines had access to.
• Switch all GitHub Actions references from tag-based (e.g., @v1.2.3) to SHA-based (e.g., @abc123def...) pinning. Tags are mutable; commit SHAs are immutable.
• Implement automated dependency scanning for your GitHub Actions workflows — tools like Dependabot or StepSecurity's Harden-Runner can flag outdated or compromised Actions.
• Apply least-privilege to CI/CD secrets: pipelines that only need read access shouldn't have write credentials. Compartmentalize so a single compromised pipeline can't access all secrets.

Code Example

# Unsafe approach (using tags - vulnerable to attacks)
- uses: aquasecurity/trivy-action@master
- uses: aquasecurity/trivy-action@v0.34.0

# Safe approach 1: Use patched version tag
- uses: aquasecurity/trivy-action@v0.35.0

# Safe approach 2: Pin to SHA hash (most recommended)
# First, check the commit SHA: https://github.com/aquasecurity/trivy-action/commits/main
- uses: aquasecurity/trivy-action@<full-commit-sha>

# Reference container images by digest (defends against tag substitution attacks)
# Using tag (vulnerable)
docker pull aquasecurity/trivy:0.69.4

# Using digest (safe)
docker pull aquasecurity/trivy@sha256:<digest>

# Check installed trivy version
trivy --version
# output: Version: 0.69.4 -> immediate replacement required in this case
# output: Version: 0.69.3 -> safe

Terminology

Related Resources

• Official Security Advisory (GHSA-69fq-xp46-6x23)
• Socket.dev: Trivy Attack Technique Analysis - GitHub Actions Tag Hijacking Details
• Socket.dev: Previous Breach Incident - Unauthorized AI Agent Execution Code
• Slashdot: Trivy Supply Chain Attack Spread Coverage