Skip to content

[security] Trivy compromised for several hours #107

Description

@pkopac

I strongly recommend to lock down what versions (by hash) you use internally (in the script). If not specified by action options, latest is used now, which can be vulnerable to supply chain attacks...

This action might have been compromised, so I recommend to investigate to all users of this action:

the compromised aqua-bot service account triggered release automation to publish a malicious Trivy binary designated v0.69.4.

See the article: https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions