aquasecurity/trivy-action is compromised

[ashishkurmi]

It looks like all the tags starting from 0.34.2 are pointing to a malicious commit which is dumping process memory to steal credential. Please update all release tags to point them to original commit.

Please refer to our blog for more details: https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release#indicators-of-compromise

For example, 0.34.2 is pointing to
ddb9da4

[hi-artem]

Yep it is compromised https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

[DmitriyLewen]

Hello all!

Important

The 0.35.0 version that we created after the first incident is safe and wasn't compromised.

What happened:

All tags before 0.35.0 in this repository were pointing to malicious commits. We have restored all tags to their original, safe commits.

What we did:

• We identified all compromised tags by comparing remote tag hashes against our local trusted copies
• All tags from v0.0.1 to v0.34.0 have been re-created with v-prefix pointing (e.g. 0.34.0 -> v.0.34.0 )to the correct, verified commits
• We verified that every restored tag hash matches the original trusted source
• All tags without the v prefix have been removed

What you should do:

• If you're using version 0.35.0 - no action is needed.
• If you're using an older version - update to the safe 0.35.0.
• If it's important for you to use a previous version - use the sha commit of the tag, they are safe now.

[Fabian4Jupus]

What you should do:

As hard as it may be: do not use Trivy anymore for now.

[ABGEO]

@DmitriyLewen, @ashishkurmi, can you please confirm exactly which version was compromised?

[Fabian4Jupus]

@DmitriyLewen, @ashishkurmi, can you please confirm exactly which version was compromised?

The malicious commit is from Jan 15

[drew-viles]

So my concerns are, has everyone that has been using this action had secrets scraped from their pipelines? Kinda feels like that is the case here, no?

If this is the case, the actual advice should be to tell everyone to roatate every single secret that this action might have stood near.