Trivy Security Incident Affects GitHub Secrets

This title was summarized by AI from the post below.

View organization page for The Apache Software Foundation

81,367 followers

1mo

A security incident involving Trivy (v0.69.4) has been reported, with indications that the release may have included malicious code capable of accessing credentials in GitHub Secrets. Related GitHub Actions (trivy-action and trivy-setup) are also believed to be affected. In response, ASF Infrastructure and Security teams have: -- Disabled previously allowed “verified creator” GitHub Actions -- Initiated an investigation into potential exposure of secrets and repositories -- Noted that some builds may fail due to these precautionary measures Projects using affected workflows may need to request approvals for required actions. More details: https://buff.ly/1IjyOlz #opensource

2 Comments

Lari Hotari 1mo

Link to blog post (it changed): https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

1 Reaction

Joe Schaefer 1mo

UGH

See more comments

To view or add a comment, sign in

More Relevant Posts

Abraham Reyes, CISSP, CCSP
1mo
Report this post
"#Trivy, the widely-used open source vulnerability scanner, was compromised for the second time in three weeks on March 19th , a malicious v0.69.4 release was published with binaries phoning home to a typosquat C2 domain, the original incident disclosure was deleted, and spam bots flooded the replacement discussion thread to slow the response. If you're running Trivy in CI, update to v0.69.3+ and if you're using the setup-trivy GitHub Action, move to v0.2.6 immediately." #aquasecurity #cybsecurity #cloudsecurity #appsec #github https://lnkd.in/gmTi9tg6

Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised - StepSecurity stepsecurity.io
Like Comment
To view or add a comment, sign in
Kashyap Tatmiya
2w
Report this post
Ensuring the security of our CI/CD pipelines is crucial in today's digital landscape. This offer for a free software supply chain security assessment is a great opportunity to identify potential vulnerabilities. How do you manage your CI/CD security?
Endor Labs

17,743 followers
3w Edited

Do you know what's running in your GitHub Actions today? We're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: ✅ A scan of your open source dependencies for vulnerabilities and malicious packages ✅ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations Request your free consultation here: https://lnkd.in/gNC_WU-A #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Alexander Roebuck
2w
Report this post
Understanding your software supply chain is more critical than ever. This offer for a CI/CD security assessment is a step forward in identifying vulnerabilities before they become liabilities. A must-consider for any proactive team with recent and ongoing attacks.
Endor Labs

17,743 followers
3w Edited

Do you know what's running in your GitHub Actions today? We're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: ✅ A scan of your open source dependencies for vulnerabilities and malicious packages ✅ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations Request your free consultation here: https://lnkd.in/gNC_WU-A #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Endor Labs

17,743 followers
3w Edited
Report this post
Do you know what's running in your GitHub Actions today? We're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: ✅ A scan of your open source dependencies for vulnerabilities and malicious packages ✅ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations Request your free consultation here: https://lnkd.in/gNC_WU-A #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Naresh Devasani
2w
Report this post
How certain are you around what's running in your GitHub Actions today? Things have been pretty wild lately, so we're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: 🔍 A scan of your open source dependencies for vulnerabilities and malicious packages ⚒️ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations You can learn more and request your free consultation here: https://lnkd.in/gUhrhjaS #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Jackson Marnalse
2w
Report this post
How certain are you around what's running in your GitHub Actions today? Things have been pretty wild lately, so we're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: 🔍 A scan of your open source dependencies for vulnerabilities and malicious packages ⚒️ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations You can learn more and request your free consultation here: https://lnkd.in/di92RGmU #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Shivaprakash K
2w
Report this post
How certain are you around what's running in your GitHub Actions today? Things have been pretty wild lately, so we're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: 🔍 A scan of your open source dependencies for vulnerabilities and malicious packages ⚒️ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations You can learn more and request your free consultation here: https://lnkd.in/dhzhEfBU #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Brett Carriere
2w
Report this post
How certain are you around what's running in your GitHub Actions today? Things have been pretty wild lately, so we're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: 🔍 A scan of your open source dependencies for vulnerabilities and malicious packages ⚒️ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations You can learn more and request your free consultation here: https://lnkd.in/eMUihUDY #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Matthew Helfrich
2w
Report this post
How certain are you around what's running in your GitHub Actions today? Things have been pretty wild lately, so we're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: 🔍 A scan of your open source dependencies for vulnerabilities and malicious packages ⚒️ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations You can learn more and request your free consultation here: https://lnkd.in/ebZEhdsi #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in
Endor Labs

17,743 followers
3w Edited
Report this post
How certain are you around what's running in your GitHub Actions today? Things have been pretty wild lately, so we're offering a free software supply chain security assessment to help teams assess and harden their CI/CD workflows. Here's what's included: 🔍 A scan of your open source dependencies for vulnerabilities and malicious packages ⚒️ A CI/CD audit to surface compromised Actions, unpinned dependencies, and risky configurations You can learn more and request your free consultation here: https://lnkd.in/gr8_EYmD #SupplyChainSecurity #GitHubActions #AppSec #DevSecOps #CICDSecurity #Trivy #TeamPCP
Like Comment
To view or add a comment, sign in

81,367 followers

View Profile Follow

LinkedIn respects your privacy

Trivy Security Incident Affects GitHub Secrets

Explore content categories