fix(ci): pin trivy-action to SHA after supply chain attack#8
Merged
Conversation
supply chain compromise
- Replace @0.28.0 refs with v0.35.0 SHA (57a97c7e) in ci.yml (3) and docker-build.yml (2)
- Tags v0.0.1-v0.34.2 were force-pushed with malicious code on 2026-03-19
- No secrets leaked, no CI ran after compromise timestamp
Impact: CI no longer references compromised action tags
🎉 This PR is included in version 3.27.6 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Summary

- aquasecurity/trivy-action was compromised on 2026-03-19 (~19:00 UTC)
- master entrypoint.sh exfiltrates CI secrets to attacker-controlled infrastructure
- @0.28.0 (5 occurrences across ci.yml and docker-build.yml) — in compromised range

Changes

Pin all 5 aquasecurity/trivy-action references from @0.28.0 to the SHA of v0.35.0 (57a97c7e), the only tag left untouched by attackers. SHA pinning prevents future tag-based attacks.

Files modified

- .github/workflows/ci.yml — 3 occurrences
- .github/workflows/docker-build.yml — 2 occurrences

Test plan

- No @0.28.0 or other version-tag references remain: grep -r "trivy-action" .github/
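The test plan's grep only looks for the trivy-action string. The same class of problem (a `uses:` reference resolved through a mutable tag that an attacker can force-push) can exist for any action, so a defender usually wants a repository-wide check. The script below is an added example and is not part of this PR or the project's own tooling: it writes a constructed sample workflow to a temp directory and reports every `uses:` reference that is not pinned to a full 40-hex-digit commit SHA. The 40-character SHA in the sample is a made-up placeholder, and the short `57a97c7e` line is there to show that an abbreviated SHA is not treated as a full pin by this check.

```shell
#!/bin/sh
# Added example (not the PR's own code): audit GitHub Actions workflows for
# `uses:` references that are pinned by mutable tag or branch instead of a
# full commit SHA. Requires only POSIX grep/sed.

# Constructed sample workflow so the script runs offline. The 40-hex SHA is a
# placeholder, not a real actions/setup-node commit.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/ci.yml" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # full SHA pin
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@57a97c7e   # short SHA, not a full pin
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
EOF

# Print every `uses:` reference (one per line, comments stripped) whose ref is
# not a full 40-hex-digit commit SHA. Local (./) and docker:// references are
# skipped because they are not resolved through a git tag on GitHub.
find_unpinned_uses() {
  grep -h -E '^[[:space:]-]*uses:[[:space:]]*' "$@" \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
    | grep -v -E '^(\./|docker://)' \
    | grep -v -E '@[0-9a-f]{40}$'
}

# Count how many unpinned references point at a given action, e.g. to confirm a
# fix like this PR's removed every tag-based reference to it.
count_tag_refs() {
  action="$1"; shift
  find_unpinned_uses "$@" | grep -c -E "^${action}@" || true
}

# Usage against the sample; point the same functions at .github/workflows/*.yml
# in a real repository.
echo "Unpinned uses: references in $SAMPLE_DIR/ci.yml:"
find_unpinned_uses "$SAMPLE_DIR/ci.yml"
echo "Tag-based trivy-action refs: $(count_tag_refs aquasecurity/trivy-action "$SAMPLE_DIR/ci.yml")"
```

Running it on a real repository is `find_unpinned_uses .github/workflows/*.yml`; an empty result means every third-party action is SHA-pinned. A tag-to-SHA mapping still has to be checked against the upstream repository at the time you pin, since a SHA only protects against later tag rewrites, not a tag that was already pointing at bad code when you resolved it.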