Triage Logo
Back to all articles
ThreatBrief Application SecurityCloud SecurityCI/CD Security

Security incident involving open-source Trivy components and CI/CD environments

An unauthorized party compromised specific open-source components of the Trivy security scanner, modifying existing GitHub Action tags to collect sensitive CI/CD secrets. Organizations using affected Trivy components during the exposure window should immediately audit their pipelines and rotate accessible credentials.

Triage Security Media Team
3 min read

A recent software supply chain security incident involving the open-source Trivy security scanner resulted in unauthorized modifications designed to collect sensitive secrets from automated enterprise software build and deployment pipelines. The unauthorized party targeted cloud credentials, SSH keys, authentication tokens, and other sensitive data.

Trivy is an open-source scanner widely used to identify vulnerabilities in container images, code repositories, and infrastructure configurations. Because many organizations integrate Trivy deeply into their continuous integration and continuous delivery (CI/CD) pipelines, the tool operates with elevated privileges. Aqua Security, the primary maintainer of Trivy, offers a separate commercial version of the scanner, which the company states does not appear to have been impacted by this incident.

Multistage software supply chain incident

The security incident began in February when a misconfiguration in Trivy’s GitHub Action component allowed an unauthorized party to obtain a privileged access token. This token provided access to Trivy's repository automation and release environment.

The Trivy team discovered the initial unauthorized access and disclosed it on March 1. The team executed a credential rotation; however, the threat actor managed to retain access to the environment and capture newly rotated secrets.

On March 19, the threat actor used those credentials to force-push unauthorized code to 76 of the 77 previously released versions of trivy-action, the GitHub Action that organizations use to run Trivy scans inside their automated CI/CD pipelines. A CI/CD pipeline referencing any of those mutable version tags would have downloaded and executed the compromised code instead of the legitimate original.

The unauthorized party also altered all seven versions in the setup-trivy repository. Additionally, the threat actor used a compromised automated service account, aqua-bot, to publish a compromised version of Trivy, v0.69.4, and manipulate its GitHub Action tags.

In a March 22 security update, Aqua Security noted that the threat actor modified existing version tags associated with trivy-action to introduce unauthorized code into workflows that organizations were already running. Because many automated CI/CD pipelines rely entirely on version labels without verifying code integrity through commit hashes, the pipelines continued running without detecting the modifications.

In a subsequent update on March 23, Aqua disclosed that the threat actor used the compromised automated service account to publish two compromised Docker images, v0.69.5 and v0.69.6, distributing the unauthorized code through Trivy's trusted release channels.

Credential harvesting mechanism

The Trivy security team and Aqua Security analyzed the unauthorized code, describing it as a credential-harvesting mechanism. It scans over 50 filesystem locations for SSH keys; cloud provider credentials for AWS, Google Cloud, and Azure; Kubernetes authentication tokens; Docker configuration files; environment variable files; database credentials; and cryptocurrency wallets.

The analysis shows the script uses AES-256-CBC with RSA-4096 hybrid encryption to secure and transmit collected data to external infrastructure controlled by the threat actor. If external transmission fails, the code initiates a fallback mechanism: it creates a public GitHub repository named tpcp-docs on the affected organization's account and uploads the collected data there.

According to Aqua Security, this combination of credential compromise, abuse of trusted release channels, and silent execution within CI/CD pipelines illustrates the mechanics of a modern software supply chain incident.

This incident reflects a broader pattern of threat actors focusing on trusted security tools and vendors. Earlier this month, Outpost24 reported an incident involving a sophisticated seven-stage phishing chain aimed at obtaining credentials from a C-level executive. While that specific attempt was unsuccessful, these events demonstrate ongoing efforts to compromise security products that organizations rely on and grant extensive environmental access.

Organizations that used any affected version of Trivy, trivy-action, or setup-trivy during the exposure windows must treat all secrets accessible to those pipelines as compromised and rotate them immediately. Based on guidance from Aqua Security and the Trivy maintainers, we recommend the following actions:

  • Audit Trivy versions: Review systems to determine if they pulled or executed the compromised Trivy v0.69.4, v0.69.5, or v0.69.6 versions from any source, and remove them immediately.

  • Update to known-safe versions: Ensure all workflows are running verified safe versions, such as Trivy binary v0.69.2 or v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6.

  • Review GitHub Action references: Check all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy for signs of compromise, specifically reviewing run logs from March 19 and 20.

  • Search for exfiltration artifacts: Inspect GitHub organizations for the presence of a repository named tpcp-docs, which indicates the fallback exfiltration mechanism was triggered.

  • Pin GitHub Actions to full SHA hashes: To prevent exposure to mutable tag modifications in the future, organizations should configure CI/CD pipelines to pin GitHub Actions to full, immutable commit SHA hashes rather than version tags.

Sources & References