9 points | by mmsc 13 hours ago
5 comments
More details here: https://www.stepsecurity.io/blog/trivy-compromised-a-second-...
Current GitHub discussion (the old discussion was removed by the attacker): https://github.com/aquasecurity/trivy/discussions/10420
The offending commit seems to be: https://github.com/aquasecurity/trivy/commit/1885610c6a34811... which updates the action to `actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2`. https://github.com/actions/checkout/commit/70379aad1a8b40919... is not actually in `actions/checkout` but a fork, and it pulls malicious code from the typo-squatted "scan.aquasecurtiy.org" (note the _tiy_).
Any system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.
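A check for the failure mode described in the comment above (a `uses:` pin whose SHA carries a `# v6.0.2` comment but is not actually the upstream tag's commit), as an added example that is not part of this thread: it parses `git ls-remote --tags` output for the upstream repository and flags pins that are mutable refs, point at a commit that matches no upstream tag (a fork commit looks exactly like this), or carry a version comment that disagrees with the tag the SHA really belongs to. The tag SHAs and the workflow fragment are constructed placeholders, and `parse_tag_commits` and `check_pins` are names of my own.

```python
import re

# Constructed sample of `git ls-remote --tags https://github.com/actions/checkout`
# output; the SHAs are placeholders, not the real tag commits.
UPSTREAM_TAGS = """\
aaaa000000000000000000000000000000000001\trefs/tags/v6.0.1
bbbb000000000000000000000000000000000002\trefs/tags/v6.0.2
cccc000000000000000000000000000000000003\trefs/tags/v6.0.2^{}
"""
# Constructed workflow fragment. The second SHA is the one named in the thread; it
# matches no upstream tag above, so the check must flag it.
WORKFLOW = """\
steps:
  - uses: actions/checkout@cccc000000000000000000000000000000000003 # v6.0.2
  - uses: actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2
  - uses: actions/checkout@aaaa000000000000000000000000000000000001 # v6.0.2
  - uses: actions/checkout@v6.0.2
"""
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)(?:\s*#\s*(\S+))?")

def parse_tag_commits(ls_remote_output):
    """Map tag name -> commit SHA; for annotated tags the peeled '^{}' line wins."""
    tags = {}
    for line in ls_remote_output.splitlines():
        sha, ref = line.split("\t")
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha       # peeled commit overrides the tag object
        else:
            tags.setdefault(name, sha)  # lightweight tag, or tag object for now
    return tags

def check_pins(workflow_text, repo, tag_commits):
    """Return (ref, verdict) for every `uses:` of `repo` in the workflow."""
    sha_to_tag = {sha: tag for tag, sha in tag_commits.items()}
    verdicts = []
    for action, ref, comment in USES_RE.findall(workflow_text):
        if action != repo:
            continue
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            verdict = "mutable-ref"            # tag or branch, not a commit pin
        elif ref not in sha_to_tag:
            verdict = "not-an-upstream-tag"    # fork commit or unreleased SHA
        elif comment and comment != sha_to_tag[ref]:
            verdict = "comment-mismatch"       # real pin, but not the version claimed
        else:
            verdict = "ok"
        verdicts.append((ref, verdict))
    return verdicts
```

In real use replace `UPSTREAM_TAGS` with live `git ls-remote --tags` output; a SHA that renders on github.com under the upstream repository path may still exist only in a fork, which is why this compares against the tag list rather than URL reachability.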
Any recommendations for Trivy alternatives to use while Aqua rebuilds their reputation?
Grype, Clair