
Trivy vulnerability scanner backdoored with credential stealer in supply chain attack

Several components backdoored

Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. Developers use it to detect vulnerabilities and exposed secrets in their CI/CD pipelines and container images.

The attackers compromised three components of the Trivy project: trivy-action, the official GitHub Action for running Trivy scans in CI/CD workflows; setup-trivy, a helper action for installing the scanner; and the Trivy binary itself. Backdoored artifacts were published to GitHub releases, Docker Hub, the GitHub Container Registry, and the Amazon Elastic Container Registry.

According to Socket, 75 of 76 version tags in trivy-action were overwritten with malicious code, along with seven tags in setup-trivy. The only unaffected trivy-action tag was version 0.35.0. The compromised tags include widely used versions such as 0.34.2, 0.33.0, and 0.18.0.
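Because the compromise worked by overwriting mutable version tags, the practical check for a defender is whether any workflow references these actions by tag rather than by a full commit SHA. The following audit script is an added example written for this article, not code from Socket or the Trivy project; it assumes the actions live under the `aquasecurity/` GitHub owner (the page names only `trivy-action` and `setup-trivy`), and the sample workflow is constructed.

```python
import re

# Actions named in the article; the "aquasecurity/" owner prefix is assumed here.
WATCHED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches `uses: owner/repo[/subpath]@ref` on a step line, with or without the list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)")
# A reference is immutable only if it is a full 40-hex-character commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, action, ref, status) for every reference to a watched action.

    status is 'sha-pinned' when the ref is a full commit SHA, otherwise 'mutable-ref'
    (a tag or branch, which a compromised maintainer account can repoint at will).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        if action not in WATCHED_ACTIONS:
            continue
        status = "sha-pinned" if SHA_RE.match(ref) else "mutable-ref"
        findings.append((line_no, action, ref, status))
    return findings


# Constructed sample workflow: two tag references and one SHA-pinned reference.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {status}")
```

Run it over every file under `.github/workflows/` and treat each `mutable-ref` finding as a reference to re-pin to a SHA you have verified, since a tag name alone says nothing about which commit it currently points at.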
