March 21, 2026

Multiple components backdoored

Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. Developers use it to detect vulnerabilities and exposed secrets in their CI/CD pipelines and container images.

The attackers compromised three components of the Trivy project: trivy-action, the official GitHub Action for running Trivy scans in CI/CD workflows; setup-trivy, a helper action for installing the scanner; and the Trivy binary itself. Backdoored artifacts were published to GitHub releases, Docker Hub, the GitHub Container Registry, and the Amazon Elastic Container Registry.

According to Socket, 75 of 76 version tags in trivy-action were overwritten with malicious code, along with seven tags in setup-trivy. The one unaffected trivy-action tag was version 0.35.0. The compromised tags include widely used versions such as 0.34.2, 0.33.0, and 0.18.0.
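Because the tags themselves were overwritten, any workflow that references these actions by tag rather than by a full commit SHA resolves to whatever the tag currently points at. The following is an added example, not code from the article or from the Trivy project: a small audit that lists how a workflow file references trivy-action and setup-trivy. It assumes the actions are referenced under the `aquasecurity/` owner and that a leading `v` on a tag can be ignored when comparing to 0.35.0; the sample workflow and its SHA are constructed.

```python
import re

# Actions named in the article (owner prefix is an assumption of this example).
WATCHED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# The only trivy-action tag the article reports as not overwritten.
REPORTED_CLEAN = {("aquasecurity/trivy-action", "0.35.0")}

USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(action, ref):
    """Label one reference: immutable SHA pin, reported-clean tag, or mutable ref."""
    if FULL_SHA_RE.match(ref):
        # Not affected by a tag overwrite; still confirm the commit is one you reviewed.
        return "pinned-sha"
    version = ref[1:] if ref.startswith("v") else ref
    if (action, version) in REPORTED_CLEAN:
        return "tag-reported-clean"
    return "mutable-ref"


def scan_workflow(text):
    """Return (line number, action, ref, label) for each watched `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() in WATCHED:
            action, ref = m.group(1).lower(), m.group(2)
            findings.append((lineno, action, ref, classify(action, ref)))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@main
      - uses: aquasecurity/trivy-action@0.33.0
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE):
        print(*finding, sep="\t")
```

Every `mutable-ref` result is a workflow step to review against the run history for the period of the compromise.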


