The Scanner Became the Threat

Trivy is a security tool. Organizations use it specifically to protect their software development pipelines by scanning container images and code repositories for known vulnerabilities and hardcoded secrets. With 33,200 stars on GitHub, it is among the most widely deployed security scanning tools in the DevSecOps ecosystem. That reach made it an exceptionally high-value target.

Itay Shakury, a Trivy maintainer at Aqua Security, confirmed that threat actors used stolen credentials to force-push malicious dependencies into virtually all tagged versions of two core GitHub Actions components: trivy-action and setup-trivy. The attack began in the early hours of a Thursday morning and was not detected for hours, during which automated CI/CD pipelines worldwide may have pulled and executed the compromised code.

What Force-Pushing Means

A force-push is a git operation that overrides the safety mechanisms protecting existing commits from being overwritten. For GitHub Actions specifically, this is particularly dangerous. When developers pin their CI/CD workflows to a specific Trivy action tag — a common security practice intended to ensure reproducibility — they trust that the tag points to the same code it always did. Force-pushing malicious commits into those tags breaks this assumption silently: the pipeline configuration looks unchanged but now executes attacker-controlled code with whatever permissions the CI/CD environment provides.

What the Malicious Code Did

Analysis of the compromised tags indicated that attackers substituted Trivy's legitimate dependencies with malicious replacements designed to execute code within the CI/CD runner environment. The goal was access to secrets — API tokens, cloud credentials, signing keys, and other sensitive values that developers routinely pass into pipelines.

A compromised Trivy action running in a GitHub Actions workflow has access to whatever the workflow has access to, which in many organizations includes production deployment credentials, cloud provider authentication, artifact signing keys, and source code repositories. The potential blast radius of a single exfiltration can cascade into cloud infrastructure compromise, data breaches, and insertion of malicious code into production software.

Response and Broader Context

Aqua Security moved quickly once the compromise was confirmed, rotating credentials and restoring the legitimate code to all affected tags. The team advised all users to treat any pipeline that ran Trivy actions during the compromise window as potentially affected and to rotate all accessible secrets immediately.

The security community consensus: pin GitHub Actions to specific commit SHA hashes rather than mutable tag names. Tags can be force-pushed; commit hashes cannot be silently replaced without detection. This known best practice has seen lagging adoption, and this incident will likely accelerate organizational CI/CD policy changes. The attack is the latest entry in a lengthening list of supply-chain compromises targeting the open-source tooling that underpins modern software development — a trend that shows no sign of slowing.
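As an added example (not code from Aqua Security or from the original reporting), the following Python script audits a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow, the tag vX.Y.Z, the SHA value and example-org/example-action are constructed placeholders.

```python
import re

# Capture the value of a step- or job-level `uses:` key, ignoring quotes and comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Constructed sample workflow; the tag vX.Y.Z and the SHA are placeholders, not real refs.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Scan
        uses: aquasecurity/trivy-action@vX.Y.Z
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action@0123abc
"""

def classify(target):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if target.startswith("./"):
        return "local"  # lives in the same repository as the workflow itself
    if target.startswith("docker://"):
        # An image digest is content-addressed; an image tag can be repointed.
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.rpartition("@")
    # Tags, branches and abbreviated SHAs are all treated as mutable.
    if sep and FULL_SHA_RE.match(ref):
        return "pinned"
    return "mutable"

def audit(workflow_text):
    """Return (line number, reference) for every reference that can be repointed."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run over every file under .github/workflows, a non-empty result can fail the build so that tag-based references are caught at review time.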

This article is based on reporting by Ars Technica.