A number of elements backdoored
Trivy, developed by Aqua Safety, is without doubt one of the most generally used open-source vulnerability scanners, with over 32,000 GitHub stars and greater than 100 million Docker Hub downloads. Builders use it to detect vulnerabilities and uncovered secrets and techniques of their CI/CD pipelines and container photographs.
The attackers compromised three elements of the Trivy mission: trivy-action, the official GitHub Motion for operating Trivy scans in CI/CD workflows; setup-trivy, a helper motion for putting in the scanner; and the Trivy binary itself. Backdoored artifacts have been revealed to GitHub releases, Docker Hub, the GitHub Container Registry, and the Amazon Elastic Container Registry.
In accordance with Socket, 75 of 76 model tags in trivy-action have been overwritten with malicious code, together with seven tags in setup-trivy. The one unaffected trivy-action tag was model 0.35.0. The compromised tags embrace extensively used variations resembling 0.34.2, 0.33.0, and 0.18.0.
