Trivy, the widely used open-source scanner for container images and filesystems, has been compromised again with the release of version v0.69.4. It is the second incident in a month, which points to a serious weakness in the project's build and distribution pipeline rather than a one-off mistake. Malicious code embedded in this build can undermine the very checks users rely on it for (silent false negatives) and may execute arbitrary commands on the systems that run it, so any host or CI runner that executed it should be treated as potentially compromised and any scan results it produced as unreliable until re-run with a clean build. Because Trivy sits inside CI/CD pipelines through the aquasecurity/setup-trivy and aquasecurity/trivy-action GitHub Actions, a single bad release reaches every organization whose workflows resolve to it. Engineers and sysadmins should verify which Trivy build is installed, remove v0.69.4 wherever it appears, and move to a verified version.
Affected components:
- Trivy v0.69.4 (binary releases and the container image tag for that version)
- GitHub Action aquasecurity/setup-trivy (installs a Trivy release into the workflow)
- GitHub Action aquasecurity/trivy-action (installs and runs a Trivy release as a workflow step)
Remediation:
- Remove Trivy v0.69.4 from every host: `sudo apt-get remove trivy` if it came from the apt repository, the equivalent for your package manager, or delete the binary (for example the one the install script drops into /usr/local/bin) if it was installed from a release archive.
- Install a clean version from a verified source. The project's installer, `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.69.5`, pins the version but still pipes a script from the same repository into a shell; after a pipeline compromise, prefer downloading the release archive and comparing its SHA-256 (`sha256sum`) against the checksums file published with the release before unpacking it.
- Verify the result with `trivy -v` and confirm the reported version is not 0.69.4. Check the binary on every host and runner image, not only the machine you reinstalled on.
- Review CI/CD workflows that use aquasecurity/setup-trivy or aquasecurity/trivy-action: pin each `uses:` to a full commit SHA rather than a tag (a tag can be moved to a malicious commit, a 40-character SHA cannot be retargeted), and set an explicit, known-clean Trivy version through the action's version input where it offers one instead of letting it resolve "latest".
The compromise also reaches homelab stacks that run Trivy as a Docker image for scheduled scanning. Note that `.trivy.yaml` configures scan options, not which build runs; the version is selected by the image tag in your docker-compose or Kubernetes manifests. Review those for `trivy:0.69.4` and for floating tags such as `latest`, pin a known-clean tag (or, better, an image digest), and re-pull.
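The following script is an added example, not code from the advisory or from the Trivy project. It turns the remediation steps above and the image-tag review into repeatable checks: it inspects the `trivy` binary on PATH, flags workflow lines that reference the two Trivy actions by a movable tag instead of a full commit SHA, flags compose or manifest lines that pull the affected image tag, and verifies a downloaded file against an expected SHA-256. It assumes `trivy -v` prints `Version: X.Y.Z` on its first line and that the affected image tag ends in `trivy:0.69.4`; the sample workflow and compose files it creates are constructed for illustration and belong to no real repository.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or the Trivy project): audit a host and
# a checkout for the affected Trivy build. Assumptions: `trivy -v` prints
# "Version: X.Y.Z" first, and the affected image tag ends in "trivy:0.69.4".

BAD_VERSION="0.69.4"

# is_bad_version "<trivy -v output>": succeeds only if the reported version is
# the affected one. A leading "v" is tolerated.
is_bad_version() {
  local ver
  ver=$(printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*v\{0,1\}//p' | head -n1)
  [ "$ver" = "$BAD_VERSION" ]
}

# check_installed_binary: report the trivy on PATH; fail if it is the bad build.
check_installed_binary() {
  local bin out
  bin=$(command -v trivy 2>/dev/null) || { echo "trivy: not on PATH"; return 0; }
  out=$("$bin" -v 2>/dev/null)
  if is_bad_version "$out"; then
    echo "FAIL $bin reports $BAD_VERSION; remove it and reinstall a verified build"
    return 1
  fi
  echo "ok   $bin: $(printf '%s\n' "$out" | head -n1)"
}

# find_unpinned_action_refs <workflow.yml>: print `uses:` lines for the two Trivy
# actions that are referenced by a tag or branch. A tag can be force-pushed to a
# malicious commit; a 40-hex commit SHA cannot be retargeted.
find_unpinned_action_refs() {
  grep -nE 'uses:[[:space:]]*aquasecurity/(setup-trivy|trivy-action)@' "$1" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# find_bad_image_tags <compose-or-manifest.yml>: print image lines pulling the
# affected tag from any registry (aquasec/trivy, ghcr.io/aquasecurity/trivy, ...).
find_bad_image_tags() {
  grep -nF "trivy:${BAD_VERSION}" "$1" || true
}

# sha256_matches <file> <expected-hex>: succeeds if the file's SHA-256 equals the
# expected digest, e.g. one copied from the release's checksums file.
sha256_matches() {
  local actual
  actual=$( (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# audit_tree <dir>: run both file checks over every YAML file under <dir>;
# returns 1 if anything was flagged.
audit_tree() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -print | {
    rc=0
    while IFS= read -r f; do
      hits=$(find_unpinned_action_refs "$f"; find_bad_image_tags "$f")
      if [ -n "$hits" ]; then
        printf 'FAIL %s\n%s\n' "$f" "$hits"
        rc=1
      fi
    done
    exit "$rc"
  }
}

# make_samples: write constructed sample files (not from any real repository)
# into a temp dir and print its path. One action ref is pinned by SHA, one by tag;
# one image tag is the affected one.
make_samples() {
  local d
  d=$(mktemp -d)
  cat > "$d/scan.yml" <<'EOF'
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
        with:
          version: v0.69.5
EOF
  cat > "$d/compose.yml" <<'EOF'
services:
  scanner:
    image: aquasec/trivy:0.69.4
  scanner-fixed:
    image: ghcr.io/aquasecurity/trivy:0.69.5
EOF
  printf 'hello\n' > "$d/hello.txt"   # known SHA-256 for the checksum check
  echo "$d"
}

# Run the checks only when a directory is given:  bash trivy-audit.sh .
if [ "$#" -gt 0 ]; then
  check_installed_binary
  audit_tree "$1"
fi
```

Run it against a checkout with `bash trivy-audit.sh .`; a non-zero exit means something was flagged and the output lists the file and offending lines. The SHA pin check is deliberately strict: a ref that is anything other than 40 hex characters is reported, so `@v1` and `@main` both fail.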