In the evolving landscape of cybersecurity threats, the concept of "trust" is both our greatest asset and our most significant vulnerability. Security teams and developers rely heavily on open-source tools to automate vulnerability scanning and secure their code. However, when those trusted tools are compromised, the very defenses we put in place can turn into vectors for attack.
Recently, Aqua Security’s popular vulnerability scanner, Trivy, was compromised for the second time in a month. This breach targeted GitHub Actions, specifically the aquasecurity/trivy-action and aquasecurity/setup-trivy repositories. Attackers hijacked 75 tags to inject malicious code designed to steal sensitive CI/CD secrets. For organizations using these tools, this isn't just a software bug; it is an active supply chain attack that requires immediate incident response and remediation.
Technical Analysis
This incident represents a classic yet sophisticated supply chain attack leveraging the trust model of GitHub Actions.
- Attack Vector: The attackers utilized a technique known as "tag hijacking." In Git, tags are often used to mark specific versions of software. The attackers managed to create or push malicious updates to 75 distinct tags within the Trivy GitHub Actions repositories.
- Mechanism: When CI/CD pipelines are configured to pull a specific version of an action (e.g., `uses: aquasecurity/trivy-action@v0.x.x`), they download the code associated with that tag. The hijacked tags contained tampered code that included a secret-stealing payload.
- Objective: The malicious code was designed to exfiltrate sensitive environment variables, specifically the `GITHUB_TOKEN` and other secrets, available to the GitHub Actions runner during execution. By stealing these tokens, attackers could potentially move laterally within the organization's GitHub infrastructure, access private repositories, or poison the supply chain further downstream.
- Affected Products: The breach specifically impacts:
  - `aquasecurity/trivy-action`
  - `aquasecurity/setup-trivy`
- Severity: The severity is Critical. Unlike a vulnerability that might allow a Denial of Service (DoS), this attack results in the theft of credentials (secrets), providing an attacker with high-privileged access to the victim's software development lifecycle.
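Because a tag is a movable pointer, one way to notice a hijacked tag is to keep a snapshot of `git ls-remote --tags` output for each action repository and compare later snapshots against it. The script below is an added example, not code from the original article or from Aqua Security; the function names and the SHA values in the sample snapshots are constructed for illustration.

```shell
#!/bin/bash
# Added example: diff two snapshots of `git ls-remote --tags <repo-url>` output
# and report tags that now resolve to a different commit.

# Reduce a snapshot to sorted "tag commit" pairs. An annotated tag is listed twice
# (tag object, then a peeled "^{}" line holding the commit); the peeled line wins.
resolve_tags() {
  awk '{
    ref = $2; sub("^refs/tags/", "", ref); n = length(ref)
    if (substr(ref, n - 2) == "^{}") peeled[substr(ref, 1, n - 3)] = $1
    else direct[ref] = $1
  }
  END { for (t in direct) print t, ((t in peeled) ? peeled[t] : direct[t]) }' "$1" | sort
}

# Print MOVED/NEW/GONE lines for every tag that differs between the baseline ($1)
# and the current snapshot ($2). Exit status is 1 when any drift is found.
tag_drift() {
  { resolve_tags "$1"; echo "---"; resolve_tags "$2"; } | awk '
    $0 == "---" { second = 1; next }
    !second     { old[$1] = $2; next }
    { seen[$1] = 1
      if (!($1 in old))       { print "NEW", $1, $2; drift = 1 }
      else if (old[$1] != $2) { print "MOVED", $1, old[$1], $2; drift = 1 } }
    END { for (t in old) if (!(t in seen)) { print "GONE", t, old[t]; drift = 1 }
          exit drift + 0 }'
}

# Constructed sample data: `sha X` prints a fake 40-character id made of one digit.
sha() { printf '%040d' 0 | tr 0 "$1"; }
SNAP=$(mktemp -d)
# Baseline: lightweight v1.0.0, annotated v1.1.0 (tag object 2..., commit 3...).
printf '%s\trefs/tags/%s\n' "$(sha 1)" v1.0.0 "$(sha 2)" v1.1.0 \
  "$(sha 3)" 'v1.1.0^{}' > "$SNAP/baseline"
# Current: v1.0.0 moved, v1.1.0 re-created on the same commit, v1.3.0 added.
printf '%s\trefs/tags/%s\n' "$(sha 9)" v1.0.0 "$(sha 5)" v1.1.0 \
  "$(sha 3)" 'v1.1.0^{}' "$(sha 6)" v1.3.0 > "$SNAP/current"
tag_drift "$SNAP/baseline" "$SNAP/current" || echo "tag drift detected"
```

A `MOVED` line for a release tag that was already published is the signal to hold workflow runs until the new commit has been reviewed.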
Defensive Monitoring
Detecting a supply chain attack requires visibility into both your codebase and your runtime environments. Below are scripts and queries to help your security team identify if your workflows have interacted with the compromised tags or if secrets are being exfiltrated.
1. Scan Workflows for Affected Action Usage (Bash)
This script scans your local repositories for references to the affected Aqua Security actions. It checks workflow files (*.yml, *.yaml) to see if they utilize the compromised actions.
```bash
#!/bin/bash
# Define the affected actions
AFFECTED_ACTIONS=("aquasecurity/trivy-action" "aquasecurity/setup-trivy")

# Find all workflow files
echo "Scanning for Aqua Security Trivy actions in GitHub workflows..."
find . -name ".github" -type d | while read -r dir; do
  workflow_dir="$dir/workflows"
  if [ -d "$workflow_dir" ]; then
    for action in "${AFFECTED_ACTIONS[@]}"; do
      if grep -rq "$action" "$workflow_dir"; then
        echo "[!] FOUND: $action referenced in $workflow_dir"
        grep -rn "$action" "$workflow_dir"
      fi
    done
  fi
done
echo "Scan complete."
```
2. Hunt for Potential Exfiltration via KQL (Microsoft Sentinel)
If you are ingesting GitHub Audit Logs or Windows/Linux Sysmon logs from your build runners into Microsoft Sentinel, use the following KQL query to detect suspicious outbound network connections or script execution related to the Trivy breach.
Note: This query looks for anomalous network connections from processes associated with CI/CD runners, which may indicate the payload beaconing out stolen secrets.
```kql
// Hunt for suspicious network traffic from build agents
// related to Trivy or GitHub Actions processes
DeviceNetworkEvents
| where Timestamp >= ago(7d)
// Filter for common runner processes (add the ".exe" names for Windows runners)
| where InitiatingProcessFileName in~ ("node", "bash", "powershell", "pwsh", "python")
    or InitiatingProcessCommandLine contains "trivy"
// Keep connections on non-standard ports, plus any successful outbound connection.
// DeviceNetworkEvents has no direction column; ActionType "ConnectionSuccess"
// marks connections that the device itself established.
| where RemotePort !in (80, 443, 22)
    or ActionType == "ConnectionSuccess"
// Exclude known legitimate GitHub domains (adjust based on your environment)
| where RemoteUrl !contains "github.com"
    and RemoteUrl !contains "githubusercontent.com"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| summarize count() by DeviceName, RemoteUrl, RemoteIP
| where count_ > 5 // Filter for repetitive beaconing
| sort by count_ desc
```
3. Verify GitHub Actions Logs (Bash/GH CLI)
If you have the GitHub CLI (gh) installed, you can inspect recent workflow runs to verify if any jobs utilized specific compromised tag versions (you will need to cross-reference the specific tags from the Aqua Security advisory).
```bash
#!/bin/bash
# List recent workflow runs for the current repo
echo "Fetching recent workflow runs..."
gh run list --limit 20 \
  --json databaseId,headBranch,conclusion,createdAt,event,name \
  --jq '.[] | "\(.databaseId) \(.name) \(.conclusion) \(.createdAt)"'

# Prompt user to inspect logs for a specific run ID
read -rp "Enter a Run ID to inspect for 'aquasecurity' setup steps: " RUN_ID
echo "Searching logs for 'aquasecurity' references in run $RUN_ID..."

# Note: This requires 'gh run view' and might require admin permissions depending on log retention
gh run view "$RUN_ID" --log | grep -i "aquasecurity" || echo "No references found in logs."
```
Remediation
To protect your organization and secure your CI/CD pipelines against this and future supply chain threats, implement the following remediation steps immediately:
- Identify and Rotate Exposed Secrets: Assume that any secrets available to the compromised workflows (`GITHUB_TOKEN`, AWS keys, Azure credentials, etc.) during the breach window have been stolen. Immediately rotate these credentials. Do not simply disable the compromised action; the secrets may already be in the hands of the attacker.
- Update to Patched Versions: Update your GitHub Actions workflows to point to the latest, verified, patched versions of `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`. Check the [Aqua Security GitHub repository](https://github.com/aquasecurity) for the latest release announcements and specific commit hashes.
- Pin Actions to Commit SHAs: To prevent future tag-hijacking attacks, pin your GitHub Actions to a specific full-length commit SHA (Secure Hash Algorithm) rather than a tag (e.g., `v0.1.0`) or a branch (e.g., `main`). This ensures that even if an attacker pushes a malicious tag, your pipeline will continue to execute the known-good code.

  Bad Practice:

  ```yaml
  - uses: aquasecurity/trivy-action@master
  ```

  Good Practice:

  ```yaml
  - uses: aquasecurity/trivy-action@8f4b7ac46d1234567890abcdef1234567890abcdef
  ```

- Audit Workflow Permissions: Review the permissions granted to your GitHub Actions (`contents: read`, `issues: write`, etc.). Apply the principle of least privilege. Ensure that workflows scanning images do not have write access to the repository unless absolutely necessary.
- Implement Dependency Pinning in Code: Extend the practice of pinning to your application dependencies as well. Use lock files (e.g., `package-lock.json`, `yarn.lock`, `requirements.txt`) to ensure reproducible builds.
- Enable Required Checks: Configure branch protection rules to require status checks from security tools. While this doesn't prevent the tool itself from being malicious, it adds a layer of governance that can be paused if a vendor breach is announced.
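The pinning and permissions items above can be checked mechanically. The following audit is an added example, not code from the original article or from Aqua Security: `audit_workflow` is a hypothetical helper name, and the sample workflow, including its all-zero placeholder SHA, is constructed.

```shell
#!/bin/bash
# Added example: flag `uses:` references that are not pinned to a full 40-character
# commit SHA, and workflow files that declare no `permissions:` block at any level.

# Prints one finding per line; exit status is 1 when there is at least one finding.
# Local actions (./path) and docker:// references are skipped.
audit_workflow() {
  awk -v f="$1" '
    /^[ \t]*permissions:/ { has_perm = 1 }
    /^[ \t-]*uses:/ {
      ref = $0
      sub(/^[ \t-]*uses:[ \t]*/, "", ref)    # drop the key and list marker
      sub(/[ \t]*#.*$/, "", ref)             # drop a trailing "# vX.Y.Z" comment
      gsub(/["\047 \t]/, "", ref)            # drop quotes and stray whitespace
      if (ref ~ /^\.\// || ref ~ /^docker:/) next
      # Pinned means: everything after "@" is exactly 40 lowercase hex characters.
      if (ref !~ /@[0-9a-f]+$/ || length(ref) - index(ref, "@") != 40) {
        print "UNPINNED " f ":" FNR ": " ref; bad = 1
      }
    }
    END { if (!has_perm) { print "NO-PERMISSIONS " f; bad = 1 }
          exit bad + 0 }' "$1"
}

# Constructed sample workflow (not taken from any real repository).
WF=$(mktemp)
cat > "$WF" <<'EOF'
name: image-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - uses: aquasecurity/setup-trivy@v0.x.x
      - name: Scan
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
EOF
audit_workflow "$WF" || echo "findings above need review"
```

A workflow with no `permissions:` key runs with whatever default token scope the repository or organization has configured, which is why its absence is reported as a finding.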
The Trivy breach serves as a stark reminder that security is a continuous process, not a product. By monitoring your supply chain, pinning your dependencies, and preparing for rapid credential rotation, you can transform these incidents from catastrophic breaches into manageable security events.