Compromised aquasecurity/trivy-action detected in GitHub Actions workflows

### Compromised `aquasecurity/trivy-action` detected — potential secret leak (`DEVELOCITY_ACCESS_KEY`)

Our automated platform at [StepSecurity](https://www.stepsecurity.io) has detected that this repository used a **compromised version of `aquasecurity/trivy-action`** in its GitHub Actions workflows during the recent Trivy incident. Our analysis shows that the impacted workflow job had access to secrets (`DEVELOCITY_ACCESS_KEY`) that **may have been leaked** during the compromised run. I have also manually confirmed that the affected workflow run(s) indeed used the compromised action.

#### What happened?

The `aquasecurity/trivy-action` GitHub Action was compromised, and a malicious version (`v0.69.4`) was published. Workflow runs in this repository executed a compromised SHA of this action, which may have exposed sensitive information such as secrets, environment variables, or build artifacts.

For more details on the incident, see [StepSecurity Blog: Trivy Compromised a Second Time](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release).

#### Compromised SHAs detected

- `aquasecurity/trivy-action@b7252377a3d82c73d497bfafa3eabe84de1d02c4` (v0.26.0)
- `aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1`

#### Secrets exposure assessment

Our analysis shows that the impacted workflow job (`Build Pulsar alpine docker image` in `pulsar-ci.yaml`) had access to the following secrets that **may have been leaked** during the compromised run:

| Secret Name | Description |
|------------|-------------|
| [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) | Develocity (Gradle Enterprise) access key |

#### Affected workflow runs

| # | Workflow Run | Build Log (compromised step) | Secrets Accessible |
|---|-------------|------------------------------|-------------------|
| 1 | [23330354895](https://github.com/apache/pulsar/actions/runs/23330354895) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23330354895/job/67861043672#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 2 | [23319540170](https://github.com/apache/pulsar/actions/runs/23319540170) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23319540170/job/67828310544#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 3 | [23319076147](https://github.com/apache/pulsar/actions/runs/23319076147) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23319076147/job/67827240522#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 4 | [23318725583](https://github.com/apache/pulsar/actions/runs/23318725583) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23318725583/job/67825747305#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 5 | [23312714678](https://github.com/apache/pulsar/actions/runs/23312714678) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23312714678/job/67805723850#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |

#### Recommended actions

1. **Rotate the `DEVELOCITY_ACCESS_KEY` secret** immediately
2. Review the [compromised action step logs](#affected-workflow-runs) linked above for any signs of data exfiltration
3. Audit any systems that the compromised secret provides access to for unauthorized activity
4. Pin GitHub Actions to full-length commit SHAs to prevent future tag-based supply chain attacks

#### References

- [StepSecurity Blog: Trivy Compromised a Second Time](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Compromised aquasecurity/trivy-action detected in GitHub Actions workflows #25382

Compromised `aquasecurity/trivy-action` detected — potential secret leak (`DEVELOCITY_ACCESS_KEY`)

What happened?

Compromised SHAs detected

Secrets exposure assessment

Affected workflow runs

Recommended actions

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

#	Workflow Run	Build Log (compromised step)	Secrets Accessible
1	23330354895	View compromised action step	`DEVELOCITY_ACCESS_KEY`
2	23319540170	View compromised action step	`DEVELOCITY_ACCESS_KEY`
3	23319076147	View compromised action step	`DEVELOCITY_ACCESS_KEY`
4	23318725583	View compromised action step	`DEVELOCITY_ACCESS_KEY`
5	23312714678	View compromised action step	`DEVELOCITY_ACCESS_KEY`

Compromised aquasecurity/trivy-action detected in GitHub Actions workflows #25382

Description

Compromised aquasecurity/trivy-action detected — potential secret leak (DEVELOCITY_ACCESS_KEY)

What happened?

Compromised SHAs detected

Secrets exposure assessment

Affected workflow runs

Recommended actions

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Compromised `aquasecurity/trivy-action` detected — potential secret leak (`DEVELOCITY_ACCESS_KEY`)