
[fix][sec] Upgrade Trivy GitHub Action to 0.35.0#25372

Open
merlimat wants to merge 3 commits into apache:master from merlimat:fix/upgrade-trivy-action

Conversation

@merlimat
Contributor

Motivation

The aquasecurity/trivy-action repository was compromised in a supply chain attack where an attacker force-pushed malicious payloads to 75 out of 76 version tags. Version 0.35.0 is the first safe release after the incident.

References:

Modifications

Upgrade aquasecurity/trivy-action from 0.26.0 to 0.35.0 in CI workflow.

Documentation

  • doc-not-needed

Matching PR in forked repository

No response

Label checklist

  • ready-to-test
  • area/test

The trivy-action repository was compromised in a supply chain attack
where an attacker force-pushed malicious payloads to 75 out of 76
version tags.

References:
- aquasecurity/trivy-action#541
- https://github.com/aquasecurity/trivy-action/releases/tag/v0.35.0
- https://github.com/aquasecurity/trivy/discussions/10265
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Mar 20, 2026
@merlimat merlimat requested a review from lhotari March 20, 2026 16:15
@lhotari
Member

lhotari commented Mar 20, 2026

We need to get the action allowed by ASF in the https://github.com/apache/infrastructure-actions repository first. I created apache/infrastructure-actions#546 to handle that. After that, we could use aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1.
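The mitigation the comment above relies on is pinning the action to a full commit SHA instead of a version tag, since tags can be force-pushed but a commit hash cannot be moved. The following checker is an added example (not Pulsar's or trivy-action's code) that flags `uses:` references in a workflow that are still pinned to a mutable ref; the workflow text it scans is constructed for illustration.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re

# Matches a `uses:` line and captures the action reference (constructed regex, not GitHub's parser).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"#\s]+)")
# A full 40-hex commit SHA is the only immutable ref for a repository action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: two tag-pinned steps, one SHA-pinned step, one local action.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.x
      - uses: ./.github/actions/local-step
"""


def classify(ref):
    """Return 'sha', 'digest', 'mutable', or 'local' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # lives in the same repository, reviewed with the code
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if version.startswith("sha256:"):
        return "digest"  # docker:// image pinned by content digest
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_number, ref) for every action pinned to a tag or branch."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) == "mutable":
            findings.append((lineno, m.group("ref")))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} uses a mutable ref; pin it to a full commit SHA")
```

Running it over the sample reports the `actions/checkout@v4` and `aquasecurity/trivy-action@0.35.0` steps and leaves the SHA-pinned `setup-qemu-action` step alone.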

@lhotari
Member

lhotari commented Mar 20, 2026

aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 is now approved. We could merge #25373 first and then enable trivy again. #25373 contains a required change to use docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392.

@lhotari
Member

lhotari commented Mar 21, 2026

Trivy was blocked again by ASF: apache/infrastructure-actions@b6d723b

@merlimat merlimat closed this Mar 23, 2026
@merlimat merlimat reopened this Mar 23, 2026
@lhotari
Member

lhotari commented Mar 23, 2026

@merlimat Trivy action is blocked by ASF. It was first approved, but after that it was blocked by apache/infrastructure-actions@b6d723b . I don't know the reason for this (yet). I'll request it again.

@lhotari
Member

lhotari commented Mar 23, 2026

Co-authored-by: Lari Hotari <lhotari@users.noreply.github.com>
@lhotari
Member

lhotari commented Mar 23, 2026

Waiting for apache/infrastructure-actions#573 to be approved and merged.

@lhotari
Member

lhotari commented Mar 24, 2026

I created https://github.com/lhotari/sandboxed-trivy-action so that we would be able to harden the security and continue to use trivy. I'm testing it in lhotari#219.
One option is to include it in https://github.com/apache/pulsar-test-infra so that we could immediately start using it.
