[tractusx-dev] Trivy & Trivy
- From: Mathias Brunkow Moser <mathias.moser@xxxxxxxxxxxx>
- Date: Fri, 20 Mar 2026 14:19:05 +0000
- List-archive: <https://www.eclipse.org/mailman/private/tractusx-dev/>
Dear Eclipse Tractus-X Community,
We have disabled all the Trivy GitHub Actions.
There was an attack executed not long ago in Trivy version 0.69.4.
It can be found here:
Apparently it may affect us, so we as committers have decided to be cautious and disable all the Trivy workflows in GitHub until we can confirm whether we are affected or not. Please also check, if you have a "fork", whether you have executed it with this version or the trivy-action without the hash.
Here is the story:
Remember when we said you **must** put the commit hash in the workflow? THIS was one of the reasons why. However, we have identified that this rule was not followed in several repositories.
What we have not yet identified is whether we are affected (repositories which did not specify a hashed version) or whether there was a run of Trivy since Monday, executed via "trivy-action", which contained a version with malware.
We have identified that the following repositories are not using the "hashed" workflow version (and which may therefore have run a version with the malware since Monday):
We have checked most of them and it looks like it has not happened, but we still need to check more deeply.
Archived repos also have no hash, but they are out of scope:
So, this is a call for all committers NOT to enable their Trivy workflow GitHub Actions until we have sorted this out, discussed a way forward and estimated the impact.
Please make sure to update your workflows in the future to use the "hash" and not the "version" of a package, not only for Trivy. Example:
This way, if the tag is replaced by an attacker, they will still never be able to replace the git commit.
Please take a look at your forks and see if you are also affected in your organization, also internally, since the impact observed is that the GitHub Actions secrets may have been leaked.
Thank you to all the people who supported us and reported this vulnerability.
Stay safe,
Your Eclipse Tractus-X Project Leads
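The check the message asks committers to run on their repositories and forks, as an added example that is not part of the original mail and not Tractus-X project code: a small script that walks `.github/workflows/` and `.github/actions/*/action.yml`, extracts every `uses:` reference and reports the ones that resolve a mutable ref. Only a full 40-hex commit SHA (or, for `docker://` images, a `sha256:` digest) counts as pinned; release tags, branches and abbreviated SHAs are reported. The embedded workflow is a constructed sample; the action names, the `0.28.0` tag, the `example-org` reusable workflow and the all-zero SHA/digest are placeholders, not real pins.

```python
"""Report GitHub Actions `uses:` references that are not pinned to an immutable ref.

Added illustration, not project code. Run with a repository checkout as the
argument, or with no argument to scan the constructed sample below.
"""
import re
import sys
from pathlib import Path

# `uses:` appears in job steps (`- uses:`) and in reusable-workflow jobs (`uses:`);
# the value may be quoted and may be followed by a `# v4.1.0` style comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify(ref: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # lives in this repository, nothing is fetched
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        _, _, digest = image.partition("@")
        return "pinned" if DIGEST_RE.match(digest) else "unpinned"
    _, _, git_ref = ref.partition("@")
    # Tags and branches can be repointed upstream; an abbreviated SHA is not a
    # full pin either. Only a complete commit id cannot be silently replaced.
    return "pinned" if FULL_SHA_RE.match(git_ref) else "unpinned"


def find_uses(workflow_text: str) -> list[str]:
    """Every `uses:` value in a workflow or composite-action file, in order."""
    return [m.group(1) for line in workflow_text.splitlines()
            if (m := USES_RE.match(line))]


def unpinned(workflow_text: str) -> list[str]:
    return [ref for ref in find_uses(workflow_text) if classify(ref) == "unpinned"]


def scan_repo(root: Path) -> dict[str, list[str]]:
    """Map each workflow/composite-action file under root to its unpinned refs."""
    paths = list((root / ".github" / "workflows").glob("*.y*ml"))
    paths += list(root.glob(".github/actions/*/action.y*ml"))
    findings = {}
    for path in sorted(paths):
        bad = unpinned(path.read_text(encoding="utf-8"))
        if bad:
            findings[str(path.relative_to(root))] = bad
    return findings


# Constructed sample workflow (placeholder refs, not real pins).
SAMPLE_WORKFLOW = """\
name: trivy-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: aquasecurity/trivy-action@0.28.0        # release tag: mutable
      - uses: aquasecurity/trivy-action@master        # branch: mutable
      - uses: aquasecurity/trivy-action@0123456       # abbreviated SHA: not a full pin
      - uses: ./.github/actions/local-step            # local path: not fetched
      - uses: docker://ghcr.io/example/scanner:latest  # image tag: mutable
      - uses: docker://ghcr.io/example/scanner@sha256:0000000000000000000000000000000000000000000000000000000000000000
  reuse:
    uses: example-org/shared-ci/.github/workflows/scan.yml@main  # reusable workflow on a branch
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = scan_repo(Path(sys.argv[1]))
    else:
        result = {"<constructed sample>": unpinned(SAMPLE_WORKFLOW)}
    for path, refs in result.items():
        for ref in refs:
            print(f"{path}: {ref} is not pinned to a commit SHA or image digest")
    sys.exit(1 if any(result.values()) else 0)
```

To turn a reported tag into a pin, resolve it once with `git ls-remote --tags https://github.com/<owner>/<action> <tag>` (for an annotated tag take the peeled `^{}` line), put that SHA after the `@` and keep the tag name in a trailing comment. Pinning the action's commit only fixes the action's own code: anything the action downloads while it runs (a release binary, a container image, a vulnerability database) is a separate trust decision and needs its own pinned version or checksum.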