Trivy, Aqua Security's open-source vulnerability scanner, was compromised on March 19, 2026. Version 0.69.4 contained malicious code capable of stealing credentials from GitHub Secrets, and the trivy-action and trivy-setup GitHub Actions were also affected. The Apache Software Foundation (ASF) reports that a small number of ASF projects use the trivy GitHub Action in their build workflows. In response, ASF Infrastructure and Security disabled all previously allowed 'verified creator' actions pending investigation, which may cause build failures. Projects needing to re-enable actions must go through the Infra GHA approval process. An investigation is ongoing to determine if any ASF project secrets or Git repositories were compromised.
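A first step for any project affected by an advisory like this is to find every workflow that references the named actions and see how each reference is pinned. The following is an added example, not ASF tooling or Aqua Security code: it scans GitHub workflow text for `uses:` lines, singles out the Trivy actions the advisory names, and reports whether each is pinned to a full commit SHA (immutable) or to a tag or branch (mutable, so a compromised release could have been pulled in). The GitHub path `aquasecurity/trivy-action` is the real action; the path assumed for the "trivy-setup" action is a placeholder, and the sample workflow is constructed for the example.

```python
import re
from typing import Dict, List

# Actions named in the advisory. "aquasecurity/trivy-action" is the real path;
# the path for the "trivy-setup" action is an ASSUMPTION (the advisory gives only the name).
TRIVY_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/trivy-setup"}

# Matches "uses: owner/repo@ref" whether or not the line starts a list item or quotes the value.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-helper
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""


def parse_uses(workflow_text: str) -> List[Dict[str, str]]:
    """Return every upstream `uses:` reference as {'action', 'ref', 'pin'}.

    pin is 'sha' for a 40-hex commit, 'mutable' for a tag/branch, 'none' when no ref is given.
    Local (./...) and docker:// references are skipped: they have no upstream ref to assess.
    """
    results = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        if FULL_SHA_RE.match(ref):
            pin = "sha"
        elif ref:
            pin = "mutable"
        else:
            pin = "none"
        results.append({"action": action, "ref": ref, "pin": pin})
    return results


def find_trivy_uses(workflow_text: str) -> List[Dict[str, str]]:
    """Only the references to the actions named in the advisory."""
    return [u for u in parse_uses(workflow_text) if u["action"].lower() in TRIVY_ACTIONS]


def workflow_findings(workflow_text: str) -> List[str]:
    """Human-readable review items, one per Trivy action reference."""
    findings = []
    for use in find_trivy_uses(workflow_text):
        if use["pin"] == "sha":
            findings.append(
                f"{use['action']} pinned to commit {use['ref'][:12]}: "
                "confirm this commit predates the compromise before re-enabling"
            )
        else:
            findings.append(
                f"{use['action']}@{use['ref'] or '<no ref>'} is a mutable reference: "
                "it may have resolved to the compromised release; review before re-enabling"
            )
    return findings


if __name__ == "__main__":
    for line in workflow_findings(SAMPLE_WORKFLOW):
        print(line)
```

Run it over the `.github/workflows/*.yml` files of each repository (read the file and pass its text to `workflow_findings`); a SHA pin is only as good as the commit it points to, so even pinned references still need the commit checked against the compromise window the investigation establishes.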