Compromised aquasecurity/setup-trivy detected — potential secret leak (DOCKERHUB_USERNAME, DOCKERHUB_TOKEN)
Our automated platform at StepSecurity has detected that this repository used a compromised version of aquasecurity/setup-trivy in its GitHub Actions workflows during the recent Trivy incident. Our analysis shows that the impacted workflow job had access to secrets (DOCKERHUB_USERNAME, DOCKERHUB_TOKEN) that may have been leaked during the compromised run. I have also manually confirmed that the affected workflow run(s) indeed used the compromised action.
What happened?
The aquasecurity/setup-trivy GitHub Action was compromised as part of the broader aquasecurity/trivy-action supply chain compromise, and a malicious version was published. Workflow runs in this repository executed a compromised SHA of this action, which may have exposed sensitive information such as secrets, environment variables, or build artifacts.
For more details on the incident, see StepSecurity Blog: Trivy Compromised a Second Time.
Compromised SHA detected
aquasecurity/setup-trivy@8afa9b9f9183b4e00c46e2b82d34047e3c177bd0 (v0.2.5)
Secrets exposure assessment
Our analysis shows that the impacted workflow job (ConfigBaker Image Matrix Build in container_maintenance.yml) had access to the following secrets that may have been leaked during the compromised run. This job logs into Docker Hub using docker/login-action with these credentials:
- DOCKERHUB_USERNAME
- DOCKERHUB_TOKEN
Affected workflow runs
Recommended actions
- Rotate the DOCKERHUB_TOKEN secret immediately
- Review Docker Hub access logs for the associated account for any unauthorized image pushes or pulls during and after the compromise window (2026-03-19 17:00 UTC to 2026-03-20 06:00 UTC)
- Review the compromised action step logs linked above for any signs of data exfiltration
- Pin GitHub Actions to full-length commit SHAs to prevent future tag-based supply chain attacks
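An added audit script, not part of the StepSecurity report or of this repository's own tooling, that scans workflow YAML for the compromised aquasecurity/setup-trivy SHA listed above and flags every action still referenced by a mutable tag or branch instead of a full-length commit SHA. The sample workflow embedded below is constructed for illustration and is not the repository's real container_maintenance.yml.

```python
import re

# Compromised SHA named in this issue (aquasecurity/setup-trivy v0.2.5).
COMPROMISED_REFS = {
    "aquasecurity/setup-trivy": {"8afa9b9f9183b4e00c46e2b82d34047e3c177bd0"},
}

# Matches `uses: owner/repo[/subpath]@ref` step lines in GitHub Actions workflow YAML.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([\w./-]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote `uses:` step in the workflow."""
    return USES_RE.findall(workflow_text)


def audit_workflow(workflow_text, compromised=COMPROMISED_REFS):
    """Classify each action reference as COMPROMISED, pinned (full SHA) or unpinned."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        if ref in compromised.get(action, set()):
            status = "COMPROMISED"
        elif FULL_SHA_RE.match(ref):
            status = "pinned"
        else:
            # A tag or branch resolves to whatever the publisher moves it to later.
            status = "unpinned"
        findings.append({"action": action, "ref": ref, "status": status})
    return findings


# Constructed sample workflow (hypothetical), mirroring the job shape described in the issue.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@8afa9b9f9183b4e00c46e2b82d34047e3c177bd0
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['status']:12} {f['action']}@{f['ref']}")
```

Run it over each file under .github/workflows to find both the compromised pin and any remaining tag-based references that the last recommended action asks you to replace with full SHAs.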
References