
fix: update composite action to remediate Trivy supply chain attack #126

Merged
derrix060 merged 2 commits into NethermindEth:main from abdul-abdi:fix/trivy-supply-chain-remediation
Mar 24, 2026

Conversation


@abdul-abdi abdul-abdi commented Mar 23, 2026

Summary

Updates the github-action-image-build-and-push composite action reference to remediate the March 19 Trivy supply chain attack.

What happened

On March 19, 2026, a threat actor force-pushed 75 of 76 tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy to credential-stealing malware. The current composite action ref (b59fa5c2) uses trivy-action@e368e328 (v0.34.1), which is one of the compromised versions. This causes all Docker image builds using this reusable workflow to fail when the Trivy binary cache is cold.

The fix

The composite action at fefef12a (March 11 Dependabot bump) already updated to trivy-action@57a97c7e (v0.35.0) — the recommended safe version, protected by GitHub's immutable releases feature.

- uses: NethermindEth/github-action-image-build-and-push@b59fa5c2f2416973d34123c7cac63965209ed492
+ uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161
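Review bot: The description shows the ref bump for one workflow only, while the review thread on .github/workflows/docker-build-push-jfrog.yaml says the same trivy-action v0.35.0 remediation was applied to the DockerHub build workflow as well; listing both changed files here (or showing both hunks) would make the scope of the change clear to anyone pinning to v1.11.5. Both the old and new refs are full 40-character commit SHAs, which matches the SHA-pinning rule (githubactions:S7637) cited in the merge order; since the attack worked by force-pushing tags, it is worth confirming in the same pass that the `uses:` for trivy-action inside fefef12a is also a full SHA rather than a tag, not just the short 57a97c7e prefix quoted below.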

Verified dependency chain

| Layer | SHA | Version | Status |
|---|---|---|---|
| trivy-action | 57a97c7e | v0.35.0 | Safe — immutable release, not compromised |
| setup-trivy | e6c2c5e3 | v0.2.4 | Safe — SHA-pinned inside trivy-action |
| composite action | fefef12a | latest | Uses safe trivy-action v0.35.0 |

Impact

  • All repos using docker-build-push-jfrog.yaml with Trivy scanning enabled are affected
  • yokai-dash dev image builds have been failing since March 19 (~3 weeks)

Merge order

This is PR 1 of 2. Follow this sequence:

  1. Merge this PR (fix: update composite action to remediate Trivy supply chain attack #126)
  2. Tag the merge commit as v1.11.5:
    git tag v1.11.5 && git push origin v1.11.5
  3. Share the tag's full commit SHA — PR 2 (yokai-dash#2317) will pin to this SHA instead of the tag, per SonarCloud supply chain hardening (githubactions:S7637):
    gh api repos/NethermindEth/github-workflows/git/refs/tags/v1.11.5 --jq '.object.sha'
  4. Merge PR 2 — NethermindEth/yokai-dash#2317 (will be updated to use the full SHA)

Test plan

  • Composite action SHA fefef12a2baef6d339fb4b244b4cd45c40146161 exists and resolves
  • Composite action uses trivy-action@57a97c7e (v0.35.0 — confirmed safe)
  • trivy-action v0.35.0 internally uses setup-trivy@e6c2c5e3 (v0.2.4 — SHA-pinned, safe)
  • v0.35.0 tag confirmed as immutable release (created March 4, before March 19 attack)
  • All existing workflow inputs remain backward-compatible (no breaking changes)
  • After merge + tag: yokai-dash build jobs pass (verified via PR 2)

References

The March 19, 2026 Trivy supply chain attack (GHSA-69fq-xp46-6x23)
force-pushed 75 of 76 tags in aquasecurity/trivy-action to
credential-stealing malware. The composite action at b59fa5c2 uses
trivy-action v0.34.1 (compromised).

The composite action at fefef12a (March 11 Dependabot bump) uses
trivy-action v0.35.0 (SHA 57a97c7e), which is the recommended safe
version — protected by GitHub's immutable releases feature.

Ref: GHSA-69fq-xp46-6x23
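As an added example (not code from this PR or from the NethermindEth repositories), the following POSIX shell script performs the kind of check the test plan above describes: it walks every `uses:` reference in a workflow or composite-action file, reports refs pinned to a tag instead of a full 40-hex commit SHA (tags are what the March 19 force-push rewrote), and flags refs that begin with the compromised trivy-action commit prefix quoted in the description (e368e328). The workflow file it reads is constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit `uses:` pins in a GitHub Actions workflow or composite action.
# Not part of the PR or the project's code; file contents below are constructed.

# Known-compromised commit prefix quoted in the PR text (trivy-action v0.34.1).
# Extend this space-separated list from the advisory if more prefixes are known.
BAD_REFS="e368e328"

# Print the target of every `uses:` line (handles "- uses: x" and "uses: x",
# strips trailing comments; quoted values are not handled in this example).
list_uses_refs() {
    sed -nE 's/^[[:space:]-]*uses:[[:space:]]*([^[:space:]#]+).*/\1/p' "$1"
}

# Classify one `uses:` target. Prints exactly one verdict:
#   OK          full 40-hex commit SHA, not on the bad list
#   LOCAL       action in this repository (./path), no ref to pin
#   DOCKER      docker:// image reference, pinned by image digest elsewhere
#   BAD_REF     ref starts with a known-compromised commit prefix
#   TAG_PIN     ref is a tag or branch name, can be moved by a force-push
#   MISSING_REF no @ref at all
# Returns 0 for OK/LOCAL/DOCKER and 1 for the rest.
classify_ref() {
    target="$1"
    case "$target" in
        ./*)        echo LOCAL;  return 0 ;;
        docker://*) echo DOCKER; return 0 ;;
        *@*)        ;;
        *)          echo MISSING_REF; return 1 ;;
    esac
    ref="${target##*@}"
    # Bad-prefix check runs first so that even a full SHA of a bad commit is caught.
    for bad in $BAD_REFS; do
        case "$ref" in
            "$bad"*) echo BAD_REF; return 1 ;;
        esac
    done
    if printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
        echo OK; return 0
    fi
    echo TAG_PIN; return 1
}

# Audit a file: prints "<verdict> <target>" per reference and returns the
# number of problem references (0 means every reference is acceptable).
audit_workflow() {
    problems=0
    for target in $(list_uses_refs "$1"); do
        verdict=$(classify_ref "$target")
        printf '%s %s\n' "$verdict" "$target"
        case "$verdict" in
            OK|LOCAL|DOCKER) ;;
            *) problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample workflow (not the project's real file). The trivy-action line
# uses the short compromised prefix from the PR text; a real pin would be the full
# SHA, which the prefix check flags just the same.
SAMPLE_WORKFLOW=$(mktemp)
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
# constructed sample
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@e368e328  # v0.34.1, compromised
      - uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
EOF

# Run the audit on the sample; the exit status is the number of problem refs.
audit_workflow "$SAMPLE_WORKFLOW" || echo "problem references: $?"
```

Running it against the sample prints one verdict per line and reports two problems: the tag-pinned `actions/checkout@v4` and the compromised `trivy-action@e368e328`. Pointing `audit_workflow` at each file under `.github/workflows/` (and at a checked-out copy of the composite action's `action.yml`) gives the same evidence the test plan collects by hand, and a non-zero return value is convenient as a CI gate.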
abdul-abdi force-pushed the fix/trivy-supply-chain-remediation branch from 2fb2df7 to 30e577d on March 23, 2026 21:06

@PraveenNethermind PraveenNethermind left a comment


lgtm

Comment thread .github/workflows/docker-build-push-jfrog.yaml
Same broken SHA — applies the same trivy-action v0.35.0 remediation
to the DockerHub build workflow.
@derrix060 derrix060 merged commit 619371e into NethermindEth:main Mar 24, 2026