ashishkurmi opened a new issue, #25382: URL: https://github.com/apache/pulsar/issues/25382
### Compromised `aquasecurity/trivy-action` detected — potential secret leak (`DEVELOCITY_ACCESS_KEY`)

Our automated platform at [StepSecurity](https://www.stepsecurity.io) has detected that this repository used a **compromised version of `aquasecurity/trivy-action`** in its GitHub Actions workflows during the recent Trivy incident. Our analysis shows that the impacted workflow job had access to secrets (`DEVELOCITY_ACCESS_KEY`) that **may have been leaked** during the compromised run. I have also manually confirmed that the affected workflow run(s) indeed used the compromised action.

#### What happened?

The `aquasecurity/trivy-action` GitHub Action was compromised, and a malicious version (`v0.69.4`) was published. Workflow runs in this repository executed a compromised SHA of this action, which may have exposed sensitive information such as secrets, environment variables, or build artifacts.

For more details on the incident, see [StepSecurity Blog: Trivy Compromised a Second Time](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release).

#### Compromised SHAs detected

- `aquasecurity/trivy-action@b7252377a3d82c73d497bfafa3eabe84de1d02c4` (v0.26.0)
- `aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1`

#### Secrets exposure assessment

Our analysis shows that the impacted workflow job (`Build Pulsar alpine docker image` in `pulsar-ci.yaml`) had access to the following secrets that **may have been leaked** during the compromised run:

| Secret Name | Description |
|------------|-------------|
| [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) | Develocity (Gradle Enterprise) access key |

#### Affected workflow runs

| # | Workflow Run | Build Log (compromised step) | Secrets Accessible |
|---|-------------|------------------------------|-------------------|
| 1 | [23330354895](https://github.com/apache/pulsar/actions/runs/23330354895) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23330354895/job/67861043672#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 2 | [23319540170](https://github.com/apache/pulsar/actions/runs/23319540170) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23319540170/job/67828310544#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 3 | [23319076147](https://github.com/apache/pulsar/actions/runs/23319076147) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23319076147/job/67827240522#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 4 | [23318725583](https://github.com/apache/pulsar/actions/runs/23318725583) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23318725583/job/67825747305#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |
| 5 | [23312714678](https://github.com/apache/pulsar/actions/runs/23312714678) | [View compromised action step](https://github.com/apache/pulsar/actions/runs/23312714678/job/67805723850#step:1:47) | [`DEVELOCITY_ACCESS_KEY`](https://github.com/apache/pulsar/blob/a8fa7800f0ccea9564b45c61b59cd213f1444549/.github/workflows/pulsar-ci.yaml#L217) |

#### Recommended actions

1. **Rotate the `DEVELOCITY_ACCESS_KEY` secret** immediately
2. Review the [compromised action step logs](#affected-workflow-runs) linked above for any signs of data exfiltration
3. Audit any systems that the compromised secret provides access to for unauthorized activity
4. Pin GitHub Actions to full-length commit SHAs to prevent future tag-based supply chain attacks

#### References

- [StepSecurity Blog: Trivy Compromised a Second Time](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
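A small audit script for the two checks the issue raises, finding `uses:` references that match the compromised SHAs listed above and flagging references that are not pinned to a full-length commit SHA (recommended action 4). This is an added example, not StepSecurity's or Pulsar's code; the sample workflow text is constructed and the `actions/setup-java` SHA in it is a placeholder, not a real commit.

```python
import re
import sys

# Compromised references listed in the report above (values copied from the issue text).
COMPROMISED_SHAS = {
    "aquasecurity/trivy-action": {"b7252377a3d82c73d497bfafa3eabe84de1d02c4"},
    "aquasecurity/setup-trivy": {"e6c2c5e321ed9123bda567646e2f96565e34abe1"},
}

# Matches `uses: owner/repo[/subpath]@ref`; local (./) and docker:// actions are not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*[\"']?([\w.-]+/[\w.-]+)(?:/[^@\s\"']+)?@([^\s\"']+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (action, ref, status) for every `uses:` reference in a workflow file."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        if ref in COMPROMISED_SHAS.get(action, set()):
            status = "COMPROMISED"   # a SHA named in the report: rotate secrets, review logs
        elif FULL_SHA_RE.match(ref):
            status = "pinned"        # full-length commit SHA, cannot be re-pointed like a tag
        else:
            status = "unpinned"      # tag or branch: a mutable reference
        findings.append((action, ref, status))
    return findings


# Constructed sample workflow; the actions/setup-java SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
      - uses: aquasecurity/trivy-action@b7252377a3d82c73d497bfafa3eabe84de1d02c4
      - uses: 'actions/setup-java@0123456789abcdef0123456789abcdef01234567'
"""

if __name__ == "__main__":
    # Audit the workflow files given on the command line, or the sample when none are given.
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in sources:
        for action, ref, status in audit_workflow(text):
            print(f"{status:12} {action}@{ref}")
```

Run it as `python audit.py .github/workflows/*.yaml` to check a real repository; any `COMPROMISED` line is a run whose secrets should be treated as exposed.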
