Security Incident Report: aquasecurity/trivy-action Supply Chain Compromise (2026-03-19)

[CybotTM]

Security Incident Report: aquasecurity/trivy-action Supply Chain Compromise

Date of incident: 2026-03-19
Date of detection: 2026-03-19 (StepSecurity Harden-Runner)
Date of remediation: 2026-03-20 – 2026-03-21
Status: Resolved
Reference: netresearch/ofelia#535

---

1. Executive Summary

On March 19, 2026, the GitHub Action aquasecurity/setup-trivy was compromised via a tag force-push attack. Malicious code was injected that exfiltrated GitHub Actions runner memory (containing secrets) to an attacker-controlled domain. One workflow run in our org was affected. The exposure was limited to a short-lived, read-only GITHUB_TOKEN. No secret rotation was required.

In response, we hardened all 68 repositories across the netresearch GitHub organization with SHA-pinned actions, Dependabot configuration, and org-level enforcement — completing a comprehensive supply chain security overhaul within 48 hours.

---

2. Incident Details

2.1 What Happened

Detail	Value
Compromised action	aquasecurity/setup-trivy@v0.2.1 (tag force-pushed with malicious code)
Attack vector	Tag force-push — mutable tag references resolved to attacker-controlled code
Malicious behavior	Bundled runner worker memory into tarball, POST'd to scan.aquasecurtiy.org (typosquatted)
Compromise window	~18:07 – 18:11 UTC, March 19, 2026
Detection	StepSecurity Harden-Runner (audit mode) logged DNS resolution and outbound connection to 45.148.10.212:443
Reference	https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

2.2 Our Exposure

1 workflow run was compromised across the entire org:

Repo	Run	Branch	Time (UTC)	Evidence
netresearch/ofelia	#23309867575	main	2026-03-19 18:11	Malicious curl to scan.aquasecurtiy.org confirmed in logs

Root cause of exposure: The workflow used trivy-action@915b19b... (v0.28.0) which internally referenced setup-trivy@v0.2.1 by tag (not SHA). When the tag was force-pushed, the malicious code executed.

All other repos were protected because they used trivy-action@57a97c7... (v0.35.0) which SHA-pins setup-trivy internally.

2.3 Secrets Exposure Assessment

Secret	In scope?	Permissions	Risk
GITHUB_TOKEN	Yes	contents: read, security-events: write	Low — short-lived, read-only on public repo
secrets.GITLEAKS_KEY	No	Different job, different runner	None
Docker/GHCR credentials	No	Different job	None
Cosign/OIDC signing tokens	No	Different job	None
Org-level secrets	No	Not referenced in trivy job	None

Verdict: No secret rotation required. Verified no malicious SARIF uploads occurred.

---

3. Remediation Actions

3.1 Org-Level Enforcement

Setting	Before	After
sha_pinning_required	false	true

GitHub's org-level sha_pinning_required setting enforces that all GitHub Actions must be referenced by immutable commit SHA. Reusable workflows (@main, @tag) are explicitly exempt from this enforcement, allowing internal shared workflows to continue using branch references.

3.2 Repository Hardening

81 pull requests were created across the org:

Category	Count
Merged	71
Closed (forks not maintained)	9
Auto-merge pending	1

Merged PRs (71)

Repository	PR	Additional fixes
composer-patches-plugin	#69	—
concourse-ci-skill	#13	—
context7-skill	#16	—
data-tools-skill	#6	—
dcind	#6	—
docker-development-skill	#12	—
docker-ftp-server	#80, #81	Initial trivy pin + full hardening
docker-mariadb	#26	—
docker-validator-w3c	#108	Merge conflict resolved
enterprise-readiness-skill	#31	—
file-search-skill	#6	—
git-workflow-skill	#20	—
github-project-skill	#40	—
go-cron	#348	Updated trivy-action v0.31→v0.35 (v0.31 had unpinned internal deps)
go-development-skill	#23	—
ldap-manager	#502	Fixed go.sum for templ v0.3.1001 transitive deps
maint	#16	—
matrix-skill	#16	—
molecule_http_docker_demo	#27	—
moodle-docker	#28, #29	Initial trivy pin + full hardening
netresearch-branding-skill	#17	—
netresearch.github.io	#13	—
node-magento-eqp	#503	Branch updated
node-red-contrib-magento-eqp	#373	Branch updated
nr-landingpage	#2	PHPStan fixes, CGL fixes, functional test fix (missing setUpBackendUser)
ofelia	#536	—
pagerangers-skill	#20	—
php-modernization-skill	#20	—
pipeline-factory	#20	—
postdirekt-autocomplete-monorepo	#132	—
raybeam	#174	—
sdk-api-central-station	#18	Pinned unpinned actions in workflow
sdk-eu-vat	#18	Pinned unpinned actions, bumped phpunit for CVE-2026-24765
skill-repo-skill	#35	—
t3x-cowriter	#109	—
t3x-nr-image-optimize	#44	PHPStan fixes, migrated to shared PHP-CS-Fixer config
t3x-nr-image-sitemap	#29	Migrated to shared PHP-CS-Fixer config, added labeler.yml, fixed allow-plugins
t3x-nr-saml-auth	#76	Added labeler.yml
t3x-nr-temporal-cache	#57	TYPO3 v12/v13/v14 compat (IconSize), PHPStan fixes, missing translation key, functional test fixes
t3x-nr-textdb	#88	Migrated to shared PHP-CS-Fixer config, added labeler.yml
t3x-nr-xliff-streaming	#7	Added labeler.yml
t3x-scheduler	#26	Removed strict_types from ext_emconf.php, Rector fix (ThrowWithPreviousExceptionRector), inlined CGL config for TYPO3 12 compat
t3x-sync	#37	Removed strict_types from ext_emconf.php, migrated CGL config, inlined for TYPO3 12 compat
t3x-universal-messenger	#37	Migrated to shared PHP-CS-Fixer config, added labeler.yml
terraform-provider-ad	#11	—
timetracker	#265	—
ttefsl	#49	—
typo3-ci-workflows	#28	—
typo3-ckeditor5-skill	#15	—
typo3-conformance-skill	#26	—
typo3-core-contributions-skill	#13	—
typo3-ddev-skill	#22	—
typo3-docs-ci-workflows	#2	—
typo3-docs-skill	#27	—
typo3-extension-upgrade-skill	#15	—
typo3-project-upgrade-skill	#2	Trimmed SKILL.md, fixed plugin.json, composer.json license
typo3-testing-skill	#30	—
typo3-typoscript-ref-skill	#3	Dual license migration, README markdown lint, ruff formatting
agent-rules-skill	#20	Condensed SKILL.md to 447 words
ansible-role-gitlab-runner	#10	—
ansible-role-monitoring-server	#45	Replaced ansible-lint action with direct pip install
ansible_role_client_base	#95	Pinned remaining unpinned actions, added .yamllint.yml
ansible_role_docker_containers	#13, #14	Fixed molecule DinD with storage-driver: vfs
assetpicker	#54	—
automated-assessment-skill	#15	—
claude-coach-plugin	#14	Created composer.json, fixed plugin.json, 48 ruff fixes
cli-tools-skill	#17	—
composer-agent-skill-plugin	#31	—
composer-audit-responsibility	#9	—

Closed PRs (9 — forks not maintained)

Repository	PR	Reason
containers	#1	Fork of bitnami/containers
docker-node-webserver	#18	Fork of tobilg/docker-mini-webserver
guides	#2	Fork of phpDocumentor/guides
matrix-docker-ansible-deploy	#1	Fork of spantaleev/matrix-docker-ansible-deploy
news_importicsxml	#1	Fork of georgringer/news_importicsxml
orocommerce	#1	Fork of mollie/orocommerce
pforum	#2	Fork of jweiland-net/pforum
typo3-mcp-server	#4	Fork, upstream PRs only
codesnippet	#5	Fork, not maintained

3.3 Additional Fixes (resolved during hardening)

Beyond SHA-pinning and Dependabot, the following pre-existing issues were discovered and fixed:

Issue	Repos affected	Fix
ext_emconf.php with declare(strict_types=1)	t3x-scheduler, t3x-nr-image-sitemap, t3x-sync	Removed — TER cannot parse it
Local PHP-CS-Fixer config not excluding ext_emconf.php	t3x-nr-image-sitemap, t3x-sync, t3x-nr-textdb, t3x-scheduler, t3x-nr-image-optimize, t3x-universal-messenger	Migrated to shared config from typo3-ci-workflows
Missing .github/labeler.yml	9 t3x-* repos	Added standard labeler config
CVE-2026-24765 in phpunit	sdk-eu-vat	Bumped phpunit to ^10.5.62
TYPO3 v12/v13/v14 IconSize compat	t3x-nr-temporal-cache	Added class_exists fallback
Missing translation key causing functional test failures	t3x-nr-temporal-cache	Added button.view_content to locallang
Functional tests missing backend user setup	nr-landingpage	Added setUpBackendUser(1)
Rector: ThrowWithPreviousExceptionRector	t3x-scheduler	Passed $exception as previous
Docker-in-Docker overlay mount failure	ansible_role_docker_containers	Switched inner Docker to vfs storage driver
typo3-ci-workflows composer dep incompatible with TYPO3 12	t3x-scheduler, t3x-sync	Inlined CGL config, pinned phpstan-typo3 ^1.0

---

4. Prevention Measures

4.1 Implemented

Measure	Scope	Impact
sha_pinning_required=true	Org-wide	All actions must use immutable SHA refs; reusable workflows exempt
SHA-pinned all third-party actions	68 repos	Tags/branches can no longer resolve to compromised code
Dependabot for github-actions	All repos	Automatic PRs for action version updates with SHA pins
StepSecurity Harden-Runner	19 repos (audit mode)	Detects malicious outbound connections

4.2 Recommended Future Improvements

Measure	Priority	Impact
Switch Harden-Runner from audit to block mode with domain allowlists	High	Would have prevented the data exfiltration
Expand Harden-Runner to remaining repos	Medium	Broader detection/prevention coverage
Upgrade to GitHub Team plan	Medium	Enables org-wide rulesets for branch protection

---

5. Tools & Methodology

Tool	Purpose
pin-github-action (npm)	Batch SHA-pinning with --allow "netresearch/*" to preserve internal workflow refs
gh CLI	PR creation, merge, status checks, API operations
StepSecurity Harden-Runner insights	Malicious connection detection and forensics
GitHub org-level sha_pinning_required API	Org-wide enforcement of immutable action references

---

6. Timeline

Time (UTC)	Event
2026-03-19 ~18:07	aquasecurity/setup-trivy tags force-pushed with malicious code
2026-03-19 18:11	ofelia CI run executes compromised code; Harden-Runner logs malicious connection
2026-03-19 ~18:15	Compromised tags removed by aquasecurity
2026-03-20 08:33	ofelia workflow updated to safe trivy-action v0.35.0
2026-03-20 10:07	StepSecurity files issue #535
2026-03-20 ~19:30	Investigation complete: 1 compromised run, low-risk exposure
2026-03-20 19:32	sha_pinning_required=true enabled org-wide
2026-03-20 19:45–21:00	Batch hardening: 59 PRs created across org
2026-03-20 21:00–23:30	CI fixes: pre-existing issues resolved across 20+ repos
2026-03-21 00:00	68/68 repos green, all PRs merged
2026-03-21 00:03	Issue #535 closed
2026-03-21 ~00:30	Team notified via Matrix #it channel

---

Report generated 2026-03-21. Contact: Sebastian Mendel

[CybotTM]

Skill Enhancements — Lessons Learned Codified

The following skill repositories were enhanced with learnings from this incident. All PRs reviewed, CI verified green, and merged.

New references and checkpoints added

Skill	PR	What was added
security-audit-skill	#30	Supply chain incident response playbook (detection, triage, remediation, communication templates). Updated all trivy-action refs to SHA-pinned.
github-project-skill	#41	Org security settings (sha_pinning_required, pin-github-action tool, action allow-lists). Reusable workflow security guide (internal vs external, transitive dependency risks, audit checklist).
enterprise-readiness-skill	#32	Harden-Runner operational guide (audit→block migration, domain allowlists by job type). New checkpoint ER-27: Harden-Runner configured.
docker-development-skill	#13	Docker-in-Docker testing patterns (overlay-on-overlay problem, VFS storage driver fix, systemd in containers, troubleshooting table).
typo3-testing-skill	#31	TYPO3 CI config patterns (ext_emconf.php strict_types exclusion, shared PHP-CS-Fixer config factory, labeler.yml template, composer allow-plugins).

These enhancements ensure the team knowledge from this incident is reusable across all future projects.