Aqua Security’s open-source vulnerability scanner, Trivy, suffered a security incident on March 19, 2026. Details of the incident are published on stepsecurity.io.
According to ASF Infrastructure and ASF Security, Trivy version 0.69.4 was found to contain malicious code capable of stealing credentials stored in GitHub Secrets. The trivy-action GitHub Action and trivy-setup were also compromised.
This breach affected a small number of ASF projects that use the trivy GitHub Action in their build workflows. In response, ASF Infra and ASF Security have disabled all previously allowed “verified creator” actions while the investigation is ongoing. This may cause build failures, and affected projects may need to request re-approval of the newly failing actions through the Infra GHA approval process.
Infra and the Security team are also investigating whether any secrets or Git repositories of ASF projects were compromised as a result of this incident.
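As an added triage aid (not part of the ASF advisory or any Aqua tooling), the script below walks a repository's workflow files and flags uses of the compromised actions that are not pinned to a full commit SHA, plus any mention of the Trivy release named in the report. The repository slugs `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` are assumed from the names "trivy-action" and "trivy-setup" in the text, and the sample workflow is constructed for illustration.

```python
import re
from pathlib import Path

# Repository slugs for the actions named in the incident report. The report
# calls them "trivy-action" and "trivy-setup"; these slugs are assumed.
AFFECTED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
# Trivy release the report names as carrying the malicious code.
BAD_TRIVY_VERSION = "0.69.4"

USES_RE = re.compile(r"uses:\s*['\"]?([A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-/]+)@([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return findings (list of dicts) for one workflow file's YAML text."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        # Match the action repo itself and any sub-action path beneath it.
        if not any(action == a or action.startswith(a + "/") for a in AFFECTED_ACTIONS):
            continue
        findings.append({
            "action": action,
            "ref": ref,
            # A tag or branch can be retargeted by whoever controls the repo;
            # only a full commit SHA is immutable.
            "pinned_to_sha": bool(FULL_SHA_RE.match(ref)),
        })
    if BAD_TRIVY_VERSION in text:
        findings.append({"action": "trivy", "ref": BAD_TRIVY_VERSION, "pinned_to_sha": False})
    return findings


def audit_repo(root):
    """Audit every workflow under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample: one floating tag, one SHA pin, one unaffected action.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The pattern match is deliberately simple and does not parse YAML; a SHA pin also does not protect against a compromised binary the action itself downloads, so the version check is a separate signal.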
If you are part of an ASF project affected by this incident, you can open a Jira ticket with Infra or join the discussion in the #asfinfra channel of the the-asf Slack workspace. You can also contact users@infra.apache.org for further information.
For more details on this incident, you can refer to the incident report on the Apache Infrastructure blog.
This incident serves as a reminder of the importance of maintaining the security of open-source software and the need for constant vigilance to protect sensitive information from malicious actors. It is crucial for organizations to stay informed about potential security threats and take proactive measures to safeguard their data and systems.
For more information, refer to this article.