
Update trivy-action to 0.34.2 and fix template injections #2

Open
omuraaa wants to merge 1 commit into main from fix/trivy-action-update-and-template-injections

Conversation


@omuraaa omuraaa commented Mar 5, 2026

Summary

  • Update aquasecurity/trivy-action from @0.33.1 to SHA-pinned @97e0b3872f55f89b95b2f65b3dbab56962816478 (0.34.2)
  • Fix 19 template injection findings by moving all ${{ }} expressions out of run: and script: blocks into env: blocks

Context

trivy-action version

@0.33.1 is flagged by two advisories:

  1. Trivy repository compromise (2026-03-01): An attacker exploited a pull_request_target workflow to steal a maintainer PAT, deleted releases 0.27.0-0.69.1, and published a malicious VSCode extension. The trivy-action code itself was not tampered with, but @0.33.1 predates the post-incident hardening.

  2. CVE-2026-26189: Command injection in entrypoint.sh -- user-supplied action inputs are written to trivy_envs.txt without shell escaping, then sourced. Affects 0.31.0-0.34.0, patched in 0.34.1.

Template injections

This reusable workflow (workflow_call) used ${{ inputs.* }} and ${{ steps.*.outputs.* }} directly in run: blocks (11 sites) and actions/github-script inline JS (8 sites). While the workflow_call trigger limits the attack surface to internal callers, these patterns are unsafe and set a bad example as the org's canonical security scanning template.

All 19 injection sites are fixed by passing values through environment variables:

  • run: blocks: ${{ inputs.image-name }} -> env: IMAGE_NAME + "${IMAGE_NAME}"
  • actions/github-script: '${{ inputs.image-name }}' -> process.env.IMAGE_NAME

What changed

  1. aquasecurity/trivy-action@0.33.1 -> @97e0b3872f55... (0.34.2)
  2. "Pull Docker image from registry" step: inputs moved to env:
  3. "Add Trivy summary to run" step: inputs moved to env:
  4. "Sanitize image name for artifact" step: inputs moved to env:
  5. "Check vulnerabilities and determine actions" step: all step outputs and inputs moved to env:
  6. "Create issue for vulnerabilities" step: all ${{ }} expressions in script: moved to env: + process.env

No behavioral changes. All values are identical -- they're just passed through environment variables instead of being interpolated directly into shell/JS.

Test plan

  • Reusable workflow can still be called by existing caller workflows
  • docker pull step works correctly in registry mode
  • Vulnerability counting and GITHUB_STEP_SUMMARY output is unchanged
  • Artifact naming (sanitize step) produces same output
  • Issue creation works when vulnerabilities are found
  • Image push logic (push/skip decision) is unchanged

Pin aquasecurity/trivy-action to SHA (0.34.2), fixing CVE-2026-26189.
Move all ${{ }} expressions from run:/script: blocks to env: blocks,
eliminating template injection risk in the reusable scan workflow.
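The before/after pattern the PR describes, as an added example that is not taken from the PR's diff: the workflow input name `image-name`, the step id `scan` and its `critical-count` output are assumed for illustration.

```yaml
# Added example, not the repository's own workflow. Assumes a reusable workflow
# with an `image-name` input and a `scan` step exposing `critical-count`.
on:
  workflow_call:
    inputs:
      image-name:
        required: true
        type: string

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (the unsafe form being removed): the runner expands ${{ }} into
      # the script text before bash parses it, so shell metacharacters in the
      # input are executed rather than treated as part of the image name.
      - name: Pull Docker image from registry (unsafe)
        run: docker pull "${{ inputs.image-name }}"

      # AFTER: the value is handed to the step as a real environment variable;
      # bash only ever sees the literal text "${IMAGE_NAME}" and expands it as data.
      - name: Pull Docker image from registry
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
        run: docker pull "${IMAGE_NAME}"

      # Same pattern for a step that derives a value from the input.
      - name: Sanitize image name for artifact
        id: sanitize
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
        run: |
          safe="$(printf '%s' "${IMAGE_NAME}" | tr -c 'A-Za-z0-9._-' '_')"
          echo "artifact-name=trivy-${safe}" >> "$GITHUB_OUTPUT"

      # actions/github-script: read process.env instead of quoting ${{ }}
      # into the JavaScript source, where a quote in the value would end the string.
      - name: Create issue for vulnerabilities
        if: steps.scan.outputs.critical-count != '0'
        uses: actions/github-script@v7
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
          CRITICAL_COUNT: ${{ steps.scan.outputs.critical-count }}
        with:
          script: |
            const image = process.env.IMAGE_NAME;
            const count = process.env.CRITICAL_COUNT;
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Trivy: ${count} critical findings in ${image}`,
              body: `Image \`${image}\` has ${count} CRITICAL vulnerabilities.`,
            });
```

The `if:` condition still uses an expression directly, which is fine: expressions evaluated by the runner are not interpolated into any shell or JS source.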
@omuraaa omuraaa requested a review from grams March 5, 2026 15:09