This affects Jena in the "Apache Jena UI" GH workflow.
It uses cypress-io/github-action@v7.
-------- Forwarded Message --------
Subject: [ANNOUNCE] ASF Response to potential Trivy security breach
Date: Fri, 20 Mar 2026 17:57:10 -0300
From: Andrew Wetmore <[email protected]>
Reply-To: [email protected]
To: [email protected]
Trivy, Aqua Security's open-source vulnerability scanner, appears to have
experienced a security incident March 19, 2026, based on the details
available here:
https://stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
ASF Infrastructure and ASF Security have provided the following summary
based on what we believe to be true:
- Trivy version 0.69.4 contained malicious code that could potentially
steal credentials present in GitHub Secrets.
- The trivy-action GitHub Action and trivy-setup were also compromised.
Impact on ASF projects
- A small number of ASF projects include the trivy GitHub Action in their
build workflows.
Infra response
- ASF Infra and ASF Security agreed to disable all previously allowed
"verified creator" actions while the incident is being investigated
- This may cause build failures, and require that projects request
newly-failed actions be added via the Infra GHA approval process:
github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
- Infra and the Security team are investigating if any secrets and Git
repositories of ASF projects may have been compromised.
For further information:
If you are involved in an ASF project that is impacted by this situation,
you can open a Jira ticket for Infra. You can also join the conversation in
the #asfinfra channel in the the-asf space on Slack, or send an email to
users AT infra.apache.org.
Andrew Wetmore
Technical Writer-Editor, Infra
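As an added example, not part of the announcement or of any ASF project's tooling, the script below does the check a project would run after reading this: it lists every action@version a workflow uses, flags trivy-related ones, and flags tags pinned to a mutable version rather than a full commit SHA. The sample workflow and the exact action names in it are constructed assumptions, not taken from the announcement.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not an actual Jena or ASF file). The
# aquasecurity/* action names are assumptions, not quoted from the advisory.
SAMPLE_WORKFLOW = """
name: ui
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cypress-io/github-action@v7
      - name: Scan image
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: actions/setup-java@3a4f6e1a0d4b0a7c5e0c2f4d9b8a7c6e5d4f3a2b
"""

# Matches "uses: owner/repo@ref" with or without a leading "- ".
# Local ("./path") and "docker://" uses have no "@ref" and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str
    ref: str
    pinned_to_sha: bool   # full 40-hex commit SHA, immutable
    trivy_related: bool   # name mentions trivy, i.e. in scope of the incident


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per third-party action the workflow text uses."""
    return [
        Finding(action, ref, bool(SHA_RE.match(ref)), "trivy" in action.lower())
        for action, ref in USES_RE.findall(text)
    ]


def allow_list_requests(findings: list[Finding]) -> list[str]:
    """action@ref strings a project would submit to an allow-list process."""
    return sorted({f"{f.action}@{f.ref}" for f in findings})
```

Run it over each file under .github/workflows; a tag such as v7 can be moved by the action's maintainer (or an attacker holding their credentials), whereas a SHA cannot.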