Posted by jicea 1 day ago

Trivy under attack again: Widespread GitHub Actions tag compromise secrets (socket.dev)
90 points | 32 comments (page 2)
ashishb 3 hours ago
I always run such tools inside sandboxes to limit the blast radius.
  PunchyHamster 2 hours ago
  The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing.
    ashishb 2 hours ago
    > The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing

    Compromising all code in one directory is bad. Compromising all my data in all other directories, including mounted cloud drives, is worse.

    I restrict most dev tools to access only the current directory.

    staticassertion 1 hour ago
    You only need internet access to grab the image, I don't think trivy requires internet access itself. All of my image scanning tools run in isolation.
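The sandbox ashishb and staticassertion describe (only the current directory visible, no network, no credentials from the caller's shell) can be written down as a small wrapper. The script below is an added example, not code from this thread or from any scanner project. It assumes docker is on PATH, that the scanner image has already been pulled and carries whatever data it needs (the container gets no network), and the variable-name patterns it uses to audit the caller's environment are a constructed heuristic, not a complete catalogue of credential-bearing variables.

```shell
#!/bin/sh
# Added example (not from the thread or any scanner project): run a
# container-based scanner so it sees only the current directory, has no
# network, and inherits none of the caller's credentials.
# Assumptions: docker is on PATH; the image is already pulled and contains
# the data the scanner needs; the name patterns below are a heuristic.

# Return 0 when an environment variable name looks credential-related.
looks_like_secret() {
    case "$1" in
        *TOKEN*|*SECRET*|*PASSWORD*|*PASSWD*|*CREDENTIAL*|*_KEY|*_KEY_*|AWS_*|GITHUB_*|NPM_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read NAME=VALUE lines (the format `env` prints) and emit the names that
# the sandbox deliberately withholds from the tool.
audit_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        if looks_like_secret "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Fixed hardening flags for `docker run`, one per line so they can be inspected.
sandbox_flags() {
    printf '%s\n' \
        --rm \
        --network=none \
        --read-only \
        --tmpfs=/tmp \
        --env=HOME=/tmp \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --pids-limit=256
}

# run_sandboxed IMAGE [ARGS...]: run IMAGE against the current directory.
run_sandboxed() {
    image=$1
    [ -n "$image" ] || { echo "usage: run_sandboxed IMAGE [ARGS...]" >&2; return 2; }
    shift
    docker_bin=$(command -v docker) || { echo "docker not found" >&2; return 127; }
    # env -i starts from an empty environment, so tokens, cloud keys and agent
    # sockets from the caller's shell never reach the container. Only the
    # current directory is mounted, read-only, as /src.
    # shellcheck disable=SC2046  # sandbox_flags emits single tokens without whitespace
    env -i PATH=/usr/local/bin:/usr/bin:/bin "$docker_bin" run $(sandbox_flags) \
        --user "$(id -u):$(id -g)" \
        --volume "$PWD:/src:ro" \
        --workdir /src \
        "$image" "$@"
}

# Usage: sh sandboxed_scan.sh IMAGE [SCANNER ARGS...]
# First print which variables the sandbox withholds, then run the scanner.
if [ "$#" -gt 0 ]; then
    env | audit_env | sed 's/^/withheld from sandbox: /' >&2
    run_sandboxed "$@"
fi
```

With the network disabled, a scanner that refreshes its vulnerability database on start needs that data baked into the image or mounted read-only next to the source; that is the trade-off PunchyHamster raises, so treat the flags as a starting point to adapt per tool rather than a drop-in configuration. The audit step is there so the person running the scan can see what a compromised tool would have been able to read had it run unsandboxed.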
  wswin 3 hours ago
  I don't think it would help here; they were stealing credentials.
    tux1968 2 hours ago
    Whenever possible, credentials shouldn't be inside the sandbox either. Credential proxying, or transparent credential injection, for example with Sandcat: https://github.com/VirtusLab/sandcat
    ashishb 1 hour ago
    > I don't think it would help here, they were stealing credentials

    So, stealing credentials in the current directory and in all other directories is the same thing?

  yieldcrv 3 hours ago
  fatiguing
  Pahacker 2 hours ago
  GG
  ohsecurity 1 hour ago
  [dead]
Pahacker 2 hours ago
[flagged]