
fix: bump Trivy to v0.69.2 following supply chain incident #22896

Merged
Vad1mo merged 1 commit into goharbor:main from Aloui-Ikram:fix/bump-trivy-v0.69.2
Mar 3, 2026

Conversation

Contributor

@Aloui-Ikram Aloui-Ikram commented Mar 2, 2026

What this PR does

Bumps TRIVYVERSION from v0.69.1 to v0.69.2 in the Makefile.

Why

On March 1st 2026, the aquasecurity/trivy repository was targeted by
a supply chain attack. A bot exploited a misconfigured GitHub Actions
workflow to obtain a write-scoped token, which was used to permanently
delete all GitHub Releases between v0.27.0 and v0.69.1.

As a result, Harbor's current TRIVY_DOWNLOAD_URL returns HTTP 404,
breaking any build that uses TRIVYFLAG=true.

Aqua Security responded quickly: they patched the vulnerable workflow,
recovered the repository, and published v0.69.2 as an emergency release
on the same day.

Full incident report from the Trivy maintainers:
https://github.com/aquasecurity/trivy/discussions/10265

Fixes #22895
Fixes #22898

  • Well Written Title and Summary of the PR
  • Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Made sure tests are passing and test coverage is added if needed.
  • Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

All GitHub Releases from v0.27.0 to v0.69.1 were permanently deleted
on 2026-03-01 as part of a supply chain attack on aquasecurity/trivy.
Update to v0.69.2, the emergency patch release published by Aqua Security.

Verified: curl -sI https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz returns HTTP/2 302

Fixes goharbor#22895
Ref: https://github.com/aquasecurity/trivy/discussions/10265

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>
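An added pre-flight check, example code that is not part of this PR or of Harbor's Makefile: it builds the same asset URL, follows the redirect that the `curl -sI` check above stops at, and pins a checksum. `EXPECTED_SHA256` is a placeholder the operator supplies, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the Harbor PR: pre-flight a pinned Trivy
# release asset before a TRIVYFLAG=true build. The commit message checked
# with `curl -sI` and saw a 302; this follows the redirect to the final
# hop and additionally pins a sha256 so a re-published asset cannot be
# swapped silently.
set -eu

TRIVYVERSION="${TRIVYVERSION:-v0.69.2}"   # value this PR bumps to

# Same asset URL shape as Harbor's TRIVY_DOWNLOAD_URL for Linux amd64.
trivy_asset_url() {
  ver="$1"
  printf 'https://github.com/aquasecurity/trivy/releases/download/%s/trivy_%s_Linux-64bit.tar.gz' \
    "$ver" "${ver#v}"
}

# Reads a `curl -sIL` header dump on stdin (one block per hop, CRLF line
# endings) and prints the status code of the LAST hop. The 302 seen on
# the first hop only shows GitHub resolved the release; the object store
# behind it answers on the final hop.
final_status() {
  awk '{ sub(/\r$/, "") } /^HTTP\//{ code = $2 } END { print code }'
}

# 0 = asset reachable, 1 = 404 (the deleted-release failure mode of the
# incident), 2 = anything else (rate limit, outage, bad URL).
classify_status() {
  case "$1" in
    200) return 0 ;;
    404) return 1 ;;
    *)   return 2 ;;
  esac
}

# Online check: resolve, require 200, download, verify the pinned digest.
# EXPECTED_SHA256 is a placeholder; record it from the release's checksums
# file at pin time, not from the same download you are verifying.
preflight() {
  url="$(trivy_asset_url "$TRIVYVERSION")"
  code="$(curl -sIL "$url" | final_status)"
  if ! classify_status "$code"; then
    echo "trivy asset unavailable: $url -> HTTP ${code:-none}" >&2
    return 1
  fi
  curl -sfL -o trivy.tgz "$url"
  echo "${EXPECTED_SHA256:?pin the release sha256} trivy.tgz" | sha256sum -c -
}
```

Run `preflight` in CI before the Makefile's download step so a deleted or swapped release fails the build with a clear message instead of a bare 404.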

codecov Bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.00%. Comparing base (c8c11b4) to head (ffc008a).
⚠️ Report is 680 commits behind head on main.


@@             Coverage Diff             @@
##             main   #22896       +/-   ##
===========================================
+ Coverage   45.36%   66.00%   +20.63%     
===========================================
  Files         244     1074      +830     
  Lines       13333   116417   +103084     
  Branches     2719     2937      +218     
===========================================
+ Hits         6049    76838    +70789     
- Misses       6983    35329    +28346     
- Partials      301     4250     +3949     
Flag        Coverage Δ
unittests   66.00% <ø> (+20.63%) ⬆️


@Vad1mo Vad1mo added the release-note/update Update or Fix label Mar 2, 2026
@Vad1mo Vad1mo enabled auto-merge (squash) March 2, 2026 09:12
@Vad1mo Vad1mo merged commit 96de2bc into goharbor:main Mar 3, 2026
13 of 14 checks passed
chlins pushed a commit that referenced this pull request Mar 4, 2026
…22911)

All GitHub Releases from v0.27.0 to v0.69.1 were permanently deleted
on 2026-03-01 as part of a supply chain attack on aquasecurity/trivy.
Update to v0.69.2, the emergency patch release published by Aqua Security.

Verified: curl -sI https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz returns HTTP/2 302

Fixes #22895
Ref: https://github.com/aquasecurity/trivy/discussions/10265

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>
Signed-off-by: wang yan <yan-yw.wang@broadcom.com>
Co-authored-by: Ikram ALOUI <109230617+Aloui-Ikram@users.noreply.github.com>
Co-authored-by: Aloui-Ikram <ikram@container-registry.com>
@wy65701436 wy65701436 mentioned this pull request Mar 4, 2026


Development

Successfully merging this pull request may close these issues.

Failed to download trivy adapter in the build https://github.com/aquasecurity/trivy/------------ is gone
