starred/docker-netbootxyz

Fork 0

mirror of https://github.com/netbootxyz/docker-netbootxyz.git synced 2026-04-24 22:45:49 +03:00

[PR #121] Update aquasecurity/trivy-action action to v0.34.0 [SECURITY] #224

New issue

Open

opened 2026-03-01 18:33:54 +03:00 by kerem · 0 comments

kerem commented

2026-03-01 18:33:54 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netbootxyz/docker-netbootxyz/pull/121
Author: @renovate[bot]
Created: 2/27/2026
Status: 🔄 Open

Base: master ← Head: renovate/github-tags-aquasecurity-trivy-action-vulnerability

📝 Commits (1)

b9c9d98 Update aquasecurity/trivy-action action to v0.34.0 [SECURITY]

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 .github/workflows/build.yml (+1 -1)

📄 Description

This PR contains the following updates:

Package	Type	Update	Change
aquasecurity/trivy-action	action	minor	`0.33.1` → `0.34.0`

GitHub Vulnerability Alerts

CVE-2026-26189

Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export

A command injection vulnerability exists in aquasecurity/trivy-action due to improper handling of action inputs when exporting environment variables. The action writes export VAR=<input> lines to trivy_envs.txt based on user-supplied inputs and subsequently sources this file in entrypoint.sh.

Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., $(...), backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context.

Severity:

Moderate

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Impact:

Successful exploitation may lead to arbitrary command execution in the CI runner environment.

Affected Versions:

Versions >= 0.31.0 and <= 0.33.1
Introduced in commit 7aca5ac

Affected Conditions:

The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to trivy_envs.txt. Access to user input is required by the malicious actor.

A representative exploitation pattern involves incorporating untrusted pull request metadata into an action parameter. For example:

- uses: aquasecurity/trivy-action@0.33.1
  with:
    output: "trivy-$.sarif"

If the pull request title contains shell syntax, it may be executed when the generated environment file is sourced.

Not Affected:

Workflows that do not pass attacker-controlled data into trivy-action inputs
Workflows that upgrade to a patched version that properly escapes shell values or eliminates the source ./trivy_envs.txt pattern
Workflows where user input is not accessible.

Call Sites:

action.yaml:188 — set_env_var_if_provided writes unescaped export lines
entrypoint.sh:9 — sources ./trivy_envs.txt

Release Notes

aquasecurity/trivy-action (aquasecurity/trivy-action)

`v0.34.0`

Compare Source

What's Changed

ci: use setup-bats in bump-trivy workflow by @nikpivkin in #494
chore: update README by @nikpivkin in #493
ci: install trivy in bump-trivy workflow and update tests by @nikpivkin in #495
chore(deps): Update trivy to v0.68.1 by @aqua-bot in #496
ci: use checks bundle v2 in sync workflow by @nikpivkin in #505
chore(deps): Update trivy to v0.69.1 by @aqua-bot in #506

Full Changelog: https://github.com/aquasecurity/trivy-action/compare/0.33.1...0.34.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netbootxyz/docker-netbootxyz/pull/121 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 2/27/2026 **Status:** 🔄 Open **Base:** `master` ← **Head:** `renovate/github-tags-aquasecurity-trivy-action-vulnerability` --- ### 📝 Commits (1) - [`b9c9d98`](https://github.com/netbootxyz/docker-netbootxyz/commit/b9c9d9808d0eb0b4c0854a518d8e2b1096e12d65) Update aquasecurity/trivy-action action to v0.34.0 [SECURITY] ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/build.yml` (+1 -1) </details> ### 📄 Description This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [aquasecurity/trivy-action](https://redirect.github.com/aquasecurity/trivy-action) | action | minor | `0.33.1` → `0.34.0` | ### GitHub Vulnerability Alerts #### [CVE-2026-26189](https://redirect.github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5) Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export A command injection vulnerability exists in `aquasecurity/trivy-action` due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. **Severity:** Moderate CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) **Impact:** Successful exploitation may lead to arbitrary command execution in the CI runner environment. **Affected Versions:** * Versions >= 0.31.0 and <= 0.33.1 * Introduced in commit `7aca5ac` **Affected Conditions:** The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. A representative exploitation pattern involves incorporating untrusted pull request metadata into an action parameter. For example: ```yaml - uses: aquasecurity/trivy-action@0.33.1 with: output: "trivy-$.sarif" ``` If the pull request title contains shell syntax, it may be executed when the generated environment file is sourced. **Not Affected:** * Workflows that do not pass attacker-controlled data into `trivy-action` inputs * Workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern * Workflows where user input is not accessible. **Call Sites:** * `action.yaml:188` — `set_env_var_if_provided` writes unescaped `export` lines * `entrypoint.sh:9` — sources `./trivy_envs.txt` --- ### Release Notes <details> <summary>aquasecurity/trivy-action (aquasecurity/trivy-action)</summary> ### [`v0.34.0`](https://redirect.github.com/aquasecurity/trivy-action/releases/tag/0.34.0) [Compare Source](https://redirect.github.com/aquasecurity/trivy-action/compare/0.33.1...0.34.0) #### What's Changed - ci: use setup-bats in bump-trivy workflow by [@nikpivkin](https://redirect.github.com/nikpivkin) in [#494](https://redirect.github.com/aquasecurity/trivy-action/pull/494) - chore: update README by [@nikpivkin](https://redirect.github.com/nikpivkin) in [#493](https://redirect.github.com/aquasecurity/trivy-action/pull/493) - ci: install trivy in bump-trivy workflow and update tests by [@nikpivkin](https://redirect.github.com/nikpivkin) in [#495](https://redirect.github.com/aquasecurity/trivy-action/pull/495) - chore(deps): Update trivy to v0.68.1 by [@aqua-bot](https://redirect.github.com/aqua-bot) in [#496](https://redirect.github.com/aquasecurity/trivy-action/pull/496) - ci: use checks bundle v2 in sync workflow by [@nikpivkin](https://redirect.github.com/nikpivkin) in [#505](https://redirect.github.com/aquasecurity/trivy-action/pull/505) - chore(deps): Update trivy to v0.69.1 by [@aqua-bot](https://redirect.github.com/aqua-bot) in [#506](https://redirect.github.com/aquasecurity/trivy-action/pull/506) **Full Changelog**: <https://github.com/aquasecurity/trivy-action/compare/0.33.1...0.34.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/netbootxyz/docker-netbootxyz).  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>