Security Update: Bitnami Secure Images and the Trivy CI/CD Incident

By Beltran Rueda Borrego posted Mar 21, 2026 01:00 PM


In cloud-native security, software supply chain integrity is paramount. A recent security incident involving Trivy, the widely used vulnerability scanner, showed how a modern supply chain attack can compromise release artifacts without touching the source repository.

We are publishing this post to provide transparency regarding the incident and to confirm that Bitnami Secure Images remain unaffected.

Understanding the Incident: Pipeline vs. Source

According to the official discussion within the Trivy community and the GitHub advisory GHSA-69fq-xp46-6x23, the breach was not a traditional code injection. The malicious payload was introduced at the CI/CD build pipeline level rather than being embedded as literal strings in the Go source code.

This meant that while the source code on GitHub appeared clean, the pre-compiled "official" binaries distributed through certain channels contained malicious code. The upstream investigation identified the compromised commit as "1885610c6a34811c8296416ae69f568002ef11ec".

Why Bitnami Secure Images are Safe

The reason Bitnami images were not compromised lies in our fundamental build philosophy: we build from source.

While the upstream incident affected pre-compiled binaries, Bitnami's automated pipeline compiles the Trivy binaries directly from the verified source code within our own secure environment. Because the malicious payload was injected into the upstream build process and not into the code itself, our compilation process never "saw" or included the malware.

Our Response Timeline

Upon learning of the incident, the Bitnami team took immediate action to protect our users while we conducted a thorough investigation.

March 20th: Immediate Mitigation

As soon as the incident was disclosed, our team moved into an emergency response phase:

  • Customer Notification: Within approximately 3 hours of the disclosure, we informed all customers who had added the Trivy image to their catalogs.

  • Pipeline Freeze: We immediately disabled the release of Trivy images from our pipelines to ensure no new versions were published until we could verify their integrity.

March 21st: Verification and Conclusion

Our security engineers performed a deep-dive analysis of the build components:

  • Source Code Audit: We confirmed that the source code used for our compilation contained no references to the malicious look-alike domain scan[.]aquasecurtiy[.]org (shown defanged), the associated malicious IP, or the logic found in the compromised upstream binaries.

  • Status Confirmed: Based on this investigation, we concluded that Bitnami-built Trivy binaries are unaffected and secure for use.
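The two checks behind the audit above, a search of the source tree and of the built binaries for the named indicator and a refusal to build from the commit the advisory identifies, can be scripted. The script below is an added illustration, not Bitnami's pipeline code or anything from the Trivy project. It assumes only what the post states: the defanged domain is refanged to scan.aquasecurtiy.org, the malicious IP is not given on this page and so is not listed (add it from the advisory), and the commit hash is the one quoted above. The sample "clean" tree and the fake binary containing the domain are constructed inline so the script runs offline; `grep -a` is used deliberately so compiled artifacts are searched as well as source.

```shell
#!/bin/sh
# Added example (not Bitnami's or Aqua's code): audit a checkout and its build
# output for the indicators named in the post, and refuse a known-bad commit.
# Assumptions: the only indicator quoted verbatim on the page is the look-alike
# domain (refanged below); the malicious IP is not listed on the page, so it is
# not included here. Extend IOC_PATTERNS with the IP from the advisory.
set -u

# Extended regexes, one per line. Dots are escaped so they match literally.
IOC_PATTERNS='scan\.aquasecurtiy\.org'
# Space-separated list of commits the advisory identifies as compromised.
KNOWN_BAD_COMMITS='1885610c6a34811c8296416ae69f568002ef11ec'

# audit_tree DIR: search every file under DIR, source and binaries alike
# (-a treats binary files as text, -r recurses, -i ignores case, -l prints
# only the file names that match). Returns 0 when nothing matches, 1 otherwise.
audit_tree() {
    dir=$1
    patfile=$(mktemp)
    printf '%s\n' "$IOC_PATTERNS" > "$patfile"
    if grep -r -a -i -l -E -f "$patfile" -- "$dir"; then
        rm -f "$patfile"
        echo "TAINTED: indicator found under $dir" >&2
        return 1
    fi
    rm -f "$patfile"
    echo "clean: no indicators under $dir" >&2
    return 0
}

# check_commit HASH: reject a build from a commit on the known-bad list.
# In a real pipeline HASH would come from `git rev-parse HEAD` in the checkout.
check_commit() {
    case " $KNOWN_BAD_COMMITS " in
        *" $1 "*)
            echo "REFUSE: $1 is a known-compromised commit" >&2
            return 1 ;;
    esac
    return 0
}

# Constructed sample data for a stand-alone run: a clean Go source tree and a
# "build" directory whose fake binary carries the domain between NUL bytes,
# the way a string constant sits inside a real compiled executable.
DEMO=$(mktemp -d)
CLEAN_DIR=$DEMO/clean
TAINTED_DIR=$DEMO/tainted
mkdir -p "$CLEAN_DIR/cmd" "$TAINTED_DIR"
cat > "$CLEAN_DIR/cmd/main.go" <<'EOF'
package main

import "fmt"

// Placeholder program constructed for the example; not Trivy source.
func main() { fmt.Println("scanner placeholder") }
EOF
printf 'ELF\000\000legit strings\000https://scan.aquasecurtiy.org/upload\000' \
    > "$TAINTED_DIR/trivy"

# Demonstration run. The clean tree passes, the fake binary is flagged,
# the advisory's commit is refused, and a placeholder all-zero hash is allowed.
audit_tree "$CLEAN_DIR"   || echo "unexpected: clean tree was flagged" >&2
audit_tree "$TAINTED_DIR" && echo "unexpected: tainted tree passed" >&2
check_commit 1885610c6a34811c8296416ae69f568002ef11ec \
    && echo "unexpected: known-bad commit accepted" >&2
check_commit 0000000000000000000000000000000000000000 \
    || echo "unexpected: placeholder commit refused" >&2
echo "sample data left under $DEMO for inspection" >&2
```

Run it against a real checkout with `audit_tree /path/to/src` and again against the output directory of your build, and feed `check_commit "$(git -C /path/to/src rev-parse HEAD)"` into the pipeline before compilation. The string search is a necessary but not sufficient check: a payload that builds its domain at runtime, or that lives only in the upstream build steps, will not appear in the source tree, which is exactly why the post stresses compiling in your own environment rather than trusting the upstream artifacts.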

Our Commitment to Security

This incident is a powerful reminder of why "building from source" is a critical security practice. By maintaining control over the compilation process and not relying on external binaries, Bitnami adds a layer of insulation against supply chain compromises. That insulation holds only as far as the fetched source is verified and the build environment is trusted, which is why our audit checked the source tree itself for the indicators rather than taking its cleanliness for granted.

We remain committed to transparency and the rapid protection of our users. If you have any questions regarding your Bitnami Secure Images, please reach out to our support team.
