
Secure-by-default: Chainguard customers unaffected by the Trivy supply chain attack

Reid Tatoris, VP of Product

On March 19, 2026, a supply chain attack using previously stolen credentials resulted in malicious releases of the Trivy vulnerability scanner (v0.69.4), trivy-action, and setup-trivy being published to official channels.

No action is required from Chainguard customers: Chainguard-built images and packages were not affected by the malicious release workflow. We recommend, however, that you follow the guidance below as malicious releases may have reached your systems via other distribution methods. If you are not yet a Chainguard customer, we are making our Trivy images available free of charge for the next 12 months.

What happened

Aqua Security, the maintainer of Trivy, published a Security Incident advisory disclosing that a threat actor used compromised credentials to publish malicious versions of Trivy and related tooling. The incident was a follow-on from a prior security event on March 1, 2026, in which credentials were exfiltrated. Aqua Security has acknowledged that their containment of the first incident was incomplete: secrets were rotated, but the process was not atomic and attackers were able to obtain refreshed tokens.

The malicious releases affected Trivy v0.69.4, trivy-action, and setup-trivy. Aqua Security has since removed the affected artifacts from public package registries, reverted to the last known unaffected release (v0.69.3), and deleted the Git release tag for v0.69.4.

Why this matters

Trivy is one of the most widely used open source vulnerability scanners in the container ecosystem. It is deeply embedded in CI/CD pipelines across the industry, meaning a compromised release has the potential to expose pipeline secrets, inject malicious code, or provide a foothold for lateral movement — all within environments that are designed to be trusted. Any organization that pulled the compromised version should treat all pipeline secrets as compromised and rotate them immediately.

This incident is a reminder that supply chain security extends well beyond your own code. Even trusted, well-maintained open source tools can become vectors for attack when upstream build and release infrastructure is compromised.

Why Chainguard customers were automatically protected

Chainguard confirmed that the known malicious changes were not included in Chainguard-built images or packages. Here's why:

Chainguard's Factory builds Trivy directly from application source code, and we do not consume pre-built upstream Trivy artifacts. Because the Trivy application source code itself was not compromised — only the build and release workflow was — Chainguard's independent build pipeline produced a clean image.

Chainguard did build an image tagged v0.69.4, as our automation detected the upstream release and built from source as expected. However, since the version number is now flagged across the industry as compromised, we took the following steps out of an abundance of caution:

  • Withdrew the v0.69.4 package and image tag from all customer registries

  • Rebuilt the image so that the :latest tag points to v0.69.3

  • Removed the v0.69.4 tag from both our main repository and all customer image repositories

These actions were completed on March 20, 2026. No Chainguard customer was exposed to the malicious payload. If your scanner flags a Chainguard-built Trivy image as compromised based on the v0.69.4 version number, this is a false positive — the Chainguard image was built from clean source code using our own secure pipeline.

What you should do

If you are a Chainguard customer, no immediate action is required. To keep your environment clean, we recommend:

  • Removing any cached or locally stored copies of the v0.69.4 image or packages (e.g., installed by brew) to avoid false positive flags from security scanners;

  • Confirming that your environment is now pulling v0.69.3, which is the current :latest tag;

  • Reviewing your artifact manager logs to see where non-Chainguard images may have been downloaded or distributed;

  • For your own projects, deploying secure versions of GitHub Actions such as Chainguard Actions.
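The three checks above can be scripted against text you already have on hand. The script below is an added example written for this post, not Chainguard's own tooling: it flags local image tags still at the withdrawn 0.69.4 release, pull-log lines where a Trivy image came from somewhere other than cgr.dev, and workflow steps that reference aquasecurity/trivy-action or setup-trivy at a mutable tag or branch rather than a full commit SHA. The image list, pull-log lines, workflow file and the all-zeros SHA pin are constructed sample data; the pull-log field layout in particular is an assumption, and the field parsing should be adjusted to your own registry or proxy logs.

```shell
#!/bin/sh
# Added example (not Chainguard's own tooling). Three post-incident checks
# that run offline against text you already have:
#   1. local image tags, as printed by:
#        docker image ls --format '{{.Repository}}:{{.Tag}}'
#   2. artifact-manager pull logs (constructed format: the image reference
#      is the last whitespace-separated field; adjust for your own logs)
#   3. GitHub workflow files that use aquasecurity/trivy-action or setup-trivy
# All sample data below is constructed for the demonstration.

# 1. Image references whose repository contains "trivy" and whose tag is the
#    withdrawn 0.69.4 release, with or without the leading "v". Reads stdin.
find_stale_trivy_images() {
    grep -Ei '^[^[:space:]]*trivy[^[:space:]]*:v?0\.69\.4$' || true
}

# 2. Log lines where a trivy image was fetched from somewhere other than
#    cgr.dev. Reads stdin; expects the image reference as the last field.
find_non_chainguard_trivy_pulls() {
    awk '$NF ~ /trivy/ && $NF !~ /^cgr\.dev\//' || true
}

# 3. Workflow lines that use trivy-action / setup-trivy at a mutable ref
#    (tag or branch) instead of a full 40-hex commit SHA. Takes a file path
#    and prints "lineno:text" for each offending step.
find_unpinned_trivy_actions() {
    grep -nE 'uses:[[:space:]]*aquasecurity/(trivy-action|setup-trivy)@' "$1" \
        | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_IMAGES='cgr.dev/chainguard/trivy:v0.69.3
cgr.dev/chainguard/trivy:v0.69.4
ghcr.io/aquasecurity/trivy:0.69.4
alpine:3.20'

SAMPLE_PULL_LOG='2026-03-19T14:02:11Z PULL ci-runner-7 ghcr.io/aquasecurity/trivy:0.69.4
2026-03-19T14:05:40Z PULL ci-runner-2 cgr.dev/chainguard/trivy:v0.69.3
2026-03-19T14:07:03Z PULL dev-laptop docker.io/aquasec/trivy:0.69.4
2026-03-19T14:09:15Z PULL ci-runner-7 cgr.dev/chainguard/python:latest'

# Constructed workflow; the all-zeros ref is a placeholder for a real SHA pin.
WORKFLOW_FILE=$(mktemp)
trap 'rm -f "$WORKFLOW_FILE"' EXIT
cat > "$WORKFLOW_FILE" <<'EOF'
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@0.33.1
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000 # placeholder SHA pin
EOF

# --- stand-alone run over the samples ------------------------------------
echo "== local images still at the withdrawn tag =="
printf '%s\n' "$SAMPLE_IMAGES" | find_stale_trivy_images
echo "== trivy pulls that did not come from cgr.dev =="
printf '%s\n' "$SAMPLE_PULL_LOG" | find_non_chainguard_trivy_pulls
echo "== workflow steps not pinned to a commit SHA =="
find_unpinned_trivy_actions "$WORKFLOW_FILE"
```

In practice, feed `docker image ls --format '{{.Repository}}:{{.Tag}}' | find_stale_trivy_images` for the local check, loop `find_unpinned_trivy_actions` over `.github/workflows/*.yml`, and remember that a Homebrew install (`brew list --versions trivy`) is a separate cache the image check will not see.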

If you are not yet using Chainguard images, this incident illustrates the value of a build pipeline that is independent from upstream release infrastructure. Chainguard images are built from source, signed, and accompanied by provenance attestations and SBOMs — giving you verifiable confidence in what's running in your environment.

How to get started

Swapping to Chainguard's Trivy image is straightforward. You can find our Trivy image in the Chainguard Images directory and start pulling it into your pipelines today. For customers who need FIPS-compliant variants, Chainguard also offers a Trivy-FIPS image.

If you'd like to learn more about how Chainguard's build pipeline protects you from upstream supply chain attacks, or if you have questions about this incident, reach out to your account team or contact us.
