Trivy Supply Chain Security: Complete Implementation Guide

What Is Trivy and Why the Trivy Supply Chain Attack Matters

Trivy is an open-source security scanner built by Aqua Security. It checks container images, file systems, and code for known flaws. Thousands of teams use it inside their CI/CD pipelines to catch bugs before code goes live.

The tool runs as a GitHub Action. In other words, it plugs right into your build process. As a result, every time you push code, Trivy scans it and flags problems. As a result, it's fast, free, and widely trusted — which also made it a prime target for the Trivy supply chain attack.

Importantly, here's why that trust matters. Clearly, when a tool sits inside your pipeline, it has access to your secrets — API keys, cloud tokens, SSH keys, and more. In short, if someone poisons that tool, they don't need to break in. Instead, they inherit your trust.

How the Trivy Supply Chain Attack Happened

The attack started weeks before the main breach. In late February 2026, an AI bot called hackerbot-claw scanned GitHub for weak workflow configs. It found one in Trivy's repo that used a risky event trigger called pull_request_target.

In particular, this trigger runs code in the base repo's context — not the fork's. The bot submitted a pull request with hidden code that stole a Personal Access Token (PAT). As a result, with that token, the attacker gained full write access to Trivy's repo.

The Trivy Supply Chain Attack: Tag Poisoning Explained

On March 19, 2026, TeamPCP used those stolen credentials to rewrite 75 of 76 version tags in the trivy-action repo. In Git, a tag is just a pointer to a commit. Similarly, if you have write access, you can force-push a tag to point at different code.

However, the release page on GitHub didn't change. Same name, same date, same description. Nevertheless, the code behind each tag now contained a credential stealer. Anyone who ran a pipeline referencing those tags got hit — silently.

What the Trivy Supply Chain Attack Payload Did

The injected code ran before the real Trivy scan. As a result, your pipeline looked normal — it completed without errors. However, in the background, two Python scripts were stealing data.

The first script dumped secrets from the GitHub Actions runner's process memory. It grabbed tokens, environment variables, and anything stored in the runner's context. The second script targeted the local file system — SSH keys, cloud tokens for AWS, Azure, and GCP, Docker configs, and even crypto wallets.

Both scripts sent the stolen data to a fake domain: scan.aquasecurtiy[.]org (note the typo — that's the attacker's typosquat). Alternatively, if that failed, the data went to a public GitHub repo as a backup. Because GitHub traffic looks routine in dev setups, most teams didn't notice.

Who Is Affected by the Trivy Supply Chain Attack

If your pipeline ran aquasecurity/trivy-action between March 19 at 17:43 UTC and March 20 at about 05:40 UTC, your secrets may be exposed. In other words, that's roughly a 12-hour window.

The safe versions are trivy v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6. Anything outside those versions during the attack window should be treated as compromised.

The impact goes beyond Trivy itself. Stolen tokens from the first breach were then used to poison Checkmarx's GitHub Action as well. As a result, the Trivy supply chain attack cascaded — one compromised tool led to another, then another.

Sysdig's threat research team confirmed the connection. They found the same credential stealer from the Trivy supply chain attack running inside Checkmarx's AST Action just four days later. The pattern was identical — same code, different domain name to avoid detection.

How to Check If the Trivy Supply Chain Attack Affected You

To begin with, search your workflow files for any reference to trivy-action:

Grep -r "aquasecurity/trivy-action" .github/workflows/
grep -r "aquasecurity/setup-trivy" .github/workflows/

Next, if you find matches, check your workflow run logs from March 19–20. Look for any calls to tpcp.tar.gz, aquasecurtiy (with the typo), or checkmarx.zone.

Search your GitHub org for a repo named tpcp-docs. If it exists, the attacker successfully sent your data through the backup channel.

5 Steps to Guard Against the Trivy Supply Chain Attack

Regardless of whether you use Trivy or not, these steps apply to every team that runs GitHub Actions.

1. Pin Actions to Full Commit SHAs

Importantly, version tags can be rewritten. However, commit SHAs cannot be rewritten. Replace tag-based references with full 40-character SHA hashes. For example, instead of @v2, use @a1b2c3d4.... This is the single most effective defense against tag poisoning.

2. Rotate All Pipeline Secrets right away

If you ran an affected version during the attack window, rotate every secret that was accessible to your runners. For example, that includes GitHub PATs, AWS keys, Azure service principal credentials, and any tokens in your repo or org settings.

3. Audit pull_request_target Workflows

Any workflow that uses this trigger and also checks out PR code is high risk. The attacker used this exact pattern to steal the initial token. Separate trusted workflows from untrusted code, or remove the trigger entirely.

4. Apply Least Privilege to Runner Tokens

Most pipelines give the GITHUB_TOKEN far more permission than needed. Lock it down. For instance, if your workflow only reads code, don't give it write access. As a result, fewer permissions mean less damage if a tool gets compromised.

5. Monitor Runner Behavior at Runtime

However, network-level tools alone won't catch these attacks. The attacker's domains were too new to appear on blocklists. Instead, watch for unusual behavior — like a CI runner making POST requests with binary data to external domains.

❌

Using Version Tags Instead of SHAs

Tags can be silently rewritten. Similarly, a tag that pointed to safe code yesterday can point to malware today. Always pin to full commit SHAs.

❌

Trusting "Immutable Release" Badges

GitHub's immutable badge didn't prevent this attack. The attacker may have locked the malicious state in place. Do not rely on badges alone.

❌

Skipping Secret Rotation After a Breach

A stolen token opens the door to cascading attacks. If any tool in your pipeline was compromised, rotate every credential it could access.

❌

Ignoring pull_request_target Risks

This trigger runs in the base repo's context with full secret access. As a result, if it also checks out PR code, any fork can steal your secrets.

The Attack Is Still Expanding

Importantly, this is not a one-and-done breach. After the initial Trivy compromise, TeamPCP kept going. For example, on March 22, malicious Docker Hub images appeared — versions 0.69.5 and 0.69.6 — with the same infostealer code baked in.

By March 24, the campaign had also spread to PyPI. Packages for LiteLLM (versions 1.82.7 and 1.82.8) were poisoned with identical malware. The attackers even moved into the npm ecosystem using a self-spreading worm called CanisterWorm.

In other words, the stolen credentials from one tool unlocked access to many others. Each new breach fed the next one. In short, this is what makes supply chain attacks so dangerous — they don't stop at one target.

Step-by-Step Trivy Supply Chain Attack Recovery Plan

Speed matters more than perfection during a Trivy supply chain attack response. the first 24 hours after detection define how much damage spreads. So, here is the exact playbook security teams used to recover from this incident.

Step 1: Freeze Affected Pipelines right away

The first move is to halt every workflow that calls the Trivy GitHub Action. In short, disable the workflow file or comment out the step. You stop the bleeding while you investigate. Log the freeze time so your incident timeline stays accurate.

Step 2: Rotate Every Exposed Secret

Then, rotate all repository secrets, deployment tokens, and cloud credentials touched by the pipeline. For example, AWS keys, GCP service accounts, npm tokens, and SSH deploy keys all need fresh values. Likewise, revoke OAuth grants tied to the compromised job. As a result, stolen tokens become useless before attackers can use them.

Step 3: Audit GitHub Audit Logs

Next, pull the GitHub audit log for the affected repos. Look for unusual workflow_run events between March 19 and March 20. Check for outbound traffic to scan.aquasecurtiy[.]org in your network logs. That single typosquat domain is the smoking gun.

Step 4: Verify Build Integrity

After that, rebuild any artifact produced during the attack window. Treat those builds as untrusted because malware could have injected payloads. Sign new artifacts with a fresh key and republish to your registry. Customers running your software stay safe.

Step 5: Document and Share Lessons

Finally, write a post-incident report and share it with your team. For instance, note what worked, what failed, and what you would do differently. Share findings with the wider community so others can defend faster. Sadly, supply chain attacks repeat when lessons stay private.

Trivy Supply Chain Attack Prevention Checklist for 2026

Prevention is cheaper than recovery in any Trivy supply chain attack. bake these controls into every CI/CD pipeline you maintain.

• Pin to commit SHAs — never trust mutable tags or version aliases.
• Use OIDC short-lived tokens — kill long-lived static secrets.
• Restrict workflow permissions — set permissions: read-all by default.
• Enable secret scanning alerts — catch leaks before attackers do.
• Run dependency review on every PR — block risky third-party updates.
• Monitor outbound traffic — flag unknown domains from runner IPs.

No checklist removes risk fully. Still, layered defenses raise the cost of attack and give your team time to react. As a result, your pipeline becomes a hard target rather than a soft one.

Why This Matters If You're Studying Cybersecurity

The Trivy supply chain attack is a textbook example of what the CEH and Security+ exams call "third-party risk." you did not write the bad code. Similarly, you did not misconfigure anything. However, you just used a popular tool — and that was enough.

If you are preparing for a security cert, study this incident closely. It covers real-world concepts like supply chain risk, least privilege, credential management, and incident response. These are no longer abstract exam topics. Instead, they are headlines.

Even if you do not use Trivy, the patterns here apply everywhere. In particular, any tool in your pipeline that has access to secrets is a potential attack vector. As a result, learning how to audit, lock down, and monitor those tools is a skill that sets you apart from other beginners.