As of 2026-05-10T17:04:50Z UTC, the GitHub API still shows Trivy as a live, heavily used project: 34,925 stars, 356 forks, 256 open issues, and push activity as recent as 2026-05-08T23:24:04Z.[5] The latest stable release is v0.70.0, published on 2026-04-17.[4] That matters because the right 2026 reading of Trivy is not "great scanner before March, dead scanner after March." The better reading is narrower and harder: Trivy remains a broad, useful security scanner, but the March 2026 compromise showed that scanner coverage and release trust are different products.[1][3][4]

The advisory makes the failure mode uncomfortably clear. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits.[1] The exposure windows were short and still ugly: about 3 hours for the malicious trivy release, about 12 hours for trivy-action, about 4 hours for setup-trivy, and about 10 hours for malicious Docker Hub images v0.69.5 and v0.69.6 on March 22.[1] That is why this is worth reading as an OSS incident report rather than as a one-version caution. The problem was not that Trivy suddenly forgot how to find vulnerabilities. The problem was that a security tool sat inside release channels and CI references that many teams were still treating as softer trust surfaces than they really were.[1][2]

Image context: the cover uses Itay Shakury's real GitHub profile portrait because the article's center of gravity is maintainership and recovery procedure, not user-interface output. In March 2026 the decisive question was who controlled the release path, how tags were repaired, and what consumers had pinned in CI.[2][7]

What actually failed

The official advisory points to two linked failures.[1] First, compromised credentials let the attacker publish malicious artifacts into normal distribution channels. Second, mutable references let that compromise travel farther than a single bad binary. The attacker did not merely slip one poisoned file into an obscure mirror. They altered the ordinary places teams use to install Trivy, wire it into GitHub Actions, and pull "latest enough" scanner behavior into pipelines.[1]

The root-cause note matters here. The advisory says the March 19 attack continued a late-February 2026 supply-chain incident because credential rotation was not atomic: not all secrets were revoked at the same moment, which left room for newly rotated secrets to be exfiltrated during the recovery window.[1] That detail turns the story from "one credential leak" into "recovery procedure is part of the product." A security scanner inherits the same operational truth as any other delivery system: if incident containment is partial, the release pipeline remains part of the blast radius.

There is a useful contrast with Trivy's normal product shape. The project README still describes one unusually broad scanner surface: container images, filesystems, remote Git repositories, VM images, and Kubernetes on the target side; SBOM-aware package discovery, vulnerability detection, misconfiguration checks, secret detection, and license scanning on the issue side.[3] None of that capability disappeared in March. The compromise happened one layer earlier, where teams decide which binary, container image, or Action reference they are actually trusting.[1][3]

Why mutable tags were the real trap

This incident is easiest to misunderstand if you read it as a "bad release" story only. The advisory and GitHub's own Actions security guidance point to the sharper lesson.[1][6] In GitHub Actions, pinning to a full-length commit SHA is the only way to treat an action reference as immutable.[6] Many teams know that rule abstractly and still keep using version tags because they are readable and convenient. The Trivy incident showed why that convenience becomes operational debt the moment an attacker can move tags.

That is why the trivy-action part of the incident deserves as much attention as the malicious v0.69.4 binary.[1] A scanner that runs inside CI often runs near registry credentials, cloud credentials, SARIF upload tokens, or other secrets with enough scope to matter. Once the action reference becomes mutable, "we only scan in CI" stops sounding like a safety argument. It starts sounding like an admission that the scanner sits on a privileged machine.[1][6]

The patched version numbers in the advisory make the recovery lane concrete: setup-trivy moved to 0.2.6, trivy-action to 0.35.0, and the malicious standalone Trivy release was isolated to v0.69.4.[1] That is a good short-term checklist. The longer-term point is stricter. A team that consumes third-party Actions by floating tag is not merely outsourcing convenience. It is delegating immutability to a reference format GitHub explicitly documents as non-immutable.[6]

Why the project still matters after cleanup

A weaker readout would stop at "security tool got hacked, therefore replace security tool." That is too shallow. Trivy still solves a real 2026 problem because many teams do want one scanner that can inspect container images, filesystem trees, repos, VMs, and Kubernetes while checking for CVEs, misconfigurations, secrets, licenses, and package inventory in one operating vocabulary.[3] The April v0.70.0 release and current repository activity show a project that is still shipping and still being maintained in public after the March event.[4][5]

The better conclusion is that Trivy belongs in a tighter trust model, not in a romantic one. Use it because the scan surface is broad and the operator ergonomics are good. Do not use it as though "security tool" were a magical category exempt from supply-chain discipline. The incident did not prove Trivy is unusable. It proved that scanners themselves are supply-chain dependencies and therefore deserve the same version pinning, provenance checks, and runner isolation you would apply to any other privileged build component.[1][3][6]

What safe use looks like in 2026

The practical operating model is not complicated, but it has to be followed literally.

• Pin aquasecurity/trivy-action and aquasecurity/setup-trivy to full commit SHAs, not movable tags, and verify the SHA belongs to the upstream repository.[1][6]
• If you install the standalone Trivy binary or image directly, pin an exact version and avoid unaudited "latest" pulls in privileged CI lanes.[1][4]
• Keep scanning jobs away from deployment credentials, signing keys, and broad cloud secrets. A scanner job should not also be the job that can publish production artifacts.
• Treat incident recovery as a first-class dependency concern: if a scanner vendor says revoke, re-pin, or re-pull, assume the release path itself is under question until those steps are done.[1][2]

That last point is the one teams skip because it sounds procedural. In this incident, procedure was the whole boundary. The advisory included not just version guidance but audit instructions, search targets for exfiltration artifacts, and a reminder to pin Actions to immutable SHAs.[1] In other words, the maintainers were telling users that the trust failure sat in delivery mechanics as much as in code.

Best-fit boundary

Trivy remains strongest for teams that want one open-source scanner across multiple artifact types and are willing to own version pinning and CI hygiene themselves.[3][4] It is a good fit when your organization already has a disciplined dependency-intake process and wants scanning to stay close to the build.

The mismatch starts when teams want "security tool" to mean "trust problem solved upstream." March 2026 showed that this category error is expensive. If you need stronger centralized controls, curated distribution guarantees, or a thinner self-managed runner boundary, you need to add those controls around Trivy or buy them elsewhere. The scanner's breadth is real. It is simply not the same thing as release-path immunity.[1][3][6]

Sources

1. GitHub Security Advisory, "Trivy ecosystem supply chain temporarily compromised" - incident windows, affected components, patched action versions, root-cause note, and mitigation checklist.
2. Trivy GitHub Discussion #10425, "Trivy Security incident 2026-03-19" - maintainer incident thread and operational updates.
3. aquasecurity/trivy README - current scan targets and scanner types.
4. Trivy release v0.70.0 - current post-incident stable release published on April 17, 2026.
5. GitHub API snapshot for aquasecurity/trivy - stars, forks, open issues, and recent push time as of article creation.
6. GitHub Docs, "Secure use reference" - why pinning an action to a full-length commit SHA is the only immutable GitHub Actions release reference.
7. GitHub profile for Itay Shakury - profile portrait used as the article cover.