Trivy (a very widely-used security scanner) was recently compromised. Anyone who installed the aquasecurity/trivy-action dependency by tag rather than by sha during a 3 hour period on March 19 was likely compromised. There is a Github security advisory at https://github.com/aquasecurity/trivy/security/advisories/GH...

6 separate people have tried to submit this to HN. All of the submissions are marked as [dead]. I am unsure whether this is a malicious action taken by the actors who compromised trivy or whether it's just the result of prior spam under github.com/aquasecurity, but regardless it is probably not ideal for security advisories to be auto-marked as [dead].

Please just email us ([email protected]) when something like this happens.

Moderators didn't see these submissions or if we did, we didn't know why this project or incident was significant or important.

Now we've seen it, we've boosted the first submission of the incident onto the front page, and updated the URL and title to the most up-to-date/complete page about the incident.

The reason the submissions were being killed is that the GitHub account's address had been banned on HN due to previously being submitted by spam bots.