Chris Adams

Anyone who thinks hash pinning is a solution for supply chain attacks should look at what happened to #AquaSecurity’s #Trivy: pinning the hash was arguably key to the attack succeeding by making the payload blend in, with a hefty assist from the design flaw in #GitHub allowing commits to be referenced through a repo which doesn’t contain them.

Immutable tags are becoming table stakes.

https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23

#GitHubActions

Trivy ecosystem supply chain briefly compromised

## Summary On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credent...

GitHub
Mar 24 at 12:28amWeb
Show threadTristan Colgate-McFarlane1d ago
@acdha the word "briefly" in that particular announcement turns out to have been in the rather broader sense of the word (as in, "dinosaurs existed for a brief period")
Show threadChris Adams1d ago
@tmcfarlane sure was tempting fate…