Secure-by-default: Chainguard customers unaffected by the Trivy supply chain attack
On March 19, 2026, a supply chain attack using previously stolen credentials resulted in malicious releases of the Trivy vulnerability scanner (v0.69.4), trivy-action, and setup-trivy being published to official channels.
No action is required from Chainguard customers: Chainguard-built images and packages were not affected by the malicious release workflow. We recommend, however, that you follow the guidance below as malicious releases may have reached your systems via other distribution methods. If you are not yet a Chainguard customer, we are making our Trivy images available free of charge for the next 12 months. We're also offering three free months of Chainguard Libraries and Actions (waitlist may apply) to new sign-ups to Chainguard, with no paid commitment required.
What happened
Aqua Security, the maintainer of Trivy, published a Security Incident advisory disclosing that a threat actor used compromised credentials to publish malicious versions of Trivy and related tooling. The incident was a follow-on from a prior security event on March 1, 2026, in which credentials were exfiltrated. Aqua Security has acknowledged that their containment of the first incident was incomplete: secrets were rotated, but the process was not atomic and attackers were able to obtain refreshed tokens.
The malicious releases affected Trivy v0.69.4, trivy-action, and setup-trivy. Aqua Security has since removed the affected artifacts from public package registries, reverted to the last known unaffected release (v0.69.3), and deleted the Git release tag for v0.69.4.
Why this matters
Trivy is one of the most widely used open source vulnerability scanners in the container ecosystem. It is deeply embedded in CI/CD pipelines across the industry, meaning a compromised release has the potential to expose pipeline secrets, inject malicious code, or provide a foothold for lateral movement — all within environments that are designed to be trusted. Any organization that pulled the compromised version should treat all pipeline secrets as compromised and rotate them immediately.
This incident is a reminder that supply chain security extends well beyond your own code. Even trusted, well-maintained open source tools can become vectors for attack when upstream build and release infrastructure is compromised.
Why Chainguard customers were automatically protected
Chainguard confirmed that the known malicious changes were not included in Chainguard-built images, packages, or actions. Here's why:
Chainguard's Factory builds Trivy directly from application source code, and we do not consume pre-built upstream Trivy artifacts. Because the Trivy application source code itself was not compromised — only the build and release workflow was — Chainguard's independent build pipeline produced a clean image.
Chainguard did build an image tagged v0.69.4, as our automation detected the upstream release and built from source as expected. However, since the version number is now flagged across the industry as compromised, we took the following steps out of an abundance of caution:
Withdrew the v0.69.4 package and image tag from all customer registries
Rebuilt the image so that the :latest tag points to v0.69.3
Removed the v0.69.4 tag from both our main repository and all customer image repositories
These actions were completed on March 20, 2026. No Chainguard customer was exposed to the malicious payload. If your scanner flags a Chainguard-built Trivy image as compromised based on the v0.69.4 version number, this is a false positive — the Chainguard image was built from clean source code using our own secure pipeline. The trivy-action and setup-trivy Chainguard Actions were also not impacted, as all of our actions are hardened to prevent the tag hijacking that impacted the public upstream versions.
This attack also expanded to litellm, a popular AI library with roughly 97 million monthly downloads. Chainguard Libraries customers were not impacted here either: Chainguard Libraries are built only from verified source code, and the malicious litellm releases were published without corresponding source to build from, so they were never picked up.
What you should do
If you are a Chainguard customer, no immediate action is required. To keep your environment clean, we recommend:
Removing any cached or locally stored copies of the v0.69.4 image or packages (for example, a copy installed by brew), so that security scanners do not raise false-positive flags on them;
Confirming that your environment now pulls v0.69.3, which is the current :latest tag;
Reviewing your artifact manager logs to see where non-Chainguard copies of Trivy may have been downloaded or distributed;
Deploying hardened versions of GitHub Actions, such as Chainguard Actions, in your own projects.
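The checks above are quick to script. The following is an added example, not code from Chainguard or Aqua Security: a POSIX shell audit that scans a GitHub workflow file for references to the withdrawn v0.69.4 release and for trivy-action or setup-trivy steps referenced by a mutable tag rather than a full commit SHA (a moved tag is exactly what the upstream hijack abused). The sample workflow it runs against is constructed for the example, the 40-hex value in it is a placeholder rather than a real commit, and the cosign certificate identity in the network-dependent helper is the one Chainguard's public documentation gives for its images (assumed here, not taken from this page).

```shell
#!/bin/sh
# Added example (not code from Chainguard or Aqua Security): audit GitHub workflow
# files for the withdrawn Trivy release and for trivy-action / setup-trivy references
# pinned to mutable tags, which is what a re-pointed tag ("tag hijacking") abuses.

# Lines that reference aquasecurity/trivy-action or aquasecurity/setup-trivy by
# anything other than a full 40-hex commit SHA. A tag or branch can be moved by
# whoever holds the repository credentials; a commit SHA cannot.
unpinned_trivy_actions() {
  grep -nE 'uses:[[:space:]]*aquasecurity/(trivy-action|setup-trivy)@' "$1" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|#|$)' || true
}

# Lines that pin the withdrawn release v0.69.4: setup-trivy "version:" inputs,
# TRIVY_VERSION variables, or image/download references such as trivy:0.69.4.
compromised_trivy_refs() {
  grep -nE 'version:[[:space:]]*v?0\.69\.4|TRIVY_VERSION[^0-9]*v?0\.69\.4|trivy[^[:space:]]*[:/@]v?0\.69\.4' "$1" \
    || true
}

count_unpinned()    { unpinned_trivy_actions "$1" | wc -l | tr -d ' '; }
count_compromised() { compromised_trivy_refs  "$1" | wc -l | tr -d ' '; }

# Checks that need Docker and network access, so they are defined but not run here:
# confirm the image your pipelines pull is the rebuilt :latest (v0.69.3) and that it
# carries Chainguard's Sigstore signature. The certificate identity is the one
# Chainguard's public documentation gives for its images (assumed, not from this page).
verify_chainguard_trivy() {
  docker run --rm cgr.dev/chainguard/trivy:latest --version
  cosign verify \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
    cgr.dev/chainguard/trivy:latest
}

# Constructed sample workflow (not a real repository file) used to exercise the checks;
# the 40-hex value is a placeholder, not a real trivy-action commit.
SAMPLE_WORKFLOW="$(mktemp)"
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: docker run --rm cgr.dev/chainguard/trivy:latest --version
EOF

# Print the findings for one workflow file.
report() {
  echo "== actions not pinned to a commit SHA in $1"
  unpinned_trivy_actions "$1"
  echo "== references to the withdrawn v0.69.4 in $1"
  compromised_trivy_refs "$1"
}

report "$SAMPLE_WORKFLOW"
```

Run `report` over every file under `.github/workflows/` in each repository; on the sample it flags the `setup-trivy@v0.2.0` and `trivy-action@0.28.0` steps and the `version: v0.69.4` input, and leaves the SHA-pinned step alone. For the local-copy cleanup the post recommends, `brew list --versions trivy` shows whether a Homebrew-installed Trivy is present, and `docker images` lists cached image tags to remove.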
If you are not yet using Chainguard Containers (or Chainguard Libraries and Chainguard Actions, which you can get started with today), this incident illustrates the value of a build pipeline that is independent from upstream release infrastructure. Chainguard Containers are built from source, signed, and accompanied by provenance attestations and SBOMs — giving you verifiable confidence in what's running in your environment.
How to get started
Swapping to Chainguard's Trivy image is straightforward. You can find our Trivy image in the Chainguard Images directory and start pulling it into your pipelines today. For customers who need FIPS-compliant variants, Chainguard also offers a Trivy-FIPS image.
If you'd like to learn more about how Chainguard's build pipeline protects you from upstream supply chain attacks, or if you have questions about this incident, reach out to your account team or contact us.
To help teams get protected now, we're offering three free months of Chainguard Libraries and Actions (waitlist may apply) to new sign-ups to Chainguard, with no paid commitment required. This offer is available until May 31, 2026. Sign up here to get started.