From the dev.to devops feed, noted briefly so it does not get lost.

What happens when the security scanner meant to protect your pipeline turns into the malware that steals your secrets? On March 19, 2026, that is exactly what happened to Trivy (aquasecurity). Trivy is the most widely adopted open-source vulnerability scanner in the cloud-native ecosystem, embedded in thousands of CI/CD pipelines as the aquasecurity/trivy-action GitHub Action — and by design it has access to pipeline secrets. Compromise a tool like that, and the attacker doesn’t just get code: they get cloud credentials, SSH keys, and Kubernetes tokens — everything the pipeline touches. This post breaks down the official advisory GHSA-69fq-xp46-6x23 (CVE-2026-33634, Critical) as the primary source: what happened, how the payload worked, and the SHA-pinning-based remediation ManoIT applied.
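The remediation the post names is SHA pinning: referencing a GitHub Action by the full 40-character commit SHA instead of a mutable tag or branch, so a re-pointed tag cannot silently swap in a different payload. The following added example (mine, not code from the dev.to post, ManoIT, or the Trivy project) scans workflow text for `uses:` lines and flags every reference that is not pinned to a full commit SHA, then shows the pinned form. The sample workflow and the 40-hex SHA in it are constructed placeholders; the real SHA for a given tag has to be resolved out of band (for example with `git ls-remote`) and is assumed to be supplied in the `resolved` mapping.

```python
import re
from pathlib import Path

# Constructed sample workflow. The 40-hex value is a placeholder SHA,
# not a real aquasecurity/trivy-action commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.28.0 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:latest
"""

# Matches a step's "uses:" value up to whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses):
    """Classify one 'uses:' value as 'sha', 'mutable', or 'skip'.

    Local actions (./path) and docker:// images are skipped here; container
    images should be pinned by digest, which is a separate check.
    """
    if uses.startswith('./') or uses.startswith('docker://'):
        return 'skip'
    if '@' not in uses:
        return 'mutable'  # no ref at all resolves to the default branch
    ref = uses.rsplit('@', 1)[1]
    return 'sha' if FULL_SHA_RE.match(ref) else 'mutable'


def find_unpinned(text):
    """Return [(line_number, uses_value)] for every mutable action reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1).strip('\'"')
        if classify_ref(uses) == 'mutable':
            findings.append((lineno, uses))
    return findings


def scan_workflow_dir(directory='.github/workflows'):
    """Scan every workflow file under a directory; returns {path: findings}."""
    results = {}
    for path in sorted(Path(directory).glob('*.y*ml')):
        findings = find_unpinned(path.read_text())
        if findings:
            results[str(path)] = findings
    return results


def pin_uses(uses, resolved):
    """Rewrite 'owner/repo@tag' to 'owner/repo@<sha> # tag'.

    `resolved` maps the mutable reference to its full commit SHA, obtained
    out of band (hypothetical input; e.g. from `git ls-remote`).
    """
    if uses not in resolved:
        return uses
    name, ref = uses.rsplit('@', 1)
    return f"{name}@{resolved[uses]} # {ref}"


if __name__ == '__main__':
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference {uses}")
    placeholder = {'aquasecurity/trivy-action@0.28.0':
                   '0123456789abcdef0123456789abcdef01234567'}
    print(pin_uses('aquasecurity/trivy-action@0.28.0', placeholder))
```

The check deliberately treats a version tag such as `0.28.0` the same as `master`: both are mutable references that the repository owner (or whoever controls the repository) can move, which is exactly the property a tag-hijacking compromise exploits. Keeping the original tag as a trailing comment preserves readability and lets tooling such as Dependabot still recognise the version.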


Full text and context at the original source: https://dev.to/x4nent/inside-the-trivy-supply-chain-compromise-cve-2026-33634-76-hijacked-tags-runnerworker-memory-l1j