March 23, 2026
Pantoja Digital

The Tool That Finds Vulnerabilities Just Got Hacked — Twice. Who's Scanning the Scanners?

Trivy, the world's most popular open-source vulnerability scanner, was supply-chain attacked for the second time. Here's what it means for your business security.


Imagine hiring a security guard to protect your business. They show up on time, check every door, and hand you a clean report every morning.

Then you find out someone's been stealing from your safe for months — through the security guard.

That's essentially what just happened to thousands of companies using Trivy, the world's most popular open-source vulnerability scanner. The tool that's supposed to find security holes? It just became one. For the second time.

What Is Trivy, and Why Should You Care?

If you're not a developer, you've probably never heard of Trivy. But there's a very good chance your development team — or the agency that built your website — is using it right now.

Trivy is the most widely used open-source vulnerability scanner in the world. Built by Aqua Security, it's used by thousands of companies to scan their code, containers, and infrastructure for known security vulnerabilities. It's free, it's fast, and it integrates directly into the automated pipelines (called CI/CD) that companies use to build and deploy software.

Think of it like a spell-checker, but for security. Every time a developer pushes new code, Trivy automatically scans it and flags anything dangerous.

Major enterprises, startups, and government agencies all rely on Trivy. It has over 24,000 stars on GitHub — a measure of popularity in the developer world — and it's embedded in thousands of automated workflows that run every single day.

When Trivy says "all clear," companies move forward with confidence. When Trivy gets compromised, that confidence becomes a liability.

What Happened: The Attack, Explained Simply

In March 2026, security researchers discovered that Trivy's GitHub Actions — the automated workflows companies use to run Trivy in their build pipelines — had been compromised through a supply chain attack.

Here's how it worked, in plain English:

Step 1: Poisoning the Pipeline

GitHub Actions are reusable automation scripts that developers reference by "tags" — version labels like v1 or latest. When you set up Trivy in your pipeline, you tell it to use a specific tag of the official Trivy Action.

The attackers found a way to modify the code behind those tags without changing the tag itself. It's like someone replacing the pills in a medicine bottle without breaking the seal. The label says "Trivy v1," but the code inside is now something else entirely.

Step 2: Exfiltrating Secrets

When companies ran their normal build pipelines — which they do dozens or hundreds of times per day — the compromised Trivy Action executed the attacker's code alongside the legitimate scan. That code was designed to do one thing: steal secrets.

API keys. Authentication tokens. Cloud credentials. Database passwords. Anything stored as a "secret" in the CI/CD environment was silently exfiltrated to attacker-controlled servers.

Step 3: Silent Extraction at Scale

The beauty of supply chain attacks — from the attacker's perspective — is scale. The attackers didn't need to break into each company individually. They compromised one tool, and every company using that tool in their automated pipelines became a victim simultaneously.

One attack. Thousands of potential victims. Zero alerts triggered.

This Already Happened Before

Here's the part that makes this story worse: this is the second time Trivy has been hit through its GitHub Actions supply chain.

The first incident followed the same pattern — compromised Action tags, exfiltrated secrets, widespread exposure. The security community raised alarms. Patches were issued. Companies rotated their secrets. Lessons were supposedly learned.

And then it happened again.

The story hit 156 points on Hacker News and drew widespread coverage across the security community. The reaction wasn't just concern — it was a fundamental questioning of how much trust we place in our security tooling.

Why This Matters for YOUR Business

You might be thinking: "We're a small business. We don't use Trivy. This doesn't affect us."

Think again. Here's why this matters for every business, regardless of size:

Your Developers Might Be Using It Without You Knowing

Most business owners don't know the specific tools their developers or agencies use. If you hired a firm to build your website, set up your AI chatbot, or manage your cloud infrastructure, there's a reasonable chance Trivy — or a similar open-source tool — is part of their pipeline.

You trust your vendor. Your vendor trusts Trivy. Trivy got compromised. That's a trust chain, and the weakest link just broke.

Supply Chain Attacks Are the Fastest-Growing Threat

Attackers have figured out something important: why attack thousands of companies individually when you can attack one tool they all share?

Supply chain attacks increased by over 300% between 2023 and 2025. The SolarWinds attack in 2020 was the wake-up call. The Log4j vulnerability in 2021 was the alarm. The Trivy incidents in 2025 and 2026 are the pattern becoming undeniable.

Attackers don't break into your front door anymore. They compromise the tools you trust — the security scanner, the logging library, the CI/CD plugin — and walk right through the door you opened for them.

The Security Guard Analogy

You wouldn't hire a security guard who's been robbed twice. You wouldn't trust a locksmith whose own shop has been broken into. And you shouldn't place unconditional trust in a security scanner that's been supply-chain attacked — twice.

This isn't about blaming Trivy. It's an excellent tool, and the team behind it responded quickly both times. But the incidents reveal a deeper problem: our entire approach to security has a single-point-of-failure problem.

The Deeper Problem: Blind Trust in Security Tools

Here's the uncomfortable truth that most businesses don't want to hear:

Running a vulnerability scanner doesn't mean you're secure. It means you've checked a box.

Scanners Follow Checklists. Attackers Don't.

Automated scanners like Trivy are designed to check for known vulnerabilities — things that have been discovered, cataloged, and assigned a CVE number. They're pattern matchers. They compare your software against a database of known issues and flag matches.

That's valuable. It catches a lot of real problems. But it has fundamental limitations:

  • They can't find what they don't know to look for. Zero-day vulnerabilities, novel attack techniques, and creative exploitation chains are invisible to checklist-based scanners.
  • They don't think like attackers. A scanner checks if your front door is locked. An attacker checks the windows, the garage, the dog door, and whether your smart doorbell has a known firmware exploit.
  • They don't understand context. A scanner might flag a medium-severity vulnerability that's actually critical in your specific deployment, or miss a combination of low-severity issues that together create a devastating attack path.

The Green Checkmark Problem

There's a dangerous psychology at play. When a scan comes back clean — green checkmarks across the board — businesses feel safe. They move on. They deploy.

But that green checkmark only means: "We didn't find any of the specific things we were looking for."

It doesn't mean there are no vulnerabilities. It doesn't mean an attacker can't get in. It especially doesn't mean your AI chatbot isn't leaking customer data through prompt injection — because most scanners don't even test for that.

A company can run Trivy, get a clean report, deploy their AI agent, and have a hacker extract their entire system prompt, customer database access credentials, and internal business logic through a carefully crafted conversation. The scanner would never know. The green checkmark would still be green.

AI Has Changed the Game — Scanners Haven't Caught Up

The rise of AI agents, chatbots, and LLM-powered tools has introduced entirely new categories of vulnerabilities that traditional scanners were never designed to detect:

  • Prompt injection — tricking an AI into executing attacker instructions
  • Jailbreaking — bypassing safety guardrails to make an AI do things it shouldn't
  • System prompt extraction — stealing the confidential instructions that define how an AI behaves
  • Data exfiltration through conversation — using natural language to make an AI reveal sensitive information
  • Indirect prompt injection — hiding attack instructions in documents or web pages the AI processes

None of these show up in a traditional vulnerability scan. None of them have CVE numbers. And all of them are being actively exploited in the wild right now.

What Real Security Testing Looks Like

If scanners aren't enough, what is? The answer isn't to stop using scanners — it's to stop using only scanners.

Defense in Depth: Layers, Not Silver Bullets

Real security has always been about layers. A castle doesn't rely on just a moat. It has walls, gates, guards, towers, and a keep. Each layer exists because the ones before it might fail.

Your security posture should work the same way:

  1. Automated scanners (like Trivy) catch known vulnerabilities — they're your first filter
  2. Adversarial testing probes your systems the way real attackers do — finding what scanners miss
  3. Continuous monitoring detects new vulnerabilities as they emerge over time
  4. Incident response planning ensures you're prepared when something does get through

Most businesses have layer one. Almost none have layers two through four. That's the gap where breaches happen.

Thinking Like an Attacker

Adversarial testing — sometimes called penetration testing or red teaming — means deliberately trying to break your systems using the same techniques attackers use. It's not about checking boxes on a list. It's about creative, adaptive probing that follows the path of least resistance, just like a real attacker would.

NullShield was built for exactly this. We test over 500 attack patterns across AI agents, websites, and APIs — including the AI-specific attack vectors that traditional scanners completely miss. We don't just check if your front door is locked. We try every window, every vent, every creative entry point we can think of.

When we test an AI chatbot, we don't scan its code for known CVEs. We talk to it. We try to extract its system prompt. We attempt prompt injection attacks. We probe for data leakage. We test whether its guardrails actually hold up under pressure. We do what hackers do — because that's the only way to know if your defenses actually work.

The Difference Is Methodology

A scanner asks: "Does this match a known vulnerability pattern?"

NullShield asks: "Can I break this? How? What can I access if I do?"

That difference in approach is the difference between compliance theater and actual security.

The "Scanning the Scanners" Approach

The Trivy incident teaches us something important: even security tools need to be tested. Trust, but verify. Then verify the verification.

What This Looks Like in Practice

Regular testing, not one-and-done. A security scan from six months ago is ancient history. New vulnerabilities are discovered daily. Your systems change. Your threat landscape changes. Monthly or quarterly testing catches what a single annual assessment misses.

Multiple perspectives, not one tool. No single tool — no matter how good — catches everything. Layer automated scanning with adversarial testing. Use different tools. Get outside perspectives. If your only security measure is running one scanner, you have one layer. One layer is not defense in depth.

Human-guided AI testing. This is where NullShield stands out. We combine AI-powered automation with human expertise to test your systems adaptively. Our testing engine doesn't just follow a script — it learns, adapts, and explores based on what it finds. When it hits a potential vulnerability, it digs deeper. When a guardrail blocks one approach, it tries another.

Continuous monitoring for emerging threats. The security landscape changes constantly. A system that was secure last month might be vulnerable today because of a newly discovered attack technique or a dependency update that introduced a flaw. Monthly monitoring catches these emerging threats before attackers do.

What You Should Do Right Now

The Trivy supply chain attack is a wake-up call, but it's also an opportunity. Most of your competitors will read the headline, think "that's a developer problem," and move on. You can do better.

1. Audit Your Security Tools

Find out what security tools your development team or agency is using. Ask specifically:

  • What scanners are in our CI/CD pipeline?
  • Are we using GitHub Actions from third parties?
  • How do we verify the integrity of our tooling?
  • When was the last time we rotated our secrets and credentials?

If your developers use Trivy through GitHub Actions, ensure they've updated to verified, pinned versions (using commit SHA hashes, not mutable tags) and have rotated all secrets that may have been exposed.

2. Stop Relying Solely on Automated Scanners

Automated scanners are valuable. Keep using them. But recognize them for what they are: one layer of a multi-layer strategy. They catch the known, the obvious, the cataloged. They miss the novel, the creative, the AI-specific.

If your entire security strategy is "we run a scanner," your entire security strategy has a single point of failure — as Trivy's users just learned the hard way.

3. Get an Independent Security Assessment

You need someone who thinks like an attacker — not like a checklist. An independent assessment that probes your AI agents, websites, and APIs using real-world attack techniques will show you what your scanners can't.

This isn't about finding fault. It's about finding vulnerabilities before someone with bad intentions does. Every finding is a problem you get to fix before it becomes a breach, a lawsuit, or a headline.

4. Implement Continuous Security Monitoring

Security isn't a project. It's a process. One assessment, no matter how thorough, becomes outdated the moment your system changes. Monthly monitoring ensures you stay ahead of emerging threats and catch new vulnerabilities as they appear.

The Bottom Line

The Trivy supply chain attack is a clear signal: the tools we trust to keep us safe are themselves targets. Relying on any single tool, any single scanner, any single layer of defense is a bet you will eventually lose.

Real security means testing your systems the way attackers actually attack them. It means layers, not silver bullets. It means regular testing, not annual checkboxes. And it means having someone on your side who thinks like a hacker — not like an auditor.

Your scanner can be hacked. Your AI can be jailbroken. Your trust can be exploited.

The question isn't whether your systems have vulnerabilities. They do. The question is whether you'll find them first — or whether someone else will.


Ready to find out what your scanners are missing? NullShield tests AI agents, websites, and APIs using 500+ attack patterns — including the AI-specific threats that automated scanners don't even know to look for.

