I strongly recommend to lock down what versions (by hash) you use internally (in the script). If not specified by action options, latest is used now, which can be vulnerable to supply chain attacks...
This action might have been compromised, so I recommend to investigate to all users of this action:
the compromised aqua-bot service account triggered release automation to publish a malicious Trivy binary designated v0.69.4.
See the article: https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
I strongly recommend to lock down what versions (by hash) you use internally (in the script). If not specified by action options,
latestis used now, which can be vulnerable to supply chain attacks...This action might have been compromised, so I recommend to investigate to all users of this action:
See the article: https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html