Trivy ecosystem supply chain briefly compromised
Summary
A threat actor compromised credentials to publish a malicious Trivy v0.69.4 release and tamper with GitHub Actions workflows, affecting Trivy, trivy-action, and setup-trivy. The advisory documents exposure windows, attack details, affected components, and recommended mitigations, emphasizing supply chain risk in CI/CD pipelines.
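A first triage step is to find where your own workflows reference the components named above. The following is an added example, not code from the advisory or the Trivy project: it lists every use of trivy-action or setup-trivy in a workflow file and any mention of version 0.69.4. The `aquasecurity/` owner prefix is the upstream GitHub organisation and does not appear in this summary; the function name and the sample workflow are constructed for illustration.

```python
import re

# Action names and version come from the summary above; "aquasecurity" is the
# upstream GitHub owner of both actions.
WATCHED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
MALICIOUS_VERSION = "0.69.4"

USES_RE = re.compile(r"""\buses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]+)?@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"(?<![\d.])v?" + re.escape(MALICIOUS_VERSION) + r"(?!\d|\.\d)")

def audit_workflow(text):
    """Return (line_number, finding, detail) tuples, in line order, for one workflow file."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line YAML comment
        if VERSION_RE.search(line):
            findings.append((number, "malicious-version", MALICIOUS_VERSION))
        match = USES_RE.search(line)
        if match and match.group(1).lower() in WATCHED_ACTIONS:
            action, ref = match.group(1).lower(), match.group(2)
            # Assumption: a tag or branch ref can be repointed, so it is reported
            # separately from a full commit SHA. Either kind still has to be
            # compared with the exposure windows the advisory documents.
            kind = "pinned-sha" if FULL_SHA_RE.fullmatch(ref) else "mutable-ref"
            findings.append((number, kind, f"{action}@{ref}"))
    return findings

# Constructed sample workflow (refs and SHA are made up for illustration).
SAMPLE_WORKFLOW = """\
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@main
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      # pinned earlier: version 0.69.4 removed
      - run: trivy --version | grep -v 0.69.40
"""

if __name__ == "__main__":
    for number, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {number}: {kind}: {detail}")
```

A hit only shows that a workflow referenced an affected component; whether a given run was exposed depends on the exposure windows in the advisory.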