How the Trivy supply chain attack harvested credentials from secrets managers
Summary
The article documents a critical supply-chain compromise of Trivy that exfiltrated plaintext API keys via compromised binaries and GitHub Actions. It argues that a secrets manager alone cannot prevent exposure once keys are present in the runtime environment, and presents VaultProof's split-key approach as a way to eliminate plaintext credentials from CI/CD pipelines.