In a dazzling demonstration of poetic irony, Trivy, an open-source vulnerability scanner, was once again breached, this time to prove that you can have your vulnerabilities and scan them too. The breach, affectionately dubbed ‘Remember When We Scanned for Malice?’, involved hijacking 75 tags to filch CI/CD secrets, because who doesn’t love a good secret, especially of the continuous integration and delivery variety?
Trivy, proudly maintained by Aqua Security, forgot to secure the security scanner—a classic blunder only slightly less known than ‘never get involved in a land war in Asia’. One might say they took their role as open-source as literally as possible, opening the doors to hackers like a Black Friday sale at the Vulnerability-a-palooza!
The breach affected GitHub Actions ‘aquasecurity/trivy-action’ and ‘aquasecurity/setup-trivy’, both used to ensure Docker images were scanned for vulnerabilities as fiercely as a middle child rooting out candy stashes. Users are now advised to scan their scanners with more scanners to ensure their scanners are secure. A simple solution, really, just triple your security budget, or switch careers to something less dangerous, like shark wrestling.
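Behind the joke about scanning your scanners there is one check that actually matters here: the attack worked because tags are mutable git refs, so a workflow that says `uses: aquasecurity/trivy-action@<tag>` runs whatever commit the tag points at today. The script below is an added example, not code from the page, from Aqua Security or from the Trivy project. It scans workflow text for `uses:` lines and flags anything not pinned to a full 40-hex commit SHA (or, for `docker://` steps, a digest). The sample workflow and the SHA inside it are constructed placeholders, not real trivy-action commits.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to an immutable ref.

Added example (not from the page, Aqua Security or the Trivy project). Tags and
branches can be moved to a different commit by whoever controls the repository,
which is what a tag hijack exploits; a full 40-hex commit SHA cannot be moved.
"""
import re
from typing import List, Tuple

# Constructed sample workflow. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # hypothetical pin
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Captures the reference on a `uses:` line, stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Classifications that a third party cannot silently redirect.
IMMUTABLE = {"sha", "docker-digest", "local"}


def classify_ref(ref: str) -> str:
    """Return how a `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"            # lives in this repo; covered by the repo's own review
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    if "@" not in ref:
        return "no-ref"           # invalid for repository actions, flag it anyway
    _, git_ref = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(git_ref) else "mutable"  # tag or branch


def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """List (reference, classification) for every `uses:` line in a workflow."""
    results = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            results.append((ref, classify_ref(ref)))
    return results


def unpinned_actions(text: str) -> List[str]:
    """References that whoever controls the upstream repo or registry tag could redirect."""
    return [ref for ref, kind in audit_workflow(text) if kind not in IMMUTABLE]


if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:14} {ref}")
```

Run it against `.github/workflows/*.yml` and anything reported as `mutable` or `docker-tag` is a place where a hijacked tag would have been pulled into your build without a single line of your workflow changing. Pinning to a SHA does not make the pinned commit trustworthy, it only makes it stay the commit you reviewed.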
