In a recent LinkedIn post, Chainguard highlighted a software supply chain attack in which previously stolen credentials were used to publish malicious releases of the Trivy vulnerability scanner. The post states that Chainguard-built Trivy images and packages were not affected, citing the company's practice of building directly from application source code rather than consuming pre-built upstream artifacts.
The post notes that the compromise reportedly targeted Trivy's build and release workflow via a malicious GitHub Action, while the upstream Trivy source itself was not modified. That distinction is the crux of Chainguard's claim: a compromised release pipeline taints the artifacts it publishes, not the repository, so a vendor that rebuilds from source in its own Factory build process does not inherit those tainted artifacts. Chainguard's emphasis on that process suggests a differentiated security posture in the software supply chain segment.
According to the post, Chainguard is recommending that customers continue to follow Aqua Security's guidance, acknowledging that malicious Trivy releases may still have entered customer environments through other distribution channels, regardless of whether Chainguard's own images were clean. This alignment with an external security vendor's recommendations underscores the broader industry impact of the incident beyond Chainguard's own product set.
The post also indicates that Chainguard is making its secure Trivy images available free of charge for the next 12 months to users who are not currently customers. For investors, this move could represent both a customer acquisition strategy and a brand-building effort, potentially expanding Chainguard’s user base while showcasing its secure build infrastructure in response to a high-visibility supply chain event.

