Confirm MSDO Trivy distribution is unaffected by supply chain attack

[ekbaramundi]

On March 19, 2026, malicious Trivy versions 0.69.4–0.69.6 were published to Docker Hub and GitHub Releases (see aquasecurity/trivy#10425)

Is the SecDevTools NuGet feed confirmed unaffected?
Is the NuGet package built from verified source, or repackaged from GitHub Releases?
Does MSDO have integrity checks that would prevent a compromised upstream binary from entering the feed?
Environment: MSDO CLI 0.215.0, MicrosoftSecurityDevOps@1, Azure DevOps hosted agents (Windows)

[DimaBir]

Hi @ekbaramundi, thank you for raising this — completely valid questions given the severity of the incident.

TL;DR: MSDO users are confirmed unaffected by the Trivy supply chain attack.

To address each of your questions directly:

Is the SecDevTools NuGet feed confirmed unaffected?

Yes. The malicious Trivy versions (0.69.4–0.69.6) were never published to our feed. The latest Trivy version in our registry is v0.69.3, which was installed before the March 19 attack. Since MSDO resolves Trivy from this Microsoft-managed feed — not directly from Aqua's GitHub Releases or Docker Hub — the compromised binaries never entered our distribution pipeline.

Is the NuGet package built from verified source, or repackaged from GitHub Releases?

Trivy is preinstalled into our registry from verified upstream sources. The key point is that this is a manual, controlled process — new versions are not automatically synced from Aqua's release pipeline. This means even during the ~3-hour window when v0.69.4 was live on GitHub Releases and Docker Hub, our feed continued serving the clean v0.69.3.

Does MSDO have integrity checks that would prevent a compromised upstream binary from entering the feed?

The primary protection in this case was the registry-based distribution model itself — new Trivy versions do not flow automatically from upstream into our feed. This architectural separation is what prevented exposure. We are actively working on additional automated monitoring that will check upstream advisories and vulnerability databases (OSV.dev, GitHub Advisory Database, NVD, CISA KEV) before any new tool version is ingested into our registry.

Summary:

• ✅ v0.69.3 (safe) is what all MSDO users resolve, regardless of whether they pin a version or use the default
• ❌ v0.69.4–0.69.6 (malicious) never entered the SecDevTools feed
• ✅ No IOCs observed — no connections to scan.aquasecurtiy[.]org (45.148.10.212), no tpcp-docs repository artifacts
• ✅ No action required from MSDO users for this specific incident

We are tracking the broader Trivy situation via aquasecurity/trivy#10425 and will update this issue if anything changes.

For reference, the safe upstream versions confirmed by Aqua Security are:

• Trivy CLI: v0.69.3
• trivy-action: v0.35.0 (SHA: 57a97c7e7821a5776cebc9bb87c984fa69cba8f1)
• setup-trivy: v0.2.6

[alles60]

I would then advise that a change be applied to the README. It currently says:

Installs the latest Microsoft and 3rd party security tools

According to @DimaBir , it should probably specify that validated versions are installed, not latest.

[DimaBir]

CC: @jbrotsos