
How to Detect and Recover From a Compromised Container Scanner
So you're running Trivy in your CI/CD pipeline, scanning every image before it hits production, feeling pretty good about your security posture. Then you wake up to a PSA on Reddit telling you the scanner itself was compromised. Yeah, that happened. This is the nightmare scenario for supply chain security — the tool you trust to find vulnerabilities becomes the vulnerability. Let me walk you through what happened, how to check if you're affected, and how to harden your setup so you're not caught flat-footed next time.

What Actually Happened

The compromise targeted Trivy's vulnerability database — the OCI artifact that Trivy pulls down to know what CVEs to scan for. An attacker managed to push a malicious database update to the public registry. When Trivy automatically fetched its latest vulnerability definitions (which it does by default on every run), affected users pulled down a poisoned database. This is particularly nasty because Trivy didn't need to be "hacked" in the traditional
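A check a defender can run on each CI runner's Trivy cache, added here as an example and not taken from the post or the Trivy project: it reads the metadata.json that Trivy stores beside its vulnerability DB and reports whether that DB was fetched inside a suspect window. The sample metadata and the window are constructed placeholders; the real window comes from the vendor's advisory.

```python
"""Flag a cached Trivy vulnerability DB that was pulled during a suspect window.
Assumes Trivy's cache layout (<cache_dir>/db/metadata.json with Version,
UpdatedAt, NextUpdate, DownloadedAt); the window is supplied by the operator."""
import json
import re
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of the metadata.json Trivy writes next to trivy.db.
SAMPLE_METADATA = {
    "Version": 2,
    "NextUpdate": "2025-01-02T12:00:00Z",
    "UpdatedAt": "2025-01-02T06:00:00Z",
    "DownloadedAt": "2025-01-02T07:30:15.123456789Z",
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse Go-style RFC3339 stamps (nanosecond fractions, trailing Z)."""
    ts = re.sub(r"\.\d+", "", ts)        # drop sub-second digits
    ts = ts.replace("Z", "+00:00")       # fromisoformat needs an explicit offset
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def classify_db(meta: dict, window_start: str, window_end: str, now: str = "") -> dict:
    """Verdict for one cached DB: was it pulled in the window, and is it stale?"""
    downloaded = parse_rfc3339(meta["DownloadedAt"])
    updated = parse_rfc3339(meta["UpdatedAt"])
    start, end = parse_rfc3339(window_start), parse_rfc3339(window_end)
    current = parse_rfc3339(now) if now else datetime.now(timezone.utc)
    # Either the download itself or the DB build falling in the window is suspect.
    in_window = start <= downloaded <= end or start <= updated <= end
    return {
        "db_version": meta.get("Version"),
        "downloaded_at": downloaded.isoformat(),
        "pulled_in_window": in_window,
        "stale": parse_rfc3339(meta["NextUpdate"]) < current,
        "action": "purge cache and re-pull from a trusted source" if in_window else "ok",
    }


def check_cache_dir(cache_dir: str, window_start: str, window_end: str) -> dict:
    """Read <cache_dir>/db/metadata.json (Trivy's layout) and classify it."""
    meta = json.loads(Path(cache_dir, "db", "metadata.json").read_text())
    return classify_db(meta, window_start, window_end)


if __name__ == "__main__":
    # Placeholder window; substitute the one from the advisory.
    print(classify_db(SAMPLE_METADATA, "2025-01-02T07:00:00Z", "2025-01-02T09:00:00Z"))
```

Run it against the directory you pass to Trivy's `--cache-dir` on each runner before that runner scans anything else.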
Continue reading on Dev.to DevOps