Aqua Security
An Israeli cloud-native security vendor and publisher of the Trivy open-source vulnerability scanner.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Aqua Security sells supply-chain security tools; how does it explain Trivy becoming a supply-chain attack vector?
Timeline for Aqua Security
Mentioned in: UNC6780 takes Cisco AI Defense source code
Cybersecurity: Threats and Defences - What is Aqua Security and what happened to its Trivy scanner?
- Aqua Security is an Israeli cloud-native security company that publishes Trivy, a widely used open-source vulnerability scanner. In March 2026 a supply-chain vulnerability in Trivy (CVE-2026-33634) was exploited by UNC6780 to steal credentials from enterprise CI/CD pipelines, eventually enabling the theft of over 300 private Cisco GitHub repositories. Source: GTIG / SANS ISC
Did Aqua Security acknowledge the Trivy supply-chain attack?
- Aqua Security had not published its own scope assessment or attribution analysis of CVE-2026-33634 at the time of GTIG's May 2026 report. The attack chain analysis came from GTIG and SANS ISC rather than Aqua. Source: GTIG
Background
Aqua Security is an Israeli cloud-native security company founded in 2015, specialising in container security, cloud workload protection, and software supply-chain security. It publishes the Trivy open-source vulnerability and configuration scanner, one of the most widely deployed container and code security tools in enterprise CI/CD pipelines. Aqua Security's commercial products include Aqua Platform, a cloud-native application protection platform used by enterprises and regulated-sector organisations globally.
The March 2026 supply-chain compromise of Trivy via CVE-2026-33634 is the most significant incident directly implicating Aqua Security's open-source tooling. The vulnerability allowed UNC6780 to harvest credentials from Trivy-audited pipelines, ultimately enabling the theft of Cisco's private GitHub repositories. Aqua Security had not published its own scope assessment or attribution analysis of the CVE-2026-33634 exploitation at the time of GTIG's May 2026 report; the technical analysis of the attack chain came from GTIG and SANS ISC rather than Aqua.
The Trivy incident places Aqua Security in a reputationally sensitive position: a company whose commercial offering is software supply-chain security had its marquee open-source product used as the upstream entry point in a high-profile supply-chain attack. The incident underscores that supply-chain security tooling itself is not immune to supply-chain risk, a structural argument Aqua Security's own commercial products make about customer software.