How the Trivy supply chain attack harvested credentials from secrets managers

Stolen keys, finger‑pointing, and a “this is an ad” pile‑on

TLDR: Attackers hid code in Trivy’s official release that copied API keys from build systems, and millions of automated jobs ran it. Comments split between “we already knew secrets in builds are risky,” accusations of a product pitch, and calls to pin versions and use short‑lived tokens to avoid a repeat.

The internet is losing it over the Trivy mess — attackers slipped credential‑stealing code into the popular security scanner, and automated build systems (think robot scripts that ship your app) happily ran it. Because most “secret keepers” ultimately hand your key to the job as a plain‑text value, the malware simply read it. Scans looked clean. Keys walked out the door. Cue maximum drama.

Right away, the author behind VaultProof jumped in: “keys in plain text are the real villain,” pitching its split‑key approach, in which no full key ever exists in the build. Some applauded the clarity, others rolled their eyes — “ad, thinly veiled as an article,” snapped one commenter, adding that rival tools like OneCli already do this. The “we told you so” crowd piled on too: veterans claimed everyone knew that secrets sitting in the build environment were an accident waiting to happen, and bragged that they already fork every third‑party GitHub Action. Meanwhile, pragmatists offered fixes: ditch the common secret interfaces that put keys in the build, use short‑lived tokens fetched just‑in‑time (no permanent keys!), and pin actions to immutable commit hashes instead of tags, which can be re‑pointed under your feet.

Memes flew: “CI/See‑Ya Keys,” “Trust Me Bro v0.69.4,” and screenshots of environment variables with dramatic red circles. Under the jokes, the vibe is clear: the attack worked because the keys were there to steal, and the community is torn between buying a new tool, practicing better hygiene, or both. Either way, nobody’s trusting their robots without receipts anymore.

Key Points

  • On March 19, 2026, attackers injected credential-harvesting code into Aqua Security’s Trivy v0.69.4 release binary.
  • The attack used mutable Git tags and a self-declared commit identity to compromise the official release.
  • Compromised trivy-action and setup-trivy GitHub Actions propagated the payload to millions of CI/CD pipelines.
  • The malware read plaintext API keys from environment variables set by secrets managers at runtime and exfiltrated them.
  • The article proposes VaultProof’s split-key architecture so that a full API key never exists in the CI/CD environment, leaving nothing to harvest.
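As an added illustration of the pinning advice above and the mutable‑tag key point (example code, not from the article, from VaultProof or from Aqua Security): a small Python audit that flags `uses:` references in a GitHub Actions workflow that point at tags or branches rather than full commit SHAs. The sample workflow and its tags are constructed, and the 40‑zero SHA is a placeholder, not a real commit.

```python
import re

# "uses: owner/repo[/path]@ref", optionally quoted, as written in a GitHub Actions workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"]+)")
# A full 40-hex commit id is the only reference an action can be pinned to that nobody can move.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_ref(ref):
    """Return 'sha' for a full commit pin, 'mutable' for tags, branches and short SHAs."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """List (line_no, action, ref, kind) for every remote action the workflow uses.

    Local actions (./path) and docker:// images carry no owner/repo@ref and are skipped.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            findings.append((line_no, action, ref, classify_ref(ref)))
    return findings


def unpinned(text):
    """Return only the actions whose reference a maintainer (or an attacker) could re-point."""
    return [f for f in audit_workflow(text) if f[3] == "mutable"]


# Constructed sample workflow: the tags are illustrative and the 40-zero SHA is a
# placeholder for a commit id you verified yourself, not a real trivy-action commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v1
      - uses: "aquasecurity/trivy-action@0000000000000000000000000000000000000000"
      - run: trivy fs .
"""

if __name__ == "__main__":
    for line_no, action, ref, _ in unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
```

Pinning to a SHA only closes the tag‑swap path; a compromised commit that you pin to is still compromised, so the pin has to be one you reviewed.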

Hottest takes

"keys existed as plaintext in the CI/CD environment" — Rial_Labs
"I think everyone knew that" — dboreham
"ad thinly veiled as an article" — figmert
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.