Hacker News
Trivy Security incident 2026-03-19 (github.com)
17 points by l2dy 84 days ago
2 comments

This is embarrassing. Trivy is a product I've recommended to a lot of people, and have even included it in my book on Terraform, but it's going to be very difficult recommending it going forward if they are going to continue to fail to protect their own artifacts and distribution chains.

I don't expect my security tools to introduce back doors to my own build processes, and I especially don't expect to see it twice in three weeks.

Some discussion today.

https://news.ycombinator.com/item?id=47471805

There have been multiple posts on the topic, but none have gained traction.