Comment by h4kunamata

Still compromised: https://socket.dev/blog/trivy-under-attack-again-github-acti...

This is a very old vulnerability, and to see companies falling for it is mental.

The year is 2026 and companies are still using tag over hash. It is well known that you can release different code under the same tag without alerting users.