ZAP security in the light of Trivy hacks


Jernej Rus

Mar 25, 2026, 3:44:13 AM (7 days ago) Mar 25
to ZAP User Group
Hello. This might interest you. Trivy, a popular vulnerability scanner, has been hacked twice, on 2026-03-01 and on 2026-03-19. The second hack is ongoing and has the ID CVE-2026-33634. The hackers used GitHub Actions to compromise the binary, image, and more. The hack has spread to two Checkmarx GitHub Actions.

Given that ZAP provides GitHub Actions and is maintained by Checkmarx, is there a possibility that it might also be or become compromised?

Simon Bennetts

Mar 25, 2026, 5:26:06 AM (7 days ago) Mar 25
to ZAP User Group
Hiya,

Yes, we do know of this attack and have performed due diligence.
The ZAP team maintains a completely separate infrastructure to Checkmarx - all of our repos are in the GitHub zaproxy org and all of the key ones are public.
I think it's fair to say that ZAP is maintained by the ZAP team, most of whom are employed by Checkmarx :)

We do not use trivy anywhere in our infrastructure and are not affected by this hack.

Cheers,

Simon

Jernej Rus

Mar 25, 2026, 5:28:34 AM (7 days ago) Mar 25
to ZAP User Group
Great, thank you for clarifying.