DEPRECATED — 2026-05-02. Consolidated into docs/adr/security/APPSEC/APPSEC-0001-supply-chain-scanning.md per ADR-0047. This file is retained for cross-reference continuity only.
# ADR-0003: Grype over Trivy for container image scanning

## Status
Accepted — 2026-03-31
## Context
Container image scanning is required in all CI/CD pipelines before deployment. In March 2026, the TeamPCP group compromised the Trivy supply chain, injecting a credential stealer into the trivy-action GitHub Action and the trivy binary at version v0.69.4.
This decision was made after direct observation during homelab build work in March 2026.
## Decision
All container image scanning on the Archon platform uses Grype (by Anchore) as a replacement for Trivy.
Trivy is currently avoided across all pipelines, scripts, Ansible roles, and manual workflows. This is a risk-based temporary decision, not a permanent ban.
Trivy will be reassessed when the upstream project publicly resolves the incident and community trust is restored. A superseding ADR must be created before Trivy may be reintroduced.
## Alternatives Considered

- **Trivy** — Supply chain compromise in March 2026 by TeamPCP. Credential stealer injected into trivy-action and the trivy binary at v0.69.4. Avoided until upstream resolves the incident.
- **Snyk** — SaaS dependency, not self-hostable without an enterprise license. Excluded for cost and vendor lock-in.
- **Clair** — More complex to operate, less actively maintained. Lower priority than Grype.
## Consequences

- All existing references to Trivy in scripts or docs must be replaced with Grype
- Grype DB must be kept updated (`grype db update`)
- Trivy status should be periodically reviewed for upstream resolution
- A new ADR is required before any reintroduction of Trivy
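A small pipeline helper covering the two operational consequences above: refreshing the Grype DB before every scan and auditing a checkout for leftover Trivy references. This is an added example, not Archon's or Grype's own tooling; it assumes `grype` is on PATH and that the `--fail-on` and `-o` flags of the grype CLI are available.

```shell
#!/usr/bin/env bash
# Added example for ADR-0003 (not part of the Archon repo or of Grype).
# Assumes: grype on PATH; an image reference as the first argument to
# grype_scan; a repository root as the first argument to find_trivy_refs.
set -euo pipefail

# CI gate: refresh the vulnerability DB first (the ADR requires it to be
# kept current), then scan. --fail-on makes grype exit non-zero when any
# match at or above the given severity is found, which fails the pipeline.
grype_scan() {
  local image="$1" severity="${2:-high}"
  grype db update
  grype "$image" --fail-on "$severity" -o table
}

# Migration audit: list files under the repo root that still mention
# Trivy (workflows, Ansible roles, scripts, docs). Prints the matching
# paths and returns 1 if any were found, 0 if the tree is clean.
find_trivy_refs() {
  local root="$1" hits
  hits=$(grep -rIil --exclude-dir=.git -e 'trivy' "$root" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Usage from a pipeline step:
#   find_trivy_refs . && grype_scan "registry.example/app:${GIT_SHA}" high
```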
## References
- https://github.com/anchore/grype
- Observation date: March 2026
- Incident: TeamPCP supply chain compromise of trivy-action and trivy binary v0.69.4