Migration note: Consolidated from ADR-0003 and ADR-0040 on 2026-05-02 per ADR-0047. Original files retained at `docs/adr/0003-grype-over-trivy.md` and `docs/adr/0040-aikido-security-scanner.md` with deprecation banners.
# APPSEC-0001: Supply Chain Scanning — Grype + Aikido
## Sources
- ADR-0003: Grype over Trivy for container image scanning (2026-03-31)
- ADR-0040: Aikido Security Scanner Evaluation (2026-04-26)
| Field | Value |
|---|---|
| ID | APPSEC-0001 |
| Date | 2026-04-26 |
| Status | Accepted |
| Author | Ben Peries |
| Phases | 2, 3 |
| ADO WI | WI-324 |
| Class | security/APPSEC |
## Context
### TeamPCP Supply Chain Incident — March 2026
In March 2026, the TeamPCP group compromised the Trivy supply chain, injecting a credential stealer into the trivy-action GitHub Action and the trivy binary at version v0.69.4. This decision followed direct observation of the incident during homelab build work in March 2026.
As a result, Grype (by Anchore) replaced Trivy as the platform's standard container image scanner. All container image scanning on the Archon platform uses Grype. Trivy is currently avoided across all pipelines, scripts, Ansible roles, and manual workflows.
Trivy reassessment gate: Trivy will be reassessed when the upstream project publicly resolves the incident and community trust is restored. A superseding ADR must be created before Trivy may be reintroduced.
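The avoidance clause above is easier to hold if something checks it on every run. The Python below is an added example, not a script from the Archon repositories: it scans pipeline, script and Ansible file contents for Trivy references (the binary, `trivy-action`, `.trivyignore`) and fails when any remain. The file paths and contents are constructed, and the set of scanned extensions, the `docs` exclusion and the comment stripping are assumptions.

```python
"""Fail the build if any pipeline, script or Ansible file still invokes Trivy.

Added example; not a script from the Archon repos. It enforces the ADR's
'Trivy is avoided across all pipelines, scripts, Ansible roles' clause by
scanning file contents for Trivy references outside documentation.
"""
import re
from pathlib import PurePosixPath

# Match the binary name, the GitHub Action and its ignore file, as whole tokens.
TRIVY_RE = re.compile(r"(?i)\btrivy(?:-action|ignore)?\b")
# Assumption: only files that can execute something are checked; docs may
# legitimately discuss Trivy (this ADR does).
SCANNED_SUFFIXES = {".yml", ".yaml", ".sh", ".ps1", ".py"}
SKIPPED_DIRS = {"docs"}


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment so history notes do not trip the check.
    Crude for YAML/shell (ignores quoting); acceptable for a lint gate."""
    return line.split("#", 1)[0]


def find_trivy_references(files: dict) -> list:
    """files: {path: content}. Returns (path, line_number, line) for each hit."""
    hits = []
    for path, content in sorted(files.items()):
        p = PurePosixPath(path)
        if p.suffix not in SCANNED_SUFFIXES or SKIPPED_DIRS & set(p.parts[:-1]):
            continue
        for n, line in enumerate(content.splitlines(), 1):
            if TRIVY_RE.search(_strip_comment(line)):
                hits.append((path, n, line.strip()))
    return hits


def trivy_gate_passes(files: dict) -> bool:
    """True when no executable file references Trivy."""
    return not find_trivy_references(files)


# Constructed repo snapshot (not real Archon content): two offenders, one clean
# script whose only Trivy mention is a comment, and one doc that is out of scope.
SAMPLE_FILES = {
    "azure-pipelines/build.yml": (
        "steps:\n"
        "  - script: grype $(imageRef) --fail-on high -o json --file grype.json\n"
        "    displayName: Grype image gate\n"
        "  - script: trivy image $(imageRef)   # leftover step\n"
    ),
    "ansible/roles/scan/tasks/main.yml": (
        "- name: scan filesystem\n"
        "  ansible.builtin.command: /usr/local/bin/trivy fs /opt\n"
    ),
    "scripts/scan.sh": (
        "#!/bin/sh\n"
        "# trivy was replaced by grype per ADR-0003\n"
        "grype dir:. --fail-on high\n"
    ),
    "docs/adr/0003-grype-over-trivy.md": "Trivy was replaced by Grype in March 2026.\n",
}


if __name__ == "__main__":
    import sys
    for path, n, line in find_trivy_references(SAMPLE_FILES):
        print(f"{path}:{n}: {line}")
    sys.exit(0 if trivy_gate_passes(SAMPLE_FILES) else 1)
```

In a real run, build the `files` dict by walking the checked-out repo; the exit code makes it usable as a pipeline step or pre-commit hook. The comment stripping means a note such as "replaced trivy with grype" does not fail the check, while an actual invocation does.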
### Scanning Gap Inventory (as of ADR-0040)
Grype covers container image CVE detection and open-source dependency vulnerabilities. The remaining gap inventory at the time of ADR-0040:
| Category | Tool | Status |
|---|---|---|
| Container image / SCA | Grype | Covered (ADR-0003) |
| SAST | None | Gap |
| Secrets detection | None | Gap |
| IaC scanning | None | Gap |
| CSPM (cloud posture) | None | Gap |
| DAST | None | Gap |
The platform has six active repos (archon-platform, archon-apps, archon-docs, archon-cloud, archon-pipelines, archon-web), Terraform in archon-cloud, Ansible in archon-platform, and an Azure subscription with Cloudflare.
### Solo Operator Constraint
The platform is operated by a single person. Any security tooling must be low-overhead: ideally a single pane of glass, minimal per-scanner config, and a free tier that fits the homelab scale (under 10 repos active at any one time, single cloud account, no enterprise budget).
## Decision
Option B: Aikido augments Grype (scope split).
Grype remains the container image and SCA scanner for ADO pipeline gates, unchanged. Aikido is adopted as the supplemental scanner covering SAST, secrets detection, IaC scanning, and CSPM.
### Scope Split
| Category | Tool | Pipeline integration |
|---|---|---|
| Container image CVEs | Grype | ADO pipeline step (existing) |
| Open-source SCA (primary) | Grype | ADO pipeline step (existing) |
| SAST | Aikido | Aikido CI extension or local scanner |
| Secrets detection | Aikido | Aikido CI extension or local scanner |
| IaC scanning | Aikido | Aikido CI extension or local scanner |
| Open-source SCA (secondary) | Aikido | Dashboard triage (not blocking gate) |
| CSPM | Aikido | Continuous (Azure subscription linked) |
| DAST | Aikido | Future (scoped to public-facing endpoints) |
When Aikido and Grype produce conflicting SCA findings for the same dependency, Grype is authoritative for pipeline blocking decisions. Aikido SCA findings are triaged in the dashboard as informational context.
## Options Considered
### Option A: Aikido replaces Grype
Aikido becomes the single scanner for all categories; Grype removed from pipelines; ADR-0003 superseded.
Rejected because: eliminates a proven local, zero-egress tool for container scanning in favour of a SaaS dependency on the critical build path. Aikido cloud scanning sends built container layers to external infrastructure — a worse risk profile than the current one. Supply chain trust concern: Anchore (US, enterprise-focused, SOC 2 Type II) is in a higher trust tier than a Belgian startup.
### Option B: Aikido augments Grype (selected)
Grype stays for container scanning; Aikido fills SAST/secrets/IaC/CSPM gaps with a clean scope split.
Selected because: blast radius is limited if Aikido has a supply chain incident (container gate stays intact under Grype); data residency risk is lower (Grype never egresses container layers; Aikido local scanner keeps source code on-premises); ADR-0003 and Trivy reassessment logic are unchanged.
### Option C: Status quo (Grype only)
Accept SAST, secrets, IaC, and CSPM gaps as out of scope.
Rejected because: SAST and secrets gaps are not theoretical; a platform that presents itself as security-capable but has no SAST or secrets detection is not credible at a CIO or CISSP level.
## Aikido Data Egress Model
Aikido offers two deployment modes for code scanning:
- Cloud-connected (default): Aikido performs a read-only git clone in an ephemeral container on their infrastructure. Source code is not retained after analysis. Findings (file paths, line numbers, snippet context) are stored in the Aikido platform.
- Local scanner: Scans run inside the operator's environment. Source code does not leave the premises. Findings (not code) are uploaded to Aikido's dashboard. This mode satisfies the code residency requirement.
The local scanner is used for SAST/secrets/IaC. CSPM requires cloud account read permissions granted to Aikido's SaaS — this is standard for any CSPM tool and is accepted given the Azure subscription contains no production customer data.
## Tool Comparison
| Tool | SAST | SCA | Secrets | Container | IaC | CSPM | Free tier | Notes |
|---|---|---|---|---|---|---|---|---|
| Aikido | Yes | Yes | Yes | Yes | Yes | Yes | 10 repos, 1 cloud | Local scanner option |
| Snyk | Partial | Yes | Partial | Yes | Yes | No | 200 tests/month | Test limit hits fast |
| Semgrep | Yes | No | No | No | No | No | 50 repos, Pro rules | SAST only |
| Grype | No | Yes | No | Yes | No | No | Unlimited (local) | Current standard |
## Consequences
### Positive
- SAST, secrets, IaC, and CSPM coverage added with a single free-tier account
- Grype pipeline gates are unaffected; no regression risk on container scanning
- If Aikido has a supply chain incident, container scanning remains intact
- Portfolio posture: six-category coverage is demonstrably more credible than Grype-only
### Negative / Risks
- Aikido is a SaaS dependency. SAST and secrets findings are stored on Aikido's platform. Grype-only remains the fallback if Aikido has an incident or changes pricing.
- Overlapping SCA findings require a documented triage policy.
- CSPM requires Azure read permissions granted to Aikido's SaaS; scope to read-only and review annually.
- ADO pipeline integration adds a step. Aikido Marketplace extension must be vetted before adding.
### Neutral
- Trivy reassessment status is unchanged — ADR-0003's open clause remains. This ADR does not affect the Trivy reassessment timeline.
- All Aikido API tokens must be stored in Infisical (IAM-0001) and never hardcoded.
## Implementation Notes
- Create an Aikido free account linked to the ADO organisation.
- Connect the six repos to Aikido. Priority: archon-platform, archon-pipelines, archon-cloud, archon-apps, archon-docs, archon-web.
- Configure the local scanner for code scanning so source code does not leave the premises.
- Link the Azure subscription for CSPM. Grant read-only scope only.
- Add the Aikido CI step to archon-platform and archon-pipelines ADO pipelines. Vet the Marketplace extension; local scanner CLI is an acceptable alternative.
- Store the Aikido API token in Infisical under the archon-platform project (prod environment) before adding to any pipeline.
- Triage the initial finding backlog. Create ADO work items for confirmed issues; suppress false positives at the Aikido dashboard level.
- Document the Grype/Aikido SCA triage policy as a platform runbook entry.
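The conflict rule in the Decision section (Grype is authoritative for pipeline blocking; Aikido SCA findings are informational) and the last implementation note (document the triage policy as a runbook entry) both want a concrete form of the gate. The following is an added example, not the Archon platform's own pipeline code: it reads Grype's JSON output, blocks on High and Critical, and annotates Aikido findings for dashboard triage without letting them block. The Grype fields used are those of `grype <image> -o json --file grype.json` (`matches[].vulnerability.{id,severity,fix.versions}` and `matches[].artifact.{name,version}`); the Aikido export shape (flat rows of package, version, cve, severity) and the High threshold are assumptions, and the sample data is constructed.

```python
"""Grype-authoritative SCA gate with Aikido findings as informational context.

Added example for APPSEC-0001; not the Archon platform's own pipeline code.
Assumes Grype JSON output (`grype <image> -o json --file grype.json`). The
Aikido export shape below is an assumption, not Aikido's documented format.
"""
import json
import sys
from dataclasses import dataclass

# Grype severity labels, ordered. The gate blocks at BLOCK_AT and above (assumed threshold).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
BLOCK_AT = "High"


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str   # normalised to Grype's capitalised labels
    fixed_in: tuple  # fix versions, empty if none known
    source: str      # "grype" or "aikido"

    @property
    def key(self):
        return (self.package, self.version, self.vuln_id)


def parse_grype(doc: dict) -> list:
    """Map Grype's `matches` array into Findings."""
    out = []
    for m in doc.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        out.append(Finding(a["name"], a["version"], v["id"], v.get("severity", "Unknown").title(),
                           tuple(v.get("fix", {}).get("versions", [])), "grype"))
    return out


def parse_aikido(rows: list) -> list:
    """Map the assumed Aikido SCA export rows ({package, version, cve, severity}) into Findings."""
    return [Finding(r["package"], r["version"], r["cve"], r["severity"].title(), (), "aikido")
            for r in rows]


def evaluate(grype: list, aikido: list) -> dict:
    """Apply the APPSEC-0001 scope split:
    - only Grype findings at or above BLOCK_AT block the pipeline;
    - Aikido findings never block; each is annotated for dashboard triage, and a
      severity disagreement on the same dependency records Grype as authoritative.
    """
    grype_by_key = {f.key: f for f in grype}
    blocking = [f for f in grype if SEVERITY_RANK.get(f.severity, 0) >= SEVERITY_RANK[BLOCK_AT]]
    informational = []
    for f in aikido:
        g = grype_by_key.get(f.key)
        if g is None:
            note = "aikido-only: not reported by Grype; triage in dashboard, not a gate"
        elif g.severity != f.severity:
            note = f"severity conflict: Grype={g.severity} (authoritative), Aikido={f.severity}"
        else:
            note = "agrees with Grype"
        informational.append({"finding": f, "note": note})
    return {"blocked": bool(blocking), "blocking": blocking, "informational": informational}


def run_gate(grype_doc: dict, aikido_rows: list) -> dict:
    """Parse both inputs and apply the policy; returns the evaluate() dict."""
    return evaluate(parse_grype(grype_doc), parse_aikido(aikido_rows))


# Constructed sample input (not real scan output, CVE IDs are placeholders): two Grype
# matches and two Aikido rows, one overlapping with Grype at a different severity.
SAMPLE_GRYPE = {"matches": [
    {"vulnerability": {"id": "CVE-2000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libfoo", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-2000-0002", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libbar", "version": "2.0.0"}},
]}
SAMPLE_AIKIDO = [
    {"package": "libfoo", "version": "1.2.3", "cve": "CVE-2000-0001", "severity": "high"},
    {"package": "libbaz", "version": "0.9.0", "cve": "CVE-2000-0003", "severity": "critical"},
]


if __name__ == "__main__":
    # Pipeline usage: python sca_gate.py grype.json aikido.json ; exit 1 blocks the build.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as g, open(sys.argv[2]) as a:
            result = run_gate(json.load(g), json.load(a))
    else:
        result = run_gate(SAMPLE_GRYPE, SAMPLE_AIKIDO)
    for f in result["blocking"]:
        print(f"BLOCK {f.vuln_id} {f.package}@{f.version} {f.severity} fix={','.join(f.fixed_in) or 'none'}")
    for item in result["informational"]:
        f = item["finding"]
        print(f"INFO  {f.vuln_id} {f.package}@{f.version} {f.severity}: {item['note']}")
    sys.exit(1 if result["blocked"] else 0)
```

On the sample data the build is blocked by the Grype Critical on libfoo; Aikido's differing severity for the same dependency is recorded as a conflict with Grype authoritative, and Aikido's Critical on libbaz (not seen by Grype) is reported but does not block. That is the asymmetry the scope split relies on: a false positive or an outage on the Aikido side cannot fail or unblock the container gate.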
## References
- Grype (Anchore)
- Aikido Security
- Aikido local scanner documentation
- TeamPCP supply chain compromise of Trivy, March 2026 (observation date: March 2026; incident: trivy-action and trivy binary v0.69.4)
- APPSEC-0002: Public docs DLP controls
- SECOPS-0001: Purple team tooling (references Grype for simulation infrastructure scanning)
- WI-324 — ADR-0040 Aikido Security Scanner Evaluation