
SHA Pinning Is Not Enough
Tags: Cybersecurity, Supply Chain Security, Vulnerabilities, Credential Theft
The post discusses a recent incident in which the Trivy ecosystem was compromised and turned into a credential stealer. The author had previously advocated "pinning by SHA" as a security measure, a recommendation echoed by supply chain security guides, GitHub Actions hardening documentation, and online communities. The Trivy attack, however, showed that SHA pinning on its own may not be sufficient. The author suggests that this approach needs to be re-evaluated.