Is Qlty Software down?

Status: Identified We are currently investigating delays in Code Coverage processing. Coverage uploads that require mapping commits to pull requests may be delayed due to degraded performance in GitHub’s Pull Requests and Search APIs. This can impact the timely delivery of coverage statuses and comments on pull requests. Analysis processing is not affected. The issue is limited to coverage ingestion and reporting. We are actively monitoring the situation and will provide updates as GitHub recovers. For more information, see GitHub’s status page: https://www.githubstatus.com/: https://www.githubstatus.com/?utm_source=chatgpt.com Affected components Code Coverage (Degraded performance)

Status: Resolved This incident has been resolved. Affected components Code Coverage (Operational)

Status: Monitoring Security Status Report: Trivy v0.69.4 Compromise Severity: Critical (upstream supply chain compromise) Status: Monitoring What Happened On March 19, 2026, a threat actor used a previously stolen service account credential to push a backdoored release of Trivy: https://github.com/aquasecurity/trivy (v0.69.4). The poisoned release distributed malicious binaries through GitHub Releases, Homebrew, AWS ECR, and rewrote 75 of 76 version tags on the trivy-action GitHub Action. The malware payload functions as an infostealer — targeting CI runner memory, SSH keys, and cloud credentials (AWS, GCP, Azure, and Kubernetes service account tokens). This is the second significant Trivy supply chain compromise in less than a month, and represents a meaningful escalation in both sophistication and reach from the first. Full technical details have been published by Boost Security Labs. The poisoned release (v0.69.4) has since been removed. The known-safe version is v0.69.3. Impact on Qlty Customers Qlty supports Trivy as an optional plugin. We have assessed our exposure across two customer segments: Qlty Cloud Customers — Not Impacted We queried all recorded Trivy plugin invocations across Qlty Cloud and found zero executions of v0.69.4. Qlty Cloud customers were not impacted by this compromise. CLI-Only Customers — Likely Not Impacted Qlty does not automatically pull new plugin releases. Customers who have enabled the Trivy plugin without customizing its version are running v0.69.2 — which predates the compromised release and is unaffected. However, Qlty's plugin system allows version overrides in your .qlty/qlty.toml file. If you manually specified v0.69.4 as your Trivy version, Qlty would have downloaded and executed the compromised binary. If you are a CLI-only user and are unsure whether you overrode this version, please check your .qlty/qlty.toml now. What We're Doing This is the second critical Trivy supply chain compromise in under a month. After the first incident, we removed Trivy from Qlty's recommended plugins during onboarding. Given this repeated pattern, and given that a supply chain compromise of this nature can be the leading edge of a broader attack campaign, we believe the responsible path forward is to recommend disabling the plugin. As with any static analysis tool, users are ultimately responsible for choosing which tools to run in their environment — Qlty operates under a shared responsibility model, and we want to give you the information you need to make that call. Recommended Action To disable the Trivy plugin, remove the Trivy entry from the [plugin] section of your .qlty/qlty.toml file: # Remove or comment out the following block: [[plugin]] name = "trivy" We will communicate when we are confident it is safe to re-enable Trivy. Questions If you have questions about your specific environment or believe you may have been impacted, please reach out to us at [email protected]: mailto:[email protected].

Status: Resolved This incident has been resolved.

Status: Investigating Commit statuses on PRs are currently delayed. We are actively investigating and will update this page when resolved. Affected components Code Analysis (Partial outage) Code Coverage (Partial outage)

Status: Monitoring We've scaled up additional capacity and the backlog of analysis results being pushed to GitHub has now cleared. We're continuing to monitor while we investigate the underlying cause of the earlier delays. Affected components Code Analysis (Degraded performance) Code Coverage (Degraded performance)

Status: Resolved This incident has been resolved. Affected components Code Coverage (Operational) Code Analysis (Operational)

Status: Identified A recent update has caused format builds to fail during Qlty Cloud analysis. We've identified the issue and are actively working on a fix. In the meantime, as a workaround, you can format your code locally (using `qlty fmt`) and push your changes as usual. Affected components Code Analysis (Partial outage)

Status: Monitoring We have remediated the source of the incident and are monitoring. Affected components Code Analysis (Partial outage)

Status: Resolved This incident has been resolved. Affected components Code Analysis (Operational)