Qlty Software incident
Build failures for projects with Trivy enabled
Affected components
Update timeline
- identified Mar 02, 2026, 03:31 PM UTC
Status: Identified

Trivy experienced a security incident on 2026-03-01, which resulted in GitHub releases between v0.27.0 and v0.69.1 being deleted, causing build failures for any project using an affected version of the Trivy plugin.

Workarounds:
• Pin Trivy to v0.69.2 in your .qlty/qlty.toml
• Or temporarily disable the Trivy plugin until the situation is resolved

For more details on the upstream incident, see the Trivy security incident report: https://github.com/aquasecurity/trivy/discussions/10265.

Affected components: Code Analysis (Partial outage)
- monitoring Mar 02, 2026, 05:16 PM UTC
Status: Monitoring

CLI v0.615.0 has been released with the following fixes:
• Trivy is no longer enabled by default when generating a new qlty.toml
• Unpinned Trivy usage will now automatically use v0.69.2, the latest available release

If you have Trivy pinned to a specific version in your .qlty/qlty.toml, you will need to either update it to 0.69.2 or disable the plugin until the upstream situation is resolved.

For more details on the upstream incident, see the Trivy security incident report: https://github.com/aquasecurity/trivy/discussions/10265

Affected components: Code Analysis (Partial outage)
- resolved Mar 03, 2026, 02:52 PM UTC
Status: Resolved

We've released a fix for this issue. Here's what you need to know:
• No action needed if you don't have Trivy pinned to a specific version — Qlty will now automatically use the latest available release today (0.69.2).
• If you have Trivy pinned in your qlty.toml, you can remove the pinned version or update it to 0.69.2 to restore builds immediately.
• If you'd prefer not to change your config, you can temporarily disable the Trivy plugin to unblock your builds.

You can track Trivy's resolution progress here: https://github.com/aquasecurity/trivy/discussions/10265

Affected components: Code Analysis (Operational)