Date: April 2, 2026
Overview
In response to the recently disclosed supply chain compromise affecting certain versions of Trivy, our Security Operations and Engineering teams immediately initiated a comprehensive internal analysis. This advisory informs Cumulocity customers and partners that all necessary investigative and remediation actions have been completed.
Ref: Trivy ecosystem supply chain temporarily compromised · Advisory · aquasecurity/trivy · GitHub
Our Response Actions
To ensure the integrity of all the components of Cumulocity and the security of our customers, the following measures were taken:
- Workflow Audit: We reviewed our component repositories and CI pipelines to identify every instance of the affected Trivy components, including action references and direct binary downloads.
- Forensic Verification: For every instance found to have used the affected versions during the exploit window, we verified the hash of each pulled asset against its known-good checksum. This confirmed that no malicious code was introduced into our environments.
- Proactive Remediation: As a precautionary measure, we completed a full rotation of all organizational secrets and API keys associated with our scanning and compliance workflows.
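The first two steps above are the kind of check any team consuming Trivy in CI can reproduce. The script below is an added illustration, not Cumulocity's internal tooling: it scans GitHub Actions workflow files for Trivy dependencies (both `uses:` action references and direct downloads from the aquasecurity/trivy repository), reports whether each is pinned to an immutable commit SHA, and verifies a pulled asset against a sha256sum-style checksum list. The workflow files, asset bytes and checksum list are constructed for the example; because the advisory does not list the affected versions, the script reports every Trivy dependency rather than deciding which ones were compromised.

```python
"""Added example: audit CI workflows for Trivy dependencies and verify pulled
assets against known-good SHA-256 digests. Not Cumulocity's own tooling; the
sample workflow files, asset bytes and checksum list are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample workflows for a hypothetical repository.
SAMPLE_WORKFLOWS = {
    ".github/workflows/scan.yml": """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
""",
    ".github/workflows/release.yml": """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
          trivy fs .
""",
}

# `uses: owner/repo[/path]@ref`; the ref decides whether the pipeline follows a
# mutable tag or branch (re-pointable by whoever controls the repo) or a commit.
USES_RE = re.compile(r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(?P<ref>[^\s#]+)")
# Direct downloads (curl | sh, release archives) are pipeline dependencies too.
DOWNLOAD_RE = re.compile(r"https?://\S*aquasecurity/trivy\S*")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str            # "action" or "download"
    reference: str       # "owner/repo@ref" or the download URL
    pinned_to_sha: bool  # True only when a full 40-hex commit SHA is used


def audit_workflows(workflows: dict[str, str], owner: str = "aquasecurity") -> list[Finding]:
    """Return every Trivy-related dependency found in the given workflow files."""
    findings = []
    for path, text in workflows.items():
        for m in USES_RE.finditer(text):
            action, ref = m.group("action"), m.group("ref")
            if not action.lower().startswith(owner.lower() + "/"):
                continue
            findings.append(Finding(path, "action", f"{action}@{ref}",
                                    bool(FULL_SHA_RE.match(ref))))
        for url in DOWNLOAD_RE.findall(text):
            pinned = any(FULL_SHA_RE.match(seg) for seg in url.split("/"))
            findings.append(Finding(path, "download", url, pinned))
    return findings


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            table[parts[1].lstrip("*")] = parts[0].lower()
    return table


def verify_asset(name: str, data: bytes, checksums: dict[str, str]) -> bool:
    """True only if the asset's SHA-256 equals its recorded known-good digest."""
    expected = checksums.get(name)
    if expected is None:
        return False  # an asset with no recorded digest cannot be trusted
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


if __name__ == "__main__":
    for f in audit_workflows(SAMPLE_WORKFLOWS):
        print(f"{f.path}: {f.kind} {f.reference} pinned_to_sha={f.pinned_to_sha}")
    # Constructed stand-in for a downloaded release archive and its checksum line.
    good = b"constructed stand-in for a trivy release archive"
    checksums = parse_checksums(f"{hashlib.sha256(good).hexdigest()}  trivy_example.tar.gz\n")
    print(verify_asset("trivy_example.tar.gz", good, checksums))            # True
    print(verify_asset("trivy_example.tar.gz", good + b"\x00", checksums))  # False
```

Run against a real checkout, the two unpinned findings (a branch reference and a `main` install script URL) are the ones to prioritise, since a mutable reference is exactly what a repository-side compromise can redirect; the checksum list should come from a copy recorded before the exploit window, not re-fetched from the same source as the asset.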
Conclusion
Based on our detailed impact analysis, we have confirmed that all Cumulocity components and software offerings remain entirely unaffected by this supply chain attack.
No action is required from our customers. We remain committed to maintaining the highest standards of security. We will continue to monitor the situation and update our security protocols as necessary to defend against evolving supply chain threats.
Cumulocity Security team