Catching the KICS push: what happened, and the case for open, fast collaboration
In the past few weeks we’ve worked through two supply chain compromises on Docker Hub with a similar shape: first Trivy, now Checkmarx KICS. In both cases, stolen publisher credentials were used to push malicious images through legitimate publishing flows. In both cases, Docker’s infrastructure was not breached. And in both cases, the software supply chain of everyone who pulled the compromised tags was briefly exposed. This is our account of what happened