There is a question circling the industry right now, and it is one worth sitting with rather than answering too quickly: does AI in the development pipeline actually make the things we ship more secure, or does it mostly just give the bad actors a better toolkit?
The honest answer is probably both. Which is not a satisfying thing to say, but it happens to be true.
I do not remember exactly when it changed, because things like this never happen all at once. Maybe that is why it becomes so difficult to notice while it is happening: one year becomes another, life keeps moving, work keeps demanding things from you, and suddenly you wake up one morning with medication beside the coffee machine and realize that somewhere along the way your body stopped quietly cooperating with the life you built around stress, bad sleep, too much sitting still, and the constant idea that you would eventually take care of yourself later, when there was more time.
I have spent the past week trying to piece together what actually happened with Trivy. Reading advisories, cross-referencing timelines, digging through GitHub issues and incident discussions, trying to separate confirmed facts from speculation. The more I read, the less comfortable I got. Not because the details were unclear, but because they were clear, and the implications kept getting worse.
The tool you run to find vulnerabilities in your container images was the one stealing your cloud credentials. That is what happened on March 19, 2026, when Aqua Security's Trivy scanner and its GitHub Actions integration were compromised in one of the more targeted supply chain attacks I have seen against the DevSecOps ecosystem.
If you have been running aquasecurity/trivy-action in a CI/CD pipeline over the past few months, read this carefully.
There is a moment, somewhere around the third hour, when you realize you have mass-produced an entire ecosystem and you are no longer sure what half of it does.
It started with a small thing. A script, maybe. A helper tool. Something you could describe in two sentences. And then the machine responded, and it was good, and your brain lit up like a pinball machine. So you asked for more. And more. And suddenly you are not building one thing anymore; you are conducting an orchestra of twenty invisible workers who are all extremely eager to please, and not one of them will ever tell you to slow down.
On Christmas Day I woke up deaf in one ear. No warning. No gradual degradation. Just silence. The experience mirrors what happens in cybersecurity when sensors fail. The lesson is uncomfortable but clear: when visibility is gone, hesitation is the real threat.