The irony of a security scanner being the supply chain attack vector is exactly the kind of thing that should keep every DevSecOps team up at night. Security tooling runs with elevated privileges by design — it needs to read configs, scan filesystems, access container registries. That makes it a high-value target for supply chain compromise. The Trivy case is a good reminder that your security tools are part of your attack surface, not outside it. Verifying signatures and pinning versions for security dependencies should be treated with the same rigor as production code dependencies, if not more.