Resolved
We've released a fix for this issue. Here's what you need to know:
No action is needed if you don't have Trivy pinned to a specific version — Qlty will now automatically use the latest available release (0.69.2 as of today).
If you have Trivy pinned in your qlty.toml, you can remove the pinned version or update it to 0.69.2 to restore builds immediately.
If you'd prefer not to change your config, you can temporarily disable the Trivy plugin to unblock your builds.
You can track Trivy's resolution progress here: https://github.com/aquasecurity/trivy/discussions/10265
Monitoring
CLI v0.615.0 has been released with the following fixes:
Trivy is no longer enabled by default when generating a new qlty.toml
Unpinned Trivy usage will now automatically use v0.69.2, the latest available release
If you have Trivy pinned to a specific version in your .qlty/qlty.toml, you will need to either update it to 0.69.2 or disable the plugin until the upstream situation is resolved.
For more details on the upstream incident, see the Trivy security incident report: https://github.com/aquasecurity/trivy/discussions/10265
Identified
Trivy experienced a security incident on 2026-03-01, which resulted in GitHub releases between v0.27.0 and v0.69.1 being deleted, causing build failures for any project using an affected version of the Trivy plugin.
Workarounds:
Pin Trivy to v0.69.2 in your .qlty/qlty.toml
Or temporarily disable the Trivy plugin until the situation is resolved
For more details on the upstream incident, see the Trivy security incident report: https://github.com/aquasecurity/trivy/discussions/10265