#2 — RSAC 2026 Opens: AI Agent Security Dominates, Trivy Compromised Twice

AppSec Santa Weekly is a weekly newsletter that tracks new AppSec tools and the latest releases from 196+ existing ones. Each issue covers what shipped, what changed, and why it matters.

This week I counted six vendors launching “AI agent security” products at RSAC. I lost track of the press releases after the third one.

Meanwhile, a security scanner got weaponized against its own users — for the second time in three weeks. Busy week.

This Week at a Glance

25 releases across 5 active categories this week.

• SCA (12) — Renovate 5 releases, FOSSA 3 releases, Grype v0.110 APK matching fix, Snyk CLI adds agent red-teaming
• IaC Security (6) — Mondoo v13.1–13.2 adds SageMaker + F5 checks, Checkov TLS fix, Kubescape, Conftest, KubeArmor
• Mobile (3) — MobSF v4.4.6 patches SQLi in its own code, Ostorlab adds 2FA
• ASPM (3) — Harbor v2.15.0, NeuVector v5.5.0, DefectDojo 2.56.3
• SAST (1) — TruffleHog v3.94.0 Datadog verification fix

Quiet this week: DAST, IAST, RASP, AI Security, API Security

But the real action was at RSAC 2026 and in supply chain attacks. Read on.

New on the Radar

RSAC 2026 and the AI agent security rush — Every major vendor launched agent security at RSAC this week. Here’s who shipped what:

• Snyk — Agent Security : MCP server governance (Agent Scan), red-teaming via CLI --profile flag, Snyk Studio for Claude Code/Cursor/Devin (300+ enterprise deployments)
• CrowdStrike — Falcon AI Runtime Protection + Shadow AI Discovery; already detects 1,800+ AI apps on enterprise devices
• Microsoft — Zero Trust for AI (ZT4AI) framework + Agent 365 (GA May 1)
• SentinelOne — Prompt AI Agent Security with MCP governance
• Palo Alto — Prisma AIRS 3.0 + Cortex Cloud (merging Prisma Cloud and Cortex CDR)
• Geordie AI — Won the Innovation Sandbox; London-based agent security startup

My take: Six vendors, six “MCP governance” announcements. But here’s what I keep wondering: how many of these actually parse the MCP protocol and inspect tool calls versus just flagging “MCP detected” as a checkbox? The difference between real protocol-level inspection and a glorified inventory scan is the difference between a firewall and a clipboard. I’d love to see someone publish a benchmark. Until then, I’d weight Snyk’s approach (they actually ship a CLI you can test today) over announcements with a “GA Q3 2026” footnote.

Trivy GitHub Action compromised — again — Aqua Security’s trivy-action, a popular GitHub Action for container vulnerability scanning, was compromised for the second time in March 2026.

On March 19, attacker “TeamPCP” force-pushed 75 of 76 tags and published a malicious binary that exfiltrated AWS/GCP/Azure credentials, SSH keys, and Kubernetes tokens from CI/CD pipelines.

Root cause: incomplete credential rotation from the March 1 incident . Over 10,000 GitHub workflow files referenced the compromised action.

If your CI pipeline uses trivy-action@v1 or any mutable tag, check your pipeline logs and rotate any credentials that ran through affected workflows.

The Datadog State of DevSecOps report published the same week found that 71% of organizations never pin their GitHub Actions to commit hashes. That stat hits different now.

Semgrep Multimodal launches — Semgrep Multimodal is a new SAST approach that combines AI reasoning with deterministic rule-based analysis. Semgrep announced it on March 20 , claiming 8x more true positives with 50% fewer false positives versus base models alone.

The practical question is whether this holds outside of benchmarks — AI-assisted SAST has a history of impressive demos that don’t survive contact with real codebases. But multiple zero-days reportedly found at customer sites during the preview period suggests this might be different.

Also launched Custom Workflows (private beta) for autonomous code security.

Notable Updates

• MobSF v4.4.6 — Patched an SQL injection in its own SQLite DB viewer (changelog ). Yes, a security tool with its own SQLi. 20.7K stars, most-starred mobile security framework on GitHub.
• Harbor v2.15.0 — Tag deletion in GC, upstream registry connection limits, backend storage improvements (release notes ). At ~28K stars, one of the most-starred CNCF security projects.
• Grype v0.110.0 — Suppresses false GHSA matches on language packages in fixed APKs, cuts noise for Alpine-based container scanning. Now uses Syft for CPE decoding, pulling Anchore’s two tools closer together (release notes ).
• NeuVector v5.5.0 — Improved vulnerability reporting and Rancher SSO auth fix (changelog ). If you’re on SUSE Rancher, the SSO fix alone is worth the upgrade.
• Mondoo v13.1–13.2 — 9 new SageMaker checks, plus Ubiquiti UniFi and F5 BIG-IP policies. Mondoo is pushing beyond cloud-native into network infrastructure. v13.2 fixes an identity timeout bug (changelog ).
• TruffleHog v3.94.0 — Datadog detector verification fix and Filesystem source refactor (release notes ).

SCA

SCA leads for the second straight week with 12 releases across the SCA category .

Renovate shipped 5 releases (43.87.0 through 43.89.0), adding Packer support for mise and OpenTelemetry PHP monorepo presets. The volume is normal for Renovate — this tool ships more frequently than any other in our tracking.

FOSSA shipped three releases: Elixir production dependency resolution with MIX_ENV=prod (v3.16.3), a macOS dynamic linking fix (v3.16.4), and a pnpm v9 devDependency classification fix (v3.16.5). The pnpm fix matters — incorrectly classifying dev dependencies as production creates false compliance violations.

Snyk CLI v1.1303.2 introduces “Agent Red Teaming” with attack profiles (fast, security, safety) via the --profile flag.

This landed the same week Snyk launched their broader Agent Security platform at RSAC, with Agent Scan for MCP governance and Snyk Studio integration with Claude Code, Cursor, and Devin. Over 300 enterprises are reportedly using Snyk Studio.

IaC Security

Mondoo keeps shipping fast post-funding with two releases. v13.1.1 adds 9 SageMaker security checks, plus Ubiquiti UniFi and F5 BIG-IP security policies. v13.2.0 fixes an identity timeout bug and adds nftables support for policy scoping.

Checkov 3.2.510 updated three Terraform checks: modern TLS security policies for AWS CloudFront (CKV_AWS_206), current EKS Kubernetes versions (CKV_AWS_339), and Postgres 18 for GCP Cloud SQL (CKV_GCP_79). Small changes, but keeping checks aligned with current cloud service versions prevents false positives.

SAST

The only GitHub release was TruffleHog v3.94.0 (Datadog detector fix), but the bigger SAST news came from RSAC. Semgrep launched Multimodal (covered above).

Harness launched Secure AI Coding — a SAST capability that scans code at generation time, integrating with Cursor, Windsurf, and Claude Code. And ZeroPath, an AI-native engine replacing traditional SAST+SCA+Secrets stacks, was an RSAC Innovation Sandbox finalist.

Quiet This Week

No GitHub releases from DAST , IAST , RASP , AI Security , or API Security . Plenty of RSAC announcements though, just no shipping code.

Deals & Funding

Five deals worth tracking this week, including the largest acquisition of a venture-backed startup in history.

• Google completes $32B Wiz acquisition — Completed March 11, 2026. Wiz joins Google Cloud and will keep its brand across all cloud environments. This is the largest-ever acquisition of a venture-backed startup.
• Bold Security emerges from stealth with $40M — AI-native endpoint protection, led by Bessemer Venture Partners with Picture Capital and Red Dot Capital Partners.
• Fig Security launches with $38M — Founded by the former head of Google Cloud Security architecture and ex-Cymulate veterans; traces data flows through security stacks.
• BlueFlag Security raises $16.5M Series A — Developer identity security, treating each developer and their tools as an identity.
• Geordie AI wins RSAC Innovation Sandbox — Each of the 10 finalists received $5M in investment. Geordie’s agent security platform won against 9 other finalists including ZeroPath (AI-native SAST) and Token Security (machine identity).

Star Watch

GitHub star movements worth noting:

• Harbor ~28K — Up from ~24K at issue #1; one of the most-starred CNCF security projects
• TruffleHog 25.2K — Keeps growing without splashy releases; the secret detection category leader
• Renovate 21.1K — Still the most-starred dedicated dependency update tool on GitHub
• MobSF 20.7K — Approaching 21K; most-starred mobile security framework
• Grype 11.8K — Approaching the 12K milestone
• Kubescape 11.3K — Growing in the Kubernetes security space

Quick Hits

• Checkov 3.2.510 updated AWS TLS policies and GCP Postgres version checks
• SCANOSS v1.50.0 fixed dependency decoration requirement field loss
• FOSSA v3.16.4 fixed macOS dynamic linking issue
• Syft v1.42.3 fixed .NET dependency evidence in OTel demo images
• Conftest v0.67.1 fixed linux_amd64 release build
• KubeArmor v1.6.15 fixed kernel headers path detection
• Kubescape v4.0.3 dependency updates
• Ostorlab v1.15.0–1.15.1 added 2FA support and agent service labels
• DefectDojo 2.56.3 added Twistlock packagePath parsing

On AppSec Santa This Week

Updated this week:

• Trivy Added March 19 supply chain compromise details (second incident in a month)
• Snyk Added RSAC 2026 Agent Security launch and Evo AI-SPM GA
• MobSF

Updated to v4.4.6 with SQL injection fix details

• Harbor Updated to v2.15.0 with GC tag deletion and connection limiting
• NeuVector Updated to v5.5.0 with improved vulnerability reporting
• Mondoo Updated to v13.2 with SageMaker, UniFi, and F5 BIG-IP policies

Most read this week: Semgrep , Snyk , Trivy , Burp Suite , Nuclei

If you spot anything outdated or wrong on a tool page, reply to this email — I update pages based on reader feedback.

Worth Reading

• Datadog State of DevSecOps 2026 — The number that stuck with me: only 18% of “critical” vulnerabilities remain critical after applying runtime context. Also: 87% of orgs have at least one exploitable vuln, and 71% never pin GitHub Actions to commit SHAs.

• Inside the Trivy-Action Supply Chain Compromise (Wiz) — Deep-dive on how incomplete credential rotation after the March 1 incident enabled the March 19 re-compromise. If you run any security tools in CI, read this.

• Latio 2026 Application Security Market Report — James Berthoty’s annual analyst report. Recognizes Legit Security, Aikido, Contrast Security, Socket, and Apiiro. Key thesis: “runtime is the source of truth in AppSec.”

• ProjectDiscovery State of AppSec 2026 — Makes the case that verification — not scanning — is the real constraint. Worth reading if you’re drowning in scan results with no proof of exploitability.

• OWASP GenAI Security Frameworks — Pre-RSAC Update — New agentic red teaming taxonomy and GenAI data security risks guide. Useful if you’re building AI security policies and need a framework to start from.

Wrapping Up

That’s issue #2. 25 releases tracked, but the bigger story is RSAC 2026 and everyone racing to ship AI agent security. MCP governance went from niche to must-have in a single week.

I track 69 GitHub repos, 91 vendor blogs, and industry news sources every week. If a tool ships a release, changes its pricing, or gains traction — it’ll show up here.

If you found this useful, forward it to a colleague who’d benefit.

And if I missed something or got something wrong, just reply — I read every response.

See you next Tuesday.

AppSec Santa Weekly covers new tools and the latest releases from 196+ AppSec tools. Browse all tools or subscribe for weekly updates.