feat: add HTTP request/response tracing support (#9125)

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
2025-12-12 15:50:15 -08:00 · 2025-07-10 10:48:19 +04:00
parent 0ecfed6ea7
commit aa5b32a19f
19 changed files with 984 additions and 58 deletions
--- a/docs/docs/advanced/telemetry-flags.md
+++ b/docs/docs/advanced/telemetry-flags.md
@@ -35,6 +35,7 @@
 --slow
 --tf-exclude-downloaded-modules
 --timeout
--trace
+--trace-http
+--trace-rego
 --vuln-severity-source
 ```
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -76,7 +76,7 @@ trivy config [flags] DIR
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
 ```

--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -135,7 +135,7 @@ trivy filesystem [flags] PATH
      --tf-vars strings                   specify paths to override the Terraform tfvars files
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -156,7 +156,7 @@ trivy image [flags] IMAGE_NAME
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -144,7 +144,7 @@ trivy kubernetes [flags] [CONTEXT]
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -134,7 +134,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --tf-vars strings                   specify paths to override the Terraform tfvars files
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -136,7 +136,7 @@ trivy rootfs [flags] ROOTDIR
      --tf-vars strings                   specify paths to override the Terraform tfvars files
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -504,7 +504,7 @@ rego:
  # Same as '--skip-check-update'
  skip-check-update: false

-  # Same as '--trace'
+  # Same as '--trace-rego'
  trace: false

 ```
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -267,6 +267,25 @@ $ brew install aquasecurity/trivy/trivy
 ```


+## Debugging
+### HTTP Request/Response Tracing
+
+For debugging network issues, connection problems, or authentication failures, you can enable HTTP request/response tracing using the `--trace-http` flag.
+
+!!! danger "Security Warning"
+    While Trivy attempts to redact known sensitive information such as authentication headers and common secrets, the `--trace-http` flag may still expose sensitive data in HTTP requests and responses.
+    
+    **Never use this flag in production environments or CI/CD pipelines.**
+    This flag is automatically disabled in CI environments for security.
+
+```bash
+# Enable HTTP tracing for debugging registry issues
+$ trivy image --trace-http registry.example.com/my-image:latest
+
+# HTTP tracing with other debugging options
+$ trivy image --trace-http --debug --insecure my-image:tag
+```
+
 ## Others
 ### Unknown error

--- a/docs/docs/scanner/misconfiguration/custom/debug.md
+++ b/docs/docs/scanner/misconfiguration/custom/debug.md
@@ -1,13 +1,13 @@
 # Debugging checks
 When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
-For this purpose you can use the `--trace` flag.
+For this purpose you can use the `--trace-rego` flag.
 This will output a large trace from Open Policy Agent like the following:

 !!! tip
    Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.

 ```shell
-$ trivy config --trace configs/
+$ trivy config --trace-rego configs/
 2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1

 Dockerfile (dockerfile)