feat(repo): add git repository metadata to reports (#9252)

Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
2025-12-12 15:50:15 -08:00 · 2025-07-29 15:49:58 +04:00
parent b4193d0d31
commit f4b2cf10e9
8 changed files with 165 additions and 36 deletions
--- a/docs/docs/target/repository.md
+++ b/docs/docs/target/repository.md
@@ -109,6 +109,26 @@ $ trivy repo --scanners license (REPO_PATH | REPO_URL)
 Trivy can generate SBOM for code repositories.
 See [here](../supply-chain/sbom.md) for the detail.

+## Git Metadata
+When scanning git repositories (both local and remote), Trivy automatically extracts and includes git metadata in the scan results.
+This metadata provides context about the scanned repository.
+
+The metadata includes information such as:
+
+- Repository URL
+- Branch name
+- Tags
+- Commit details (hash, message, commiter)
+- Author information
+
+This feature works automatically for any git repository.
+When using JSON format output, the git metadata will be included in the `Metadata` field.
+For detailed information about the available fields, please refer to the JSON output of your scan results.
+
+```bash
+$ trivy repo --format json <repo-name>
+```
+
 ## Scan Cache
 When scanning git repositories, it stores analysis results in the cache, using the latest commit hash as the key.
 Note that the cache is not used when the repository is dirty, otherwise Trivy will miss the files that are not committed.