release: v0.59.1 [release/v0.59] (#8334 )

fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349 )
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
2025-12-22 07:10:41 -08:00 · 2025-02-05 06:13:48 +00:00 · 2025-02-04 11:27:18 +00:00 · 2025-02-04 06:52:15 +00:00 · 2025-02-03 09:04:49 +00:00 · 2025-02-03 05:55:46 +00:00
535 changed files with 17924 additions and 15501 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,8 +15,8 @@ pkg/cloud/                           @simar7 @nikpivkin
 pkg/iac/                             @simar7 @nikpivkin

 # Helm chart
-helm/trivy/ @afdesk
+helm/trivy/ @afdesk @simar7

 # Kubernetes scanning
-pkg/k8s/                         @afdesk
-docs/docs/target/kubernetes.md   @afdesk
+pkg/k8s/                         @afdesk @simar7
+docs/docs/target/kubernetes.md   @afdesk @simar7
--- a/.github/workflows/auto-update-labels.yaml
+++ b/.github/workflows/auto-update-labels.yaml
@@ -6,7 +6,7 @@ on:
    branches:
      - main
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 jobs:
  deploy:
    name: Auto-update labels
--- a/.github/workflows/cache-test-images.yaml
+++ b/.github/workflows/cache-test-images.yaml
@@ -29,7 +29,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      ## We need to work with test image cache only for main branch
@@ -70,7 +70,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      ## We need to work with test VM image cache only for main branch
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -22,7 +22,7 @@ jobs:
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip setuptools wheel
-          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
          pip install -r docs/build/requirements.txt
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -24,7 +24,7 @@ jobs:
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip setuptools wheel
-          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
          pip install -r docs/build/requirements.txt
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
--- a/.github/workflows/release-pr-check.yaml
+++ b/.github/workflows/release-pr-check.yaml
@@ -0,0 +1,19 @@
+name: Backport PR Check
+
+on:
+  pull_request:
+    branches:
+      - 'release/v*'
+
+jobs:
+  check-pr-author:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR author
+        id: check_author
+        run: |
+          if [ "${{ github.actor }}" != "aqua-bot" ]; then
+            echo "::error::This branch is intended for automated backporting by bot. Please refer to the documentation:"
+            echo "::error::https://trivy.dev/latest/community/maintainer/backporting/"
+            exit 1
+          fi
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -14,7 +14,7 @@ on:

 env:
  GH_USER: "aqua-bot"
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'

 jobs:
  release:
@@ -28,7 +28,7 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
--- a/.github/workflows/spdx-cron.yaml
+++ b/.github/workflows/spdx-cron.yaml
@@ -0,0 +1,33 @@
+name: SPDX licenses cron
+on:
+  schedule:
+    - cron: '0 0 * * 0' # every Sunday at 00:00
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Check if SPDX exceptions
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4.1.6
+
+      - name: Check if SPDX exceptions are up-to-date
+        run: |
+          mage spdx:updateLicenseExceptions
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'mage spdx:updateLicenseExceptions' and push it"
+            exit 1
+          fi        
+
+      - name: Microsoft Teams Notification
+        ## Until the PR with the fix for the AdaptivCard version is merged yet
+        ## https://github.com/Skitionek/notify-microsoft-teams/pull/96
+        ## Use the aquasecurity fork
+        uses: aquasecurity/notify-microsoft-teams@master
+        if: failure()
+        with:
+          webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
+          needs: ${{ toJson(needs) }}
+          job: ${{ toJson(job) }}
+          steps: ${{ toJson(steps) }}
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -12,7 +12,7 @@ on:
  workflow_dispatch:

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 jobs:
  test:
    name: Test
@@ -40,9 +40,9 @@ jobs:

      - name: Lint
        id: lint
-        uses: golangci/golangci-lint-action@v6.0.1
+        uses: golangci/golangci-lint-action@v6.1.1
        with:
-          version: v1.59
+          version: v1.61
          args: --verbose --out-format=line-number
        if: matrix.operating-system == 'ubuntu-latest'

@@ -93,7 +93,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test images from cache
@@ -151,7 +151,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test images from cache
@@ -190,7 +190,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test VM images from cache
--- a/.gitignore
+++ b/.gitignore
@@ -26,6 +26,7 @@ thumbs.db
 coverage.txt
 integration/testdata/fixtures/images
 integration/testdata/fixtures/vm-images
+internal/gittest/testdata/test-repo

 # SBOMs generated during CI
 /bom.json
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -68,6 +68,7 @@ linters-settings:
    excludes:
      - G101
      - G114
+      - G115
      - G204
      - G304
      - G402
@@ -80,6 +81,17 @@ linters-settings:
      - licence
      - optimise
      - simmilar
+  perfsprint:
+    # Optimizes even if it requires an int or uint type cast.
+    int-conversion: true
+    # Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
+    err-error: true
+    # Optimizes `fmt.Errorf`.
+    errorf: true
+    # Optimizes `fmt.Sprintf` with only one argument.
+    sprintf1: false
+    # Optimizes into strings concatenation.
+    strconcat: false
  revive:
    ignore-generated-header: true
  testifylint:
@@ -99,6 +111,7 @@ linters:
    - govet
    - ineffassign
    - misspell
+    - perfsprint
    - revive
    - tenv
    - testifylint
@@ -108,7 +121,7 @@ linters:
    - usestdlibvars

 run:
-  go: '1.22'
+  go: '1.23'
  timeout: 30m

 issues:
@@ -139,5 +152,8 @@ issues:
      linters:
        - gocritic
      text: "importShadow:"
+    - linters:
+        - perfsprint
+      text: "fmt.Sprint"
  exclude-use-default: false
  max-same-issues: 0
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1 +1 @@
-{".":"0.57.0"}
+{".":"0.59.1"}
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
@@ -540,6 +540,65 @@
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3321",
+        "name": "GO-2024-3321",
+        "description": "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto",
+        "aliases": [
+          "CVE-2024-45337",
+          "GHSA-v778-237x-gjrc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/crypto",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/crypto"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3333",
+        "name": "GO-2024-3333",
+        "description": "Non-linear parsing of case-insensitive content in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2024-45338"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
    }
  ]
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,108 @@
 # Changelog

+## [0.59.1](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.59.1) (2025-02-04)
+
+
+### Bug Fixes
+
+* **misconf:** do not log scanners when misconfig scanning is disabled [backport: release/v0.59] ([#8349](https://github.com/aquasecurity/trivy/issues/8349)) ([412c690](https://github.com/aquasecurity/trivy/commit/412c690924d4414ef6d8a5f37b293969bc245d32))
+* **python:** add `poetry` v2 support [backport: release/v0.59] ([#8335](https://github.com/aquasecurity/trivy/issues/8335)) ([1741fdd](https://github.com/aquasecurity/trivy/commit/1741fddbe07d166dffbfb9b6f768940e52d08487))
+* **sbom:** preserve OS packages from multiple SBOMs [backport: release/v0.59] ([#8333](https://github.com/aquasecurity/trivy/issues/8333)) ([3fd8e27](https://github.com/aquasecurity/trivy/commit/3fd8e2785b2b838327a80cdc8b489583c3664944))
+
+## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)
+
+
+### Features
+
+* add `--distro` flag to manually specify OS distribution for vulnerability scanning ([#8070](https://github.com/aquasecurity/trivy/issues/8070)) ([da17dc7](https://github.com/aquasecurity/trivy/commit/da17dc72782cd68b5d2c4314a67936343462b75e))
+* add a examples field to check metadata ([#8068](https://github.com/aquasecurity/trivy/issues/8068)) ([6d84e0c](https://github.com/aquasecurity/trivy/commit/6d84e0cc0d48ae5c490cad868bb4e5e76392241c))
+* add support for registry mirrors ([#8244](https://github.com/aquasecurity/trivy/issues/8244)) ([4316bcb](https://github.com/aquasecurity/trivy/commit/4316bcbc5b9038eed21214a826981c49696bb27f))
+* **fs:** use git commit hash as cache key for clean repositories ([#8278](https://github.com/aquasecurity/trivy/issues/8278)) ([b5062f3](https://github.com/aquasecurity/trivy/commit/b5062f3ae20044d1452bf293f210a24cd1d419b3))
+* **image:** prevent scanning oversized container images ([#8178](https://github.com/aquasecurity/trivy/issues/8178)) ([509e030](https://github.com/aquasecurity/trivy/commit/509e03030c36d17f9427ab50a4e99fb1846ba65a))
+* **image:** return error early if total size of layers exceeds limit ([#8294](https://github.com/aquasecurity/trivy/issues/8294)) ([73bd20d](https://github.com/aquasecurity/trivy/commit/73bd20d6199a777d1ed7eb560e0184d8f1b4b550))
+* **k8s:** improve artifact selections for specific namespaces ([#8248](https://github.com/aquasecurity/trivy/issues/8248)) ([db9e57a](https://github.com/aquasecurity/trivy/commit/db9e57a34e460ac6934ee21dffaa2322db9fd56b))
+* **misconf:** generate placeholders for random provider resources ([#8051](https://github.com/aquasecurity/trivy/issues/8051)) ([ffe24e1](https://github.com/aquasecurity/trivy/commit/ffe24e18dc3dca816ec9ce5ccf66d5d7b5ea70d6))
+* **misconf:** support for ignoring by inline comments for Dockerfile ([#8115](https://github.com/aquasecurity/trivy/issues/8115)) ([c002327](https://github.com/aquasecurity/trivy/commit/c00232720a89df659c6cd0b56d99304d5ffea1a7))
+* **misconf:** support for ignoring by inline comments for Helm ([#8138](https://github.com/aquasecurity/trivy/issues/8138)) ([a0429f7](https://github.com/aquasecurity/trivy/commit/a0429f773b4f696fc613d91f1600cd0da38fb2c8))
+* **nodejs:** respect peer dependencies for dependency tree ([#7989](https://github.com/aquasecurity/trivy/issues/7989)) ([7389961](https://github.com/aquasecurity/trivy/commit/73899610e8eece670d2e5ddc1478fcc0a2a5760d))
+* **python:** add support for poetry dev dependencies ([#8152](https://github.com/aquasecurity/trivy/issues/8152)) ([774e04d](https://github.com/aquasecurity/trivy/commit/774e04d19dc2067725ac2e18ca871872f74082ab))
+* **python:** add support for uv ([#8080](https://github.com/aquasecurity/trivy/issues/8080)) ([c4a4a5f](https://github.com/aquasecurity/trivy/commit/c4a4a5fa971d73ae924afcf2259631f15e96e520))
+* **python:** add support for uv dev and optional dependencies ([#8134](https://github.com/aquasecurity/trivy/issues/8134)) ([49c54b4](https://github.com/aquasecurity/trivy/commit/49c54b49c6563590dd82007d52e425a7a4e07ac0))
+
+
+### Bug Fixes
+
+* CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass ([#8088](https://github.com/aquasecurity/trivy/issues/8088)) ([d7ac286](https://github.com/aquasecurity/trivy/commit/d7ac286085077c969734225a789e6cc056d5c5f5))
+* CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field ([#8207](https://github.com/aquasecurity/trivy/issues/8207)) ([670fbf2](https://github.com/aquasecurity/trivy/commit/670fbf2d81ea20ea691a86e4ed25a7454baf08e5))
+* de-duplicate same `dpkg` packages with different filePaths from different layers ([#8298](https://github.com/aquasecurity/trivy/issues/8298)) ([846498d](https://github.com/aquasecurity/trivy/commit/846498dd23a80531881f803147077eee19004a50))
+* enable err-error and errorf rules from perfsprint linter ([#7859](https://github.com/aquasecurity/trivy/issues/7859)) ([156a2aa](https://github.com/aquasecurity/trivy/commit/156a2aa4c49386828c0446f8978473c8da7a8754))
+* **flag:** skip hidden flags for `--generate-default-config` command ([#8046](https://github.com/aquasecurity/trivy/issues/8046)) ([5e68bdc](https://github.com/aquasecurity/trivy/commit/5e68bdc9d08f96d22451d7b5dd93e79ca576eeb7))
+* **fs:** fix cache key generation to use UUID ([#8275](https://github.com/aquasecurity/trivy/issues/8275)) ([eafd810](https://github.com/aquasecurity/trivy/commit/eafd810d7cb366215efbd0ab3b72c4651d31c6a6))
+* handle `BLOW_UNKNOWN` error to download DBs ([#8060](https://github.com/aquasecurity/trivy/issues/8060)) ([51f2123](https://github.com/aquasecurity/trivy/commit/51f2123c5ccc4f7a37d1068830b6670b4ccf9ac8))
+* improve conversion of image config to Dockerfile ([#8308](https://github.com/aquasecurity/trivy/issues/8308)) ([2e8e38a](https://github.com/aquasecurity/trivy/commit/2e8e38a8c094f3392893693ab15a605ab0d378f9))
+* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props ([#8050](https://github.com/aquasecurity/trivy/issues/8050)) ([9d9f80d](https://github.com/aquasecurity/trivy/commit/9d9f80d9791f38a0b4c727152166ae4d237a83a9))
+* **license:** always trim leading and trailing spaces for licenses ([#8095](https://github.com/aquasecurity/trivy/issues/8095)) ([f5e4291](https://github.com/aquasecurity/trivy/commit/f5e429179df1637de96962ab9c19e4336056bb5d))
+* **misconf:** allow null values only for tf variables ([#8112](https://github.com/aquasecurity/trivy/issues/8112)) ([23dc3a6](https://github.com/aquasecurity/trivy/commit/23dc3a67535b7458728b2939514a96bd3de3aa81))
+* **misconf:** correctly handle all YAML tags in K8S templates ([#8259](https://github.com/aquasecurity/trivy/issues/8259)) ([f12054e](https://github.com/aquasecurity/trivy/commit/f12054e669f9df93c6322ba2755036dbccacaa83))
+* **misconf:** disable git terminal prompt on tf module load ([#8026](https://github.com/aquasecurity/trivy/issues/8026)) ([bbc5a85](https://github.com/aquasecurity/trivy/commit/bbc5a85444ec86b7bb26d6db27803d199431a8e6))
+* **misconf:** handle heredocs in dockerfile instructions ([#8284](https://github.com/aquasecurity/trivy/issues/8284)) ([0a3887c](https://github.com/aquasecurity/trivy/commit/0a3887ca0350d7dabf5db7e08aaf8152201fdf0d))
+* **misconf:** use log instead of fmt for logging ([#8033](https://github.com/aquasecurity/trivy/issues/8033)) ([07b2d7f](https://github.com/aquasecurity/trivy/commit/07b2d7fbd7f8ef5473c2438c560fffc8bdadf913))
+* **oracle:** add architectures support for advisories ([#4809](https://github.com/aquasecurity/trivy/issues/4809)) ([90f1d8d](https://github.com/aquasecurity/trivy/commit/90f1d8d78aa20b47fafab2c8ecb07247f075ef45))
+* **python:** skip dev group's deps for poetry ([#8106](https://github.com/aquasecurity/trivy/issues/8106)) ([a034d26](https://github.com/aquasecurity/trivy/commit/a034d26443704601c1fe330a5cc1f019f6974524))
+* **redhat:** check `usr/share/buildinfo/` dir to detect content sets ([#8222](https://github.com/aquasecurity/trivy/issues/8222)) ([f352f6b](https://github.com/aquasecurity/trivy/commit/f352f6b66355fe3636c9e4e9f3edd089c551a81c))
+* **redhat:** correct rewriting of recommendations for the same vulnerability ([#8063](https://github.com/aquasecurity/trivy/issues/8063)) ([4202c4b](https://github.com/aquasecurity/trivy/commit/4202c4ba0d8fcff4b89499fe03050ef4efd37330))
+* respect GITHUB_TOKEN to download artifacts from GHCR ([#7580](https://github.com/aquasecurity/trivy/issues/7580)) ([21b68e1](https://github.com/aquasecurity/trivy/commit/21b68e18188f91935ac1055a78ee97a7f35a110d))
+* **sbom:** attach nested packages to Application ([#8144](https://github.com/aquasecurity/trivy/issues/8144)) ([735335f](https://github.com/aquasecurity/trivy/commit/735335f08f84936f3928cbbc3eb71af3a3a4918d))
+* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type ([#8052](https://github.com/aquasecurity/trivy/issues/8052)) ([fd07074](https://github.com/aquasecurity/trivy/commit/fd07074e8033530eee2732193b00e59f27c73096))
+* **sbom:** scan results of SBOMs generated from container images are missing layers ([#7635](https://github.com/aquasecurity/trivy/issues/7635)) ([f9fceb5](https://github.com/aquasecurity/trivy/commit/f9fceb58bf64657dee92302df1ed97e597e474c9))
+* **sbom:** use root package for `unknown` dependencies (if exists) ([#8104](https://github.com/aquasecurity/trivy/issues/8104)) ([7558df7](https://github.com/aquasecurity/trivy/commit/7558df7c227c769235e5441fbdd3f9f7efb1ff84))
+* **spdx:** use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX ([#8077](https://github.com/aquasecurity/trivy/issues/8077)) ([aec8885](https://github.com/aquasecurity/trivy/commit/aec8885bc7f7e3c5a2a68214dca9aff28accd122))
+* **suse:** SUSE - update OSType constants and references for compatility ([#8236](https://github.com/aquasecurity/trivy/issues/8236)) ([ae28398](https://github.com/aquasecurity/trivy/commit/ae283985c926ca828b25b69ad0338008be31e5fe))
+* Updated twitter icon ([#7772](https://github.com/aquasecurity/trivy/issues/7772)) ([2c41ac8](https://github.com/aquasecurity/trivy/commit/2c41ac83a95e9347605d36f483171a60ffce0fa2))
+* wasm module test ([#8099](https://github.com/aquasecurity/trivy/issues/8099)) ([2200f38](https://github.com/aquasecurity/trivy/commit/2200f3846d675c64ab9302af43224d663a67c944))
+
+
+### Performance Improvements
+
+* avoid heap allocation in applier findPackage ([#7883](https://github.com/aquasecurity/trivy/issues/7883)) ([9bd6ed7](https://github.com/aquasecurity/trivy/commit/9bd6ed73e5d49d52856c76124e84c268475c5456))
+
+## [0.58.0](https://github.com/aquasecurity/trivy/compare/v0.57.0...v0.58.0) (2024-12-02)
+
+
+### Features
+
+* add `workspaceRelationship` ([#7889](https://github.com/aquasecurity/trivy/issues/7889)) ([d622ca2](https://github.com/aquasecurity/trivy/commit/d622ca2b1fe40a0eb588478ba9e15d3bd8471a78))
+* add cvss v4 score and vector in scan response ([#7968](https://github.com/aquasecurity/trivy/issues/7968)) ([e0f2054](https://github.com/aquasecurity/trivy/commit/e0f2054f9d12dce87e8a0226350f6317f7167195))
+* **go:** construct dependencies in the parser ([#7973](https://github.com/aquasecurity/trivy/issues/7973)) ([bcdc0bb](https://github.com/aquasecurity/trivy/commit/bcdc0bbf1f63777ff79d3ecadb8d4f916f376b7d))
+* **go:** construct dependencies of `go.mod` main module in the parser ([#7977](https://github.com/aquasecurity/trivy/issues/7977)) ([5448ba2](https://github.com/aquasecurity/trivy/commit/5448ba2a5c1ee36cbcf74ee1c2e83409092c5715))
+* **k8s:** add default commands for unknown platform ([#7863](https://github.com/aquasecurity/trivy/issues/7863)) ([b1c7f55](https://github.com/aquasecurity/trivy/commit/b1c7f5516fc39c6cbb76cbeae5c8677ccc9ce5dd))
+* **misconf:** log causes of HCL file parsing errors ([#7634](https://github.com/aquasecurity/trivy/issues/7634)) ([e9a899a](https://github.com/aquasecurity/trivy/commit/e9a899a3cfe41a622202808a0241b7f40b54d338))
+* **oracle:** add `flavors` support ([#7858](https://github.com/aquasecurity/trivy/issues/7858)) ([b9b383e](https://github.com/aquasecurity/trivy/commit/b9b383eb2714e88357af75900c856db2900b83ec))
+* **secret:** Add built-in secrets rules for Private Packagist ([#7826](https://github.com/aquasecurity/trivy/issues/7826)) ([132d9df](https://github.com/aquasecurity/trivy/commit/132d9dfa19a8835c94f332c6939ab7f64641ee5f))
+* **suse:** Align SUSE/OpenSUSE OS Identifiers ([#7965](https://github.com/aquasecurity/trivy/issues/7965)) ([45d3b40](https://github.com/aquasecurity/trivy/commit/45d3b40044202dec91384847ce2b50a7271f5977))
+* Update registry fallbacks ([#7679](https://github.com/aquasecurity/trivy/issues/7679)) ([5ba9a83](https://github.com/aquasecurity/trivy/commit/5ba9a83a447c4f9e577ae6235c315df71f50b452))
+
+
+### Bug Fixes
+
+* **alpine:** add `UID` for removed packages ([#7887](https://github.com/aquasecurity/trivy/issues/7887)) ([07915da](https://github.com/aquasecurity/trivy/commit/07915da4816d4d9ec8a6c5e4cba17be2a0f4ad65))
+* **aws:** change CPU and Memory type of ContainerDefinition to a string ([#7995](https://github.com/aquasecurity/trivy/issues/7995)) ([aeeba70](https://github.com/aquasecurity/trivy/commit/aeeba70d15c11443d9fe7c26f90fc7d9dcc7f92c))
+* **cli:** Handle empty ignore files more gracefully ([#7962](https://github.com/aquasecurity/trivy/issues/7962)) ([4cfb2a9](https://github.com/aquasecurity/trivy/commit/4cfb2a97b27923182ab45c178544542ec65981d4))
+* **debian:** infinite loop ([#7928](https://github.com/aquasecurity/trivy/issues/7928)) ([d982e6a](https://github.com/aquasecurity/trivy/commit/d982e6ab89967629f71ec09100cdc61e30a27c63))
+* **fs:** add missing defered Cleanup() call to post analyzer fs ([#7882](https://github.com/aquasecurity/trivy/issues/7882)) ([ab32297](https://github.com/aquasecurity/trivy/commit/ab32297e0a8220a427fa330025f8625281e02275))
+* Improve version comparisons when build identifiers are present ([#7873](https://github.com/aquasecurity/trivy/issues/7873)) ([eda4d76](https://github.com/aquasecurity/trivy/commit/eda4d7660d8908705bc08a6edc55d8144d02806a))
+* **k8s:** check all results for vulnerabilities ([#7946](https://github.com/aquasecurity/trivy/issues/7946)) ([797b36f](https://github.com/aquasecurity/trivy/commit/797b36fbad90b8e7f04e16e2cf08d6bdc0255ac7))
+* **misconf:** do not erase variable type for child modules ([#7941](https://github.com/aquasecurity/trivy/issues/7941)) ([de3b7ea](https://github.com/aquasecurity/trivy/commit/de3b7ea24c282bce22ce9cacb49a43d8d90e2bde))
+* **misconf:** handle null properties in CloudFormation templates ([#7813](https://github.com/aquasecurity/trivy/issues/7813)) ([99b2db3](https://github.com/aquasecurity/trivy/commit/99b2db3978562689cef956a71281abb84ff0ce47))
+* **misconf:** load full Terraform module ([#7925](https://github.com/aquasecurity/trivy/issues/7925)) ([fbc42a0](https://github.com/aquasecurity/trivy/commit/fbc42a04ea24e2246f81491434a965846d55ed69))
+* **misconf:** properly resolve local Terraform cache ([#7983](https://github.com/aquasecurity/trivy/issues/7983)) ([fe3a897](https://github.com/aquasecurity/trivy/commit/fe3a8971b6697d896c1ec30b5326a10c20349d14))
+* **misconf:** Update trivy-checks default repo to `mirror.gcr.io` ([#7953](https://github.com/aquasecurity/trivy/issues/7953)) ([9988147](https://github.com/aquasecurity/trivy/commit/9988147b8b0e463464fe494122bfcc66ccdf04e0))
+* **misconf:** wrap AWS EnvVar to iac types ([#7407](https://github.com/aquasecurity/trivy/issues/7407)) ([54130dc](https://github.com/aquasecurity/trivy/commit/54130dcc1d775506d34b83a558952176fc549914))
+* **redhat:** don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files ([#7912](https://github.com/aquasecurity/trivy/issues/7912)) ([38775a5](https://github.com/aquasecurity/trivy/commit/38775a5ed985eefe2b410e72407c454cdad3d075))
+* **report:** handle `git@github.com` schema for misconfigs in `sarif` report ([#7898](https://github.com/aquasecurity/trivy/issues/7898)) ([19aea4b](https://github.com/aquasecurity/trivy/commit/19aea4b01f3ce5a3cd05d5a1091da5b0b3ba4af6))
+* **sbom:** Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details ([#7871](https://github.com/aquasecurity/trivy/issues/7871)) ([461a68a](https://github.com/aquasecurity/trivy/commit/461a68afd60b77dd67e91047b3b4d558fa5bd2ec))
+* **terraform:** set null value as fallback for missing variables ([#7669](https://github.com/aquasecurity/trivy/issues/7669)) ([611558e](https://github.com/aquasecurity/trivy/commit/611558e4ce61818330118684274534f26b1fda99))
+
 ## [0.57.0](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.57.0) (2024-10-31)


--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.20.3
+FROM alpine:3.21.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.20.0
+FROM alpine:3.21.0
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.22
+FROM --platform=linux/amd64 golang:1.23

 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/README.md
+++ b/README.md
@@ -21,7 +21,6 @@ Targets (what Trivy can scan):
 - Git Repository (remote)
 - Virtual Machine Image
 - Kubernetes
- AWS

 Scanners (what Trivy can find there):

@@ -108,7 +107,7 @@ trivy k8s --report summary cluster
 ## Want more? Check out Aqua

 If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
-You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
+You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/commercial/comparison).  
 In addition check out the <https://aquasec.com> website for more information about our products and services.
 If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>

--- a/aqua.yaml
+++ b/aqua.yaml
@@ -5,6 +5,6 @@ registries:
 - type: standard
  ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
 packages:
- name: tinygo-org/tinygo@v0.31.1
+- name: tinygo-org/tinygo@v0.33.0
 - name: WebAssembly/binaryen@version_112
 - name: magefile/mage@v1.14.0
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -21,6 +21,12 @@ func main() {
 		if errors.As(err, &exitError) {
 			os.Exit(exitError.Code)
 		}
+
+		var userErr *types.UserError
+		if errors.As(err, &userErr) {
+			log.Fatal("Error", log.Err(userErr))
+		}
+
 		log.Fatal("Fatal error", log.Err(err))
 	}
 }
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -44,5 +44,15 @@
    </testsuite>
 {{- end }}

+{{- if .Secrets }}
+    {{- $secrets := len .Secrets }}
+    <testsuite tests="{{ $secrets }}" failures="{{ $secrets }}" name="{{ .Target }}" time="0">{{ range .Secrets }}
+        <testcase classname="{{ .RuleID }}" name="[{{ .Severity }}] {{ .Title }}">
+            <failure message="{{ .Title }}" type="description">{{ escapeXML .Match }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+
 {{- end }}
 </testsuites>
--- a/docs/assets/css/trivy_v1_homepage.min.css
+++ b/docs/assets/css/trivy_v1_homepage.min.css
--- a/docs/assets/css/trivy_v1_homepage.scss
+++ b/docs/assets/css/trivy_v1_homepage.scss
@@ -0,0 +1,693 @@
+/* trivy homepage */
+
+//aqua brand colors
+$aq-royal-blue: #1904da;
+$aq-legacy-blue: #08b1d5;
+$aq-coral-red: #ff445f;
+$aq-starfish-yellow: #ffc900;
+$aq-dark-abyss: #07242d;
+$aq-deep-sea-blue: #183278;
+$aq-ocean-ash: #405a75;
+$aq-sea-foam: #00ffe4;
+
+$aq-neo-background: #ebf3fa;
+$aq-neo-background-hover: #f0f8ff;
+
+
+$aq-royal-blue-dark: #1503ba;
+
+$aq-trivy-dark: #0a0b23;
+
+
+$weight-normal: 400;
+$weight-semibold: 600;
+$weight-bold: 700;
+
+
+
+$gap: 32px;
+// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
+$tablet: 769px;
+
+// 960px container + 4rem
+$desktop: 960px + 2 * $gap;
+
+// 1152px container + 4rem
+$widescreen: 1152px + 2 * $gap;
+$widescreen-enabled: true;
+
+// 1344px container + 4rem
+$fullhd: 1344px + 2 * $gap;
+$fullhd-enabled: true;
+
+
+
+body {
+
+	font-family: "Inter", sans-serif;
+}
+
+.trivy_v1_homepage_wrap {
+	position: relative;
+ 	z-index: 3;
+
+	* {
+		transition: all 0.2s ease !important;
+	}
+
+	.container {
+		width: 100%;
+		margin: 0 auto;
+		max-width: 1440px;
+
+		@media screen and (max-width: $tablet), print { //769
+			padding: 0 24px;
+			max-width: $tablet; //769
+		} //until tablet
+	}
+
+	.button {
+	
+		background-color: #ebf3fa;
+		border: 1px solid #dbdbdb;
+		border-width: 1px;
+		color: #363636;
+		cursor: pointer;
+		justify-content: center;
+		padding-bottom: calc(.5em - 1px);
+		padding-left: 1em;
+		padding-right: 1em;
+		padding-top: calc(.5em - 1px);
+		text-align: center;
+		white-space: nowrap;
+		border-radius: 4px;
+		transition: all .2s ease;
+		font-size: 16px;
+		display: inline-block;
+		font-weight: 700;
+		
+		&.is-seafoam {
+			background-color: $aq-sea-foam;
+			border-color: $aq-sea-foam;
+			color: $aq-dark-abyss;
+
+
+			&.is-outlined {
+				background-color: rgba(0,0,0,0);
+				border-color: $aq-sea-foam;
+				color: $aq-sea-foam;
+				border-width: 2px;
+
+				&:hover {
+					background-color: $aq-sea-foam;
+					color: $aq-dark-abyss;
+				}
+			} //is-outlines
+			
+		} //is-seafoam
+
+		&.large_btn {
+			font-size: 22px;
+			padding: 16px 27px;
+			margin-right: 12px;
+
+			@media screen and (max-width: $tablet), print {
+				font-size: 18px;
+			} //until tablet
+		}
+		
+
+
+		&.solidseafoamarrowbutton {
+			
+			background-color: $aq-sea-foam;
+			font-weight: 700;
+			border: 2px solid $aq-sea-foam;
+			font-size: 22px; //1.375rem; //1.125rem;
+			padding: 16px 27px;
+			color: $aq-dark-abyss;
+
+
+			&:after {
+					content: "";
+					border: solid $aq-dark-abyss;
+					border-width: 0 2px 2px 0;
+					display: inline-block;
+					padding: 4px;
+					transform: rotate(-45deg);
+					margin-left: 30px;
+					vertical-align: middle;
+					transition: all .2s;
+			}
+		} //solidseafoamarrowbutton
+
+	} //button
+
+	.margin-bottom-20 {
+		margin-bottom: 20px;
+	}
+
+	.hero_wrap {
+		background-color: $aq-trivy-dark;
+		background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
+		min-height: 1050px;
+		position: relative;
+		z-index: 10;
+
+
+
+		
+
+
+		.homepage_background_image_wrap {
+			position: absolute;
+			left: 0px;
+			top: 0px;
+			width: 100%;
+			height: 100%;
+			z-index: 1;
+			pointer-events: none;
+
+
+			.stars_wrap {
+				position: absolute;
+				left: 0px;
+				top: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 1;
+				overflow: hidden;
+				
+				.stars_bg {
+					position: absolute;
+					width: 400vw;
+					height: 400vh;
+					top: 50%;
+					left: 50%;
+					margin-top: -200vh;
+					margin-left: -200vw;
+					animation: stars_ani 240s linear infinite;
+					background-size: 240px;
+					backface-visibility: visible;
+					background-image:url(../images/homepage_hero_stars_02.svg);
+					background-repeat: repeat;
+					
+				}
+
+
+				@keyframes stars_ani {
+					0% { transform: rotate(0deg); }
+					100% { transform: rotate(360deg); }
+				}
+
+			} //stars_wrap
+
+			.terrain_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 680px;
+				background-image:url(../images/homepage_hero_terrain_08.svg);
+				background-repeat: no-repeat;
+				background-position: center top;
+				background-size: cover;
+				z-index: 2;
+			} // terrain_wrap
+
+
+			.beams_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 3;
+				overflow: hidden;
+
+				.beam {
+					position: absolute;
+					right: 200px;
+					top: 270px;
+					width: 3px;
+					height: 350%;
+					background: rgba(#3eabff,0.6);
+					box-shadow: 0px 0px 55px 0px rgba(#3eabff,1);
+					transform-origin: 0 0;
+					animation: beam_ani 10s infinite;
+					
+					&.num2 {animation: beam_ani 11s infinite;}
+					&.num3 {animation: beam_ani 12s infinite;}
+					&.num4 {animation: beam_ani 13s infinite;}
+				} //beam
+							
+				@keyframes beam_ani {
+					0% { transform: rotate(75deg); }
+					50% { transform: rotate(-15deg); }
+					100% { transform: rotate(75deg); }
+				}
+
+				.sphere {
+					z-index:999;
+					position: absolute;
+					top: 60px;
+					right: 50px;
+					width: 280px;
+					height: 280px;
+					background-image:url(../images/homepage_hero_orb_03.png);
+					background-position: center center;
+					background-repeat: no-repeat;
+				}
+
+			} //beams_wrap
+
+
+			.person_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 595px;
+				background-image:url(../images/homepage_v1_hero_person_01.png);
+				background-repeat: no-repeat;
+				background-position: center bottom;
+				z-index: 4;
+
+			} // person_wrap				
+			
+
+
+		} //hero_background_image_wrap
+	}
+
+
+
+	.hero {
+
+		
+		.hero-body {
+			padding: 80px 0px;
+			// border: 1px solid red;
+
+			.header_title_wrap {
+				.header_title_content_wrap {
+
+					width: 50%;
+					position: relative;
+					z-index: 3;
+
+					.page_title {
+						color: #ffffff;
+						font-weight: $weight-bold;
+						font-size: 48px; //3rem;
+						line-height: 1.3;
+					}//page_title
+			
+					.page_subtitle {
+						color: #ffffff;
+						font-weight: $weight-normal;
+						font-size: 24px; //1.5rem;
+						line-height: 1.3;
+						margin-bottom: 30px;
+					} //page_subtitle
+
+
+					@media screen and (max-width: $widescreen), print {
+						width: 70%;
+					} //until widescreen
+
+					@media screen and (max-width: $tablet), print { //769
+
+						width: 100%;
+
+						.page_title {
+							font-size: 32px; //2rem;
+						}//page_title
+			
+						.page_subtitle {
+							font-size: 18px; //1.125rem;
+						}//page_subtitle
+			
+					} //until tablet
+
+
+				} //header_title_content_wrap
+
+			} //header_title_wrap
+
+			@media screen and (min-width: $tablet), print { //769
+				padding: 48px 24px; //3rem 1.5rem;
+			}
+		}
+
+	} //hero
+
+
+
+
+
+	// } //page-trivy_homepage
+
+
+
+
+	/* homepage_community */
+	.homepage_community_wrap {
+	position: relative;
+	background-color: $aq-trivy-dark;
+	color: #ffffff;
+	z-index: 5;
+	padding-top: 60px;
+	padding-bottom: 20px;
+
+
+	.container.wide_container {
+		max-width: 1640px;
+		padding-left: 20px;
+		padding-right: 20px;
+		display: flex;
+		flex-direction: row;
+		flex-wrap: wrap;
+	}
+
+
+	.community_titles_column {
+		width: 33.3333%;
+		padding-right: 32px;
+
+		@media screen and (max-width: $desktop), print {
+			width: 41.6666666667%;
+		} //until desktop
+
+		@media screen and (max-width: $tablet), print {
+			width: 100%;
+		} //until tablet
+	}
+
+	.community_slider_column {
+		width: 66.6666%;
+
+		@media screen and (max-width: $desktop), print {
+			width: 58.3333333333%;
+		} //until desktop
+
+		@media screen and (max-width: $tablet), print {
+			width: 100%;
+		} //until tablet
+	}
+
+
+	.community_title {
+		color: $aq-sea-foam;
+		font-size: 60px; //3.75rem;
+		font-weight: $weight-bold;
+		margin-bottom: 24px; ////1.5rem;
+		line-height: 1.2;
+		
+
+	}
+
+	.community_subtitle  {
+		color: #ffffff;
+		font-size: 26px; //1.625rem;
+		margin-bottom: 24px; ////1.5rem;
+		
+
+	}
+
+	.community_cta_wrap {
+
+		.button {
+			font-weight: $weight-bold;
+			margin-right: 10px;
+		}
+		
+	}
+
+	.community_quotes_wrap {
+		position: relative;
+		
+
+		.community_quotes {
+			column-count: 3;
+			column-gap: 20px;
+
+			@media screen and (max-width: $widescreen), print { //1216
+				column-count: 2;
+			}
+
+			@media screen and (max-width: $tablet), print { //769
+				column-count: 1;
+			}
+
+			.quote_item_wrap {
+				display: inline-block;
+				margin: 0px 0px 20px 0px;
+				width: 100%;
+			}
+
+			.quote_item {
+
+				display: block;
+				position: relative;
+				color: #ffffff;
+				border: 1px solid rgba($aq-sea-foam,0.2);
+				background-color: rgba($aq-sea-foam,0.05);
+				border-radius: 4px;
+				padding: 25px;
+
+				.quote_name {
+					font-size: 16px; //1rem;
+					font-weight: $weight-semibold;
+				}
+
+				.quote_twitter_handle {
+					opacity: 0.6;
+					font-size: 13px; //0.8125rem;
+				}
+
+				.quote_company {
+					opacity: 0.6;
+					font-size: 13px; //0.8125rem;
+				}
+
+				.quote_text {
+					font-size: 16px; //1rem;
+					font-weight: $weight-normal;
+					line-height: 1.3;
+				}
+
+				.quote_avatar {
+					display: block;
+					position: absolute;
+					top: 25px;
+					left: 25px;
+					width: 40px;
+					height: 40px;
+					border-radius: 50%;
+					background-repeat: no-repeat;
+					background-position: center center;
+					background-size: cover;
+
+				}
+
+				&.is_tweet {
+
+					.quote_text {
+						padding-top: 10px;
+					}
+					
+
+					&.has_avatar {
+						.quote_name,
+						.quote_twitter_handle {
+							padding-left: 50px;
+						}
+					} //has_avatar
+
+				} //&is_tweet
+
+				&.is_quote {
+
+					.quote_text {
+						position: relative;
+						padding-top: 40px;
+						padding-bottom: 10px;
+
+						&:before {
+							content: "";
+							display: block;
+							position: absolute;
+							top: -10px;
+							left: 0px;
+							width: 56px;
+							height: 42px;
+							background-image: url(../images/community_quote.png);
+							background-position: center center;
+							background-repeat: no-repeat;
+						}
+					} //quote_text
+					
+				} //&is_quote
+
+			} //quote_item
+
+		}
+
+	} //community_quotes_wrap
+
+	@media screen and (max-width: $tablet), print { //tablet
+
+		.community_title {
+			font-size: 32px; //2rem;
+		}
+		.community_subtitle {
+			font-size: 18px; //1.125rem;
+		}
+
+	} //until
+
+
+	} //homepage_community_wrap
+
+} //trivy_homepage_wrap
+
+
+
+
+
+/* Slider */
+.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
+.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
+.slick-list:focus{outline:none;}
+.slick-list.dragging{cursor:hand;}
+.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
+.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
+.slick-track:before,.slick-track:after{display:table;content:'';}
+.slick-track:after{clear:both;}
+.slick-loading .slick-track{visibility:hidden;}
+.slick-slide{display:none;float:left;height:100%;min-height:1px;}
+.slick-slide:focus{outline:none;}
+.slick-slide img{display:block;}
+.slick-slide.slick-loading img{display:none;}
+.slick-slide.dragging img{pointer-events:none;}
+.slick-initialized .slick-slide{display:block;}
+.slick-loading .slick-slide{visibility:hidden;}
+.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
+.slick-arrow.slick-hidden{display:none;}
+
+.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
+.slick-arrow:focus, .slick-arrow:active {outline:none;}
+.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
+.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
+.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
+
+
+
+/* dots */
+.slick-dotted.slick-slider
+{
+	margin-bottom: 0px;
+}
+
+
+.slick-dots
+{
+	//position: absolute;
+	//bottom: -25px;
+	position: relative;
+	display: block;
+
+	width: 100%;
+	padding: 0;
+	margin: 0;
+
+	list-style: none;
+
+	text-align: center;
+}
+
+
+.slick-dots li {
+	position: relative;
+	display: inline-block;
+	width: 24px;
+	height: 24px;
+	margin: 0px 4px;
+	padding: 0;
+	cursor: pointer;
+}
+
+.slick-dots li button
+{
+	font-size: 0;
+	line-height: 0;
+
+	display: block;
+
+	width: 24px;
+	height: 24px;
+	padding: 0px;
+
+	cursor: pointer;
+
+	color: transparent;
+	border: 0;
+	outline: none;
+	background: transparent;
+
+	&:before {
+
+		position: relative;
+		top: 0px;
+		left: 0px;
+		width: 20px;
+		height: 20px;
+		content: "";
+		background-color: transparent;
+		border: 2px solid $aq-sea-foam;
+		border-radius: 50%;
+		display: block;
+		opacity: 0.7;
+	}
+
+	&:after {
+
+		position: absolute;
+		top: 7px;
+		left: 5px;
+		width: 10px;
+		height: 10px;
+		content: "";
+		background-color: $aq-sea-foam;
+		//border: 1px solid #666;
+		border-radius: 50%;
+		//box-shadow: inset 1px 1px 1px #888;
+		display: block;
+		opacity: 0;
+		transition: 0.2s ease-out;
+
+	}
+
+
+	
+
+}
+.slick-dots li button:hover,
+.slick-dots li button:focus
+{
+	outline: none;
+	&:after {
+		opacity: 1;
+	}
+}
+
+.slick-dots li.slick-active button:after {
+		opacity: 1;
+}
+
+
+
+
--- a/docs/assets/images/homepage_hero_orb_03.png
+++ b/docs/assets/images/homepage_hero_orb_03.png
--- a/docs/assets/images/homepage_hero_stars_02.svg
+++ b/docs/assets/images/homepage_hero_stars_02.svg
@@ -0,0 +1 @@
+<svg version="1.1" id="Layer_2" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 240 240" enable-background="new 0 0 240 240" xml:space="preserve"><rect x="106" y="90" fill="#00ffe4" width="2" height="2"/><rect x="74" y="63" fill="#00ffe4" width="1" height="1"/><rect x="23" y="66" fill="#00ffe4" width="1" height="1"/><rect x="50" y="110" fill="#00ffe4" width="1" height="1"/><rect x="63" y="128" fill="#00ffe4" width="1" height="1"/><rect x="45" y="149" fill="#00ffe4" width="1" height="1"/><rect x="92" y="151" fill="#00ffe4" width="1" height="1"/><rect x="58" y="8" fill="#00ffe4" width="1" height="1"/><rect x="147" y="33" fill="#00ffe4" width="2" height="2"/><rect x="91" y="43" fill="#00ffe4" width="1" height="1"/><rect x="169" y="29" fill="#ffffff" width="1" height="1"/><rect x="182" y="19" fill="#00ffe4" width="1" height="1"/><rect x="161" y="59" fill="#00ffe4" width="1" height="1"/><rect x="138" y="95" fill="#00ffe4" width="1" height="1"/><rect x="199" y="71" fill="#ffffff" width="3" height="3"/><rect x="213" y="153" fill="#00ffe4" width="2" height="2"/><rect x="128" y="163" fill="#ffffff" width="1" height="1"/><rect x="205" y="174" fill="#00ffe4" width="1" height="1"/><rect x="152" y="200" fill="#00ffe4" width="1" height="1"/><rect x="52" y="211" fill="#00ffe4" width="2" height="2"/><rect y="191" fill="#00ffe4" width="1" height="1"/><rect x="110" y="184" fill="#00ffe4" width="1" height="1"/></svg>
--- a/docs/assets/images/homepage_hero_terrain_08.svg
+++ b/docs/assets/images/homepage_hero_terrain_08.svg
--- a/docs/assets/images/homepage_v1_hero_person_01.png
+++ b/docs/assets/images/homepage_v1_hero_person_01.png
--- a/docs/assets/images/trivy_logo_horizontal_white.svg
+++ b/docs/assets/images/trivy_logo_horizontal_white.svg
@@ -0,0 +1 @@
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891" xml:space="preserve"><style>.st0{fill:#fff}.st1{fill:#50f0ff}</style><path class="st0" d="M1421.86 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c0-15.38-12.51-27.9-27.9-27.9zM1737.06 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c-.01-15.38-12.52-27.9-27.9-27.9zM1585.02 281.94c-25.91 0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0 15.39 12.52 27.91 27.91 27.91s27.91-12.52 27.91-27.91v-44.08h19.09v44.08c-.01 25.91-21.1 46.99-47 46.99zM1479.94 187.98c-25.9 0-46.97 21.07-46.97 46.97s21.07 46.97 46.97 46.97l19.07-19.07h-19.07c-15.38 0-27.9-12.52-27.9-27.9 0-15.38 12.52-27.9 27.9-27.9 15.38 0 27.9 12.52 27.9 27.9v91.8h19.07v-91.8c0-25.9-21.07-46.97-46.97-46.97zM942.76 588.45v46.29c-31.53 0-59.94-11.34-82.34-30.14-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04v105.2h82.34v46.59h-82.34v81.19c.63 45.06 37.13 81.41 82.34 81.41zM1106.82 379.26v45.98c-43.65.1-79.18 34.71-80.78 77.98v131.52h-46.12V379.26h46.12v29.16c21.93-18.18 50.08-29.12 80.78-29.16zM1136.4 353.72v-40.29h46.05v40.29h-46.05zm0 281.02V379.26h46.05v255.48h-46.05zM1464.76 379.26l-127.64 255.48-127.8-255.48h52.33l75.47 150.88 75.31-150.88h52.33zM1740.81 379.26v297.8c0 71.31-58.52 128.26-127.83 128.2-32.47.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13 11.97 32.36 19.22 52.28 19.2 44.86 0 81.17-36.69 81.17-81.55v-71.39c-22.26 18.42-50.67 29.09-81.17 29.06-69.46.06-127.95-56-127.95-127.85V379.24h46.64l.02 127.64c0 44.67 36.39 81.6 81.28 81.55 44.86 0 81.17-36.69 81.17-81.55V379.26h46.66z"/><path class="st1" d="M428.54 364.9h.12c6.56.01 11.98-5.03 11.98-11.58V135.99l-12.23-6.83-12.18 6.8v217.36c0 6.56 5.43 11.61 11.98 11.58h.33z"/><path d="M355.18 463.55 153.55 598.87v15.41l11.49 6.29 203.73-136.73c5.23-3.51 6.53-10.52 3.15-15.84-.14-.23-.29-.45-.43-.68-3.5-5.62-10.81-7.46-16.31-3.77z" style="fill:#0744dd"/><path d="m488.27 483.95 203.55 136.61 11.45-6.28v-15.44L501.86 463.66c-5.51-3.7-12.82-1.87-16.32 3.76-.13.21-.27.43-.4.64-3.41 5.34-2.12 12.37 3.13 15.89z" style="fill:#ffc900"/><path class="st0" d="M727.69 282.29v-13.96l-12.5-6.98-.93-.49-273.93-152.99-11.92-6.64-11.87 6.64-273.98 152.99-.93.49-12.5 6.98v13.96l-.93.54.93.49v345.42l12.69 6.94 266.85 146.2 3.37 1.85 16.41 8.98 16.36-8.98 3.37-1.85 266.85-146.2 12.65-6.94V283.37l.98-.54-.97-.54zM440.95 758.05V511.4c0-6.72-5.5-12.22-12.22-12.21h-.32c-6.72-.01-12.22 5.49-12.22 12.21v246.64L165.04 620.57l-11.49-6.29V294.7l199.98 109.56c5.77 3.16 13.1 1.04 16.28-4.72l.14-.26c3.22-5.83 1.08-13.22-4.76-16.42L167.81 274.72l248.42-138.75 12.18-6.8 12.23 6.83 248.37 138.73-197.54 108.22c-5.81 3.18-7.63 10.45-4.41 16.24.05.1.11.2.16.29 3.16 5.73 10.22 8.01 15.96 4.86L703.27 294.7v319.59l-11.45 6.28-250.87 137.48z"/><circle cx="428.54" cy="432.05" r="35.42" style="fill:#ff0036"/><path class="st1" d="M617.65 262.99 426.32 155.74c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l191.33 107.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM533.81 271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l107.48 60.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.97-16.62 4.68zM569.02 291c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68 5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM462.29 288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l35.7 20.01c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM516.16 321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l20.67 11.58c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68z"/></svg>
--- a/docs/assets/javascripts/trivy_v1_homepage.js
+++ b/docs/assets/javascripts/trivy_v1_homepage.js
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -1,10 +1,6 @@
-FROM squidfunk/mkdocs-material:9.4.6
+FROM squidfunk/mkdocs-material:9.5.44

-## If you want to see exactly the same version as is published to GitHub pages
-## use a private image for insiders, which requires authentication.
-
-# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
-# FROM ghcr.io/squidfunk/mkdocs-material-insiders
+# https://squidfunk.github.io/mkdocs-material/getting-started/?h=macros#with-docker-material-for-mkdocs

 COPY requirements.txt .
 RUN pip install -r requirements.txt
--- a/docs/build/requirements.in
+++ b/docs/build/requirements.in
@@ -0,0 +1,3 @@
+mkdocs-material==9.5.44
+mkdocs-macros-plugin
+mike
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -1,30 +1,114 @@
-click==8.1.2
-csscompressor==0.9.5
-ghp-import==2.0.2
-htmlmin==0.1.12
-importlib-metadata==4.11.3
-Jinja2==3.1.1
-jsmin==3.0.1
-Markdown==3.3.6
-MarkupSafe==2.1.1
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --output-file=docs/build/requirements.txt docs/build/requirements.in
+#
+babel==2.16.0
+    # via mkdocs-material
+certifi==2024.8.30
+    # via requests
+charset-normalizer==3.4.0
+    # via requests
+click==8.1.7
+    # via mkdocs
+colorama==0.4.6
+    # via mkdocs-material
+ghp-import==2.1.0
+    # via mkdocs
+hjson==3.1.0
+    # via
+    #   mkdocs-macros-plugin
+    #   super-collections
+idna==3.10
+    # via requests
+importlib-metadata==8.5.0
+    # via mike
+importlib-resources==6.4.5
+    # via mike
+jinja2==3.1.4
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-macros-plugin
+    #   mkdocs-material
+markdown==3.7
+    # via
+    #   mkdocs
+    #   mkdocs-material
+    #   pymdown-extensions
+markupsafe==3.0.2
+    # via
+    #   jinja2
+    #   mkdocs
 mergedeep==1.3.4
-mike==1.1.2
-mkdocs==1.3.0
-mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.3.9
-mkdocs-material-extensions==1.0.3
-mkdocs-minify-plugin==0.5.0
-mkdocs-redirects==1.0.4
-packaging==21.3
-Pygments==2.12.0
-pymdown-extensions==9.5
-pyparsing==3.0.8
-python-dateutil==2.8.2
-PyYAML==6.0.1
+    # via
+    #   mkdocs
+    #   mkdocs-get-deps
+mike==2.1.3
+    # via -r docs/build/requirements.in
+mkdocs==1.6.1
+    # via
+    #   mike
+    #   mkdocs-macros-plugin
+    #   mkdocs-material
+mkdocs-get-deps==0.2.0
+    # via mkdocs
+mkdocs-macros-plugin==1.3.7
+    # via -r docs/build/requirements.in
+mkdocs-material==9.5.44
+    # via -r docs/build/requirements.in
+mkdocs-material-extensions==1.3.1
+    # via mkdocs-material
+packaging==24.2
+    # via
+    #   mkdocs
+    #   mkdocs-macros-plugin
+paginate==0.5.7
+    # via mkdocs-material
+pathspec==0.12.1
+    # via
+    #   mkdocs
+    #   mkdocs-macros-plugin
+platformdirs==4.3.6
+    # via mkdocs-get-deps
+pygments==2.18.0
+    # via mkdocs-material
+pymdown-extensions==10.12
+    # via mkdocs-material
+pyparsing==3.2.0
+    # via mike
+python-dateutil==2.9.0.post0
+    # via
+    #   ghp-import
+    #   mkdocs-macros-plugin
+pyyaml==6.0.2
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-get-deps
+    #   mkdocs-macros-plugin
+    #   pymdown-extensions
+    #   pyyaml-env-tag
 pyyaml-env-tag==0.1
+    # via
+    #   mike
+    #   mkdocs
+regex==2024.11.6
+    # via mkdocs-material
+requests==2.32.3
+    # via mkdocs-material
 six==1.16.0
-termcolor==1.1.0
+    # via python-dateutil
+super-collections==0.5.3
+    # via mkdocs-macros-plugin
+termcolor==2.5.0
+    # via mkdocs-macros-plugin
+urllib3==2.2.3
+    # via requests
 verspec==0.1.0
-watchdog==2.1.7
-zipp==3.8.0
-
+    # via mike
+watchdog==6.0.0
+    # via mkdocs
+zipp==3.21.0
+    # via importlib-metadata
--- a/docs/commercial/compare.md
+++ b/docs/commercial/compare.md
@@ -0,0 +1,86 @@
+# Aqua Security is the home of Trivy
+
+Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
+In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product.
+If you'd like to learn more or request a demo, [click here to contact us](./contact.md).
+
+## User experience
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Interface | CLI tool | CLI tool <br> Enterprise-grade web application <br> SaaS or on-prem |
+| Search & Discover | - | Easily search for security issues across all workloads and infrastructure in your organization <br> Visually discover risks across your organization |
+| User management | - | Multi account <br> Granular permissions (RBAC) <br> Single Sign On (SSO) |
+| Support | Some skills required for setup and integration <br> Best effort community support | Personal onboarding by Aqua Customer Success <br> SLA backed professional support |
+| Scalability & Availability | Single scan at a time | Centralized scanning service supports concurrent scans efficiently <br> Highly available production grade architecture |
+| Rate limiting | Assets hosted on public free infrastructure and could be rate limited | Assets hosted on Aqua infrastructure and does not have limitations |
+
+## Vulnerability scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Vulnerabilities sources | Based on open source vulnerability feeds | Based on open source and commercial vulnerability feeds |
+| New Vulnerabilities SLA | No SLA | Commercial level SLA |
+| Package managers | Find packages in lock files | Find packages in lock files or reconstructed lock files |
+| Vulnerability management | Manually ignore specific vulnerabilities by ID or property | Advanced vulnerability management solution <br> Vulnerability tracking and suppression <br> Incident lifecycle management |
+| Vulnerability prioritization | Manually triage by severity | Multiple prioritization tools:  <br> Accessibility of the affected resources <br> Exploitability of the vulnerability <br> Open Source packages health and trustworthiness score <br> Affected image layers |
+| Reachability analysis | - | Analyze source code to eliminate vulnerabilities of unused dependencies |
+| Contextual vulnerabilities | - | Reduce irrelevant vulnerabilities based on environmental factors (e.g. Spring4Shell not relevant due to JDK version) |
+| Compiled binaries | Find embedded dependencies in Go and Rust binaries <br> Find SBOM by hash in public Sigstore | In addition, identify popular applications |
+
+## Container scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Windows containers | - | Support scanning windows containers |
+| Scan container registries | - | Connect to any container registries and automatically scan it |
+| Private registries | Standard registry authenticationCloud authentication with ECR, GCR, ACR | Supports registry specific authentication schemes |
+| Layer cache | Local cache directory | Scalable Cloud cache |
+
+## Advanced scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Malware scanning | - | Scan container images for malware |
+| Sandbox scanning | - | Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats |
+| SAST (code scanning) | - | Analyze source code for security issues and vulnerabilities |
+
+## Policy and enforcement
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Kubernetes admission | - | Validating Kubernetes Admission based on automatic or user defined policy |
+| CI/CD policies | Can fail the entire build on any finding | Granular policies to fail builds based on custom criteria |
+| Container engine | - | Block incompliant images from running at container engine level |
+| Block vulnerable packages | - | vShield – monitor and block usage of vulnerable packages |
+
+## Secrets scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Detected patterns | Basic patterns | Advanced patterns |
+| Leaked secrets validation | - | Automatically checks if leaked secrets are valid and usable |
+
+## IaC/CSPM scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
+| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
+| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
+| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
+| Custom compliance | Create in YAML | Create in a web UI |
+| Remediation advice | Basic | AI powered specialized remediation guides |
+
+## Kubernetes scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+Scan initiation | CLI / Kubernetes Operator | Kubernetes Operator / Management web application |
+Results consumption | kubectl / CRD / Prometheus exporter | In addition, Advanced UI dashboards, Automatic notifications and incident management flows |
+Cluster discovery | Kubeconfig | Automatic discovery thorough cloud onboarding |
+Workload image scanning | Scanning in cluster, requires capacity planning | Scanning offloaded to Aqua service, little impact on scanned clusters |
+| Cluster scanning | CIS, NSA, PSS | More than 25 compliance programs |
+| Scope |  Single cluster | Multi cluster, Cloud relationship |
+| Scalability | Reports limited by in-cluster etcd storage (size and number of reports) | Cloud-based storage (unlimited scalability) |
--- a/docs/commercial/contact.md
+++ b/docs/commercial/contact.md
@@ -0,0 +1,17 @@
+<style>
+    .md-content .md-content__inner a, h1 {
+        display:none;
+    }
+    input.hs-input, textarea.hs-input {
+        border: silver solid 1px !important;
+        font-size: 0.8em;
+        padding: 5px;
+    }
+</style>
+<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
+<script>
+  hbspt.forms.create({
+    portalId: "1665891",
+    formId: "a1d0c098-3b3a-40d8-afb4-e04ddb697afe"
+  });
+</script>
--- a/docs/community/contribute/discussion.md
+++ b/docs/community/contribute/discussion.md
@@ -38,12 +38,12 @@ If the data source is correct and Trivy shows wrong results, please raise an iss
 Visit [here](https://github.com/advisories) and search CVE-ID.

 If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
- 
+
 ### GitLab Advisory Database
 Visit [here](https://advisories.gitlab.com/) and search CVE-ID.

-If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
- 
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues)
+
 ### Red Hat CVE Database
 Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.

--- a/docs/community/maintainer/release-flow.md
+++ b/docs/community/maintainer/release-flow.md
@@ -10,7 +10,7 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl

 !!! note
    Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
-    To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release).
+    To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).

 ## Flow
 The release flow consists of the following main steps:
--- a/docs/community/maintainer/triage.md
+++ b/docs/community/maintainer/triage.md
@@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.

-We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
+We have specific [guidelines](./help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 
--- a/docs/community/principles.md
+++ b/docs/community/principles.md
@@ -48,6 +48,6 @@ As mentioned in [the Core Principles](#detecting-unintended-states), detection o
 ### User Interface
 Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].

-[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
+[trivy-aqua]: ../commercial/compare.md
 [tracee]: https://github.com/aquasecurity/tracee
 [aqua]: https://www.aquasec.com/
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -1,162 +1,77 @@
-# Advanced Network Scenarios
+# Connectivity and Network considerations

-Trivy needs to connect to the internet occasionally in order to download relevant content. This document explains the network connectivity requirements of Trivy and setting up Trivy in particular scenarios.
+Trivy requires internet connectivity in order to function normally. If your organizations blocks or restricts network traffic, that could prevent Trivy from working correctly.
+This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted networks environments, including completely air-gapped environments.

-## Network requirements
+The following table lists all external resources that are required by Trivy:

-Trivy's databases are distributed as OCI images via GitHub Container registry (GHCR):
+External Resource | Feature | Details
+--- | --- | ---
+Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
+Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
+Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
+VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
+Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)

- <https://ghcr.io/aquasecurity/trivy-db>
- <https://ghcr.io/aquasecurity/trivy-java-db>
- <https://ghcr.io/aquasecurity/trivy-checks>
+!!! note
+    Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.

-The following hosts are required in order to fetch them:
+The rest of this document details each resource's connectivity requirements and network related considerations.

- `ghcr.io`
- `pkg-containers.githubusercontent.com`
+## OCI Databases

-The databases are pulled by Trivy using the [OCI Distribution](https://github.com/opencontainers/distribution-spec) specification, which is a simple HTTPS-based protocol.
+Trivy's Vulnerability, Java, and Checks Bundle are packaged as OCI images and stored in public container registries.

-[VEX Hub](https://github.com/aquasecurity/vexhub) is distributed from GitHub over HTTPS.
-The following hosts are required in order to fetch it:
+### Connectivity requirements
+
+The specific registries and locations are detailed in the [databases document](../configuration/db.md).
+
+Communication with OCI Registries follows the [OCI Distribution](https://github.com/opencontainers/distribution-spec) spec.
+
+The following hosts are known to be used by the default container registries:
+
+Registry | Hosts | Additional info
+--- | --- | ---
+Google Artifact Registry | <ul><li>`mirror.gcr.io`</li><li>`googlecode.l.googleusercontent.com`</li></ul> | [Google's IP addresses](https://support.google.com/a/answer/10026322?hl=en)
+GitHub Container Registry | <ul><li>`ghcr.io`</li><li>`pkg-containers.githubusercontent.com`</li></ul> | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)
+
+### Self-hosting
+
+You can host Trivy's databases in your own container registry. Please refer to [Self-hosting document](./self-hosting.md#oci-databases) for a detailed guide.
+
+## Embedded Checks
+
+Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
+
+## VEX Hub
+
+### Connectivity Requirements
+
+VEX Hub is hosted as at <https://github.com/aquasecurity/vexhub>.
+
+Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests.
+
+The following hosts are known to be used by GitHub's services:

 - `api.github.com`
 - `codeload.github.com`

-## Running Trivy in air-gapped environment
+For more information about GitHub connectivity (including specific IP addresses), please refer to [GitHub's connectivity troubleshooting guide](https://docs.github.com/en/get-started/using-github/troubleshooting-connectivity-problems).

-An air-gapped environment refers to situations where the network connectivity from the machine Trivy runs on is blocked or restricted.
+### Self-hosting

-In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis. 
+You can host a copy of VEX Hub on your own internal server. Please refer to the [self-hosting document](./self-hosting.md#vex-hub) for a detailed guide.

-## Offline Mode
+## Maven Central / Remote Repositories

-By default, Trivy will attempt to download latest databases. If it fails, the scan might fail. To avoid this behavior, you can tell Trivy to not attempt to download database files:
+Trivy might call out to Maven central or other remote repositories to fetch in order to correctly identify Java packages during a vulnerability scan.

- `--skip-db-update` to skip updating the main vulnerability database.
- `--skip-java-db-update` to skip updating the Java vulnerability database.
- `--skip-check-update` to skip updating the misconfiguration database.
+### Connectivity requirements

-```shell
-trivy image --skip-db-update --skip-java-db-update --offline-scan --skip-check-update myimage
-```
+Trivy might attempt to connect (over HTTPS) to the following URLs:

-## Self-Hosting
+- `https://repo.maven.apache.org/maven2`

-### OCI Databases
+### Offline mode

-You can host the databases on your own local OCI registry. 
-
-First, make a copy of the databases in a container registry that is accessible to Trivy. The databases are in:
-
- `ghcr.io/aquasecurity/trivy-db:2`
- `ghcr.io/aquasecurity/trivy-java-db:1`
- `ghcr.io/aquasecurity/trivy-checks:0`
-
-Then, tell Trivy to use the local registry:
-
-```shell
-trivy image \
-    --db-repository myregistry.local/trivy-db \
-    --java-db-repository myregistry.local/trivy-java-db \
-    --checks-bundle-repository myregistry.local/trivy-checks \
-    myimage
-```
-
-#### Authentication
-
-If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
-
-### VEX Hub
-
-You can host a copy of VEX Hub on your own internal server.
-
-First, make a copy of VEX Hub in a location that is accessible to Trivy.
-
-1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: <https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip>.
-1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: <https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json>.
-1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
-1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
-1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
-1. Make the manifest file available for serving from your server under the `/.well-known` path  (e.g `https://server.local/.well-known/vex-repository.json`).
-
-Then, tell Trivy to use the local VEX Repository:
-
-1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
-1. Disable the default VEX Hub repo (`enabled: false`)
-1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
-
-#### Authentication
-
-If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
-
-## Manual cache population
-
-You can also download the databases files manually and surgically populate the Trivy cache directory with them.
-
-### Downloading the DB files
-
-On a machine with internet access, pull the database container archive from the public registry into your local workspace:
-
-Note that these examples operate in the current working directory.
-
-=== "Using ORAS"
-This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
-
-```shell
-oras pull ghcr.io/aquasecurity/trivy-db:2
-```
-
-You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
-
-```shell
-tar -xzf db.tar.gz
-```
-
-You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files.
-
-=== "Using Trivy"
-This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
-
-```shell
-trivy image --cache-dir . --download-db-only
-```
-
-You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
-
-### Populating the Trivy Cache
-
-In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
-
-```shell
-trivy -h | grep cache
-```
-
-For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
-
-```shell
-TRIVY_CACHE_DIR=/home/user/.cache/trivy
-```
-
-Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
-
-```shell
-# ensure cache db directory exists
-mkdir -p ${TRIVY_CACHE_DIR}/db
-# copy the db files
-cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
-```
-
-### Java DB
-
-For Java DB the process is the same, except for the following:
-
-1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
-2. Archive file name is `javadb.tar.gz`
-3. DB file name is `trivy-java.db`
-
-## Misconfigurations scanning
-
-Note that the misconfigurations checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
-
-The misconfiguration scanner can be configured to load checks from a local directory, using the `--config-check` flag. In an air-gapped scenario you can copy the checks library from [Trivy checks repository](https://github.com/aquasecurity/trivy-checks) into a local directory, and load it with this flag. See more in the [Misconfiguration scanner documentation](../scanner/misconfiguration/index.md).
+There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
--- a/docs/docs/advanced/self-hosting.md
+++ b/docs/docs/advanced/self-hosting.md
@@ -0,0 +1,132 @@
+# Self-Hosting Trivy's Databases
+
+This document explains how to host Trivy's [external dependencies](./air-gap.md) in your own infrastructure to prevent external network access. If you haven't already, please familiarize yourself with the [Databases document](../configuration/db.md) that explains about the different databases used by Trivy and the different configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
+
+## OCI databases
+
+The following [Trivy Databases](../configuration/db.md) are packaged as OCI images:
+
+- `trivy-db`
+- `trivy-java-db`
+- `trivy-checks`
+
+To host these databases in your own infrastructure:
+
+### Make a local copy
+
+Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
+
+!!! note
+    You will need to keep the databases updated in order to maintain relevant scanning results over time.
+
+### Configure Trivy
+
+Use the appropriate [database location flags](../configuration/db.md#database-locations) to change the db-repository location:
+
+- `--db-repository`
+- `--java-db-repository`
+- `--checks-bundle-repository`
+
+### Authentication
+
+If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
+
+### OCI Media Types
+
+When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
+
+DB | Media Type | Reference
+--- | --- | ---
+`trivy-db` | `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` | <https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db>
+`trivy-java-db` | `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip` | https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
+`trivy-checks` | `application/vnd.oci.image.manifest.v1+json` | https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
+
+## Manual cache population
+
+Trivy uses a local cache directory to store the database files, as described in the [cache](../configuration/cache.md) document.
+You can download the databases files and surgically populate the Trivy cache directory with them.
+
+### Downloading the DB files
+
+On a machine with internet access, pull the database container archive from the public registry into your local workspace:
+
+Note that these examples operate in the current working directory.
+
+=== "Using ORAS"
+    This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
+
+    ```shell
+    oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+    
+    You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
+    
+    ```shell
+    tar -xzf db.tar.gz
+    ```
+    
+
+=== "Using Trivy"
+    This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
+    
+    ```shell
+    trivy image --cache-dir . --download-db-only
+    ```
+
+You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
+
+### Populating the Trivy Cache
+
+In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
+
+```shell
+trivy -h | grep cache
+```
+
+For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
+
+```shell
+TRIVY_CACHE_DIR=/home/user/.cache/trivy
+```
+
+Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
+
+```shell
+# ensure cache db directory exists
+mkdir -p ${TRIVY_CACHE_DIR}/db
+# copy the db files
+cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
+```
+
+### Java DB adaptations
+
+For Java DB the process is the same, except for the following:
+
+1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
+2. Archive file name is `javadb.tar.gz`
+3. DB file name is `trivy-java.db`
+
+## VEX Hub
+
+### Make a local copy
+
+To make a copy of VEX Hub in a location that is accessible to Trivy.
+
+1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: <https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip>.
+1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: <https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json>.
+1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
+1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
+1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
+1. Make the manifest file available for serving from your server under the `/.well-known` path  (e.g `https://server.local/.well-known/vex-repository.json`).
+
+### Configure Trivy
+
+To configure Trivy to use the local VEX Repository:
+
+1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
+1. Disable the default VEX Hub repo (`enabled: false`)
+1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+
+### Authentication
+
+If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -10,7 +10,6 @@ Trivy’s compliance flag lets you curate a specific set of checks into a report
 Compliance report is currently supported in the following targets (trivy sub-commands):

 - `trivy image`
- `trivy aws`
 - `trivy k8s`

 Add the `--compliance` flag to the command line, and set it's value to desired report.
--- a/docs/docs/compliance/contrib-compliance.md
+++ b/docs/docs/compliance/contrib-compliance.md
@@ -1,26 +1,26 @@
 # Custom Compliance Spec

 Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
-All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
+All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).

-New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
+New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance)
 If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.

 All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.

 ## Contributing new Compliance Specs

-Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access. 
+Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.

 ### Create a new Compliance Spec

-The existing compliance specs in Trivy are located under the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
+The existing compliance specs in Trivy are located under the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).

 Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.

 ### Minimum spec structure

-The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance). 
+The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance).

 The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.

@@ -37,7 +37,7 @@ Additional information is provided below.

 Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.

-Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available. 
+Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance) available.

 For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark:
 `3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)`
--- a/docs/docs/configuration/cache.md
+++ b/docs/docs/configuration/cache.md
@@ -51,9 +51,7 @@ It supports three types of backends for this cache:
    - TTL can be configured via `--cache-ttl`

 ### Local File System
-The local file system backend is the default choice for container and VM image scans.
-When scanning container images, it stores analysis results on a per-layer basis, using layer IDs as keys.
-This approach enables faster scans of the same container image or different images that share layers.
+The local file system backend is the default choice for container image, VM image and repository scans.

 !!! note
    Internally, this backend uses [BoltDB][boltdb], which has an important limitation: only one process can access the cache at a time.
@@ -63,7 +61,7 @@ This approach enables faster scans of the same container image or different imag
 ### Memory
 The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
 This makes it useful in scenarios where caching is not required or desired.
-It serves as the default for repository, filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
+It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.

 To use the memory backend for a container image scan, you can use the following command:

--- a/docs/docs/configuration/db.md
+++ b/docs/docs/configuration/db.md
@@ -1,126 +1,129 @@
-# DB
+# Trivy Databases

-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |           |
-|      Secret      |           |
-|     License      |           |
+When you install Trivy, the installed artifact contains the scanner engine but is lacking relevant security information needed to make security detections and recommendations.
+These so called "databases" are automatically fetched and maintained by Trivy as needed, so normally you shouldn't notice or worry about them.   
+This document elaborates on the database management mechanism and its configuration options.

-The vulnerability database and the Java index database are needed only for vulnerability scanning.
-See [here](../scanner/vulnerability.md) for the detail.
+Trivy relies on the following databases:

-## Vulnerability Database
+DB | Artifact name | Contents | Purpose
+--- | --- | --- | ---
+Vulnerabilities DB | `trivy-db` | CVE information collected from various feeds | used only for [vulnerability scanning](../scanner/vulnerability.md)
+Java DB | `trivy-java-db` | Index of Java artifacts and their hash digest | used to identify Java artifacts only in [JAR scanning](../coverage/language/java.md)
+Checks Bundle | `trivy-checks` | Logic of misconfiguration checks | used only in [misconfiguration/IaC scanning](../scanner/misconfiguration/check/builtin.md)

-### Skip update of vulnerability DB
-If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.
+!!! note
+    This is not an exhaustive list of Trivy's external connectivity requirements.
+    There are additional external resources which may be required by specific Trivy features.
+    To learn about external connectivity requirements, see the [Advanced Network Scenarios](../advanced/air-gap.md).
+
+## Locations
+
+Trivy's databases are published to the following locations:
+
+| Registry | Image Address | Link
+| --- | --- | ---
+| GHCR | `ghcr.io/aquasecurity/trivy-db` | <https://ghcr.io/aquasecurity/trivy-db>
+| | `ghcr.io/aquasecurity/trivy-java-db` | <https://ghcr.io/aquasecurity/trivy-java-db>
+| | `ghcr.io/aquasecurity/trivy-checks` | <https://ghcr.io/aquasecurity/trivy-checks>
+| Docker Hub | `aquasec/trivy-db` | <https://hub.docker.com/r/aquasec/trivy-db>
+| | `aquasec/trivy-java-db` | <https://hub.docker.com/r/aquasec/trivy-java-db>
+| | `aquasec/trivy-checks` | <https://hub.docker.com/r/aquasec/trivy-checks>
+| AWS ECR | `public.ecr.aws/aquasecurity/trivy-db` | <https://gallery.ecr.aws/aquasecurity/trivy-db>
+| | `public.ecr.aws/aquasecurity/trivy-java-db` | <https://gallery.ecr.aws/aquasecurity/trivy-java-db>
+| | `public.ecr.aws/aquasecurity/trivy-checks` | <https://gallery.ecr.aws/aquasecurity/trivy-checks>
+
+In addition, images are also available via pull-through cache registries like [Google Container Registry Mirror](https://cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images).
+
+## Default Locations
+
+Trivy will attempt to pull images from the following registries in the order specified.
+
+1. `mirror.gcr.io/aquasec`
+2. `ghcr.io/aquasecurity`
+
+You can specify additional alternative repositories as explained in the [configuring database locations section](#database-locations).
+
+## DB Management Configuration
+
+### Database Locations
+
+You can configure Trivy to download databases from alternative locations by using the flags:
+
+- `--db-repository`
+- `--java-db-repository`
+- `--checks-bundle-repository`
+
+The value should be an image address in a container registry.
+
+For example:

 ```
-$ trivy image --skip-db-update python:3.4-alpine3.9
+trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
 ```

-<details>
-<summary>Result</summary>
+The flags accepts multiple values, which can be used to specify multiple alternative repository locations. In case of a transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.
+
+For example:

 ```
-2019-05-16T12:48:08.703+0900    INFO    Detecting Alpine vulnerabilities...
-
-python:3.4-alpine3.9 (alpine 3.9.2)
-===================================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
-|         |                  |          |                   |               | with long nonces               |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
+trivy image --db-repository my.registry.local/trivy-db --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
 ```

-</details>
+The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback.

-### Only download vulnerability database
-You can also ask `Trivy` to simply retrieve the vulnerability database.
-This is useful to initialize workers in Continuous Integration systems.
-
-```
-$ trivy image --download-db-only
-```
-
-### DB Repository
-`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
-
-```
-$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
-```
-
-The media type of the OCI layer must be `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip`.
-You can reference the OCI manifest of [trivy-db].
-
-<details>
-<summary>Manifest</summary>
-
-```shell
-{
-  "schemaVersion": 2,
-  "mediaType": "application/vnd.oci.image.manifest.v1+json",
-  "config": {
-    "mediaType": "application/vnd.aquasec.trivy.config.v1+json",
-    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
-    "size": 2
-  },
-  "layers": [
-    {
-      "mediaType": "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip",
-      "digest": "sha256:29ad6505b8957c7cd4c367e7c705c641a9020d2be256812c5f4cc2fc099f4f02",
-      "size": 55474933,
-      "annotations": {
-        "org.opencontainers.image.title": "db.tar.gz"
-      }
-    }
-  ],
-  "annotations": {
-    "org.opencontainers.image.created": "2024-09-11T06:14:51Z"
-  }
-}
-```
-</details>
+!!! note 
+    Setting the repository location flags override the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list the you set as repository locations.

 !!!note
-    Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
+    When pulling `trivy-db` or `trivy-java-db`, if image tag is not specified, Trivy defaults to the db schema number instead of the `latest` tag.

-    `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
+### Skip updates

+You can configure Trivy to not attempt to download any or all database(s), using the flags:

-## Java Index Database
-The same options are also available for the Java index DB, which is used for scanning Java applications.
-Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
+- `--skip-db-update`
+- `--skip-java-db-update`
+- `--skip-check-update`

-!!! Note
-    In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
-
-Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
+For example:

 ```
-$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
+trivy image --skip-db-update --skip-java-db-update --skip-check-update alpine
 ```

-The media type of the OCI layer must be `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip`.
-You can reference the OCI manifest of [trivy-java-db].
+### Only update

-!!!note
-    Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
+You can ask `Trivy` to only update the database without performing a scan. This action will ensure Trivy is up to date, and populate Trivy's database cache for subsequent scans.

-    `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
+- `--download-db-only`
+- `--download-java-db-only`

-## Remove DBs
-"trivy clean" command removes caches and databases.
+For example:
+
+```
+trivy image --download-db-only
+```
+
+Note that currently there is no option to download only the Checks Bundle.
+
+### Remove Databases
+
+`trivy clean` command removes caches and databases.
+You can select which cache component to remove:
+
+option | description
+--- | ---
+`-a`/`--all` | remove all caches
+`--checks-bundle` | remove checks bundle
+`--java-db` | remove Java database
+`--scan-cache` | remove scan cache (container and VM image analysis results)
+`--vuln-db` | remove vulnerability database
+
+Example:

 ```
 $ trivy clean --vuln-db --java-db
 2024-06-24T11:42:31+06:00       INFO    Removing vulnerability database...
 2024-06-24T11:42:31+06:00       INFO    Removing Java database...
 ```
-
-[trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
-[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
--- a/docs/docs/configuration/index.md
+++ b/docs/docs/configuration/index.md
@@ -1,23 +1,21 @@
 # Configuration
-Trivy can be configured using the following ways. Each item takes precedence over the item below it:
+Trivy's settings can be configured in any of the following methods, which will apply in the following precedence:

- CLI flags
- Environment variables
- Configuration file
+1. CLI flags (overrides all other settings)
+2. Environment variables (overrides config file settings)
+3. Configuration file

 ## CLI Flags
-You can view the list of available flags using the `--help` option.
-For more details, please refer to [the CLI reference](../references/configuration/cli/trivy.md).
+You can view the list of available flags by adding the `--help` flag to a Trivy command, or by exploring the [CLI reference](../references/configuration/cli/trivy.md).

 ## Environment Variables
-Trivy can be customized by environment variables.
-The environment variable key is the flag name converted by the following procedure.
+Any CLI option can be set as an environment variable. The environment variable name are similar to the CLI option name, with the following augmentations:

 - Add `TRIVY_` prefix
- Make it all uppercase
+- All uppercase letters
 - Replace `-` with `_`

-For example,
+For example:

 - `--debug` => `TRIVY_DEBUG`
 - `--cache-dir` => `TRIVY_CACHE_DIR`
@@ -27,5 +25,6 @@ $ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
 ```

 ## Configuration File
-By default, Trivy reads the `trivy.yaml` file.
-For more details, please refer to [the page](../references/configuration/config-file.md).
+Any setting can be set in a YAML file. By default, config file named `trivy.yaml` is read from the current directory where Trivy is run. To load configuration from a different file, use the `--config` flag and specify the config path to load: `trivy --config /etc/trivy/myconfig.yaml`.
+
+The structure and settings of the YAML config file is documented in the [Config file](../references/configuration/config-file.md) document.
--- a/docs/docs/configuration/others.md
+++ b/docs/docs/configuration/others.md
@@ -117,3 +117,46 @@ The following example will fail when a critical vulnerability is found or the OS
 ```
 $ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3
 ```
+
+## Mirror Registries
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports mirrors for [remote container images](../target/container_image.md#container-registry) and [databases](./db.md).
+
+To configure them, add a list of mirrors along with the host to the [trivy config file](../references/configuration/config-file.md#registry-options).
+
+!!! note
+    Use the `index.docker.io` host for images from `Docker Hub`, even if you don't use that prefix.
+
+Example for `index.docker.io`:
+```yaml
+registry:
+  mirrors:
+    index.docker.io:
+     - mirror.gcr.io
+```
+
+### Registry check procedure
+Trivy uses the following registry order to get the image:
+
+- mirrors in the same order as they are specified in the configuration file
+- source registry
+
+In cases where we can't get the image from the mirror registry (e.g. when authentication fails, image doesn't exist, etc.) - Trivy will check other mirrors (or the source registry if all mirrors have already been checked).
+
+Example:
+```yaml
+registry:
+  mirrors:
+    index.docker.io:
+     - mirror.with.bad.auth // We don't have credentials for this registry
+     - mirror.without.image // Registry doesn't have this image
+```
+
+When we want to get the image `alpine` with the settings above. The logic will be as follows:
+
+1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
+2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
+3. Get the image from `index.docker.io` (the original registry).
--- a/docs/docs/configuration/reporting.md
+++ b/docs/docs/configuration/reporting.md
@@ -58,6 +58,7 @@ The following languages are currently supported:
 |          | [yarn.lock][yarn-lock]                     |
 | .NET     | [packages.lock.json][dotnet-packages-lock] |
 | Python   | [poetry.lock][poetry-lock]                 |
+|          | [uv.lock][uv-lock]                         |
 | Ruby     | [Gemfile.lock][gemfile-lock]               |
 | Rust     | [cargo-auditable binaries][cargo-binaries] |
 | Go       | [go.mod][go-mod]                           |
@@ -120,15 +121,21 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 |     License      |     ✓     |

 ```
-$ trivy image -f json -o results.json golang:1.12-alpine
+$ trivy image -f json -o results.json alpine:latest
 ```

 <details>
 <summary>Result</summary>

 ```
-2019-05-16T01:46:31.777+0900    INFO    Updating vulnerability database...
-2019-05-16T01:47:03.007+0900    INFO    Detecting Alpine vulnerabilities...
+2024-12-26T22:01:18+05:30	INFO	[vuln] Vulnerability scanning is enabled
+2024-12-26T22:01:18+05:30	INFO	[secret] Secret scanning is enabled
+2024-12-26T22:01:18+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+2024-12-26T22:01:18+05:30	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
+2024-12-26T22:01:18+05:30	INFO	Detected OS	family="alpine" version="3.20.3"
+2024-12-26T22:01:18+05:30	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=14
+2024-12-26T22:01:18+05:30	INFO	Number of language-specific files	num=0
+2024-12-26T22:01:18+05:30	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
 ```

 </details>
@@ -137,107 +144,176 @@ $ trivy image -f json -o results.json golang:1.12-alpine
 <summary>JSON</summary>

 ```
-[
-  {
-    "Target": "php-app/composer.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "node-app/package-lock.json",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2018-16487",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "\u003e=4.17.11",
-        "Title": "lodash: Prototype pollution in utilities function",
-        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
-        "Severity": "HIGH",
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2024-12-26T21:58:15.943876+05:30",
+  "ArtifactName": "alpine:latest",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.20.3"
+    },
+    "ImageID": "sha256:511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450",
+    "DiffIDs": [
+      "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+    ],
+    "RepoTags": [
+      "alpine:latest"
+    ],
+    "RepoDigests": [
+      "alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
+    ],
+    "ImageConfig": {
+      "architecture": "arm64",
+      "created": "2024-09-06T12:05:36Z",
+      "history": [
+        {
+          "created": "2024-09-06T12:05:36Z",
+          "created_by": "ADD alpine-minirootfs-3.20.3-aarch64.tar.gz / # buildkit",
+          "comment": "buildkit.dockerfile.v0"
+        },
+        {
+          "created": "2024-09-06T12:05:36Z",
+          "created_by": "CMD [\"/bin/sh\"]",
+          "comment": "buildkit.dockerfile.v0",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "WorkingDir": "/",
+        "ArgsEscaped": true
      }
-    ]
+    }
  },
-  {
-    "Target": "trivy-ci-test (alpine 3.7.1)",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2018-16840",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r1",
-        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
-        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
-        "Severity": "HIGH",
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2019-3822",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r2",
-        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
-        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
-        "Severity": "HIGH",
-        "References": [
-          "https://curl.haxx.se/docs/CVE-2019-3822.html",
-          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-16839",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r1",
-        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
-        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
-        "Severity": "HIGH",
-        "References": [
-          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-19486",
-        "PkgName": "git",
-        "InstalledVersion": "2.15.2-r0",
-        "FixedVersion": "2.15.3-r0",
-        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
-        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
-        "Severity": "HIGH",
-        "References": [
-          "https://usn.ubuntu.com/3829-1/",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-17456",
-        "PkgName": "git",
-        "InstalledVersion": "2.15.2-r0",
-        "FixedVersion": "2.15.3-r0",
-        "Title": "git: arbitrary code execution via .gitmodules",
-        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
-        "Severity": "HIGH",
-        "References": [
-          "http://www.securitytracker.com/id/1041811",
-        ]
-      }
-    ]
-  },
-  {
-    "Target": "python-app/Pipfile.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "ruby-app/Gemfile.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "rust-app/Cargo.lock",
-    "Vulnerabilities": null
-  }
-]
+  "Results": [
+    {
+      "Target": "alpine:latest (alpine 3.20.3)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2024-9143",
+          "PkgID": "libcrypto3@3.3.2-r0",
+          "PkgName": "libcrypto3",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto3@3.3.2-r0?arch=aarch64\u0026distro=3.20.3",
+            "UID": "f705555b49cd2259"
+          },
+          "InstalledVersion": "3.3.2-r0",
+          "FixedVersion": "3.3.2-r1",
+          "Status": "fixed",
+          "Layer": {
+            "DiffID": "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access",
+          "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "VendorSeverity": {
+            "amazon": 3,
+            "redhat": 1,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2024-9143",
+            "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
+            "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
+            "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
+            "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
+            "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
+            "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
+            "https://nvd.nist.gov/vuln/detail/CVE-2024-9143",
+            "https://openssl-library.org/news/secadv/20241016.txt",
+            "https://www.cve.org/CVERecord?id=CVE-2024-9143"
+          ],
+          "PublishedDate": "2024-10-16T17:15:18.13Z",
+          "LastModifiedDate": "2024-11-08T16:35:21.58Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2024-9143",
+          "PkgID": "libssl3@3.3.2-r0",
+          "PkgName": "libssl3",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl3@3.3.2-r0?arch=aarch64\u0026distro=3.20.3",
+            "UID": "c4a39ef718e71832"
+          },
+          "InstalledVersion": "3.3.2-r0",
+          "FixedVersion": "3.3.2-r1",
+          "Status": "fixed",
+          "Layer": {
+            "DiffID": "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access",
+          "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "VendorSeverity": {
+            "amazon": 3,
+            "redhat": 1,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2024-9143",
+            "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
+            "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
+            "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
+            "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
+            "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
+            "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
+            "https://nvd.nist.gov/vuln/detail/CVE-2024-9143",
+            "https://openssl-library.org/news/secadv/20241016.txt",
+            "https://www.cve.org/CVERecord?id=CVE-2024-9143"
+          ],
+          "PublishedDate": "2024-10-16T17:15:18.13Z",
+          "LastModifiedDate": "2024-11-08T16:35:21.58Z"
+        }
+      ]
+    }
+  ]
+}
+
 ```

 </details>
@@ -339,8 +415,8 @@ If Trivy is installed using rpm then default templates can be found at `/usr/loc
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
-|      Secret      |           |
-|     License      |           |
+|      Secret      |     ✓     |
+|     License      |     ✓     |

 In the following example using the template `junit.tpl` XML can be generated.
 ```
@@ -428,7 +504,7 @@ $ trivy convert --format table --severity CRITICAL result.json
 ```

 !!! note
-    JSON reports from "trivy aws" and "trivy k8s" are not yet supported.
+    JSON reports from "trivy k8s" are not yet supported.

 [cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [action]: https://github.com/aquasecurity/trivy-action
@@ -449,9 +525,10 @@ $ trivy convert --format table --severity CRITICAL result.json
 [yarn-lock]: ../coverage/language/nodejs.md#yarn
 [dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
 [poetry-lock]: ../coverage/language/python.md#poetry
+[uv-lock]: ../coverage/language/python.md#uv
 [gemfile-lock]: ../coverage/language/ruby.md#bundler
-[go-mod]: ../coverage/language/golang.md#go-modules
-[composer-lock]: ../coverage/language/php.md#composer
+[go-mod]: ../coverage/language/golang.md#go-module
+[composer-lock]: ../coverage/language/php.md#composerlock
 [pom-xml]: ../coverage/language/java.md#pomxml
 [gradle-lockfile]: ../coverage/language/java.md#gradlelock
 [sbt-lockfile]: ../coverage/language/java.md#sbt
--- a/docs/docs/coverage/kubernetes.md
+++ b/docs/docs/coverage/kubernetes.md
@@ -17,7 +17,7 @@ Container image is scanned for:

 Kubernetes resource definition is scanned for:

- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
+- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom)
 - Misconfigurations
 - Exposed secrets

--- a/docs/docs/coverage/language/golang.md
+++ b/docs/docs/coverage/language/golang.md
@@ -12,17 +12,17 @@ The following scanners are supported.

 The table below provides an outline of the features Trivy offers.

-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |          Stdlib          | [Detection Priority][detection-priority] |
-|----------|:-----------:|:-----------------|:------------------------------------:|:------------------------:|:----------------------------------------:|
-| Modules  |      ✅      | Include          |        [✅](#dependency-graph)        |  [✅](#standard-library)  |          [✅](#standard-library)          |
-| Binaries |      ✅      | Exclude          |                  -                   | [✅](#standard-library-1) |                Not needed                |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |         Stdlib         | [Detection Priority][detection-priority] |
+|----------|:-----------:|:-----------------|:------------------------------------:|:----------------------:|:----------------------------------------:|
+| Modules  |      ✅      | Include          |        [✅](#dependency-graph)        |   [✅](#gomod-stdlib)   |            [✅](#gomod-stdlib)            |
+| Binaries |      ✅      | Exclude          |                  -                   | [✅](#go-binary-stdlib) |                Not needed                |

 !!! note
    When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself. 
    For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.

 ## Data Sources
-The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
+The data sources are listed [here](../../scanner/vulnerability.md#langpkg-data-sources).
 Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules.

 ## Go Module
@@ -60,12 +60,12 @@ If you want to have better detection, please consider updating the Go version in
    $ go mod tidy -go=1.18
    ```

-### Main Module
+### Main Module { #gomod-main }
 Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module. 
 For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself.
 Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.

-### Standard Library
+### Standard Library { #gomod-stdlib }
 Detecting the version of Go used in the project can be tricky.
 The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment.
 Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
@@ -105,7 +105,7 @@ In other cases, Go uses the `(devel)` version[^2].
 In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
 If unsuccessful, the version will be empty[^3].

-### Standard Library
+### Standard Library { #go-binary-stdlib }
 Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries.
 It possibly produces false positives.
 See [the caveat](#stdlib-vulnerabilities) for details.
@@ -120,7 +120,7 @@ There are a few ways to mitigate this:
 2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.

 ### Empty Version
-As described in the [Main Module](#main-module-1) section, the main module of Go binaries might have an empty version.
+As described in the [Main Module](#gomod-main) section, the main module of Go binaries might have an empty version.
 Also, dependencies replaced with local ones will have an empty version.

 [^1]: It doesn't require the Internet access.
--- a/docs/docs/coverage/language/index.md
+++ b/docs/docs/coverage/language/index.md
@@ -16,16 +16,16 @@ This is because Trivy primarily categorizes targets into two groups:
 If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files.
 On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.

-| Language             | File                                                                                       | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
+| Language             | File                                                                                       | Image[^4] | Rootfs[^5] | Filesystem[^6] | Repository[^7] |
 |----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
 | [Ruby](ruby.md)      | Gemfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | poetry.lock                                                                                |     -     |     -      |       ✅        |       ✅        |
+|                      | uv.lock                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | requirements.txt                                                                           |     -     |     -      |       ✅        |       ✅        |
 |                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |       -        |
 |                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |       -        |
-|                      | conda package[^3]                                                                          |     ✅     |     ✅      |       -        |       -        |
 | [PHP](php.md)        | composer.lock                                                                              |     -     |     -      |       ✅        |       ✅        |
 |                      | installed.json                                                                             |     ✅     |     ✅      |       -        |       -        |
 | [Node.js](nodejs.md) | package-lock.json                                                                          |     -     |     -      |       ✅        |       ✅        |
@@ -35,8 +35,8 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [.NET](dotnet.md)    | packages.lock.json                                                                         |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | packages.config                                                                            |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | .deps.json                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |
-|                      | *Packages.props[^11]                                                                       |     ✅     |     ✅      |       ✅        |       ✅        |
-| [Java](java.md)      | JAR/WAR/PAR/EAR[^4]                                                                        |     ✅     |     ✅      |       -        |       -        |
+|                      | *Packages.props[^9]                                                                        |     ✅     |     ✅      |       ✅        |       ✅        |
+| [Java](java.md)      | JAR/WAR/PAR/EAR[^3]                                                                        |     ✅     |     ✅      |       -        |       -        |
 |                      | pom.xml                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | *gradle.lockfile                                                                           |     -     |     -      |       ✅        |       ✅        |
 |                      | *.sbt.lock                                                                                 |     -     |     -      |       ✅        |       ✅        |
@@ -45,7 +45,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Rust](rust.md)      | Cargo.lock                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |       -        |       -        |
 | [C/C++](c.md)        | conan.lock                                                                                 |     -     |     -      |       ✅        |       ✅        |
-| [Elixir](elixir.md)  | mix.lock[^10]                                                                              |     -     |     -      |       ✅        |       ✅        |
+| [Elixir](elixir.md)  | mix.lock[^8]                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
@@ -61,12 +61,10 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do

 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
 [^2]: `.dist-info/META-DATA`
-[^3]: `envs/*/conda-meta/*.json`
-[^4]: `*.jar`, `*.war`, `*.par` and `*.ear`
-[^5]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^6]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
-[^9]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
-[^10]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
-[^11]: `Directory.Packages.props` and  legacy `Packages.props` file names are supported
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^9]: `Directory.Packages.props` and  legacy `Packages.props` file names are supported
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -60,7 +60,7 @@ Trivy reproduces Maven's repository selection and priority:

 !!! Note
    Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
-    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
+    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#langpkg-data-sources).

 You can disable connecting to the maven repository with the `--offline-scan` flag.
 The `--offline-scan` flag does not affect the Trivy database.
--- a/docs/docs/coverage/language/python.md
+++ b/docs/docs/coverage/language/python.md
@@ -8,6 +8,7 @@ The following scanners are supported for package managers.
 | pip             |  ✓   |       ✓       |    ✓    |
 | Pipenv          |  ✓   |       ✓       |    -    |
 | Poetry          |  ✓   |       ✓       |    -    |
+| uv              |  ✓   |       ✓       |    -    |

 In addition, Trivy supports three formats of Python packages: `egg`, `wheel` and `conda`.
 The following scanners are supported for Python packages.
@@ -25,7 +26,8 @@ The following table provides an outline of the features Trivy offers.
 |-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
 | pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
 | Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
-| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |
+| Poetry          | poetry.lock      |            ✓            |     [Exclude](#poetry)      |                  ✓                   |    -     |                Not needed                |
+| uv              | uv.lock          |            ✓            |     [Exclude](#uv)      |                  ✓                   |    -     |                Not needed                |          |


 | Packaging | Dependency graph |
@@ -44,7 +46,7 @@ Trivy parses your files generated by package managers in filesystem/repository s
 #### Dependency detection
 By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.

-Using the [--detection-priority comprehensive](#detection-priority) option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. 
+Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. 
 In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.

 ```
@@ -126,6 +128,16 @@ To build the correct dependency graph, `pyproject.toml` also needs to be present

 License detection is not supported for `Poetry`.

+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
+
+### uv
+Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.
+
+License detection is not supported for `uv`.
+
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
 ## Packaging
 Trivy parses the manifest files of installed packages in container image scanning and so on.
 See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -11,7 +11,7 @@ Trivy supports operating systems for

 | OS                                    | Supported Versions                  | Package Managers |
 |---------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
+| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.21, edge         | apk              |
 | [Wolfi Linux](wolfi.md)               | (n/a)                               | apk              |
 | [Chainguard](chainguard.md)           | (n/a)                               | apk              |
 | [Red Hat Enterprise Linux](rhel.md)   | 6, 7, 8                             | dnf/yum/rpm      |
--- a/docs/docs/coverage/os/oracle.md
+++ b/docs/docs/coverage/os/oracle.md
@@ -28,6 +28,19 @@ See [here](../../scanner/vulnerability.md#data-sources).
 ### Fixed Version
 Trivy takes fixed versions from [Oracle security advisories][alerts].

+#### Flavors
+Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor.
+
+| Flavor  |                Format                | Example                                              |
+|:-------:|:------------------------------------:|------------------------------------------------------|
+| normal  | version without `fips` and `ksplice` | 3.6.16-4.el8                                         |
+|  fips   |               `*_fips`               | 10:3.6.16-4.0.1.el8_fips                             |
+| ksplice |            `*.ksplice*.*`            | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 |
+
+
+For example Trivy finds [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) only for the `normal` and `fips` flavors. 
+For the `ksplice` flavor, [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) will be skipped.
+
 ### Severity
 Trivy determines vulnerability severity based on the severity metric provided in [Oracle security advisories][alerts].
 For example, the security patch for [CVE-2023-0464][CVE-2023-0464] is provided as [ELSA-2023-2645][ELSA-2023-2645].
--- a/docs/docs/coverage/others/index.md
+++ b/docs/docs/coverage/others/index.md
@@ -0,0 +1,28 @@
+# Others
+
+In this section we have placed images, package managers and files that we can't assign to existing sections.
+
+Trivy supports them for
+
+- [SBOM][sbom]
+- [Vulnerabilities][vuln]
+- [Licenses][license]
+
+## Supported elements
+
+| Element                        | File                                                | Image[^1] | Rootfs[^2] | Filesystem[^3] | Repository[^4] |
+|--------------------------------|-----------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
+| [Bitnami packages](bitnami.md) | `/opt/bitnami/<component>/.spdx-<component>.spdx`   |     ✅     |     ✅      |       -        |       -        |
+| [Conda](conda.md)              | `<conda-root>/envs/<env>/conda-meta/<package>.json` |     ✅     |     ✅      |       -        |       -        |
+|                                | `environment.yml`                                   |     -     |     -      |       ✅        |       ✅        |
+| [RPM Archives](rpm.md)         | `*.rpm`                                             |   ✅[^5]   |   ✅[^5]    |     ✅[^5]      |     ✅[^5]      |
+
+[sbom]: ../../supply-chain/sbom.md
+[vuln]: ../../scanner/vulnerability.md
+[license]: ../../scanner/license.md
+
+[^1]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^2]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^3]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^4]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^5]: Only if the `TRIVY_EXPERIMENTAL_RPM_ARCHIVE` env is set.
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -1,5 +1,6 @@
 # Docs

-In this section you can find the complete reference documentation for all the different features and settings that Trivy has to offer.
+Welcome to the Trivy documentation!  
+Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.

-👈 Please use the side-navigation on the left in order to browse the different topics.
+👈 Please use the left side navigation browse the different topics.
--- a/docs/docs/plugin/user-guide.md
+++ b/docs/docs/plugin/user-guide.md
@@ -103,7 +103,6 @@ VERSION:
   dev

 Scanning Commands
-  aws         [EXPERIMENTAL] Scan AWS account
  config      Scan config files for misconfigurations
  filesystem  Scan local filesystem
  image       Scan a container image
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -13,7 +13,7 @@ trivy config [flags] DIR
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --compliance string                 compliance report to generate
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -23,18 +23,19 @@ trivy filesystem [flags] PATH
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --compliance string                 compliance report to generate
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                           (precise,comprehensive) (default "precise")
+      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -56,7 +57,7 @@ trivy filesystem [flags] PATH
      --include-deprecated-checks         include deprecated checks
      --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
      --include-non-failures              include successes, available with '--scanners misconfig'
-      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -69,7 +70,7 @@ trivy filesystem [flags] PATH
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -37,18 +37,19 @@ trivy image [flags] IMAGE_NAME
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --compliance string                 compliance report to generate (docker-cis-1.6.0)
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                           (precise,comprehensive) (default "precise")
+      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --docker-host string                unix domain socket path to use for docker scanning
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
@@ -74,10 +75,11 @@ trivy image [flags] IMAGE_NAME
      --include-deprecated-checks         include deprecated checks
      --include-non-failures              include successes, available with '--scanners misconfig'
      --input string                      input file path instead of image name
-      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --max-image-size string             [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
@@ -87,7 +89,7 @@ trivy image [flags] IMAGE_NAME
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --platform string                   set platform in the form os/arch if image is multi-platform capable
      --podman-host string                unix podman socket path to use for podman scanning
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -33,18 +33,19 @@ trivy kubernetes [flags] [CONTEXT]
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --compliance string                 compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
-      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                           (precise,comprehensive) (default "precise")
      --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
+      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --exclude-kinds strings             indicate the kinds exclude from scanning (example: node)
@@ -70,7 +71,7 @@ trivy kubernetes [flags] [CONTEXT]
      --include-kinds strings             indicate the kinds included in scanning (example: node)
      --include-namespaces strings        indicate the namespaces included in scanning (example: kube-system)
      --include-non-failures              include successes, available with '--scanners misconfig'
-      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
      --kubeconfig string                 specify the kubeconfig file path to use
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -84,7 +85,7 @@ trivy kubernetes [flags] [CONTEXT]
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --qps float                         specify the maximum QPS to the master from this client (default 5)
      --redis-ca string                   redis ca file location, if using redis as cache backend
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -19,17 +19,17 @@ trivy repository [flags] (REPO_PATH | REPO_URL)

 ```
      --branch string                     pass the branch name to be scanned
-      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --commit string                     pass the commit hash to be scanned
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --include-deprecated-checks         include deprecated checks
      --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
      --include-non-failures              include successes, available with '--scanners misconfig'
-      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -69,7 +69,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -26,17 +26,18 @@ trivy rootfs [flags] ROOTDIR
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                           (precise,comprehensive) (default "precise")
+      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -58,7 +59,7 @@ trivy rootfs [flags] ROOTDIR
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-deprecated-checks         include deprecated checks
      --include-non-failures              include successes, available with '--scanners misconfig'
-      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -71,7 +72,7 @@ trivy rootfs [flags] ROOTDIR
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
--- a/docs/docs/references/configuration/cli/trivy_sbom.md
+++ b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -24,11 +24,12 @@ trivy sbom [flags] SBOM_PATH
      --cache-ttl duration           cache TTL when using redis as cache backend
      --compliance string            compliance report to generate
      --custom-headers strings       custom headers in client mode
-      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --detection-priority string    specify the detection priority:
                                       - "precise": Prioritizes precise by minimizing false positives.
                                       - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                      (precise,comprehensive) (default "precise")
+      --distro string                [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only             download/update vulnerability database but don't run a scan
      --download-java-db-only        download/update Java index database but don't run a scan
      --exit-code int                specify exit code when any security issues are found
@@ -41,7 +42,7 @@ trivy sbom [flags] SBOM_PATH
      --ignore-unfixed               display only fixed vulnerabilities
      --ignored-licenses strings     specify a list of license to ignore
      --ignorefile string            specify .trivyignore file (default ".trivyignore")
-      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --list-all-pkgs                output all packages in the JSON report regardless of vulnerability
      --no-progress                  suppress progress bar
      --offline-scan                 do not issue API requests to identify dependencies
@@ -49,7 +50,7 @@ trivy sbom [flags] SBOM_PATH
      --output-plugin-arg string     [EXPERIMENTAL] output plugin arguments
      --password strings             password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin               password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings    list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings    list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings            list of package types (os,library) (default [os,library])
      --redis-ca string              redis ca file location, if using redis as cache backend
      --redis-cert string            redis certificate file location, if using redis as cache backend
--- a/docs/docs/references/configuration/cli/trivy_server.md
+++ b/docs/docs/references/configuration/cli/trivy_server.md
@@ -22,7 +22,7 @@ trivy server [flags]
 ```
      --cache-backend string     [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration       cache TTL when using redis as cache backend
-      --db-repository strings    OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings    OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --download-db-only         download/update vulnerability database but don't run a scan
      --enable-modules strings   [EXPERIMENTAL] module names to enable
  -h, --help                     help for server
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -23,16 +23,17 @@ trivy vm [flags] VM_IMAGE
      --aws-region string                 AWS region to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
      --compliance string                 compliance report to generate
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                           (precise,comprehensive) (default "precise")
+      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -52,7 +53,7 @@ trivy vm [flags] VM_IMAGE
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-non-failures              include successes, available with '--scanners misconfig'
-      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
@@ -61,7 +62,7 @@ trivy vm [flags] VM_IMAGE
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
-      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -105,6 +105,7 @@ db:

  # Same as '--java-db-repository'
  java-repository:
+   - mirror.gcr.io/aquasec/trivy-java-db:1
   - ghcr.io/aquasecurity/trivy-java-db:1

  # Same as '--skip-java-db-update'
@@ -115,6 +116,7 @@ db:

  # Same as '--db-repository'
  repository:
+   - mirror.gcr.io/aquasec/trivy-db:2
   - ghcr.io/aquasecurity/trivy-db:2

  # Same as '--skip-db-update'
@@ -135,6 +137,9 @@ image:
  # Same as '--input'
  input: ""

+  # Same as '--max-image-size'
+  max-size: ""
+
  # Same as '--platform'
  platform: ""

@@ -373,7 +378,7 @@ license:
 ```yaml
 misconfiguration:
  # Same as '--checks-bundle-repository'
-  checks-bundle-repository: "ghcr.io/aquasecurity/trivy-checks:1"
+  checks-bundle-repository: "mirror.gcr.io/aquasec/trivy-checks:1"

  cloudformation:
    # Same as '--cf-params'
@@ -445,6 +450,7 @@ pkg:
  relationships:
   - unknown
   - root
+   - workspace
   - direct
   - indirect

@@ -458,6 +464,8 @@ pkg:

 ```yaml
 registry:
+  mirrors:
+
  # Same as '--password'
  password: []

@@ -567,6 +575,9 @@ scan:
  # Same as '--detection-priority'
  detection-priority: "precise"

+  # Same as '--distro'
+  distro: ""
+
  # Same as '--file-patterns'
  file-patterns: []

--- a/docs/docs/references/terminology.md
+++ b/docs/docs/references/terminology.md
@@ -0,0 +1,160 @@
+# Terminology
+
+This page explains the terminology system used in Trivy, helping users understand the specific terms and concepts unique to the Trivy ecosystem.
+
+**Inclusion Criteria**
+
+1. Core Components of Trivy
+    - Primary features such as Scanner, Target
+    - Essential components such as Scan Assets (trivy-db, trivy-java-db)
+    - Components that users directly interact with
+
+2. Trivy-specific Terms
+    - Terms unique to Trivy (e.g., VEX Hub)
+    - Terms that have special meaning in Trivy's context (e.g., Plugin, Module)
+
+**Exclusion Criteria**
+
+1. General Terms
+    - Common security/technical terms (e.g., CVE, CVSS, Container, Registry)
+    - Standard industry terminology
+
+2. Implementation Details
+    - Internal workings of components
+    - Usage instructions (these belong in feature documentation)
+
+
+## Core Concepts
+
+### Target
+Types of artifacts that Trivy can scan, like container images and filesystem.
+
+### Scanner
+Trivy's built-in security scanning engines. Trivy has four main scanners:
+
+- [Vulnerability Scanner](../scanner/vulnerability.md)
+- [Misconfiguration Scanner](../scanner/misconfiguration/index.md)
+- [Secret Scanner](../scanner/secret.md)
+- [License Scanner](../scanner/license.md)
+
+!!! note
+   SBOM is not a scanner but an output format option.
+
+### Scan Assets
+External data that Trivy downloads (if needed for scanner) and uses during scanning:
+
+- [Vulnerability Database (Trivy DB, trivy-db)](#vulnerability-database-trivy-db-trivy-db): Database containing vulnerability information
+- [Java Index Database (Trivy Java DB, trivy-java-db)](#java-index-database-trivy-java-db-trivy-java-db): Database for Java artifact identification
+- [Checks Bundle (trivy-checks)](#checks-bundle): Archive containing misconfiguration detection rules
+- [VEX Repository](#vex-repository): Repository containing VEX documents
+
+## Vulnerability Scanning
+
+### Vulnerability Database (Trivy DB, trivy-db)
+The core vulnerability database required for vulnerability detection.
+Contains comprehensive vulnerability information for multiple ecosystems.
+Distributed via OCI registry.
+
+Managed at https://github.com/aquasecurity/trivy-db.
+
+The vulnerability database is built from a GitHub repository that collects and stores vulnerability information from various data sources.
+This repository serves as the foundation for building the Trivy DB.
+
+Managed at:
+
+- https://github.com/aquasecurity/vuln-list
+- https://github.com/aquasecurity/vuln-list-nvd
+- https://github.com/aquasecurity/vuln-list-redhat
+- https://github.com/aquasecurity/vuln-list-debian
+- etc.
+
+### Java Index Database (Trivy Java DB, trivy-java-db)
+Specialized database used for identifying Java libraries and their components during JAR/WAR/PAR/EAR scanning.
+Distributed via OCI registry.
+
+Managed at https://github.com/aquasecurity/trivy-java-db.
+
+
+## Misconfiguration Scanning
+When the context does not clearly indicate these terms are related to misconfiguration scanning, they may be prefixed with "Misconfiguration" for clarity.
+For example, "Check" may be referred to as "Misconfiguration Check", and "Checks Bundle" as "Misconfiguration Checks Bundle".
+
+### Check
+A Rego file that defines rules for detecting misconfigurations in various types of IaC files.
+
+### Built-in Checks
+Default set of checks distributed through [the trivy-checks repository](https://github.com/aquasecurity/trivy-checks), providing standard security and configuration best practices.
+
+### Checks Bundle
+A tar.gz archive containing [the built-in checks](#built-in-checks), distributed via OCI registry.
+
+## Secret Scanning
+
+### Rule
+Pattern matching rules used to detect hardcoded secrets and sensitive information.
+Each rule consists of:
+
+- Metadata (ID, Category, Title, etc.)
+- Regular expressions for matching sensitive patterns
+- Additional context for detection accuracy
+
+## Kubernetes Integration
+
+### KBOM (Kubernetes Bill of Materials)
+A specialized SBOM format for Kubernetes clusters that includes detailed information about the cluster's components.
+
+## VEX (Vulnerability Exploitability eXchange)
+
+### VEX Repository
+A repository system that stores VEX documents following [the VEX Repository Specification](https://github.com/aquasecurity/vex-repo-spec).
+VEX repositories help users manage and share information about vulnerability applicability and exploitability.
+
+For detailed information about VEX repositories, see [the document](../supply-chain/vex/repo.md).
+
+### VEX Hub
+The default VEX repository managed by Aqua Security at https://github.com/aquasecurity/vexhub.
+It primarily aggregates VEX documents published by package maintainers in their source repositories.
+VEX Hub serves as a central point for collecting and distributing vulnerability applicability information for OSS projects.
+
+## Cache System
+
+### Cache Types
+The cache directory contains several distinct types of data:
+
+- [Vulnerability Database](#vulnerability-database-trivy-db-trivy-db)
+- [Java Index Database](#java-index-database-trivy-java-db-trivy-java-db)
+- [Misconfiguration Checks](#misconfiguration-scanning)
+- [VEX Repositories](#vex-repository)
+- [Scan Cache](#scan-cache)
+
+### Asset Cache
+Downloaded assets like vulnerability databases and Java index databases.
+
+### Scan Cache
+A caching mechanism that stores analysis results from previous scans to speed up subsequent scans.
+For container image scanning, the scan cache stores analysis results including package names and versions per layer.
+
+For detailed information about caching, see [the document](../configuration/cache.md).
+
+## Plugin System
+
+### Plugin
+An add-on tool that integrates with Trivy to extend its core functionality.
+Plugins can be written in any programming language and integrate seamlessly with Trivy CLI, appearing in Trivy help and subcommands.
+They can be installed and removed independently without affecting the core Trivy installation.
+
+For detailed information about plugins, see [the document](../plugin/index.md).
+
+### Plugin Index (trivy-plugin-index)
+A centralized registry that lists available Trivy plugins, managed at https://github.com/aquasecurity/trivy-plugin-index.
+The index maintains a curated list of official and community plugins, providing metadata such as plugin names, descriptions, and maintainers.
+It enables plugin discovery through the `trivy plugin search` command and facilitates automatic plugin installation and updates.
+
+For detailed information about the plugin index, see [the document](../plugin/user-guide.md).
+
+## Module System
+### Module
+A WebAssembly-based extension mechanism that allows custom scanning logic without modifying the Trivy binary.
+Modules can modify scan results by analyzing files or post-processing results.
+
+For detailed information about modules, see [the document](../advanced/modules.md).
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -79,21 +79,25 @@ $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
 ```

 ### GitHub Rate limiting
+Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md).

 !!! error
    ``` bash
-    $ trivy image ...
+    $ trivy image --vex repo ...
    ...
    API rate limit exceeded for xxx.xxx.xxx.xxx.
    ```

-Specify GITHUB_TOKEN for authentication
-https://developer.github.com/v3/#rate-limiting
+Specify GITHUB_TOKEN for [authentication](https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28)

 ```
-$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
+$ GITHUB_TOKEN=XXXXXXXXXX trivy image --vex repo [YOUR_IMAGE]
 ```

+!!! note
+    `GITHUB_TOKEN` doesn't help with the rate limit for the vulnerability database and other assets.
+    See https://github.com/aquasecurity/trivy/discussions/8009
+
 ### Unable to open JAR files

 !!! error
@@ -217,6 +221,11 @@ Please remove the token and try downloading the DB again.
 docker logout ghcr.io
 ```

+or
+
+```shell
+unset GITHUB_TOKEN
+```

 ## Homebrew
 ### Scope error
@@ -269,4 +278,4 @@ $ trivy clean --all

 [air-gapped]: ../advanced/air-gap.md
 [network]: ../advanced/air-gap.md#network-requirements
-[redis-cache]: ../../vulnerability/examples/cache/#cache-backend
+[redis-cache]: ../configuration/cache.md#redis
--- a/docs/docs/scanner/misconfiguration/check/builtin.md
+++ b/docs/docs/scanner/misconfiguration/check/builtin.md
@@ -9,7 +9,7 @@ See [here](../../../coverage/iac/index.md) for the list of supported config type
 When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.

 ## Checks Distribution
-Trivy checks are distributed as an [OPA bundle](opa-bundle) hosted in the following GitHub Container Registry: <https://ghcr.io/aquasecurity/trivy-checks>.  
+Trivy checks are distributed as an [OPA bundle][opa-bundle] hosted in the following GitHub Container Registry: <https://ghcr.io/aquasecurity/trivy-checks>.  
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.

 ### External connectivity
--- a/docs/docs/scanner/misconfiguration/custom/index.md
+++ b/docs/docs/scanner/misconfiguration/custom/index.md
@@ -121,17 +121,17 @@ Trivy supports extra fields in the `custom` section as described below.
 If you are creating checks for your Trivy misconfiguration scans, some fields are optional as referenced in the table below. The `schemas` field should be used to enable policy validation using a built-in schema. It is recommended to use this to ensure your checks are 
 correct and do not reference incorrect properties/values.

-| Field name                 | Allowed values                                                    |        Default value         |     In table     |     In JSON      |
-|----------------------------|-------------------------------------------------------------------|:----------------------------:|:----------------:|:----------------:|
-| title                      | Any characters                                                    |             N/A              | :material-check: | :material-check: |
-| description                | Any characters                                                    |                              | :material-close: | :material-check: |
-| schemas.input              | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | :material-close: | :material-close: |
-| custom.id                  | Any characters                                                    |             N/A              | :material-check: | :material-check: |
-| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`                               |           UNKNOWN            | :material-check: | :material-check: |
-| custom.recommended_actions | Any characters                                                    |                              | :material-close: | :material-check: |
-| custom.deprecated          | `true`, `false`                                                   |           `false`            | :material-close: | :material-check: | 
-| custom.input.selector.type | Any item(s) in [this list][source-types]                          |                              | :material-close: | :material-check: |
-| url                        | Any characters                                                    |                              | :material-close: | :material-check: |
+| Field name                 | Allowed values                                                    |        Default value         | In table | In JSON |
+|----------------------------|-------------------------------------------------------------------|:----------------------------:|:--------:|:-------:|
+| title                      | Any characters                                                    |             N/A              |    ✅     |    ✅    |
+| description                | Any characters                                                    |                              |    -     |    ✅    |
+| schemas.input              | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) |    -     |    -    |
+| custom.id                  | Any characters                                                    |             N/A              |    ✅     |    ✅    |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`                               |           UNKNOWN            |    ✅     |    ✅    |
+| custom.recommended_actions | Any characters                                                    |                              |    -     |    ✅    |
+| custom.deprecated          | `true`, `false`                                                   |           `false`            |    -     |    ✅    |
+| custom.input.selector.type | Any item(s) in [this list][source-types]                          |                              |    -     |    ✅    |
+| url                        | Any characters                                                    |                              |    -     |    ✅    |

 #### custom.avd_id and custom.id

--- a/docs/docs/scanner/misconfiguration/index.md
+++ b/docs/docs/scanner/misconfiguration/index.md
@@ -449,9 +449,9 @@ From the Terraform [docs](https://developer.hashicorp.com/terraform/cli/config/c
 If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.


-### Skipping resources by inline comments
+### Skipping detected misconfigurations by inline comments

-Trivy supports ignoring misconfigured resources by inline comments for Terraform and CloudFormation configuration files only.
+Trivy supports ignoring detected misconfigurations by inline comments for Terraform, CloudFormation (YAML), Helm and Dockerfile configuration files only.

 In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).

@@ -503,6 +503,29 @@ Resources:
      BucketName: test-bucket
 ```

+!!!note
+    Ignore rules for Helm files should be placed before the YAML object, since only it contains the location data needed for ignoring.
+    
+Example for Helm:
+```yaml
+      serviceAccountName: "testchart.serviceAccountName"
+      containers:
+        # trivy:ignore:KSV018
+        - name: "testchart"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 3000
+          image: "your-repository/your-image:your-tag"
+          imagePullPolicy: "Always"
+```
+
+Example for Dockerfile:
+```Dockerfile
+FROM scratch
+# trivy:ignore:AVD-DS-0022
+MAINTAINER moby@example.com
+```
+
 #### Expiration Date

 You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
--- a/docs/docs/scanner/vulnerability.md
+++ b/docs/docs/scanner/vulnerability.md
@@ -113,7 +113,7 @@ To hide unfixed/unfixable vulnerabilities, you can use the `--ignore-unfixed` fl
 ### Supported Languages
 See [here](../coverage/language/index.md#supported-languages) for the supported languages.

-### Data Sources
+### Data Sources { #langpkg-data-sources }

 | Language | Source                                              | Commercial Use | Delay[^1] |
 |----------|-----------------------------------------------------|:--------------:|:---------:|
@@ -141,10 +141,10 @@ See [here](../coverage/language/index.md#supported-languages) for the supported

 If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:

- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries)
- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries)
- [Rust Binaries with embedded information](../coverage/language/rust/#binaries)
- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images)
+- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor.md#non-packaged-binaries)
+- [Go Binaries with embedded module information](../coverage/language/golang.md#go-binary)
+- [Rust Binaries with embedded information](../coverage/language/rust.md#binaries)
+- [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets)

 ## Kubernetes

@@ -152,28 +152,15 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components by scanni

 ### Data Sources

-| Vendor        | Source                                      |
-| ------------- |---------------------------------------------|
-| Kubernetes    | [Kubernetes Official CVE feed][k8s-cve][^1] |
+| Vendor     | Source                                      |
+|------------|---------------------------------------------|
+| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |

 [^1]: Some manual triage and correction has been made.

 ## Databases
-Trivy utilizes several databases containing information relevant for vulnerability scanning.  
-When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically, so normally users can be oblivious to it.
-
-For CLI flags related to the database, please refer to [this page](../configuration/db.md).
-
-### Vulnerability Database
-This is Trivy's main database which contains vulnerability information, as collected from the datasources mentioned above.  
-It is built every six hours on [GitHub](https://github.com/aquasecurity/trivy-db).  
-
-### Java Index Database
-When scanning JAR files, Trivy relies on a dedicated database for identifying the groupId, artifactId, and version of the scanned JAR files. This database is only used when scanning JAR files, however your scanned artifacts might contain JAR files that you're not aware of.  
-This database is built once a day on [GitHub](https://github.com/aquasecurity/trivy-java-db).  
-
-### External connectivity
-Trivy needs to connect to the internet to download the databases. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../advanced/air-gap.md).
+The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
+For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).

 ## Detection Behavior
 Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
@@ -352,6 +339,12 @@ Regardless of the chosen mode, user review of detected vulnerabilities is crucia
 - `precise`: Review thoroughly, considering potential missed vulnerabilities.
 - `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.

+### Overriding OS version
+By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
+However, in some cases, you may want to scan an image with a different OS version than the one detected.
+Also, you may want to specify the OS version when OS is not detected.
+For these cases, Trivy supports a `--distro` flag using the `<family>/<version>` format (e.g. `alpine/3.20`) to set the desired OS version.
+
 [^1]: https://github.com/GoogleContainerTools/distroless

 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
--- a/docs/docs/supply-chain/attestation/sbom.md
+++ b/docs/docs/supply-chain/attestation/sbom.md
@@ -9,7 +9,7 @@ And, Trivy can take an SBOM attestation as input and scan for vulnerabilities

 ## Sign with a local key pair

-Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys).

 ```bash
 $ cosign generate-key-pair
--- a/docs/docs/supply-chain/attestation/vuln.md
+++ b/docs/docs/supply-chain/attestation/vuln.md
@@ -154,7 +154,7 @@ $ trivy image --format cosign-vuln --output vuln.json alpine:3.10

 ### Sign with a local key pair

-Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys).

 ```bash
 $ cosign generate-key-pair
--- a/docs/docs/supply-chain/sbom.md
+++ b/docs/docs/supply-chain/sbom.md
@@ -738,6 +738,7 @@ See [here](../target/sbom.md) for more details.

 ### SBOM Detection inside Targets
 Trivy searches for SBOM files in container images with the following extensions:
+
 - `.spdx`
 - `.spdx.json`
 - `.cdx`
@@ -762,7 +763,7 @@ It is enabled in the following targets.

 When scanning container images, Trivy can discover SBOM for those images. [See here](../target/container_image.md) for more details.

-[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
+[spdx]: https://spdx.github.io/spdx-spec/v2.2.2/

 [cyclonedx]: https://cyclonedx.org/
 [sbom]: https://cyclonedx.org/capabilities/sbom/
--- a/docs/docs/supply-chain/vex/file.md
+++ b/docs/docs/supply-chain/vex/file.md
@@ -269,13 +269,13 @@ You can see [the appendix](#applying-vex-to-dependency-trees) for more details o
 Provide the VEX when scanning your target.

 ```bash
-$ trivy image debian:11 --vex debian11.openvex.json
+$ trivy image debian:11.6 --vex debian11.openvex.json
 ...
 2023-04-26T17:56:05.358+0300    INFO    Filtered out the detected vulnerability {"VEX format": "OpenVEX", "vulnerability-id": "CVE-2019-8457", "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}

-debian11.spdx.json (debian 11.6)
-================================
-Total: 80 (UNKNOWN: 0, LOW: 58, MEDIUM: 6, HIGH: 16, CRITICAL: 0)
+debian:11.6 (debian 11.6)
+
+Total: 176 (UNKNOWN: 1, LOW: 82, MEDIUM: 46, HIGH: 41, CRITICAL: 5)
 ```

 CVE-2019-8457 is no longer shown as it is filtered out according to the given OpenVEX document.
@@ -420,13 +420,13 @@ You can see [the appendix](#applying-vex-to-dependency-trees) for more details o
 Provide the CSAF document when scanning your target.

 ```bash
-$ trivy image debian:11 --vex debian11.vex.csaf
+$ trivy image debian:11.8 --vex debian11.vex.csaf
 ...
 2024-01-02T10:28:26.704+0100	INFO	Filtered out the detected vulnerability	{"VEX format": "CSAF", "vulnerability-id": "CVE-2019-8457", "status": "not_affected"}

-debian11.spdx.json (debian 11.6)
-================================
-Total: 80 (UNKNOWN: 0, LOW: 58, MEDIUM: 6, HIGH: 16, CRITICAL: 0)
+debian:11.8 (debian 11.8)
+
+Total: 153 (UNKNOWN: 1, LOW: 82, MEDIUM: 33, HIGH: 32, CRITICAL: 5)
 ```

 CVE-2019-8457 is no longer shown as it is filtered out according to the given CSAF document.
--- a/docs/docs/supply-chain/vex/oci.md
+++ b/docs/docs/supply-chain/vex/oci.md
@@ -87,7 +87,7 @@ You can also refer to [Trivy's example](https://github.com/aquasecurity/trivy/bl

 ### Step 2: Generate and Upload a VEX Attestation to an OCI Registry

-You can use the [Cosign command](https://docs.sigstore.dev/verifying/attestation/) to generate and upload the VEX attestation.
+You can use the [Cosign command](https://docs.sigstore.dev/cosign/verifying/attestation/) to generate and upload the VEX attestation.
 Cosign offers methods both with and without keys.
 For detailed instructions, please refer to the Cosign documentation.

--- a/docs/docs/target/aws.md
+++ b/docs/docs/target/aws.md
@@ -1,109 +0,0 @@
-# Amazon Web Services
-
-!!! warning "EXPERIMENTAL"
-    This feature might change without preserving backwards compatibility.
-
-The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. 
-You can either run the CLI locally or integrate it into your CI/CD pipeline. 
-
-Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
-
-The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
-
-Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
-
-You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
-
-Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
-
-Trivy currently supports the following scanning for AWS accounts.
-
- Misconfigurations
-
-## CLI Commands
-
-Scan a full AWS account (all supported services):
-
-```shell
-trivy aws --region us-east-1
-```
-
-You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
-
-![AWS Summary Report](../../imgs/trivy-aws.png)
-
-The summary view is the default when scanning multiple services.
-
-Scan a specific service:
-
-```shell
-trivy aws --service s3
-```
-
-Scan multiple services:
-
-```shell
-# --service s3,ec2 works too
-trivy aws --service s3 --service ec2
-```
-
-Show results for a specific AWS resource:
-
-```shell
-trivy aws --service s3 --arn arn:aws:s3:::example-bucket
-```
-
-All ARNs with detected issues will be displayed when showing results for their associated service.
-
-## Compliance
-This section describes AWS specific compliance reports.
-For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
-
-### Built in reports
-
-the following reports are available out of the box:
-
-| Compliance                         | Name for command | More info                                                                                            |
-|------------------------------------|------------------|------------------------------------------------------------------------------------------------------|
-| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2`    | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)            |
-| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4`    | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) |
-
-### Examples
-
-Scan a cloud account and generate a compliance summary report:
-
-```
-$ trivy aws --compliance=<compliance_id> --report=summary
-```
-
-***Note*** : The `Issues` column represent the total number of failed checks for this control.
-
-
-Get all of the detailed output for checks:
-
-```
-$ trivy aws --compliance=<compliance_id> --report all
-```
-
-Report result in JSON format:
-
-```
-$ trivy aws --compliance=<compliance_id> --report all --format json
-```
-
-## Cached Results
-
-By default, Trivy will cache a representation of each AWS service for 24 hours.
-This means you can filter and view results for a service without having to wait for the entire scan to run again.
-If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`.
-Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.).
-Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
-
-## Custom Checks
-
-You can write custom checks for Trivy to evaluate against your AWS account.
-These checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/).
-See the [Custom Checks](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom checks.
-
-Custom checks in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud checks.
-See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom checks.
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -272,7 +272,7 @@ $ trivy image aquasec/nginx
    This feature might change without preserving backwards compatibility.

 Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
-Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
+If you prefer to keep the socket open at all times, then before performing Trivy commands, you can enable the podman.sock systemd service on your machine.
 For more details, see [here](https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine).


@@ -293,6 +293,15 @@ localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
 $ trivy image test
 ```

+If you prefer not to keep the socket open at all times, but to limit the socket opening for your trivy scanning duration only then you can scan your image with the following command:
+
+```bash
+podman system service --time=0 "${TMP_PODMAN_SOCKET}" &                                                                                                                                                             
+PODMAN_SYSTEM_SERVICE_PID="$!"                                                                                                                                                                                      
+trivy image --podman-host="${TMP_PODMAN_SOCKET}" --docker-host="${TMP_PODMAN_SOCKET}" test
+kill "${PODMAN_SYSTEM_SERVICE_PID}"
+```
+
 ### Container Registry
 Trivy supports registries that comply with the following specifications.

@@ -454,6 +463,12 @@ trivy image --compliance docker-cis-1.6.0 [YOUR_IMAGE_NAME]
 ## Authentication
 Please reference [this page](../advanced/private-registries/index.md).

+## Scan Cache
+When scanning container images, it stores analysis results in the cache, using the image ID and the layer IDs as the key.
+This approach enables faster scans of the same container image or different images that share layers.
+
+More details are available in the [cache documentation](../configuration/cache.md#scan-cache-backend).
+
 ## Options
 ### Scan Image on a specific Architecture and OS
 By default, Trivy loads an image on a "linux/amd64" machine.
@@ -509,3 +524,30 @@ You can configure Podman daemon socket with `--podman-host`.
 ```shell
 $ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE
 ```
+
+### Prevent scanning oversized container images
+Use the `--max-image-size` flag to avoid scanning images that exceed a specified size. The size is specified in a human-readable format[^1] (e.g., `100MB`, `10GB`).
+
+An error is returned in the following cases:
+
+- if the compressed image size exceeds the limit,
+- if the accumulated size of the uncompressed layers exceeds the limit during their pulling.
+
+The layers are pulled into a temporary folder during their pulling and are always cleaned up, even after a successful scan.
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+
+Example Usage:
+```bash
+# Limit uncompressed image size to 10GB
+$ trivy image --max-image-size=10GB myapp:latest
+```
+
+Error Output:
+```bash
+Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)
+```
+
+[^1]: Trivy uses decimal (SI) prefixes (based on 1000) for size.
--- a/docs/docs/target/filesystem.md
+++ b/docs/docs/target/filesystem.md
@@ -91,3 +91,13 @@ $ trivy fs --scanners license /path/to/project
 ## SBOM generation
 Trivy can generate SBOM for local projects.
 See [here](../supply-chain/sbom.md) for the detail.
+
+## Scan Cache
+When scanning local projects, it doesn't use the cache by default.
+However, when the local project is a git repository with clean status and the cache backend other than the memory one is enabled, it stores analysis results, using the latest commit hash as the key.
+
+```shell
+$ trivy fs --cache-backend fs /path/to/git/repo
+```
+
+More details are available in the [cache documentation](../configuration/cache.md#scan-cache-backend).
--- a/docs/docs/target/kubernetes.md
+++ b/docs/docs/target/kubernetes.md
@@ -38,6 +38,10 @@ for example:
 trivy k8s --report summary
 ```

+!!! note "JSON result for multi-container pods"
+    For multi-container pods, it may be challenging to associate results with specific images in the json summary report. Kubernetes treats a pod as a single object, so individual images within the pod aren’t distinguished. 
+    For detailed information, please use the `--report all` option.
+
 By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.  
 You can also specify a `kubeconfig` using the `--kubeconfig` flag:

@@ -45,10 +49,41 @@ You can also specify a `kubeconfig` using the `--kubeconfig` flag:
 trivy k8s --kubeconfig ~/.kube/config2
 ```

-By default, all cluster resource images will be downloaded and scanned.
+## Required roles
+To successfully scan a Kubernetes cluster, `trivy kubernetes` subcommand must be executed under a role or a cluster role that has some specific permissions.
+
+The role must have `list` verb for all resources (`"*"`) inside the following API groups: core (`""`), `"apps"`, `"batch"`,`"networking.k8s.io"`, `"rbac.authorization.k8s.io"`:
+```yaml
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["list"]
+- apiGroups: ["apps", "batch", "networking.k8s.io", "rbac.authorization.k8s.io"]
+  resources: ["*"]
+  verbs: ["list"]
+```
+If `node collector` is enabled (default: enabled), Trivy needs a cluster role with some additional permissions to run and track the jobs:
+```yaml
+- apiGroups: [""]
+  resources: ["nodes/proxy", "pods/log"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["watch"]
+- apiGroups: ["batch"]
+  resources: ["jobs", "cronjobs"]
+  verbs: ["list", "get"]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["create","delete", "watch"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["create"]
+```

 ### Skip-images

+By default, all cluster resource images will be downloaded and scanned.
+
 You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.

 - `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.
@@ -87,6 +122,9 @@ You can control which namespaces will be discovered using the `--include-namespa

 By default, all namespaces will be included in cluster scanning.

+!!! note "using `--exclude-namespaces`"
+    Trivy requires a complete list of namespaces to exclude specific ones. Therefore, `--exclude-namespaces` option is only available for cluster roles now.
+
 Example:

 ```sh
--- a/docs/docs/target/repository.md
+++ b/docs/docs/target/repository.md
@@ -109,6 +109,12 @@ $ trivy repo --scanners license (REPO_PATH | REPO_URL)
 Trivy can generate SBOM for code repositories.
 See [here](../supply-chain/sbom.md) for the detail.

+## Scan Cache
+When scanning git repositories, it stores analysis results in the cache, using the latest commit hash as the key.
+Note that the cache is not used when the repository is dirty, otherwise Trivy will miss the files that are not committed.
+
+More details are available in the [cache documentation](../configuration/cache.md#scan-cache-backend).
+
 ## References
 The following flags and environmental variables are available for remote git repositories.

--- a/docs/docs/target/sbom.md
+++ b/docs/docs/target/sbom.md
@@ -6,7 +6,7 @@ Trivy can take the following SBOM formats as an input and scan for vulnerabiliti
 - SPDX
 - SPDX JSON
 - CycloneDX-type attestation
- [KBOM](./kubernetes.md#KBOM) in CycloneDX format
+- [KBOM](./kubernetes.md#kbom) in CycloneDX format

 To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
 The input format is automatically detected.
@@ -118,7 +118,7 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

 ## KBOM

-To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).
+To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#kbom).

 The supported Kubernetes distributions for core components vulnerability scanning are:

--- a/docs/docs/target/vm.md
+++ b/docs/docs/target/vm.md
@@ -12,7 +12,7 @@ The following targets are currently supported:
 - AWS EC2
    - Amazon Machine Image (AMI)
    - Amazon Elastic Block Store (EBS) Snapshot
- 
+
 ### Local file
 Pass the path to your local VM image file.

@@ -58,7 +58,7 @@ Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
 │                            │                │          │                               │                               │ cause named to terminate...                                  │
 │                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
 ├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
-... 
+...
 ```

 </details>
@@ -182,6 +182,14 @@ $ trivy vm --scanners license [YOUR_VM_IMAGE]
 Trivy can generate SBOM for VM images.
 See [here](../supply-chain/sbom.md) for the detail.

+## Scan Cache
+When scanning AMI or EBS snapshots, it stores analysis results in the cache, using the snapshot ID.
+Scanning the same snapshot several times skips analysis if the cache is already available.
+
+When scanning local files, it doesn't use the cache by default.
+
+More details are available in the [cache documentation](../configuration/cache.md#scan-cache-backend).
+
 ## Supported Architectures

 ### Virtual machine images
@@ -234,7 +242,7 @@ Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
 | ZFS               |         |


-[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk
+[vmdk]: https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc
 [ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
 [coldsnap]: https://github.com/awslabs/coldsnap

--- a/docs/ecosystem/ide.md
+++ b/docs/ecosystem/ide.md
@@ -1,11 +1,13 @@
 # IDE and developer tools Integrations

 ## VSCode (Official)
+
 [Visual Studio Code](https://code.visualstudio.com/) is an open source versatile code editor and development environment.

 👉 Get it at: <https://github.com/aquasecurity/trivy-vscode-extension>

 ## JetBrains (Official)
+
 [JetBrains](https://jetbrains.com) makes IDEs such as Goland, Pycharm, IntelliJ, Webstorm, and more.

 The Trivy plugin for JetBrains IDEs lets you use Trivy right from your development environment.
@@ -13,6 +15,7 @@ The Trivy plugin for JetBrains IDEs lets you use Trivy right from your developme
 👉 Get it at: <https://plugins.jetbrains.com/plugin/18690-trivy-findings-explorer>

 ## Kubernetes Lens (Official)
+
 [Kubernetes Lens](https://k8slens.dev/) is a management application for Kubernetes clusters.

 Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloads and view the results in the Lens UI.
@@ -20,6 +23,7 @@ Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloa
 👉 Get it at: <https://github.com/aquasecurity/trivy-operator-lens-extension>

 ## Vim (Community)
+
 [Vim](https://www.vim.org/) is a terminal based text editor.

 Vim plugin for Trivy to install and run Trivy.
@@ -27,6 +31,7 @@ Vim plugin for Trivy to install and run Trivy.
 👉 Get it at: <https://github.com/aquasecurity/vim-trivy>

 ## Docker Desktop (Community)
+
 [Docker Desktop](https://www.docker.com/products/docker-desktop/) is an easy way to install [Docker]() container engine on your development machine, and manage it in a GUI .

 Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs
@@ -34,11 +39,13 @@ Trivy Docker Desktop extension for scanning container images for vulnerabilities
 👉 Get it at: <https://github.com/aquasecurity/trivy-docker-extension>

 ## Rancher Desktop (Community)
+
 [Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and manage it in a GUI.

-Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: <https://docs.rancherdesktop.io/getting-started/features#scanning-images>
+Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: <https://docs.rancherdesktop.io/ui/images/#scanning-images>

 ## LazyTrivy (Community)
+
 A terminal native UI for Trivy

 👉 Get it at: <https://github.com/owenrumney/lazytrivy>
@@ -64,3 +71,9 @@ A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting
 A CDK Construct Library to scan an image with trivy in CDK codes.

 👉 Get it at: <https://constructs.dev/packages/image-scanner-with-trivy>
+
+## Headlamp plugin (Community)
+
+[Headlamp](https://headlamp.dev/) is a user-friendly Kubernetes UI focused on extensibility. The Kubescape plugin extends Headlamp with views on Trivy reports.
+
+👉 Get it at: <https://github.com/kubebeam/trivy-headlamp-plugin>
--- a/docs/getting-started/faq.md
+++ b/docs/getting-started/faq.md
@@ -11,7 +11,7 @@ Check out the [Scanning coverage page](../docs/coverage/index.md).
 ### Is there a paid version of Trivy?

 If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
-You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
+You can find a high level comparison table specific to Trivy users [here](../commercial/compare.md).  
 In addition check out the <https://aquasec.com> website for more information about our products and services.
 If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>

--- a/docs/getting-started/index.md
+++ b/docs/getting-started/index.md
@@ -0,0 +1,74 @@
+# First steps with Trivy
+
+## Get Trivy
+
+Trivy is available in most common distribution channels. The complete list of installation options is available in the [Installation](./installation.md) page. Here are a few popular examples:
+
+- macOS: `brew install trivy`
+- Docker: `docker run aquasec/trivy`
+- Download binary from [GitHub Release](https://github.com/aquasecurity/trivy/releases/latest/)
+- See [Installation](./installation.md) for more
+
+Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem](../ecosystem/index.md) page. Here are a few popular options examples:
+
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
+- See [Ecosystem](../ecosystem/index.md) for more
+
+## General usage
+
+Trivy's Command Line Interface pattern follows its major concepts: targets (what you want to scan), and scanners (what you want to scan for):
+
+```bash
+trivy <target> [--scanners <scanner1,scanner2>] <subject>
+```
+
+### Examples
+
+Scan a container image from registry, with the default scanner which is Vulnerabilities scanner:
+
+```bash
+trivy image python:3.4-alpine
+```
+
+<video width="1000" muted controls>
+  <source src="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" type="video/mp4" />
+</video>
+
+Scan a local code repository, for vulnerabilities, exposed secrets and misconfigurations:
+
+```bash
+trivy fs --scanners vuln,secret,misconfig /path/to/myproject
+```
+
+<video width="1000" muted controls>
+  <source src="https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov" type="video/mp4" />
+</video>
+
+Scan a Kubernetes cluster, with all available scanners, and show a summary report:
+
+```bash
+trivy k8s --report summary cluster
+```
+
+<img src="../imgs/trivy-k8s.png" width="1000" alt="trivy-k8s"/>
+
+For a more complete introduction, check out the basic Trivy Demo: <https://github.com/itaysk/trivy-demo>
+
+## Learn more
+
+Now that you up and ready, here are some resources to help you deepen your knowledge:
+
+- Learn more about Trivy's capabilities by exploring the complete [documentation](../docs/index.md).
+- Explore community questions and under [GitHub Discussions](https://github.com/aquasecurity/trivy/discussions).
+- Stay up to date by watching for [New Releases & Announcements](https://github.com/aquasecurity/trivy/discussions/categories/announcements).
+- Follow Trivy on Twitter/X: [@aquatrivy](https://x.com/aquatrivy)
+- Explore and subscribe to our YouTube channel [@AquaSecOSS](http://youtube.com/@aquasecoss)
+
+# Want more? Check out Aqua
+
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
+You can find a high level comparison table specific to Trivy users [here](../commercial/compare.md).  
+In addition, check out the <https://aquasec.com> website for more information about our products and services.
+If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -1,10 +1,47 @@
 # Installing Trivy

-In this section you will find an aggregation of the different ways to install Trivy. installations are listed as either "official" or "community". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
+In this section you will find an aggregation of the different ways to install Trivy. Installation options are labeled as either "Official" or "Community". Official installations are developed by the Trivy team and supported by it. Community installations could be developed by anyone from the Trivy community, and collected here for your convenience. For support or questions about community installations, please contact the original developers.

-## Install using Package Manager
+!!! note
+    If you are looking to integrate Trivy into another system, such as CI/CD, IDE, Kubernetes, etc, please see [Ecosystem section](../ecosystem/index.md) to explore integrations of Trivy with other tools.

-### RHEL/CentOS (Official)
+## Container image (Official)
+
+Use one of the official Trivy images:
+
+| Registry | Repository | Link |
+| --- | --- | --- |
+| Docker Hub | `docker.io/aquasec/trivy` | https://hub.docker.com/r/aquasec/trivy |
+| GitHub Container Registry (GHCR) | `ghcr.io/aquasecurity/trivy` | https://github.com/orgs/aquasecurity/packages/container/package/trivy |
+| AWS Elastic Container Registry (ECR) | `public.ecr.aws/aquasecurity/trivy` | https://gallery.ecr.aws/aquasecurity/trivy |
+
+!!! Tip
+    It is advisable to mount a persistent [cache dir](../docs/configuration/cache.md) on the host into the Trivy container.
+
+!!! Tip
+    For scanning container images with Trivy, mount the container engine socket from the host into the Trivy container.
+
+Example:
+
+``` bash
+docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
+```
+
+## GitHub Release (Official)
+
+1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).  
+2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
+3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
+
+## Install Script (Official)
+
+For convenience, you can use the install script to download and install Trivy from GitHub Release.
+
+```bash
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
+```
+
+## RHEL/CentOS (Official)

 === "Repository"
    Add repository setting to `/etc/yum.repos.d`.
@@ -28,7 +65,7 @@ In this section you will find an aggregation of the different ways to install Tr
    rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm
    ```

-### Debian/Ubuntu (Official)
+## Debian/Ubuntu (Official)

 === "Repository"
    Add repository setting to `/etc/apt/sources.list.d`.
@@ -48,22 +85,20 @@ In this section you will find an aggregation of the different ways to install Tr
    sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb
    ```

-### Homebrew (Official)
+## Homebrew (Official)

-Homebrew for MacOS and Linux.
+Homebrew for macOS and Linux.

 ```bash
 brew install trivy
 ```

-### Windows (Official)
+## Windows (Official)

 1. Download trivy_x.xx.x_windows-64bit.zip file from [releases page](https://github.com/aquasecurity/trivy/releases/).
 2. Unzip file and copy to any folder.
-3. Ensure PATH environment variable is configured to folder trivy installed.

-
-### Arch Linux (Community)
+## Arch Linux (Community)

 Arch Linux Package Repository.

@@ -76,9 +111,9 @@ References:
 - <https://gitlab.archlinux.org/archlinux/packaging/packages/trivy/-/blob/main/PKGBUILD>


-### MacPorts (Community)
+## MacPorts (Community)

-[MacPorts](https://www.macports.org) for MacOS.
+[MacPorts](https://www.macports.org) for macOS.

 ```bash
 sudo port install trivy
@@ -87,9 +122,9 @@ sudo port install trivy
 References:
 - <https://ports.macports.org/port/trivy/details/>

-### Nix/NixOS (Community)
+## Nix/NixOS (Community)

-Nix package manager for Linux and MacOS.
+Nix package manager for Linux and macOS.

 === "Command line"
    `nix-env --install -A nixpkgs.trivy`
@@ -116,15 +151,15 @@ References:

 -  https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix

-### FreeBSD (Official)
+## FreeBSD (Official)

-[Pkg](https://freebsd.org) for FreeBSD.
+Pkg package manager for FreeBSD.

 ```bash
 pkg install trivy
 ```

-### asdf/mise (Community)
+## asdf/mise (Community)

 [asdf](https://github.com/asdf-vm/asdf) and [mise](https://github.com/jdx/mise) are quite similar tools you can use to install trivy.
 See their respective documentation for more information of how to install them and use them:
@@ -165,50 +200,3 @@ The plugin used by both tools is developped [here](https://github.com/zufardhiya
    # Now trivy commands are available
    trivy --version
    ```
-
-## Install from GitHub Release (Official)
-
-### Download Binary
-
-1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).  
-2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
-3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
-4. Put the binary somewhere in your `$PATH` (e.g `sudo mv ./trivy /usr/local/bin/`).
-
-### Install Script
-
-The process above can be automated by the following script:
-
-```bash
-curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
-```
-
-### Install from source
-
-```bash
-git clone --depth 1 --branch {{ git.tag }} https://github.com/aquasecurity/trivy
-cd trivy
-go install ./cmd/trivy
-```
-
-## Use container image
-
-1. Pull Trivy image (`docker pull aquasec/trivy:{{ git.tag[1:] }}`)
-   2. It is advisable to mount a consistent [cache dir](../docs/configuration/cache.md) on the host into the Trivy container.
-3. For scanning container images with Trivy, mount `docker.sock` from the host into the Trivy container.
-
-Example:
-
-``` bash
-docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
-```
-
-| Registry                             | Repository                          | Link                                                                  | Supportability |
-|--------------------------------------|-------------------------------------|-----------------------------------------------------------------------|----------------|
-| Docker Hub                           | `docker.io/aquasec/trivy`           | https://hub.docker.com/r/aquasec/trivy                                | Official       |
-| GitHub Container Registry (GHCR)     | `ghcr.io/aquasecurity/trivy`        | https://github.com/orgs/aquasecurity/packages/container/package/trivy | Official       |
-| AWS Elastic Container Registry (ECR) | `public.ecr.aws/aquasecurity/trivy` | https://gallery.ecr.aws/aquasecurity/trivy                            | Official       |
-
-## Other Tools to use and deploy Trivy
-
-For additional tools and ways to install and use Trivy in different environments such as in IDE, Kubernetes or CI/CD, see [Ecosystem section](../ecosystem/index.md).
--- a/docs/getting-started/signature-verification.md
+++ b/docs/getting-started/signature-verification.md
@@ -1,60 +1,47 @@
 # Signature Verification

-## Verifying a Cosign signature
 All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).

-You need the following tool:
+## Verifying container image

- [Cosign](https://docs.sigstore.dev/cosign/installation/)
-
-### Verifying signed container images
-1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
-   ```shell
-   cosign verify aquasec/trivy:<version> \
-   --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
-   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
-   ```
-   
-2. You should get the following output
-   ```shell
-   Verification for index.docker.io/aquasec/trivy:latest --
-   The following checks were performed on each of these signatures:
-     - The cosign claims were validated
-     - Existence of the claims in the transparency log was verified offline
-     - The code-signing certificate was verified using trusted certificate authority certificates
-
-     ....
-   ```
-
-### Verifying signed binaries
-
-1. Download the required tarball, associated signature and certificate files
-2. Use the following command for keyless verification:
-   ```shell
-   cosign verify-blob <path to binray> \
-   --certificate <path to cert> \
-   --signature <path to sig> \
-   --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
-   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
-   ```
-3. You should get the following output
-   ```
-   Verified OK
-   ```
-   
-For example:
+Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):

 ```shell
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
-$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
-  --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
-  --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
-  --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
-  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" 
-  
-Vetified OK
+cosign verify aquasec/trivy:<version> \
+--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+You should get the following output
+
+```
+Verification for index.docker.io/aquasec/trivy:latest --
+The following checks were performed on each of these signatures:
+   - The cosign claims were validated
+   - Existence of the claims in the transparency log was verified offline
+   - The code-signing certificate was verified using trusted certificate authority certificates
+
+   ....
+```
+
+## Verifying binary
+
+Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
+
+Use the following command for keyless verification:
+
+```shell
+cosign verify-blob <path to binray> \
+--certificate <path to cert> \
+--signature <path to sig> \
+--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+You should get the following output
+
+```
+Verified OK
 ```

 ## Verifying a GPG signature
@@ -63,37 +50,33 @@ RPM and Deb packages are also signed by GPG.

 ### Verifying RPM

-The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).
+The public key is available at <https://aquasecurity.github.io/trivy-repo/rpm/public.key>.

-1. Download the public key
-   ```shell
-   curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ 
-   --output pub.key
-   ```
-2. Import the key
-   ```shell
-   rpm --import pub.key
-   ```
-3. Verify that the key has been imported
-   ```shell
-   rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
-   ```
-   You should get the following output
-   ```shell
-   gpg(trivy)
-   ```
-   
-4. Download the required binary
-   ```shell
-   curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
-   --output trivy.rpm
-   ```
-5. Check the binary with the following command
-   ```shell
-   rpm -K trivy.rpm
-   ```
-   You should get the following output
-   ```shell
-   trivy.rpm: digests signatures OK
-   ```
+First, download and import the key:

+```shell
+curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
+--output pub.key
+rpm --import pub.key
+rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
+```
+
+You should get the following output:
+
+```
+gpg(trivy)
+```
+
+Then you can verify the signature:
+
+```shell
+curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
+--output trivy.rpm
+rpm -K trivy.rpm
+```
+
+You should get the following output
+
+```
+trivy.rpm: digests signatures OK
+```
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,140 +1,10 @@
 ---
+template: home.html
 hide:
- toc
---
-![logo](imgs/logo.png){ align=right }
-
-# Trivy Documentation
-
-👋 Welcome to Trivy Documentation! To help you get around, please notice the different sections at the top global menu:
-
- You are currently in the [Getting Started] section where you can find general information and help with first steps.
- In the [Tutorials] section you can find step-by-step guides that help you accomplish specific tasks.
- In the [Docs] section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
- In the [Ecosystem] section you can find how Trivy works together with other tools and applications that you might already use.
- In the [Contributing] section you can find technical developer documentation and contribution guidelines.
-
-# About Trivy
-
-Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner. Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
-
-Targets (what Trivy can scan):
-
- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS
-
-Scanners (what Trivy can find there):
-
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
-
-Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
-
-To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][Docs] for detailed information.
-
-## Quick Start
-
-### Get Trivy
-
-Trivy is available in most common distribution channels. The complete list of installation options is available in the [Installation] page. Here are a few popular examples:
-
- `brew install trivy`
- `docker run aquasec/trivy`
- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
- See [Installation] for more
-
-Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular options examples:
-
- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
- See [Ecosystem] for more
-
-### General usage
-
-```bash
-trivy <target> [--scanners <scanner1,scanner2>] <subject>
-```
-
-Examples:
-
-```bash
-trivy image python:3.4-alpine
-```
-
-<details>
-<summary>Result</summary>
-
-<figure style="text-align: center">
-  <video width="1000" autoplay muted controls loop>
-    <source src="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" type="video/mp4" />
-  </video>
-  <figcaption>Demo: Vulnerability Detection</figcaption>
-</figure>
-
-</details>
-
-```bash
-trivy fs --scanners vuln,secret,misconfig myproject/
-```
-
-<details>
-<summary>Result</summary>
-
-<figure style="text-align: center">
-  <video width="1000" autoplay muted controls loop>
-    <source src="https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov" type="video/mp4" />
-  </video>
-  <figcaption>Demo: Misconfiguration Detection</figcaption>
-</figure>
-
-</details>
-
-```bash
-trivy k8s --report summary cluster
-```
-
-<details>
-<summary>Result</summary>
-
-<figure style="text-align: center">
-  <img src="imgs/secret-demo.gif" width="1000">
-  <figcaption>Demo: Secret Detection</figcaption>
-</figure>
-
-</details>
-
-# Want more? Check out Aqua
-
-If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
-You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
-In addition check out the <https://aquasec.com> website for more information about our products and services.
-If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
-
+  - navigation
+  - toc
+  - path
+  - tags
 ---

-Trivy is an [Aqua Security][aquasec] open source project.  
-Learn about our open source work and portfolio [here][oss].  
-Contact us about any matter by opening a GitHub Discussion [here][discussions]
-
-[Ecosystem]: ./ecosystem/index.md
-[Installation]: getting-started/installation.md
-[pronunciation]: getting-started/faq.md#how-to-pronounce-the-name-trivy
-[Scanning Coverage]: ./docs/coverage/index.md
-
-[aquasec]: https://aquasec.com
-[oss]: https://www.aquasec.com/products/open-source-projects/
-[discussions]: https://github.com/aquasecurity/trivy/discussions
-
-[homepage]: https://trivy.dev
-[Tutorials]: ./tutorials/overview
-[Docs]: ./docs
-[Getting Started]: ./
-[Contributing]: ./community/contribute/issue
+<!-- the home page is fully customized and implemented in the "home.html" template -->
--- a/docs/overrides/home.html
+++ b/docs/overrides/home.html
@@ -0,0 +1,244 @@
+{% extends "main.html" %}
+
+{% block content %}
+<!-- don't render markdown content in the homepage -->
+{% endblock %}
+
+{% block hero %}
+<link rel='stylesheet' id='main-style-css' href='assets/css/trivy_v1_homepage.min.css' type='text/css' media='all' />
+<script type='text/javascript' src='assets/javascripts/trivy_v1_homepage.js' id='trivy_v1_homepage-js'></script>
+
+<div class="trivy_v1_homepage_wrap">
+
+    <!-- hero starts -->
+    <div class="hero_wrap">
+        <div class="hero header_wrap">
+            <div class="hero-body">
+                <div class="clearboth container">
+                    <div class="header_title_wrap">
+                        <div class="header_title_content_wrap">
+                            <div class="page_logo">
+                                <img src="assets/images/trivy_logo_horizontal_white.svg" height="100" alt="Trivy Logo">
+                            </div>
+                            <h1 class="title page_title is-spaced fadeInUp">
+                                The all-in-one open source security scanner
+                            </h1>
+                            <h2 class="subtitle page_subtitle fadeInUp animationDelay_1">
+                                Use Trivy to find vulnerabilities (CVE) & misconfigurations (IaC) across code repositories, binary artifacts, container images, Kubernetes clusters, and more. All in one tool! 
+                            </h2>
+                            <a href="./getting-started" class="button is-seafoam large_btn">Get started</a>
+                            <a href="./docs" class="button is-seafoam is-outlined large_btn">Read the Docs</a>
+                        </div><!-- header_title_content_wrap -->
+                    </div><!-- header_title_wrap -->
+                </div><!-- container -->
+            </div><!-- hero-body -->
+        </div><!-- hero -->
+
+        <div class="homepage_background_image_wrap">
+            <div class="stars_wrap">
+                <div class="stars_bg"></div>
+            </div>
+            <div class="terrain_wrap"></div>
+            <div class="beams_wrap">
+                <div class="beam"></div>
+                <div class="beam num2"></div>
+                <div class="beam num3"></div>
+                <div class="beam num4"></div>
+                <div class="sphere"></div>
+            </div>
+            <div class="person_wrap"></div>
+        </div><!-- homepage_background_image_wrap -->
+    </div><!-- hero_wrap -->
+    <!-- hero ends -->
+
+    <!-- homepage_community starts -->
+    <div class="homepage_community_wrap">
+        <div class="container wide_container">
+            <div class="community_titles_column">
+                <div class="title is-spaced community_title fadeInUp animationDelay_1">It's all about the community!</div>
+                <div class="subtitle is-spaced community_subtitle fadeInUp animationDelay_2">Trivy is praised by professionals worldwide. Are you a Trivy fan as well? We'd love to hear from you!
+                </div>
+                <div class="community_cta_wrap fadeInUp animationDelay_3">
+                    <a href="https://github.com/aquasecurity/trivy/discussions/categories/adopters" target="_blank" class="button is-seafoam">Share your story</a>
+                    <a href="https://github.com/aquasecurity/trivy/discussions/" target="_blank" class="button is-seafoam is-outlined">Discuss on GitHub</a>
+                </div>
+            </div><!-- community_titles_column -->
+
+            <div class="community_slider_column">
+                <div class="community_quotes_wrap">
+                    <!-- quotes page 1 -->
+                    <div class="community_quotes">
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Sam White, GitLab</div>
+                                <div class="quote_twitter_handle"><a href="https://www.aquasec.com/blog/trivy-scanner-gitlab-case-study/" target="_blank">Case Study</a></div>
+                                <div class="quote_text">"Trivy was a clear leader in the market as far as features, functionality, and capabilities"</div>
+                                <div class="quote_avatar" style="background-image:url('https://media.licdn.com/dms/image/v2/C5603AQEeHph5FWOpTw/profile-displayphoto-shrink_800_800/profile-displayphoto-shrink_800_800/0/1601489956361?e=1736380800&v=beta&t=lqBO9XE4rmgn_jOBD4E3YCyxZyWtBZ33eLh7kHJJBfo');"></div>
+                            </div><!-- quote_item is_quote -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Ariadne Conill, Alpine Security</div>
+                                <div class="quote_twitter_handle">@ariadneconill</div>
+                                <div class="quote_text">...the tl;dr is basically Aqua's Trivy is the best one, all of the other ones are a waste of time </div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/1584412202945093632/UaXJmOMy_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Harbor Team</div>
+                                <div class="quote_twitter_handle"><a href="https://goharbor.io/blog/harbor-2.0/" target="_blank">Harbor blog</a></div>
+                                <div class="quote_text">"Trivy takes container image scanning to higher levels of usability and performance."</div>
+                                <div class="quote_avatar" style="background-image:url('https://www.jpaul.me/wp-content/uploads/2020/09/harbor-icon-color.png');"></div>
+                            </div><!-- quote_item is_quote -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Milind Gadre, Mirantis</div>
+                                <div class="quote_twitter_handle"><a href="https://www.aquasec.com/news/trivy-vulnerability-scanner-aqua-security-adopted-by-leading-cloud-native-platforms/" target="_blank">Mirantis</a></div>
+                                <div class="quote_text">"After evaluating several leading options for open source vulnerability scanning, Trivy really stood out"</div>
+                                <div class="quote_avatar" style="background-image:url('https://media.licdn.com/dms/image/v2/C5103AQHKRwg19TMyjQ/profile-displayphoto-shrink_800_800/profile-displayphoto-shrink_800_800/0/1567694195920?e=1736380800&v=beta&t=tn7utvMY__6lyJSWWFDQApvikQAOep-5Sxwx_op7t5c');"></div>
+                            </div><!-- quote_item is_quote -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Jerry Gambli</div>
+                                <div class="quote_twitter_handle">@JGamblin</div>
+                                <div class="quote_text">The way the @AquaSecTeam team has turned Trivy into the best open-source vulnerability scanner in such a short time is really amazing.</div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/1490086716568395777/mDaSylm1_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                    </div><!-- community_quotes (break) -->
+                    <!-- quotes page 2 -->
+                    <div class="community_quotes">
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Yaney</div>
+                                <div class="quote_twitter_handle"><a href="https://github.com/aquasecurity/trivy/discussions/4738#discussioncomment-6335342" target="_blank">y4ney</a></div>
+                                <div class="quote_text">"Trivy is, by far, the best open-source tool for cloud-native security that I have ever used"</div>
+                                <div class="quote_avatar" style="background-image:url('https://avatars.githubusercontent.com/u/44939500?v=4');"></div>
+                            </div><!-- quote_item is_quote -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Ulises Galeano, MasterCard</div>
+                                <div class="quote_twitter_handle"><a href="https://www.linkedin.com/posts/ulises-galeano_aqua-securitys-trivy-adds-cspm-capabilities-activity-6965797718019502080-8ah_?utm_source=share&utm_medium=member_desktop" target="_blank">ulises-galeano</a></div>
+                                <div class="quote_text">"This tool just keeps getting better and better..."</div>
+                                <div class="quote_avatar" style="background-image:url('https://media.licdn.com/dms/image/v2/D5603AQFkCipQMhfD6g/profile-displayphoto-shrink_400_400/profile-displayphoto-shrink_400_400/0/1698769096426?e=1736380800&v=beta&t=BF7ZacfGdzO7E70vZOIxKrEsPvUQUkzH9dvlXCHp364');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Damian Naprawa</div>
+                                <div class="quote_twitter_handle"><a href="https://x.com/DamianNaprawa/status/1469229068419842049" target="_blank">@DamianNaprawa</a></div>
+                                <div class="quote_text">"So happy to see collaboration between @Azure and @AquaSecTeam on scanning container images in Azure Container Registry CI/CD workflows using such a great tool - Trivy."</div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/1348967860945747971/LFtYvPTm_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Mustafa Akin, Resmo</div>
+                                <div class="quote_twitter_handle"><a href="https://github.com/aquasecurity/trivy/discussions/5898#discussioncomment-8257890" target="_blank">mustafaakin</a></div>
+                                <div class="quote_text">"I love how Trivy democratized dependency scanning to the masses as a free and extremely easy to use tool, with also a permissive license. This used to be a gated community with predatory security vendors charging premium, and they were not half as good as Trivy."</div>
+                                <div class="quote_avatar" style="background-image:url('https://avatars.githubusercontent.com/u/803763?v=4');"></div>
+                            </div><!-- quote_item is_quote -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">dynaptik, Deutsche Bahn</div>
+                                <div class="quote_twitter_handle"><a href="https://x.com/dynaptik/status/1760063329941291098?s=20" target="_blank">@dynaptik</a></div>
+                                <div class="quote_text">"Trivy easily for what it brings to the table (secret scanning, vuln scan, license check) and little effort required. Bang for the buck it's pretty amazing"</div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/1520351613839417347/cX0be6tB_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                    </div><!-- community_quotes (break) -->
+                    <!-- quotes page 3 -->
+                    <div class="community_quotes">
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Cristiano Corrado, Wise</div>
+                                <div class="quote_twitter_handle"><a href="https://medium.com/wise-engineering/our-application-security-journey-part-1-fb7d449a7126" target="_blank">wise-engineering</a></div>
+                                <div class="quote_text">"The discovery process led us to evaluate multiple open-source tools ... The final decision was to use Trivy"</div>
+                                <div class="quote_avatar" style="background-image:url('https://miro.medium.com/v2/da:true/resize:fill:176:176/0*RFJEFPwmqPoJk0_Q');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Saim Safdar</div>
+                                <div class="quote_twitter_handle"><a href="https://x.com/cloudnativeboy/status/1538840080873291777" target="_blank">@cloudnativeboy</a></div>
+                                <div class="quote_text">"my favorite @Docker extension. (Trivy)"</div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/1852731741263298560/j82MEKDC_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Jonathan Gonzalez V., CloudNativePG</div>
+                                <div class="quote_twitter_handle"><a href="https://x.com/sxd/status/1555688296092672000" target="_blank">@sxd</a></div>
+                                <div class="quote_text">"Thanks @AquaSecTeam for creating Trivy and help us to improve @CloudNativePg security"</div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/724741714867445760/4neP98k7_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Andy Roberts, Vista</div>
+                                <div class="quote_twitter_handle"><a href="https://x.com/andyr8939/status/1523402643397562368" target="_blank">@andyr8939</a></div>
+                                <div class="quote_text">"I've tried a few and all have pros/cons but I found that Trivy is the best of them"</div>
+                                <div class="quote_avatar" style="background-image:url('https://pbs.twimg.com/profile_images/1384815728201588736/5uQfnSPb_400x400.jpg');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                        <div class="quote_item_wrap">
+                            <div class="quote_item is_tweet has_avatar">
+                                <div class="quote_name">Ali Faraj, Antigen Security</div>
+                                <div class="quote_twitter_handle"><a href="https://www.linkedin.com/posts/activity-6932020213307625472-zWs8/" target="_blank">@andyr8939</a></div>
+                                <div class="quote_text">"Trivy from Aqua Security is my new favorite tool... It's such a powerful tool with the ability to generate SBOMs, find vulnerabilities, misconfigurations, and secrets!"</div>
+                                <div class="quote_avatar" style="background-image:url('https://media.licdn.com/dms/image/v2/C4D03AQEwMCBM6uAGdQ/profile-displayphoto-shrink_800_800/profile-displayphoto-shrink_800_800/0/1599152832090?e=1736380800&v=beta&t=2negMF6o75BjLkIM3iz6gkl-5Aqk4jv7rGnO_sbMKf4');"></div>
+                            </div><!-- quote_item is_tweet -->
+                        </div><!-- quote_item_wrap -->
+
+                    </div><!-- community_quotes -->
+                </div><!-- community_quotes_wrap -->
+
+            </div><!-- community_slider_column -->
+
+        </div><!-- container -->
+    </div><!-- homepage_community_wrap -->
+
+    <script type="text/javascript">
+        var $j_hpcom = jQuery.noConflict();
+        $j_hpcom(document).ready(function () {
+
+            $j_hpcom('.community_quotes_wrap').slick({
+                arrows: false,
+                dots: true,
+                centerMode: false,
+                infinite: true,
+                slidesToShow: 1,
+                focusOnSelect: true,
+                autoplay: true,
+                autoplaySpeed: 11000
+            });
+
+        });
+    </script>
+
+    <!-- homepage_community ends -->
+</div><!-- trivy_v1_homepage_wrap -->
+
+{% endblock %}
--- a/docs/overrides/main.html
+++ b/docs/overrides/main.html
@@ -1,7 +1,35 @@
 {% extends "base.html" %}

+{% block extrahead %}
+
+{% set title = config.site_name %}
+{% if page and page.title and not page.is_homepage %}
+  {% set title = config.site_name ~ " - " ~ page.title | striptags %}
+{% endif %}
+
+{% set image = config.site_url ~ 'assets/images/illustrations/banner.png' %}
+
+<meta property="og:type" content="website" />
+<meta property="og:title" content="{{ title }}" />
+<meta property="og:description" content="{{ config.site_description }}" />
+<meta property="og:url" content="{{ page.canonical_url }}" />
+<meta property="og:image" content="{{ image }}" />
+<meta property="og:image:type" content="image/png" />
+<meta property="og:image:width" content="1080" />
+<meta property="og:image:height" content="568" />
+
+<style>
+  :root{
+    --md-primary-fg-color:#0a0b23;
+  }
+  .md-typeset a{
+    color:#10147e;
+  }
+</style>
+{% endblock %}
+
 {% block outdated %}
-You're not viewing the latest version.
+You're not viewing the latest version of the documentation.
 <a href="{{ '../' ~ base_url }}">
    <strong>Click here to go to latest.</strong>
 </a>
--- a/docs/tutorials/integrations/gitlab-ci.md
+++ b/docs/tutorials/integrations/gitlab-ci.md
@@ -114,7 +114,7 @@ container_scanning:
 Depending on the edition of gitlab you have or your desired workflow, the
 container scanning template may not meet your needs. As an addition to the
 above container scanning template, a template for
-[code climate](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html)
+[code climate](https://docs.gitlab.com/ee/ci/testing/code_quality.html)
 has been included. The key things to update from the above examples are
 the `template` and `report` type. An updated example is below.

--- a/docs/tutorials/kubernetes/cluster-scanning.md
+++ b/docs/tutorials/kubernetes/cluster-scanning.md
@@ -59,7 +59,7 @@ This has several benefits:

 - The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. 

-There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
+There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation.

 Please follow the Trivy Operator documentation for further information on:

--- a/docs/tutorials/shell/shell-completion.md
+++ b/docs/tutorials/shell/shell-completion.md
@@ -49,7 +49,6 @@ trivy completion zsh > "${fpath[1]}/_trivy"

 ```bash
 $ trivy [tab]
-aws         -- scan aws account
 completion  -- Generate the autocompletion script for the specified shell
 config      -- Scan config files for misconfigurations
 filesystem  -- Scan local filesystem
--- a/docs/tutorials/signing/vuln-attestation.md
+++ b/docs/tutorials/signing/vuln-attestation.md
@@ -8,7 +8,7 @@ This tutorial details how to
 #### Prerequisites

 1. [Trivy CLI](../../getting-started/installation.md) installed
-2. [Cosign CLI](https://docs.sigstore.dev/system_config/installation/) installed 
+2. [Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/) installed
 3. Ensure that you have access to a container image in a remote container registry that you own/within your account. In this tutorial, we will use DockerHub.

 ## Scan Container Image for vulnerabilities
--- a/examples/module/spring4shell/spring4shell.go
+++ b/examples/module/spring4shell/spring4shell.go
@@ -5,6 +5,7 @@ package main

 import (
 	"bufio"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -112,7 +113,7 @@ func (Spring4Shell) parseTomcatReleaseNotes(f *os.File, filePath string) (*seria

 	m := tomcatVersionRegex.FindStringSubmatch(string(b))
 	if len(m) != 2 {
-		return nil, fmt.Errorf("unknown tomcat release notes format")
+		return nil, errors.New("unknown tomcat release notes format")
 	}

 	return &serialize.AnalysisResult{
--- a/go.mod
+++ b/go.mod
@@ -1,80 +1,79 @@
 module github.com/aquasecurity/trivy

-go 1.22.0
-
-toolchain go1.22.4
+go 1.23.5

 require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
 	github.com/BurntSushi/toml v1.4.0
-	github.com/CycloneDX/cyclonedx-go v0.9.1
+	github.com/CycloneDX/cyclonedx-go v0.9.2
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alecthomas/chroma v0.10.0
-	github.com/alicebob/miniredis/v2 v2.33.0
-	github.com/antchfx/htmlquery v1.3.2
+	github.com/alicebob/miniredis/v2 v2.34.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
-	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
-	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
-	github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d
+	github.com/aquasecurity/go-npm-version v0.0.1
+	github.com/aquasecurity/go-pep440-version v0.0.1
+	github.com/aquasecurity/go-version v0.0.1
+	github.com/aquasecurity/iamgo v0.0.10
+	github.com/aquasecurity/jfather v0.0.8
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-checks v1.2.2
-	github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1
+	github.com/aquasecurity/trivy-checks v1.6.1
+	github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
-	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241029051843-2606b7e0f0b4
-	github.com/aws/aws-sdk-go-v2 v1.31.0
-	github.com/aws/aws-sdk-go-v2/config v1.27.38
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.36
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.1
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.35.2
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.63.2
-	github.com/aws/aws-sdk-go-v2/service/sts v1.31.2 // indirect
-	github.com/aws/smithy-go v1.21.0
+	github.com/aquasecurity/trivy-kubernetes v0.7.0
+	github.com/aws/aws-sdk-go-v2 v1.34.0
+	github.com/aws/aws-sdk-go-v2/config v1.29.2
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.55
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.201.1
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.38.7
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.74.1
+	github.com/aws/smithy-go v1.22.2
 	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
-	github.com/bmatcuk/doublestar/v4 v4.6.1
+	github.com/bmatcuk/doublestar/v4 v4.8.1
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/cheggaaa/pb/v3 v3.1.5
-	github.com/containerd/containerd v1.7.22
-	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
-	github.com/docker/cli v27.2.1+incompatible
-	github.com/docker/docker v27.3.1+incompatible
+	github.com/cheggaaa/pb/v3 v3.1.6
+	github.com/containerd/containerd/v2 v2.0.2
+	github.com/containerd/platforms v1.0.0-rc.1
+	github.com/distribution/reference v0.6.0
+	github.com/docker/cli v27.5.0+incompatible
+	github.com/docker/docker v27.5.0+incompatible
 	github.com/docker/go-connections v0.5.0
-	github.com/fatih/color v1.17.0
-	github.com/go-git/go-git/v5 v5.12.0
+	github.com/docker/go-units v0.5.0
+	github.com/fatih/color v1.18.0
+	github.com/go-git/go-git/v5 v5.13.2
 	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-redis/redis/v8 v8.11.5
+	github.com/gocsaf/csaf/v3 v3.1.1
 	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/google/go-containerregistry v0.20.2
+	github.com/google/go-containerregistry v0.20.3
 	github.com/google/go-github/v62 v62.0.0
 	github.com/google/licenseclassifier/v2 v2.0.0
 	github.com/google/uuid v1.6.0
 	github.com/google/wire v0.6.0
-	github.com/hashicorp/go-getter v1.7.6
+	github.com/hashicorp/go-getter v1.7.8
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
-	github.com/hashicorp/hc-install v0.9.0
-	github.com/hashicorp/hcl/v2 v2.22.0
-	github.com/hashicorp/terraform-exec v0.21.0
+	github.com/hashicorp/hc-install v0.9.1
+	github.com/hashicorp/hcl/v2 v2.23.0
+	github.com/hashicorp/terraform-exec v0.22.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
-	github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
+	github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/knqyf263/go-rpmdb v0.1.1
 	github.com/knqyf263/nested v0.0.1
 	github.com/kylelemons/godebug v1.1.0
-	github.com/liamg/iamgo v0.0.9
-	github.com/liamg/jfather v0.0.7
 	github.com/liamg/memoryfs v1.6.0
 	github.com/magefile/mage v1.15.0
 	github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee
@@ -88,63 +87,67 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/buildkit v0.16.0
-	github.com/open-policy-agent/opa v0.68.1-0.20240903211041-76f7038ea2d1
+	github.com/moby/buildkit v0.18.2
+	github.com/open-policy-agent/opa v1.1.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
 	github.com/openvex/go-vex v0.2.5
 	github.com/owenrumney/go-sarif/v2 v2.3.3
-	github.com/owenrumney/squealer v1.2.4
+	github.com/owenrumney/squealer v1.2.6
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
-	github.com/samber/lo v1.47.0
+	github.com/samber/lo v1.49.0
 	github.com/sassoftware/go-rpmutils v0.4.0
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0
-	github.com/sigstore/rekor v1.3.6
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0
+	github.com/sigstore/rekor v1.3.8
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
 	github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
-	github.com/spf13/cast v1.7.0
+	github.com/spf13/cast v1.7.1
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.19.0
-	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go v0.33.0
-	github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0
-	github.com/tetratelabs/wazero v1.8.0
+	github.com/stretchr/testify v1.10.0
+	github.com/testcontainers/testcontainers-go v0.35.0
+	github.com/testcontainers/testcontainers-go/modules/localstack v0.35.0
+	github.com/tetratelabs/wazero v1.8.2
 	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
-	github.com/zclconf/go-cty v1.15.0
-	github.com/zclconf/go-cty-yaml v1.0.3
+	github.com/zclconf/go-cty v1.16.2
+	github.com/zclconf/go-cty-yaml v1.1.0
 	go.etcd.io/bbolt v1.3.11
-	golang.org/x/crypto v0.27.0
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
-	golang.org/x/mod v0.21.0
-	golang.org/x/net v0.29.0
-	golang.org/x/sync v0.8.0
-	golang.org/x/term v0.25.0
-	golang.org/x/text v0.18.0
-	golang.org/x/vuln v1.1.3
-	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
-	google.golang.org/protobuf v1.34.2
+	golang.org/x/crypto v0.32.0
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/mod v0.22.0
+	golang.org/x/net v0.34.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.28.0
+	golang.org/x/text v0.21.0
+	golang.org/x/vuln v1.1.4
+	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
+	google.golang.org/protobuf v1.36.4
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.16.1
-	k8s.io/api v0.31.2
-	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
-	modernc.org/sqlite v1.33.1
+	helm.sh/helm/v3 v3.17.0
+	k8s.io/api v0.32.1
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
+	modernc.org/sqlite v1.34.5
 	sigs.k8s.io/yaml v1.4.0
 )

 require (
-	cloud.google.com/go v0.112.1 // indirect
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
-	cloud.google.com/go/iam v1.1.6 // indirect
-	cloud.google.com/go/storage v1.39.1 // indirect
+	cel.dev/expr v0.19.0 // indirect
+	cloud.google.com/go v0.116.0 // indirect
+	cloud.google.com/go/auth v0.13.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/iam v1.2.2 // indirect
+	cloud.google.com/go/monitoring v1.21.2 // indirect
+	cloud.google.com/go/storage v1.45.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
-	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -153,8 +156,11 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
 	github.com/Intevation/gval v1.3.0 // indirect
 	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -162,76 +168,69 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.12.0 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
+	github.com/ProtonMail/go-crypto v1.1.5 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/agnivade/levenshtein v1.1.1 // indirect
-	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
+	github.com/agnivade/levenshtein v1.2.0 // indirect
+	github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/antchfx/xpath v1.3.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.5 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.23.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
+	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.3.8 // indirect
-	github.com/containerd/cgroups/v3 v3.0.2 // indirect
-	github.com/containerd/containerd/api v1.7.19 // indirect
-	github.com/containerd/continuity v0.4.3 // indirect
-	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/cloudflare/circl v1.5.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
+	github.com/containerd/cgroups/v3 v3.0.3 // indirect
+	github.com/containerd/containerd v1.7.25 // indirect
+	github.com/containerd/containerd/api v1.8.0 // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
-	github.com/containerd/ttrpc v1.2.5 // indirect
-	github.com/containerd/typeurl/v2 v2.2.0 // indirect
-	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/containerd/plugin v1.0.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/containerd/ttrpc v1.2.7 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/cpuguy83/dockercfg v0.3.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
-	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
-	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
-	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/dsnet/compress v0.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
-	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -247,8 +246,8 @@ require (
 	github.com/goccy/go-yaml v1.9.5 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
@@ -257,10 +256,10 @@ require (
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
@@ -269,31 +268,30 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
-	github.com/hashicorp/terraform-json v0.22.1 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/hashicorp/terraform-json v0.24.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
@@ -301,9 +299,9 @@ require (
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/spdystream v0.4.0 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.1 // indirect
 	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
@@ -318,25 +316,27 @@ require (
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
+	github.com/opencontainers/selinux v1.11.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_golang v1.20.2 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.61.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rubenv/sql-migrate v1.7.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rubenv/sql-migrate v1.7.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
@@ -346,15 +346,16 @@ require (
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sigstore/cosign/v2 v2.2.4 // indirect
-	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/sigstore v1.8.12 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
-	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
-	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tklauser/go-sysconf v0.3.13 // indirect
@@ -362,8 +363,8 @@ require (
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/ulikunitz/xz v0.5.12 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
-	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
+	github.com/vbatts/tar-split v0.11.6 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -375,51 +376,64 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
-	golang.org/x/time v0.6.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
-	google.golang.org/api v0.172.0 // indirect
-	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
-	google.golang.org/grpc v1.66.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
+	google.golang.org/api v0.216.0 // indirect
+	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/grpc v1.70.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.31.0 // indirect
-	k8s.io/apimachinery v0.31.2 // indirect
-	k8s.io/apiserver v0.31.0 // indirect
-	k8s.io/cli-runtime v0.31.2 // indirect
-	k8s.io/client-go v0.31.2 // indirect
-	k8s.io/component-base v0.31.2 // indirect
+	k8s.io/apiextensions-apiserver v0.32.0 // indirect
+	k8s.io/apimachinery v0.32.1 // indirect
+	k8s.io/apiserver v0.32.0 // indirect
+	k8s.io/cli-runtime v0.32.1 // indirect
+	k8s.io/client-go v0.32.1 // indirect
+	k8s.io/component-base v0.32.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
-	k8s.io/kubectl v0.31.2 // indirect
-	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	k8s.io/kubectl v0.32.1 // indirect
 	modernc.org/libc v1.55.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
-	modernc.org/strutil v1.2.0 // indirect
-	modernc.org/token v1.1.0 // indirect
 	mvdan.cc/sh/v3 v3.10.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.17.2 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/kustomize/api v0.18.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	tags.cncf.io/container-device-interface v0.8.0 // indirect
+	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
+)
+
+require (
+	github.com/aws/aws-sdk-go v1.55.6 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg version="1.1" id="Layer_2" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 240 240" enable-background="new 0 0 240 240" xml:space="preserve"><rect x="106" y="90" fill="#00ffe4" width="2" height="2"/><rect x="74" y="63" fill="#00ffe4" width="1" height="1"/><rect x="23" y="66" fill="#00ffe4" width="1" height="1"/><rect x="50" y="110" fill="#00ffe4" width="1" height="1"/><rect x="63" y="128" fill="#00ffe4" width="1" height="1"/><rect x="45" y="149" fill="#00ffe4" width="1" height="1"/><rect x="92" y="151" fill="#00ffe4" width="1" height="1"/><rect x="58" y="8" fill="#00ffe4" width="1" height="1"/><rect x="147" y="33" fill="#00ffe4" width="2" height="2"/><rect x="91" y="43" fill="#00ffe4" width="1" height="1"/><rect x="169" y="29" fill="#ffffff" width="1" height="1"/><rect x="182" y="19" fill="#00ffe4" width="1" height="1"/><rect x="161" y="59" fill="#00ffe4" width="1" height="1"/><rect x="138" y="95" fill="#00ffe4" width="1" height="1"/><rect x="199" y="71" fill="#ffffff" width="3" height="3"/><rect x="213" y="153" fill="#00ffe4" width="2" height="2"/><rect x="128" y="163" fill="#ffffff" width="1" height="1"/><rect x="205" y="174" fill="#00ffe4" width="1" height="1"/><rect x="152" y="200" fill="#00ffe4" width="1" height="1"/><rect x="52" y="211" fill="#00ffe4" width="2" height="2"/><rect y="191" fill="#00ffe4" width="1" height="1"/><rect x="110" y="184" fill="#00ffe4" width="1" height="1"/></svg>
				`@@ -0,0 +1 @@`
				<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891" xml:space="preserve"><style>.st0{fill:#fff}.st1{fill:#50f0ff}</style><path class="st0" d="M1421.86 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c0-15.38-12.51-27.9-27.9-27.9zM1737.06 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c-.01-15.38-12.52-27.9-27.9-27.9zM1585.02 281.94c-25.91 0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0 15.39 12.52 27.91 27.91 27.91s27.91-12.52 27.91-27.91v-44.08h19.09v44.08c-.01 25.91-21.1 46.99-47 46.99zM1479.94 187.98c-25.9 0-46.97 21.07-46.97 46.97s21.07 46.97 46.97 46.97l19.07-19.07h-19.07c-15.38 0-27.9-12.52-27.9-27.9 0-15.38 12.52-27.9 27.9-27.9 15.38 0 27.9 12.52 27.9 27.9v91.8h19.07v-91.8c0-25.9-21.07-46.97-46.97-46.97zM942.76 588.45v46.29c-31.53 0-59.94-11.34-82.34-30.14-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04v105.2h82.34v46.59h-82.34v81.19c.63 45.06 37.13 81.41 82.34 81.41zM1106.82 379.26v45.98c-43.65.1-79.18 34.71-80.78 77.98v131.52h-46.12V379.26h46.12v29.16c21.93-18.18 50.08-29.12 80.78-29.16zM1136.4 353.72v-40.29h46.05v40.29h-46.05zm0 281.02V379.26h46.05v255.48h-46.05zM1464.76 379.26l-127.64 255.48-127.8-255.48h52.33l75.47 150.88 75.31-150.88h52.33zM1740.81 379.26v297.8c0 71.31-58.52 128.26-127.83 128.2-32.47.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13 11.97 32.36 19.22 52.28 19.2 44.86 0 81.17-36.69 81.17-81.55v-71.39c-22.26 18.42-50.67 29.09-81.17 29.06-69.46.06-127.95-56-127.95-127.85V379.24h46.64l.02 127.64c0 44.67 36.39 81.6 81.28 81.55 44.86 0 81.17-36.69 81.17-81.55V379.26h46.66z"/><path class="st1" d="M428.54 364.9h.12c6.56.01 11.98-5.03 11.98-11.58V135.99l-12.23-6.83-12.18 6.8v217.36c0 6.56 5.43 11.61 11.98 11.58h.33z"/><path d="M355.18 463.55 153.55 598.87v15.41l11.49 6.29 203.73-136.73c5.23-3.51 6.53-10.52 3.15-15.84-.14-.23-.29-.45-.43-.68-3.5-5.62-10.81-7.46-16.31-3.77z" style="fill:#0744dd"/><path d="m488.27 483.95 203.55 136.61 11.45-6.28v-15.44L501.86 463.66c-5.51-3.7-12.82-1.87-16.32 3.76-.13.21-.27.43-.4.64-3.41 5.34-2.12 12.37 3.13 15.89z" style="fill:#ffc900"/><path class="st0" d="M727.69 282.29v-13.96l-12.5-6.98-.93-.49-273.93-152.99-11.92-6.64-11.87 6.64-273.98 152.99-.93.49-12.5 6.98v13.96l-.93.54.93.49v345.42l12.69 6.94 266.85 146.2 3.37 1.85 16.41 8.98 16.36-8.98 3.37-1.85 266.85-146.2 12.65-6.94V283.37l.98-.54-.97-.54zM440.95 758.05V511.4c0-6.72-5.5-12.22-12.22-12.21h-.32c-6.72-.01-12.22 5.49-12.22 12.21v246.64L165.04 620.57l-11.49-6.29V294.7l199.98 109.56c5.77 3.16 13.1 1.04 16.28-4.72l.14-.26c3.22-5.83 1.08-13.22-4.76-16.42L167.81 274.72l248.42-138.75 12.18-6.8 12.23 6.83 248.37 138.73-197.54 108.22c-5.81 3.18-7.63 10.45-4.41 16.24.05.1.11.2.16.29 3.16 5.73 10.22 8.01 15.96 4.86L703.27 294.7v319.59l-11.45 6.28-250.87 137.48z"/><circle cx="428.54" cy="432.05" r="35.42" style="fill:#ff0036"/><path class="st1" d="M617.65 262.99 426.32 155.74c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l191.33 107.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM533.81 271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l107.48 60.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.97-16.62 4.68zM569.02 291c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68 5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM462.29 288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l35.7 20.01c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM516.16 321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l20.67 11.58c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68z"/></svg>