fix: separating multiple licenses from one line in dpkg copyright files (#2508)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.github/CODEOWNERS

@@ -4,6 +4,12 @@
 # Helm chart
 helm/trivy/ @krol3
 
+# Misconfiguration scanning
+examples/misconf/           @owenrumney @liamg @knqyf263
+docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
+pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+
 # Kubernetes scanning
-pkg/k8s/                @josedonizetti @chen-keinan
-docs/docs/kubernetes/   @josedonizetti @chen-keinan
+pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
+docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263

.github/workflows/canary.yaml

@@ -0,0 +1,59 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.4
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error

.github/workflows/mkdocs-dev.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -30,14 +30,14 @@ jobs:
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
         uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
+        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}

.github/workflows/release.yaml

@@ -3,76 +3,37 @@ on:
   push:
     tags:
       - "v*"
-env:
-  GO_VERSION: "1.18"
-  GH_USER: "aqua-bot"
+
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
-    permissions:
-      id-token: write # For cosign
-      packages: write # For GHCR
-      contents: read  # Not required for public repositories, but for clarity
-    steps:
-      - name: Install dependencies
-        run: |
-          sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Show available Docker Buildx platforms
-        run: echo ${{ steps.buildx.outputs.platforms }}
-      - name: Setup Go
-        uses: actions/setup-go@v3
+    uses: ./.github/workflows/reusable-release.yaml
     with:
-          go-version: ${{ env.GO_VERSION }}
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 60m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
+    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
+    steps:
       - name: Checkout code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Cache Go modules
-        uses: actions/cache@v3.0.2
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.4
         with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Login to docker.io registry
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ghcr.io registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ env.GH_USER }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v2
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v1
-        with:
-          args: mod -licenses -json -output bom.json
-          version: ^v1
-      - name: Release
-        uses: goreleaser/goreleaser-action@v3
-        with:
-          version: v1.4.1
-          args: release --rm-dist --timeout 60m
-        env:
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install rpm reprepro createrepo distro-info
+
       - name: Checkout trivy-repo
         uses: actions/checkout@v3
         with:
@@ -80,13 +41,17 @@ jobs:
           path: trivy-repo
           fetch-depth: 0
           token: ${{ secrets.ORG_REPO_TOKEN }}
+
       - name: Setup git settings
         run: |
           git config --global user.email "knqyf263@gmail.com"
           git config --global user.name "Teppei Fukuda"
+
       - name: Create rpm repository
         run: ci/deploy-rpm.sh
+
       - name: Import GPG key
         run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
       - name: Create deb repository
         run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -0,0 +1,109 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GO_VERSION: "1.18"
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.0.4
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/scan.yaml

@@ -18,6 +18,6 @@ jobs:
           assignee: knqyf263
           severity: CRITICAL
           skip-dirs: integration,examples
-          label: vulnerability
+          label: kind/security
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -34,6 +34,7 @@ jobs:
             vuln
             misconf
             secret
+            license
 
             image
             fs
@@ -80,6 +81,9 @@ jobs:
             cli
             flag
             
+            cyclonedx
+            spdx
+
             helm
             report
             db

.github/workflows/test.yaml

@@ -28,6 +28,7 @@ jobs:
         run: |
           go mod tidy
           if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
             exit 1
           fi
 
@@ -123,7 +124,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
       with:
         python-version: 3.x
     - name: Install dependencies

.gitignore

@@ -16,6 +16,7 @@
 *.out
 
 .idea
+.vscode
 
 # Directory Cache Files
 .DS_Store

.golangci.yaml

@@ -31,7 +31,6 @@ linters:
     - ineffassign
     - typecheck
     - govet
-    - errcheck
     - varcheck
     - deadcode
     - revive

Dockerfile.canary

@@ -0,0 +1,10 @@
+FROM alpine:3.16.0
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.18.2
+FROM golang:1.18.3
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -1,4 +1,4 @@
-VERSION := $(shell git describe --tags)
+VERSION := $(shell git describe --tags --always)
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
 
 GOPATH := $(shell go env GOPATH)
@@ -70,7 +70,7 @@ integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
 # Run integration tests
 .PHONY: test-integration
 test-integration: integration/testdata/fixtures/images/*.tar.gz
-	go test -v -tags=integration ./integration/...
+	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
 
 # Run WASM integration tests
 .PHONY: test-module-integration

README.md

@@ -74,7 +74,7 @@ https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b
 </details>
 
 ```bash
-$ trivy k8s mycluster
+$ trivy k8s --report summary cluster
 ```
 
 <details>
@@ -84,6 +84,8 @@ $ trivy k8s mycluster
 
 </details>
 
+Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.
+
 Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
 
 
@@ -135,7 +137,7 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 [getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [docs]: https://aquasecurity.github.io/trivy
 [integrations]:https://aquasecurity.github.io/trivy/latest/docs/integrations/
-[installation]:https://aquasecurity.github.io/trivy/latest/docs/getting-started/installation/
+[installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [releases]: https://github.com/aquasecurity/trivy/releases
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego

ci/deploy-rpm.sh

@@ -15,7 +15,7 @@ function create_rpm_repo () {
 
 cd trivy-repo
 
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
         echo "Processing RHEL/CentOS $version..."
         create_rpm_repo $version

cmd/trivy/main.go

@@ -1,8 +1,6 @@
 package main
 
 import (
-	"os"
-
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
 )
@@ -13,8 +11,7 @@ var (
 
 func main() {
 	app := commands.NewApp(version)
-	err := app.Run(os.Args)
-	if err != nil {
+	if err := app.Execute(); err != nil {
 		log.Fatal(err)
 	}
 }

contrib/asff.tpl

@@ -35,12 +35,14 @@
             },
             "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
             "Description": {{ escapeString $description | printf "%q" }},
+            {{ if not (empty .PrimaryURL) -}}
             "Remediation": {
                 "Recommendation": {
                     "Text": "More information on this vulnerability is provided in the hyperlink",
                     "Url": "{{ .PrimaryURL }}"
                 }
             },
+            {{ end -}}
             "ProductFields": { "Product Name": "Trivy" },
             "Resources": [
                 {

docs/community/contribute/pr.md

@@ -42,6 +42,7 @@ checks:
 - vuln
 - misconf
 - secret
+- license
 
 mode:
 
@@ -160,5 +161,4 @@ Trivy is composed of several repositories that work together:
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
 - [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
-- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
 - [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

docs/community/maintainer/triage.md

@@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 
-We have specific [guidelines](/docs/docs/advanced/contribd/contrib/help-wanted.md)
+We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 

docs/docs/index.md

@@ -28,7 +28,7 @@ See [Integrations][integrations] for details.
 
 - Comprehensive vulnerability detection
     - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
     - A wide variety of [built-in policies][builtin] are provided **out of the box**:
         - Kubernetes
@@ -63,6 +63,7 @@ See [Integrations][integrations] for details.
 - [SBOM][sbom] (Software Bill of Materials) support
     - CycloneDX
     - SPDX
+    - GitHub Dependency Snapshots
 
 Please see [LICENSE][license] for Trivy licensing information.
 

docs/docs/integrations/github-actions.md

@@ -1,6 +1,6 @@
 # GitHub Actions
 
-- Here is the [Trivy Github Action][action]
+- Here is the [Trivy GitHub Action][action]
 - The Microsoft Azure team have written a [container-scan action][azure] that uses Trivy and Dockle
 - For full control over the options specified to Trivy, this [blog post][blog] describes adding Trivy into your own GitHub action workflows 
 

docs/docs/integrations/gitlab-ci.md

@@ -111,7 +111,7 @@ container_scanning:
 [example]: https://gitlab.com/aquasecurity/trivy-ci-test/pipelines
 [repository]: https://github.com/aquasecurity/trivy-ci-test
 
-### Gitlab CI alternative template
+### GitLab CI alternative template
 
 Depending on the edition of gitlab you have or your desired workflow, the
 container scanning template may not meet your needs. As an addition to the
@@ -174,8 +174,8 @@ be necessary to rename the artifact if you want to reuse the name. To then
 combine the previous artifact with the output of trivy, the following `jq`
 command can be used, `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.
 
-### Gitlab CI alternative template example report
+### GitLab CI alternative template example report
 
-You'll be able to see a full report in the Gitlab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
+You'll be able to see a full report in the GitLab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
 
 ![codequality](../../imgs/gitlab-codequality.png)

docs/docs/kubernetes/cli/scanning.md

@@ -27,7 +27,7 @@ Filter by severity:
 $ trivy k8s --severity=CRITICAL --report=all cluster
 ```
 
-Filter by security check (Vulnerabilties, Secrets or Misconfigurations):
+Filter by security check (Vulnerabilities, Secrets or Misconfigurations):
 
 ```
 $ trivy k8s --security-checks=secret --report=summary cluster
@@ -47,6 +47,13 @@ Scan a specific resource and get all the output:
 $ trivy k8s deployment appname
 ```
 
+Scan all deploys, or deploys and configmaps:
+
+```
+$ trivy k8s --report=summary deployment
+$ trivy k8s --report=summary deployment,configmaps
+```
+
 If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
 For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
 

docs/docs/kubernetes/operator/configuration-auditing/built-in-policies.md

@@ -1,107 +0,0 @@
-# Built-in Configuration Audit Policies
-
-The following sections list built-in configuration audit policies installed with trivy-operator. They are stored in the
-`trivy-operator-policies-config` ConfigMap created in the installation namespace (e.g. `trivy-system`). You can modify
-them or add a new policy. For example, follow the [Writing Custom Configuration Audit Policies] tutorial to add a custom
-policy that checks for recommended Kubernetes labels on any resource kind.
-
-## General
-
-| NAME                                       | DESCRIPTION                                                                                                                                                                                                         | KINDS    |
-|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| [CPU not limited]                          | Enforcing CPU limits prevents DoS via resource exhaustion.                                                                                                                                                          | Workload |
-| [CPU requests not specified]               | When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.                                             | Workload |
-| [SYS_ADMIN capability added]               | SYS_ADMIN gives the processes running inside the container privileges that are equivalent to root.                                                                                                                  | Workload |
-| [Default capabilities not dropped]         | The container should drop all default capabilities and add only those that are needed for its execution.                                                                                                            | Workload |
-| [Root file system is not read-only]        | An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. | Workload |
-| [Memory not limited]                       | Enforcing memory limits prevents DoS via resource exhaustion.                                                                                                                                                       | Workload |
-| [Memory requests not specified]            | When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.                                               | Workload |
-| [hostPath volume mounted with docker.sock] | Mounting docker.sock from the host can give the container full root access to the host.                                                                                                                             | Workload |
-| [Runs with low group ID]                   | Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.                                                                                                                     | Workload |
-| [Runs with low user ID]                    | Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.                                                                                                                      | Workload |
-| [Tiller Is Deployed]                       | Check if Helm Tiller component is deployed.                                                                                                                                                                         | Workload |
-| [Image tag ':latest' used]                 | It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.                | Workload |
-
-## Advanced
-
-| NAME                                                           | DESCRIPTION                                                                                                                              | KINDS         |
-|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|---------------|
-| [Unused capabilities should be dropped (drop any)]             | Security best practices require containers to run with minimal required capabilities.                                                    | Workload      |
-| [hostAliases is set]                                           | Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started. | Workload      |
-| [User Pods should not be placed in kube-system namespace]      | ensure that User pods are not placed in kube-system namespace                                                                            | Workload      |
-| [Protecting Pod service account tokens]                        | ensure that Pod specifications disable the secret token being mounted by setting automountServiceAccountToken: false                     | Workload      |
-| [Selector usage in network policies]                           | ensure that network policies selectors are applied to pods or namespaces to restricted ingress and egress traffic within the pod network | NetworkPolicy |
-| [limit range usage]                                            | ensure limit range policy has configure in order to limit resource usage for namespaces or nodes                                         | LimitRange    |
-| [resource quota usage]                                         | ensure resource quota policy has configure in order to limit aggregate resource usage within namespace                                   | ResourceQuota |
-| [All container images must start with the *.azurecr.io domain] | Containers should only use images from trusted registries.                                                                               | Workload      |
-| [All container images must start with a GCR domain]            | Containers should only use images from trusted GCR registries.                                                                           | Workload      |
-
-## Pod Security Standard
-
-### Baseline
-
-| NAME                               | DESCRIPTION                                                                                                                                                                                                                                                                              | KINDS    |
-|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| [Access to host IPC namespace]     | Sharing the host’s IPC namespace allows container processes to communicate with processes on the host.                                                                                                                                                                                   | Workload |
-| [Access to host network]           | Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.                                                                                                                                                    | Workload |
-| [Access to host PID]               | Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration.                                                                                                                                   | Workload |
-| [Privileged container]             | Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.                                                                                                           | Workload |
-| [Non-default capabilities added]   | Adding NET_RAW or capabilities beyond the default set must be disallowed.                                                                                                                                                                                                                | Workload |
-| [hostPath volumes mounted]         | HostPath volumes must be forbidden.                                                                                                                                                                                                                                                      | Workload |
-| [Access to host ports]             | HostPorts should be disallowed, or at minimum restricted to a known list.                                                                                                                                                                                                                | Workload |
-| [Default AppArmor profile not set] | A program inside the container can bypass AppArmor protection policies.                                                                                                                                                                                                                  | Workload |
-| [SELinux custom options set]       | Setting a custom SELinux user or role option should be forbidden.                                                                                                                                                                                                                        | Workload |
-| [Non-default /proc masks set]      | The default /proc masks are set up to reduce attack surface, and should be required.                                                                                                                                                                                                     | Workload |
-| [Unsafe sysctl options set]        | Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. | Workload |
-
-### Restricted
-
-| NAME                                      | DESCRIPTION                                                                                                                                      | KINDS    |
-|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| [Non-ephemeral volume types used]         | In addition to restricting HostPath volumes, usage of non-ephemeral volume types should be limited to those defined through PersistentVolumes.   | Workload |
-| [Process can elevate its own privileges]  | A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node. | Workload |
-| [Runs as root user]                       | 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.                                                    | Workload |
-| [A root primary or supplementary GID set] | Containers should be forbidden from running with a root primary or supplementary GID.                                                            | Workload |
-| [Default Seccomp profile not set]         | The RuntimeDefault seccomp profile must be required, or allow specific additional profiles.                                                      | Workload |
-
-
-[CPU not limited]: https://avd.aquasec.com/misconfig/kubernetes/ksv011/
-[CPU requests not specified]: https://avd.aquasec.com/misconfig/kubernetes/ksv015/
-[SYS_ADMIN capability added]: https://avd.aquasec.com/misconfig/kubernetes/ksv005/
-[Default capabilities not dropped]: https://avd.aquasec.com/misconfig/kubernetes/ksv003/
-[Root file system is not read-only]: https://avd.aquasec.com/misconfig/kubernetes/ksv014/
-[Memory not limited]: https://avd.aquasec.com/misconfig/kubernetes/ksv018/
-[Memory requests not specified]: https://avd.aquasec.com/misconfig/kubernetes/ksv016/
-[hostPath volume mounted with docker.sock]: https://avd.aquasec.com/misconfig/kubernetes/ksv006/
-[Runs with low group ID]: https://avd.aquasec.com/misconfig/kubernetes/ksv021/
-[Runs with low user ID]: https://avd.aquasec.com/misconfig/kubernetes/ksv020/
-[Tiller Is Deployed]: https://avd.aquasec.com/misconfig/kubernetes/ksv102/
-[Image tag ':latest' used]: https://avd.aquasec.com/misconfig/kubernetes/ksv013/
-
-[Unused capabilities should be dropped (drop any)]: https://avd.aquasec.com/misconfig/kubernetes/ksv004/
-[hostAliases is set]: https://avd.aquasec.com/misconfig/kubernetes/ksv007/
-[User Pods should not be placed in kube-system namespace]: https://avd.aquasec.com/misconfig/kubernetes/ksv037/
-[Protecting Pod service account tokens]: https://avd.aquasec.com/misconfig/kubernetes/ksv036/
-[Selector usage in network policies]: https://avd.aquasec.com/misconfig/kubernetes/ksv038/
-[limit range usage]: https://avd.aquasec.com/misconfig/kubernetes/ksv039/
-[resource quota usage]: https://avd.aquasec.com/misconfig/kubernetes/ksv040/
-[All container images must start with the *.azurecr.io domain]: https://avd.aquasec.com/misconfig/kubernetes/ksv032/
-[All container images must start with a GCR domain]: https://avd.aquasec.com/misconfig/kubernetes/ksv033/
-
-[Access to host IPC namespace]: https://avd.aquasec.com/misconfig/kubernetes/ksv008/
-[Access to host network]: https://avd.aquasec.com/misconfig/kubernetes/ksv009/
-[Access to host PID]: https://avd.aquasec.com/misconfig/kubernetes/ksv010/
-[Privileged container]: https://avd.aquasec.com/misconfig/kubernetes/ksv017/
-[Non-default capabilities added]: https://avd.aquasec.com/misconfig/kubernetes/ksv022/
-[hostPath volumes mounted]: https://avd.aquasec.com/misconfig/kubernetes/ksv023/
-[Access to host ports]: https://avd.aquasec.com/misconfig/kubernetes/ksv024/
-[Default AppArmor profile not set]: https://avd.aquasec.com/misconfig/kubernetes/ksv002/
-[SELinux custom options set]: https://avd.aquasec.com/misconfig/kubernetes/ksv025/
-[Non-default /proc masks set]: https://avd.aquasec.com/misconfig/kubernetes/ksv027/
-[Unsafe sysctl options set]: https://avd.aquasec.com/misconfig/kubernetes/ksv026/
-
-[Non-ephemeral volume types used]: https://avd.aquasec.com/misconfig/kubernetes/ksv028/
-[Process can elevate its own privileges]: https://avd.aquasec.com/misconfig/kubernetes/ksv001/
-[Runs as root user]: https://avd.aquasec.com/misconfig/kubernetes/ksv012/
-[A root primary or supplementary GID set]: https://avd.aquasec.com/misconfig/kubernetes/ksv029/
-[Default Seccomp profile not set]: https://avd.aquasec.com/misconfig/kubernetes/ksv030/

docs/docs/kubernetes/operator/configuration-auditing/index.md

@@ -1,18 +0,0 @@
-# Configuration Auditing
-
-As your organization deploys containerized workloads in Kubernetes environments, you will be faced with many
-configuration choices related to images, containers, control plane, and data plane. Setting these configurations
-improperly creates a high-impact security and compliance risk. DevOps, and platform owners need the ability to
-continuously assess build artifacts, workloads, and infrastructure against configuration hardening standards to
-remediate any violations.
-
-trivy-operator configuration audit capabilities are purpose-built for Kubernetes environments. In particular, trivy
-Operator continuously checks images, workloads, and Kubernetes infrastructure components against common configurations
-security standards and generates detailed assessment reports, which are then stored in the default Kubernetes database.
-
-Kubernetes applications and other core configuration objects, such as Ingress, NetworkPolicy and ResourceQuota resources, are evaluated against [Built-in Policies]. 
-Additionally, application and infrastructure owners can integrate these reports into incident response workflows for
-active remediation.
-
-[Built-in Policies]: ./built-in-policies.md
-

docs/docs/kubernetes/operator/configuration.md

@@ -1,100 +0,0 @@
-# Configuration
-
-You can configure Trivy-Operator to control it's behavior and adapt it to your needs. Aspects of the operator machinery are configured using environment variables on the operator Pod, while aspects of the scanning behavior are controlled by ConfigMaps and Secrets.
-
-# Operator Configuration
-
-| NAME| DEFAULT| DESCRIPTION|
-|---|---|---|
-| `OPERATOR_NAMESPACE`| N/A| See [Install modes](#install-modes)|
-| `OPERATOR_TARGET_NAMESPACES`| N/A| See [Install modes](#install-modes)|
-| `OPERATOR_EXCLUDE_NAMESPACES`| N/A| A comma separated list of namespaces (or glob patterns) to be excluded from scanning in all namespaces [Install mode](#install-modes).|
-| `OPERATOR_SERVICE_ACCOUNT`| `trivy-operator`| The name of the service account assigned to the operator's pod|
-| `OPERATOR_LOG_DEV_MODE`| `false`| The flag to use (or not use) development mode (more human-readable output, extra stack traces and logging information, etc).|
-| `OPERATOR_SCAN_JOB_TIMEOUT`| `5m`| The length of time to wait before giving up on a scan job|
-| `OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT`| `10`| The maximum number of scan jobs create by the operator|
-| `OPERATOR_SCAN_JOB_RETRY_AFTER`| `30s`| The duration to wait before retrying a failed scan job|
-| `OPERATOR_BATCH_DELETE_LIMIT`| `10`| The maximum number of config audit reports deleted by the operator when the plugin's config has changed.|
-| `OPERATOR_BATCH_DELETE_DELAY`| `10s`| The duration to wait before deleting another batch of config audit reports.|
-| `OPERATOR_METRICS_BIND_ADDRESS`| `:8080`| The TCP address to bind to for serving [Prometheus][prometheus] metrics. It can be set to `0` to disable the metrics serving.|
-| `OPERATOR_HEALTH_PROBE_BIND_ADDRESS`| `:9090`| The TCP address to bind to for serving health probes, i.e. `/healthz/` and `/readyz/` endpoints.|
-| `OPERATOR_VULNERABILITY_SCANNER_ENABLED`| `true`| The flag to enable vulnerability scanner|
-| `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`| `false`| The flag to enable configuration audit scanner|
-| `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`| `false`| The flag to enable config audit scanner to only scan the current revision of a deployment|
-| `OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN`| `true`| The flag to enable built-in configuration audit scanner|
-| `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`| `false`| The flag to enable vulnerability scanner to only scan the current revision of a deployment|
-| `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL`| `""`| The flag to set how long a vulnerability report should exist. When a old report is deleted a new one will be created by the controller. It can be set to `""` to disabled the TTL for vulnerability scanner. |
-| `OPERATOR_LEADER_ELECTION_ENABLED`| `false`| The flag to enable operator replica leader election|
-| `OPERATOR_LEADER_ELECTION_ID`| `trivy-operator-lock`| The name of the resource lock for leader election|
-
-The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determine the install mode, which in turn determines the multitenancy support of the operator.
-
-| MODE| OPERATOR_NAMESPACE | OPERATOR_TARGET_NAMESPACES | DESCRIPTION|
-|---|---|---|---|
-| OwnNamespace| `operators`| `operators`| The operator can be configured to watch events in the namespace it is deployed in.                             |
-| SingleNamespace| `operators`| `foo`| The operator can be configured to watch for events in a single namespace that the operator is not deployed in. |
-| MultiNamespace| `operators`| `foo,bar,baz`| The operator can be configured to watch for events in more than one namespace.                                 |
-| AllNamespaces| `operators`| (blank string)| The operator can be configured to watch for events in all namespaces.|
-
-## Example - configure namespaces to scan
-
-To change the target namespace from all namespaces to the `default` namespace edit the `trivy-operator` Deployment and change the value of the `OPERATOR_TARGET_NAMESPACES` environment variable from the blank string (`""`) to the `default` value.
-
-# Scanning configuration
-
-| CONFIGMAP KEY| DEFAULT| DESCRIPTION|
-|---|---|---|
-| `vulnerabilityReports.scanner`| `Trivy`| The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`.|
-| `vulnerabilityReports.scanJobsInSameNamespace` | `"false"`| Whether to run vulnerability scan jobs in same namespace of workload. Set `"true"` to enable.|
-| `scanJob.tolerations`| N/A| JSON representation of the [tolerations] to be applied to the scanner pods so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'`|
-| `scanJob.annotations`| N/A| One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` |
-| `scanJob.templateLabel`| N/A| One-line comma-separated representation of the template labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`|
-
-## Example - patch ConfigMap
-
-By default Trivy displays vulnerabilities with all severity levels (`UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`). To display only `HIGH` and `CRITICAL` vulnerabilities by patching the `trivy.severity` value in the `trivy-operator-trivy-config` ConfigMap:
-
-```bash
-kubectl patch cm trivy-operator-trivy-config -n trivy-operator \
-  --type merge \
-  -p "$(cat <<EOF
-{
-  "data": {
-    "trivy.severity": "HIGH,CRITICAL"
-  }
-}
-EOF
-)"
-```
-
-## Example - patch Secret
-
-To set the GitHub token used by Trivy scanner add the `trivy.githubToken` value to the `trivy-operator-trivy-config` Secret:
-
-```bash
-kubectl patch secret trivy-operator-trivy-config -n trivy-operator \
-  --type merge \
-  -p "$(cat <<EOF
-{
-  "data": {
-    "trivy.githubToken": "$(echo -n <your token> | base64)"
-  }
-}
-EOF
-)"
-```
-
-## Example - delete a key
-
-The following `kubectl patch` command deletes the `trivy.httpProxy` key:
-
-```bash
-kubectl patch cm trivy-operator-trivy-config -n trivy-operator \
-  --type json \
-  -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]'
-```
-
-[tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
-
-
-[prometheus]: https://github.com/prometheus

docs/docs/kubernetes/operator/getting-started.md

@@ -1,195 +0,0 @@
-# Getting Started
-
-## Before you Begin
-
-You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your
-cluster. If you do not already have a cluster, you can create one by installing [minikube], [kind] or [microk8s], or you can use the following [Kubernetes playground].
-
-You also need the Trivy-Operator to be installed in the `trivy-system` namespace, e.g. with
-[kubectl](./installation/kubectl.md) or [Helm](./installation/helm.md). Let's also assume that the operator is
-configured to discover built-in Kubernetes resources in all namespaces, except `kube-system` and `trivy-system`.
-
-## Workloads Scanning
-
-Let's create the `nginx` Deployment that we know is vulnerable:
-
-```
-kubectl create deployment nginx --image nginx:1.16
-```
-
-When the `nginx` Deployment is created, the operator immediately detects its current revision (aka active ReplicaSet)
-and scans the `nginx:1.16` image for vulnerabilities. It also audits the ReplicaSet's specification for common pitfalls
-such as running the `nginx` container as root.
-
-If everything goes fine, the operator saves scan reports as VulnerabilityReport and ConfigAuditReport resources in the
-`default` namespace. Reports are named after the scanned ReplicaSet. For image vulnerability scans, the operator creates
-a VulnerabilityReport for each different container. In this example there is just one container image called `nginx`:
-
-```
-kubectl get vulnerabilityreports -o wide
-```
-<details>
-<summary>Result</summary>
-
-```
-NAME                                REPOSITORY      TAG    SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
-replicaset-nginx-78449c65d4-nginx   library/nginx   1.16   Trivy     85s   33         62     49       114   1
-```
-</details>
-
-```
-kubectl get configauditreports -o wide
-```
-<details>
-<summary>Result</summary>
-
-```
-NAME                          SCANNER     AGE    CRITICAL  HIGH   MEDIUM   LOW
-replicaset-nginx-78449c65d4   Trivy-Operator   2m7s   0         0      6        7
-```
-</details>
-
-Notice that scan reports generated by the operator are controlled by Kubernetes workloads. In our example,
-VulnerabilityReport and ConfigAuditReport resources are controlled by the active ReplicaSet of the `nginx` Deployment:
-
-```console
-kubectl tree deploy nginx
-```
-
-<details>
-<summary>Result</summary>
-
-```
-NAMESPACE  NAME                                                       READY  REASON  AGE
-default    Deployment/nginx                                           -              7h2m
-default    └─ReplicaSet/nginx-78449c65d4                              -              7h2m
-default      ├─ConfigAuditReport/replicaset-nginx-78449c65d4          -              2m31s
-default      ├─Pod/nginx-78449c65d4-5wvdx                             True           7h2m
-default      └─VulnerabilityReport/replicaset-nginx-78449c65d4-nginx  -              2m7s
-```
-</details>
-
-!!! note
-    The [tree] command is a kubectl plugin to browse Kubernetes object hierarchies as a tree.
-
-Moving forward, let's update the container image of the `nginx` Deployment from `nginx:1.16` to `nginx:1.17`. This will
-trigger a rolling update of the Deployment and eventually create another ReplicaSet.
-
-```
-kubectl set image deployment nginx nginx=nginx:1.17
-```
-
-Even this time the operator will pick up changes and rescan our Deployment with updated configuration:
-
-```
-kubectl tree deploy nginx
-```
-
-<details>
-<summary>Result</summary>
-
-```
-NAMESPACE  NAME                                                       READY  REASON  AGE
-default    Deployment/nginx                                           -              7h5m
-default    ├─ReplicaSet/nginx-5fbc65fff                               -              2m36s
-default    │ ├─ConfigAuditReport/replicaset-nginx-5fbc65fff           -              2m36s
-default    │ ├─Pod/nginx-5fbc65fff-j7zl2                              True           2m36s
-default    │ └─VulnerabilityReport/replicaset-nginx-5fbc65fff-nginx   -              2m22s
-default    └─ReplicaSet/nginx-78449c65d4                              -              7h5m
-default      ├─ConfigAuditReport/replicaset-nginx-78449c65d4          -              5m46s
-default      └─VulnerabilityReport/replicaset-nginx-78449c65d4-nginx  -              5m22s
-```
-</details>
-
-By following this guide you could realize that the operator knows how to attach VulnerabilityReport and
-ConfigAuditReport resources to build-in Kubernetes objects. What's more, in this approach where a custom resource
-inherits a life cycle of the built-in resource we could leverage Kubernetes garbage collection. For example, when the
-previous ReplicaSet named `nginx-78449c65d4` is deleted the VulnerabilityReport named `replicaset-nginx-78449c65d4-nginx`
-as well as the ConfigAuditReport named `replicaset-nginx-78449c65d46` are automatically garbage collected.
-
-!!! tip
-    If you only want the latest ReplicaSet in your Deployment to be scanned for vulnerabilities, you can set the value
-    of the `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `true` in the operator's
-    deployment descriptor. This is useful to identify vulnerabilities that impact only the running workloads.
-
-!!! tip
-    If you only want the latest ReplicaSet in your Deployment to be scanned for config audit, you can set the value
-    of the `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `true` in the operator's
-    deployment descriptor. This is useful to identify config issues that impact only the running workloads.
-
-!!! tip
-    You can get and describe `vulnerabilityreports` and `configauditreports` as built-in Kubernetes objects:
-    ```
-    kubectl get vulnerabilityreport replicaset-nginx-5fbc65fff-nginx -o json
-    kubectl describe configauditreport replicaset-nginx-5fbc65fff
-    ```
-
-Notice that scaling up the `nginx` Deployment will not schedule new scans because all replica Pods refer to the same Pod
-template defined by the `nginx-5fbc65fff` ReplicaSet.
-
-```
-kubectl scale deploy nginx --replicas 3
-```
-
-```
-kubectl tree deploy nginx
-```
-
-<details>
-<summary>Result</summary>
-
-```
-NAMESPACE  NAME                                                       READY  REASON  AGE
-default    Deployment/nginx                                           -              7h6m
-default    ├─ReplicaSet/nginx-5fbc65fff                               -              4m7s
-default    │ ├─ConfigAuditReport/replicaset-nginx-5fbc65fff           -              4m7s
-default    │ ├─Pod/nginx-5fbc65fff-458n7                              True           8s
-default    │ ├─Pod/nginx-5fbc65fff-fk847                              True           8s
-default    │ ├─Pod/nginx-5fbc65fff-j7zl2                              True           4m7s
-default    │ └─VulnerabilityReport/replicaset-nginx-5fbc65fff-nginx   -              3m53s
-default    └─ReplicaSet/nginx-78449c65d4                              -              7h6m
-default      ├─ConfigAuditReport/replicaset-nginx-78449c65d4          -              7m17s
-default      └─VulnerabilityReport/replicaset-nginx-78449c65d4-nginx  -              6m53s
-```
-</details>
-
-Finally, when you delete the `nginx` Deployment, orphaned security reports will be deleted in the background by the
-Kubernetes garbage collection controller.
-
-```
-kubectl delete deploy nginx
-```
-
-```console
-kubectl get vuln,configaudit
-```
-
-<details>
-<summary>Result</summary>
-
-```
-No resources found in default namespace.
-```
-</details>
-
-!!! Tip
-    Use `vuln` and `configaudit` as short names for `vulnerabilityreports` and `configauditreports` resources.
-
-!!! Note
-    You can define the validity period for VulnerabilityReports by setting the duration as the value of the
-    `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL` environment variable. For example, setting the value to `24h`
-    would delete reports after 24 hours. When a VulnerabilityReport gets deleted Trivy-Operator will automatically
-
-
-
-## What's Next?
-
-- Find out how the operator scans workloads that use container images from [Private Registries].
-- By default, the operator uses Trivy as [Vulnerability Scanner] and Polaris as [Configuration Checker], but you can
-  choose other tools that are integrated with Trivy-Operator or even implement you own plugin.
-
-[minikube]: https://minikube.sigs.k8s.io/docs/
-[kind]: https://kind.sigs.k8s.io/docs/
-[microk8s]: https://microk8s.io/
-[Kubernetes playground]: http://labs.play-with-k8s.com/
-[tree]: https://github.com/ahmetb/kubectl-tree

docs/docs/kubernetes/operator/images/trivy-operator-icon-white.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 22 22"><path d="M19.90856,11.37359l-.94046,1.16318.04433.42088a.66075.66075,0,0,1,.00653.25385l-.00778.04071a.66193.66193,0,0,1-.08906.21314c-.01313.01986-.027.03932-.0384.0537l-4.57928,5.69351a.70189.70189,0,0,1-.53066.25266l-7.34439-.00171a.70458.70458,0,0,1-.52974-.25154L1.32209,13.51754a.64957.64957,0,0,1-.096-.16658.71032.71032,0,0,1-.02863-.08952.66205.66205,0,0,1-.00515-.30511l1.6348-7.10077a.66883.66883,0,0,1,.1355-.274.65915.65915,0,0,1,.22568-.17666L9.80881,2.24386a.69063.69063,0,0,1,.29475-.0667l.00515.0002.03424.00112a.68668.68668,0,0,1,.25649.06544l6.61569,3.161a.66765.66765,0,0,1,.21678.165.675.675,0,0,1,.14909.29139l.60521,2.64815,1.1606-.20569-.61853-2.70614a1.85372,1.85372,0,0,0-1.00544-1.25474l-6.616-3.16113a1.84812,1.84812,0,0,0-.67883-.17726l-.03061-.00218c-.02692-.00125-.05416-.00152-.05851-.00152L10.10146,1a1.87317,1.87317,0,0,0-.80022.18175l-6.62038,3.161a1.83083,1.83083,0,0,0-.62572.48916,1.84956,1.84956,0,0,0-.37523.75964L.04518,12.69226a1.84474,1.84474,0,0,0,.00956.8516,1.88289,1.88289,0,0,0,.07772.24244,1.826,1.826,0,0,0,.27219.46878L4.98281,19.9503a1.8815,1.8815,0,0,0,1.4473.6903l7.34394.00172a1.87874,1.87874,0,0,0,1.4475-.69182l4.58278-5.698c.03609-.04578.07026-.093.10252-.14243a1.82018,1.82018,0,0,0,.25207-.59695c.00805-.03517.01484-.07079.021-.10773a1.8273,1.8273,0,0,0-.02032-.71135Z" style="fill:#fff"/><polygon points="9.436 4.863 9.332 11.183 12.92 10.115 9.436 4.863" style="fill:#fff"/><polygon points="7.913 11.605 8.265 11.5 8.617 11.395 8.629 11.392 8.74 4.605 8.753 3.838 8.384 4.915 8.015 5.994 5.964 11.986 6.684 11.971 7.913 11.605" style="fill:#fff"/><polygon points="5.738 13.279 5.888 12.956 6.014 12.685 5.723 12.691 5.352 12.699 5.06 12.705 1.918 12.771 4.498 15.952 5.588 13.603 5.738 13.279" style="fill:#fff"/><polygon points="14.026 10.516 13.675 10.621 13.324 10.725 9.32 11.917 8.969 12.021 8.617 12.126 8.604 12.13 8.252 12.235 7.9 12.339 7.593 12.431 7.894 12.688 8.238 12.982 8.583 13.277 8.598 13.289 8.943 13.584 9.288 13.879 9.61 14.154 9.896 14.398 10.183 14.643 14.064 17.958 22 8.143 14.026 10.516" style="fill:#fff"/><polygon points="9.273 14.787 9.229 14.749 8.943 14.505 8.928 14.492 8.583 14.197 8.567 14.183 8.222 13.889 7.877 13.594 7.362 13.154 7.086 12.919 6.81 12.683 6.794 12.669 6.641 12.998 6.488 13.328 6.468 13.371 6.318 13.694 6.168 14.017 4.989 16.557 4.989 16.558 4.99 16.558 4.992 16.559 5.341 16.638 5.691 16.716 12.164 18.175 12.895 18.339 13.625 18.504 9.516 14.994 9.273 14.787" style="fill:#fff"/></svg>

docs/docs/kubernetes/operator/index.md

@@ -1,15 +1,14 @@
 # Trivy Operator  
 
-Trivy has a native [Kubernetes Operator](operator) which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources](crd). It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
+Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
 
-> Trivy Operator is based on existing Aqua OSS project - [Starboard], and shares some of the design, principles and code with it. Existing content that relates to Starboard Operator might also be relevant for Trivy Operator. To learn more about the transition from Starboard from Trivy, see the [announcement discussion](starboard-announcement).
+
+> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
 
 <figure>
-  <img src="./images/operator/trivy-operator-workloads.png" />
   <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
 </figure>
 
 [operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
 [crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
-[Starboard]: https://github.com/aquasecurity/starboard
-[starboard-announcement]: https://github.com/aquasecurity/starboard/discussions/1173
+[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

docs/docs/kubernetes/operator/installation/helm.md

@@ -1,90 +0,0 @@
-# Helm
-
-[Helm], which is a popular package manager for Kubernetes, allows installing applications from parameterized
-YAML manifests called Helm [charts].
-
-The Helm chart is available on GitHub in [https://github.com/aquasecurity/trivy-operator](https://github.com/aquasecurity/trivy-operator) under `/deploy/helm` and is also hosted in a Chart repository for your convenience under [https://aquasecurity.github.io/helm-charts/](https://aquasecurity.github.io/helm-charts/).
-
-## Example - Chart repository
-
-This will install the operator in the `trivy-system` namespace and configure it to scan all namespaces, except `kube-system` and `trivy-system`:
-
-```bash
-helm repo add aqua https://aquasecurity.github.io/helm-charts/
-helm repo update
-helm install trivy-operator aqua/trivy-operator \
-   --namespace trivy-system \
-   --create-namespace \
-   --set="trivy.ignoreUnfixed=true" \
-   --version {{ var.operator_version }}
-```
-
-## Example - Download the chart
-
-This will install the operator in the `trivy-system` namespace and configure it to scan all namespaces, except `kube-system` and `trivy-system`:
-
-```bash
-git clone --depth 1 --branch {{ var.operator_version }} https://github.com/aquasecurity/trivy-operator.git
-cd trivy-operator
-helm install trivy-operator ./deploy/helm \
---namespace trivy-system \
---create-namespace \
---set="trivy.ignoreUnfixed=true"
-```
-
-## Post install sanity check
-
-Check that the `trivy-operator` Helm release is created in the `trivy-system` namespace, and it has status `deployed`:
-
-```console
-$ helm list -n trivy-system
-NAME              	NAMESPACE         	REVISION	UPDATED                             	STATUS  	CHART                   	APP VERSION
-trivy-operator	trivy-system	1       	2021-01-27 20:09:53.158961 +0100 CET	deployed	trivy-operator-{{ var.operator_version }}	{{  var.operator_version[1:] }}
-```
-
-To confirm that the operator is running, check that the `trivy-operator` Deployment in the `trivy-system`
-namespace is available and all its containers are ready:
-
-```console
-$ kubectl get deployment -n trivy-system
-NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
-trivy-operator   1/1     1            1           11m
-```
-
-If for some reason it's not ready yet, check the logs of the Deployment for errors:
-
-```
-kubectl logs deployment/trivy-operator -n trivy-system
-```
-
-## Advanced Configuration
-
-The Helm chart supports all available [installation modes](./../configuration.md#install-modes) of Trivy Operator. 
-
-Please refer to the chart's [values] file for configuration options.
-
-## Uninstall
-
-You can uninstall the operator with the following command:
-
-```
-helm uninstall trivy-operator -n trivy-system
-```
-
-You have to manually delete custom resource definitions created by the `helm install` command:
-
-!!! danger
-    Deleting custom resource definitions will also delete all security reports generated by the operator.
-
-    ```
-    kubectl delete crd vulnerabilityreports.aquasecurity.github.io
-    kubectl delete crd clustervulnerabilityreports.aquasecurity.github.io
-    kubectl delete crd configauditreports.aquasecurity.github.io
-    kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
-    kubectl delete crd clustercompliancereports.aquasecurity.github.io
-    kubectl delete crd clustercompliancedetailreports.aquasecurity.github.io
-    ```
-
-[Helm]: https://helm.sh/
-[charts]: https://helm.sh/docs/topics/charts/
-[values]: https://raw.githubusercontent.com/aquasecurity/trivy-operator/{{  var.operator_version }}/deploy/helm/values.yaml

docs/docs/kubernetes/operator/installation/kubectl.md

@@ -1,45 +0,0 @@
-# kubectl
-
-Kubernetes Yaml deployment files are available on GitHub in [https://github.com/aquasecurity/trivy-operator](https://github.com/aquasecurity/trivy-operator) under `/deploy/static`.
-
-## Example - Deploy from GitHub
-
-This will install the operator in the `trivy-system` namespace and configure it to scan all namespaces, except `kube-system` and `trivy-system`:
-
-```bash
-kubectl apply -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/{{ var.operator_version }}/deploy/static/trivy-operator.yaml
-```
-
-To confirm that the operator is running, check that the `trivy-operator` Deployment in the `trivy-system`
-namespace is available and all its containers are ready:
-
-```bash
-$ kubectl get deployment -n trivy-system
-NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
-trivy-operator   1/1     1            1           11m
-```
-
-If for some reason it's not ready yet, check the logs of the `trivy-operator` Deployment for errors:
-
-```bash
-kubectl logs deployment/trivy-operator -n trivy-system
-```
-
-## Advanced Configuration
-
-You can configure Trivy-Operator to control it's behavior and adapt it to your needs. Aspects of the operator machinery are configured using environment variables on the operator Pod, while aspects of the scanning behavior are controlled by ConfigMaps and Secrets.
-To learn more, please refer to the [Configuration](config) documentation.
-
-## Uninstall
-
-!!! danger
-    Uninstalling the operator and deleting custom resource definitions will also delete all generated security reports.
-
-You can uninstall the operator with the following command:
-
-```
-kubectl delete -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/{{  var.operator_version }}/deploy/static/trivy-operator.yaml
-```
-
-[Settings]: ./../../settings.md
-[Helm]: ./helm.md

docs/docs/kubernetes/operator/installation/upgrade.md

@@ -1,10 +0,0 @@
-# Upgrade
-
-We recommend that you upgrade Trivy Operator often to stay up to date with the latest fixes and enhancements.
-
-However, at this stage we do not provide automated upgrades. Therefore, uninstall the previous version of the operator
-before you install the latest release.
-
-!!! warning
-    Consult release notes and changelog to revisit and migrate configuration settings which may not be compatible
-    between different versions.

docs/docs/kubernetes/operator/troubleshooting.md

@@ -1,106 +0,0 @@
-# Troubleshooting the Trivy Operator
-
-The Trivy Operator installs several Kubernetes resources into your Kubernetes cluster.
-
-Here are the common steps to check whether the operator is running correctly and to troubleshoot common issues.
-
-So in addition to this section, you might want to check [issues](https://github.com/aquasecurity/trivy/issues), [discussion forum](https://github.com/aquasecurity/trivy/discussions), or [Slack](https://slack.aquasec.com) to see if someone from the community had similar problems before.
-
-Also note that Trivy Operator is based on existing Aqua OSS project - [Starboard], and shares some of the design, principles and code with it. Existing content that relates to Starboard Operator might also be relevant for Trivy Operator, and Starboard's [issues](https://github.com/aquasecurity/starboard/issues), [discussion forum](https://github.com/aquasecurity/starboard/discussions), or [Slack](https://slack.aquasec.com) might also be interesting to check.  
-In some cases you might want to refer to [Starboard's Design documents](https://aquasecurity.github.io/starboard/latest/design/)
-
-## Installation
-
-Make sure that the latest version of the Trivy Operator is installed. For this, have a look at the installation [options.](./installation/helm.md)
-
-For instance, if your are using the Helm deployment, you need to check the Helm Chart version deployed to your cluster. You can check the Helm Chart version with the following command:
-```
-helm list -n trivy-operator
-```
-
-## Operator Pod Not Running
-
-The Trivy Operator will run a pod inside your cluster. If you have followed the installation guide, you will have installed the Operator to the `trivy-system`.
-
-Make sure that the pod is in the `Running` status:
-```
-kubectl get pods -n trivy-system
-```
-
-This is how it will look if it is running okay:
-
-```
-NAMESPACE            NAME                                         READY   STATUS    RESTARTS      AGE
-trivy-operator     trivy-operator-6c9bd97d58-hsz4g          1/1     Running   5 (19m ago)   30h
-```
-
-If the pod is in `Failed`, `Pending`, or `Unknown` check the events and the logs of the pod.
-
-First, check the events, since they might be more descriptive of the problem. However, if the events do not give a clear reason why the pod cannot spin up, then you want to check the logs, which provide more detail.
-
-```
-kubectl describe pod <POD-NAME> -n trivy-system
-```
-
-To check the logs, use the following command:
-```
-kubectl logs deployment/trivy-operator -n trivy-system
-```
-
-If your pod is not running, try to look for errors as they can give an indication on the problem.
-
-If there are too many logs messages, try deleting the Trivy pod and observe its behavior upon restarting. A new pod should spin up automatically after deleting the failed pod.
-
-## ImagePullBackOff or ErrImagePull
-
-Check the status of the Trivy Operator pod running inside of your Kubernetes cluster. If the Status is ImagePullBackOff or ErrImagePull, it means that the Operator either
-
-* tries to access the wrong image
-* cannot pull the image from the registry
-
-Make sure that you are providing the right resources upon installing the Trivy Operator.
-
-## CrashLoopBackOff
-
-If your pod is in `CrashLoopBackOff`, it is likely the case that the pod cannot be scheduled on the Kubernetes node that it is trying to schedule on.
-In this case, you want to investigate further whether there is an issue with the node. It could for instance be the case that the node does not have sufficient resources.
-
-## Reconcilation Error
-
-It could happen that the pod appears to be running normally but does not reconcile the resources inside of your Kubernetes cluster.
-
-Check the logs for reconcilation errors:
-```
-kubectl logs deployment/trivy-operator -n trivy-system
-```
-
-If this is the case, the Trivy Operator likely does not have the right configurations to access your resource. 
-
-## Operator does not Create VulnerabilityReports
-
-VulnerabilityReports are owned and controlled by the immediate Kubernetes workload. Every VulnerabilityReport of a pod is thus, linked to a [ReplicaSet.](./index.md) In case the Trivy Operator does not create a VulnerabilityReport for your workloads, it could be that it is not monitoring the namespace that your workloads are running on.
-
-An easy way to check this is by looking for the `ClusterRoleBinding` for the Trivy Operator:
-
-```
-kubectl get ClusterRoleBinding | grep "trivy-operator"
-```
-
-Alternatively, you could use the `kubectl-who-can` [plugin by Aqua](https://github.com/aquasecurity/kubectl-who-can):
-
-```console
-$ kubectl who-can list vulnerabilityreports
-No subjects found with permissions to list vulnerabilityreports assigned through RoleBindings
-
-CLUSTERROLEBINDING                           SUBJECT                         TYPE            SA-NAMESPACE
-cluster-admin                                system:masters                  Group
-trivy-operator                           trivy-operator              ServiceAccount  trivy-system
-system:controller:generic-garbage-collector  generic-garbage-collector       ServiceAccount  kube-system
-system:controller:namespace-controller       namespace-controller            ServiceAccount  kube-system
-system:controller:resourcequota-controller   resourcequota-controller        ServiceAccount  kube-system
-system:kube-controller-manager               system:kube-controller-manager  User
-```
-
-If the `ClusterRoleBinding` does not exist, Trivy currently cannot monitor any namespace outside of the `trivy-system` namespace. 
-
-For instance, if you are using the [Helm Chart](./installation/helm.md), you want to make sure to set the `targetNamespace` to the namespace that you want the Operator to monitor.

docs/docs/kubernetes/operator/vulnerability-scanning/configuration.md

@@ -1,109 +0,0 @@
-# Vulnerability Scanning Configuration
-
-## Standalone
-
-The default configuration settings enable Trivy `vulnerabilityReports.scanner` in [`Standalone`][trivy-standalone]
-`trivy.mode`. Even though it doesn't require any additional setup, it's the least efficient method. Each Pod created
-by a scan Job has the init container that downloads the Trivy vulnerabilities database from the GitHub releases page
-and stores it in the local file system of the [emptyDir volume]. This volume is then shared with containers that perform
-the actual scanning. Finally, the Pod is deleted along with the emptyDir volume.
-
-![](./../images/design/trivy-standalone.png)
-
-The number of containers defined by a scan Job equals the number of containers defined by the scanned Kubernetes
-workload, so the cache in this mode is useful only if the workload defines multiple containers.
-
-Beyond that, frequent downloads from GitHub might lead to a [rate limiting] problem. The limits are imposed by GitHub on
-all anonymous requests originating from a given IP. To mitigate such problems you can add the `trivy.githubToken` key to
-the `trivy-operator` secret.
-
-```bash
-
-kubectl patch secret trivy-operator-trivy-config -n trivy-operator \
-  --type merge \
-  -p "$(cat <<EOF
-{
-  "data": {
-    "trivy.githubToken": "$(echo -n <GITHUB_TOKEN> | base64)"
-  }
-}
-EOF
-)"
-```
-
-## ClientServer
-
-You can connect Trivy to an external Trivy server by changing the default `trivy.mode` from
-[`Standalone`][trivy-standalone] to [`ClientServer`][trivy-clientserver] and specifying `trivy.serverURL`.
-
-```bash
-kubectl patch cm trivy-operator-trivy-config -n trivy-operator \
-  --type merge \
-  -p "$(cat <<EOF
-{
-  "data": {
-    "trivy.mode":      "ClientServer",
-    "trivy.serverURL": "<TRIVY_SERVER_URL>"
-  }
-}
-EOF
-)"
-```
-
-The Trivy server could be your own deployment, or it could be an external service. See [Trivy server][trivy-clientserver] documentation for more information.
-
-If the server requires access token and/or custom HTTP authentication headers, you may add `trivy.serverToken` and `trivy.serverCustomHeaders` properties to the Trivy Operator secret.
-
-```bash
-kubectl patch secret trivy-operator-trivy-config -n trivy-operator \
-  --type merge \
-  -p "$(cat <<EOF
-{
-  "data": {
-    "trivy.serverToken":         "$(echo -n <SERVER_TOKEN> | base64)",
-    "trivy.serverCustomHeaders": "$(echo -n x-api-token:<X_API_TOKEN> | base64)"
-  }
-}
-EOF
-)"
-```
-
-![](./../images/design/trivy-clientserver.png)
-
-## Settings
-
-| CONFIGMAP KEY| DEFAULT| DESCRIPTION|
-|---|---|---|
-| `trivy.imageRef`| `docker.io/aquasec/trivy:0.25.2`| Trivy image reference|
-| `trivy.dbRepository`| `ghcr.io/aquasecurity/trivy-db`| External OCI Registry to download the vulnerability database|
-| `trivy.mode`| `Standalone`| Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required.                              |
-| `trivy.severity`| `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy|
-| `trivy.ignoreUnfixed`| N/A| Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it.|
-| `trivy.skipFiles`| N/A| A comma separated list of file paths for Trivy to skip traversal.|
-| `trivy.skipDirs`| N/A| A comma separated list of directories for Trivy to skip traversal.|
-| `trivy.ignoreFile`| N/A| It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy.|
-| `trivy.timeout`| `5m0s`| The duration to wait for scan completion|
-| `trivy.serverURL`| N/A| The endpoint URL of the Trivy server. Required in `ClientServer` mode.|
-| `trivy.serverTokenHeader`| `Trivy-Token`| The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified.|
-| `trivy.serverInsecure`| N/A| The Flag to enable insecure connection to the Trivy server.|
-| `trivy.insecureRegistry.<id>`| N/A| The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`.|
-| `trivy.nonSslRegistry.<id>`| N/A| A registry without SSL. There can be multiple registries with different registry `<id>`.|
-| `trivy.registry.mirror.<registry>` | N/A| Mirror for the registry `<registry>`, e.g. `trivy.registry.mirror.index.docker.io: mirror.io` would use `mirror.io` to get images originated from `index.docker.io` |
-| `trivy.httpProxy`| N/A| The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.|
-| `trivy.httpsProxy`| N/A| The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.|
-| `trivy.noProxy`| N/A| A comma separated list of IPs and domain names that are not subject to proxy settings.|
-| `trivy.resources.requests.cpu`| `100m`| The minimum amount of CPU required to run Trivy scanner pod.|
-| `trivy.resources.requests.memory`| `100M`| The minimum amount of memory required to run Trivy scanner pod.|
-| `trivy.resources.limits.cpu`| `500m`| The maximum amount of CPU allowed to run Trivy scanner pod.|
-| `trivy.resources.limits.memory`| `500M`| The maximum amount of memory allowed to run Trivy scanner pod.|
-
-| SECRET KEY| DESCRIPTION|
-|---|---|
-| `trivy.githubToken`| The GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in `Standalone` mode. |
-| `trivy.serverToken`| The token to authenticate Trivy client with Trivy server. Only applicable in `ClientServer` mode.|
-| `trivy.serverCustomHeaders`| A comma separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in `ClientServer` mode.|
-
-[trivy-standalone]: https://aquasecurity.github.io/trivy/latest/modes/standalone/
-[emptyDir volume]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
-[rate limiting]: https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#rate-limiting
-[trivy-clientserver]: https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/

docs/docs/kubernetes/operator/vulnerability-scanning/faq.md

@@ -1,29 +0,0 @@
-# Frequently Asked Questions
-
-## Why do you duplicate instances of VulnerabilityReports for the same image digest?
-
-Docker image reference is not a first class citizen in Kubernetes. It's a
-property of the container definition. Trivy-operator relies on label selectors to
-associate VulnerabilityReports with corresponding Kubernetes workloads, not
-particular image references. For example, we can get all reports for the
-wordpress Deployment with the following command:
-
-```text
-kubectl get vulnerabilityreports \
-  -l trivy-operator.resource.kind=Deployment \
-  -l trivy-operator.resource.name=wordpress
-```
-
-Beyond that, for each instance of the VulnerabilityReports we set the owner
-reference pointing to the corresponding pods controller. By doing that we can
-manage orphaned VulnerabilityReports and leverage Kubernetes garbage collection.
-For example, if the `wordpress` Deployment is deleted, all related
-VulnerabilityReports are automatically garbage collected.
-
-## Why do you create an instance of the VulnerabilityReport for each container?
-The idea is to partition VulnerabilityReports generated for a particular
-Kubernetes workload by containers is to mitigate the risk of exceeding the etcd
-request payload limit. By default, the payload of each Kubernetes object stored
-etcd is subject to 1.5 MiB.
-
-

docs/docs/kubernetes/operator/vulnerability-scanning/index.md

@@ -1,20 +0,0 @@
-# Vulnerability Scanners
-
-Vulnerability scanning is an important way to identify and remediate security gaps in Kubernetes workloads. The
-process involves scanning container images to check all software on them and report any vulnerabilities found.
-
-Trivy Operator automatically discovers and scans all images that are being used in a Kubernetes cluster, including
-images of application pods and system pods. Scan reports are saved as [VulnerabilityReport] resources, which are owned
-by a Kubernetes controller.
-
-For example, when Trivy scans a Deployment, the corresponding VulnerabilityReport instance is attached to its
-current revision. In other words, the VulnerabilityReport inherits the life cycle of the Kubernetes controller. This
-also implies that when a Deployment is rolling updated, it will get scanned automatically, and a new instance of the
-VulnerabilityReport will be created and attached to the new revision. On the other hand, if the previous revision is
-deleted, the corresponding VulnerabilityReport will be deleted automatically by the Kubernetes garbage collector.
-
-Trivy may scan Kubernetes workloads that run images from [Private Registries] and certain [Managed Registries].
-
-[Trivy]: ./trivy.md
-[Private Registries]: ./managed-registries.md
-[Managed Registries]: ./managed-registries.md

docs/docs/kubernetes/operator/vulnerability-scanning/managed-registries.md

@@ -1,77 +0,0 @@
-## Amazon Elastic Container Registry (ECR)
-
-You must create an IAM OIDC identity provider for your cluster:
-
-```
-eksctl utils associate-iam-oidc-provider \
-  --cluster <cluster_name> \
-  --approve
-```
-
-Override the existing `trivy-operator` service account and
-attach the IAM policy to grant it permission to pull images from the ECR:
-
-```
-eksctl create iamserviceaccount \
-  --name trivy-operator \
-  --namespace trivy-operator \
-  --cluster <cluster_name> \
-  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
-  --approve \
-  --override-existing-serviceaccounts
-```
-
-## Azure Container Registry (ACR)
-
-Before you can start, you need to install `aad-pod-identity` inside your cluster, see installation instructions:
-https://azure.github.io/aad-pod-identity/docs/getting-started/installation/
-
-Create a managed identity and assign the permission to the ACR.
-```sh
-export IDENTITY_NAME=trivy-operator-identity
-export AZURE_RESOURCE_GROUP=<my_resource_group>
-export AZURE_LOCATION=westeurope
-export ACR_NAME=<my_azure_container_registry>
-
-az identity create --name ${IDENTITY_NAME} --resource-group ${AZURE_RESOURCE_GROUP} --location ${AZURE_LOCATION}
-
-export IDENTITY_ID=(az identity show --name ${IDENTITY_NAME} --resource-group ${AZURE_RESOURCE_GROUP} --query id -o tsv)
-export IDENTITY_CLIENT_ID=$(az identity show --name ${IDENTITY_NAME} --resource-group ${AZURE_RESOURCE_GROUP} --query clientId -o tsv)
-export ACR_ID=$(az acr show --name ${ACR_NAME} --query id -o tsv)
-
-az role assignment create --assignee ${IDENTITY_CLIENT_ID} --role 'AcrPull' --scope ${ACR_ID}
-```
-
-create an `AzureIdentity` and `AzureIdentityBinding` resource inside your kubernetes cluster:
-```yaml
-apiVersion: aadpodidentity.k8s.io/v1
-kind: AzureIdentity
-metadata:
-  name: trivy-identity
-  namespace: trivy-operator
-spec:
-  clientID: ${IDENTITY_ID}
-  resourceID: ${IDENTITY_CLIENT_ID}
-  type: 0
-```
-
-```yaml
- apiVersion: aadpodidentity.k8s.io/v1
- kind: AzureIdentityBinding
- metadata:
-   name: trivy-id-binding
-   namespace: trivy-operator
- spec:
-   azureIdentity: trivy-operator-identity
-   selector: trivy-operator-label
-```
-
-add `scanJob.podTemplateLabels` to the Trivy Operator config map, the value must match the `AzureIdentityBinding` selector.
-
-```sh
-kubectl -n trivy-operator edit cm trivy-operator
-# Insert scanJob.podTemplateLabels: aadpodidbinding=trivy-operator-label in data block
-
-# validate
-trivy-operator config --get scanJob.podTemplateLabels
-```

docs/docs/licenses/scanning.md

@@ -0,0 +1,320 @@
+# License Scanning
+
+Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
+
+License are classified using the [Google License Classification][google-license-classification] -
+
+ - Forbidden
+ - Restricted 
+ - Reciprocal
+ - Notice
+ - Permissive
+ - Unencumbered
+ - Unknown
+
+!!! tip
+    Licenses that Trivy fails to recognize are classified as UNKNOWN.
+    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
+
+By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
+To enable extended license scanning, you can use `--license-full`.
+In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
+
+!!! note
+    The full license scanning is expensive. It takes a while.
+
+Currently, the standard license scanning doesn't support filesystem and repository scanning.
+
+|   License scnanning   | Image | Rootfs    | Filesystem | Repository |
+|:---------------------:|:-----:|:---------:|:----------:|:----------:|
+|       Standard        |  ✅   |     ✅    |   -        |      -     |
+| Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
+
+
+License checking classifies the identified licenses and map the classification to severity.
+
+| Classification | Severity |
+|----------------|----------|
+| Forbidden      | CRITICAL |
+| Restricted     | HIGH     |
+| Reciprocal     | MEDIUM   |
+| Notice         | LOW      |
+| Permissive     | LOW      |
+| Unencumbered   | LOW      |
+| Unknown        | UNKNOWN  |
+
+## Quick start
+This section shows how to scan license in container image and filesystem.
+
+### Standard scanning
+Specify an image name with `--security-cheks license`.
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ apk-tools         │         │                │          │
+├───────────────────┤         │                │          │
+│ busybox           │         │                │          │
+├───────────────────┤         │                │          │
+│ musl-utils        │         │                │          │
+├───────────────────┤         │                │          │
+│ scanelf           │         │                │          │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+```
+
+### Full scanning
+Specify `--license-full`
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
+
+┌───────────────────┬───────────────────┬────────────────┬──────────┐
+│      Package      │      License      │ Classification │ Severity │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
+├───────────────────┤                   │                │          │
+│ apk-tools         │                   │                │          │
+├───────────────────┼───────────────────┤                │          │
+│ bash              │ GPL-3.0           │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┤                │          │
+│ libaio            │ LGPL-2.1-or-later │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
+└───────────────────┴───────────────────┴────────────────┴──────────┘
+
+Loose File License(s) (license)
+===============================
+Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
+
+┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
+│ Classification │ Severity │   License    │                        File Location                         │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
+│                │          │              │                                                              │
+│                │          │              │                                                              │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
+│                │          │              │ 41a80.js.LICENSE.txt                                         │
+└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Trivy has number of configuration flags for use with license scanning;
+                                 
+### Ignored Licenses
+
+Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
+
+```shell
+$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 2 (HIGH: 2, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+
+```
+
+### Custom Classification
+You can generate the default config by the `--generate-default-config` flag and customize the license classification.
+For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
+
+```shell
+$ trivy image --generate-default-config
+$ vim trivy.yaml
+license:
+  forbidden:
+  - AGPL-3.0
+  
+  restricted:
+  - AGPL-1.0
+  - CC-BY-NC-1.0
+  - CC-BY-NC-2.0
+  - CC-BY-NC-2.5
+  - CC-BY-NC-3.0
+  - CC-BY-NC-4.0
+  - CC-BY-NC-ND-1.0
+  - CC-BY-NC-ND-2.0
+  - CC-BY-NC-ND-2.5
+  - CC-BY-NC-ND-3.0
+  - CC-BY-NC-ND-4.0
+  - CC-BY-NC-SA-1.0
+  - CC-BY-NC-SA-2.0
+  - CC-BY-NC-SA-2.5
+  - CC-BY-NC-SA-3.0
+  - CC-BY-NC-SA-4.0
+  - Commons-Clause
+  - Facebook-2-Clause
+  - Facebook-3-Clause
+  - Facebook-Examples
+  - WTFPL
+  - BCL
+  - CC-BY-ND-1.0
+  - CC-BY-ND-2.0
+  - CC-BY-ND-2.5
+  - CC-BY-ND-3.0
+  - CC-BY-ND-4.0
+  - CC-BY-SA-1.0
+  - CC-BY-SA-2.0
+  - CC-BY-SA-2.5
+  - CC-BY-SA-3.0
+  - CC-BY-SA-4.0
+  - GPL-1.0
+  - GPL-2.0
+  - GPL-2.0-with-autoconf-exception
+  - GPL-2.0-with-bison-exception
+  - GPL-2.0-with-classpath-exception
+  - GPL-2.0-with-font-exception
+  - GPL-2.0-with-GCC-exception
+  - GPL-3.0
+  - GPL-3.0-with-autoconf-exception
+  - GPL-3.0-with-GCC-exception
+  - LGPL-2.0
+  - LGPL-2.1
+  - LGPL-3.0
+  - NPL-1.0
+  - NPL-1.1
+  - OSL-1.0
+  - OSL-1.1
+  - OSL-2.0
+  - OSL-2.1
+  - OSL-3.0
+  - QPL-1.0
+  - Sleepycat
+  
+  reciprocal:
+  - APSL-1.0
+  - APSL-1.1
+  - APSL-1.2
+  - APSL-2.0
+  - CDDL-1.0
+  - CDDL-1.1
+  - CPL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - FreeImage
+  - IPL-1.0
+  - MPL-1.0
+  - MPL-1.1
+  - MPL-2.0
+  - Ruby
+  
+  notice:
+  - AFL-1.1
+  - AFL-1.2
+  - AFL-2.0
+  - AFL-2.1
+  - AFL-3.0
+  - Apache-1.0
+  - Apache-1.1
+  - Apache-2.0
+  - Artistic-1.0-cl8
+  - Artistic-1.0-Perl
+  - Artistic-1.0
+  - Artistic-2.0
+  - BSL-1.0
+  - BSD-2-Clause-FreeBSD
+  - BSD-2-Clause-NetBSD
+  - BSD-2-Clause
+  - BSD-3-Clause-Attribution
+  - BSD-3-Clause-Clear
+  - BSD-3-Clause-LBNL
+  - BSD-3-Clause
+  - BSD-4-Clause
+  - BSD-4-Clause-UC
+  - BSD-Protection
+  - CC-BY-1.0
+  - CC-BY-2.0
+  - CC-BY-2.5
+  - CC-BY-3.0
+  - CC-BY-4.0
+  - FTL
+  - ISC
+  - ImageMagick
+  - Libpng
+  - Lil-1.0
+  - Linux-OpenIB
+  - LPL-1.02
+  - LPL-1.0
+  - MS-PL
+  - MIT
+  - NCSA
+  - OpenSSL
+  - PHP-3.01
+  - PHP-3.0
+  - PIL
+  - Python-2.0
+  - Python-2.0-complete
+  - PostgreSQL
+  - SGI-B-1.0
+  - SGI-B-1.1
+  - SGI-B-2.0
+  - Unicode-DFS-2015
+  - Unicode-DFS-2016
+  - Unicode-TOU
+  - UPL-1.0
+  - W3C-19980720
+  - W3C-20150513
+  - W3C
+  - X11
+  - Xnet
+  - Zend-2.0
+  - zlib-acknowledgement
+  - Zlib
+  - ZPL-1.1
+  - ZPL-2.0
+  - ZPL-2.1
+  
+  unencumbered:
+  - CC0-1.0
+  - Unlicense
+  - 0BSD
+  
+  permissive: []
+```
+
+
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/misconfiguration/custom/examples.md

@@ -6,7 +6,7 @@ See [here][k8s].
 
 The custom policy is defined in `user.kubernetes.ID001` package.
 You need to pass the package prefix you want to evaluate through `--namespaces` option.
-In this case, the package prefix should be `user`, `user.kuberntes`, or `user.kubernetes.ID001`.
+In this case, the package prefix should be `user`, `user.kubernetes`, or `user.kubernetes.ID001`.
 
 ### Dockerfile
 See [here][dockerfile].

docs/docs/misconfiguration/policy/builtin.md

@@ -16,7 +16,7 @@ Those policies are managed under [defsec repository][defsec].
 
 For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
 
-Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubenetes][kubernetes] checks.
+Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.
 
 Ansible scanning is coming soon.
 

docs/docs/references/cli/client.md

@@ -1,32 +1,69 @@
 # Client
 
 ```bash
-NAME:
-   trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now.
+Usage:
+  [DEPRECATED] trivy client [flags] IMAGE_NAME
 
-USAGE:
-   trivy image --server value
+Aliases:
+  client, c
 
-   trivy client [deprecated command options] image_name
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
 
-DEPRECATED OPTIONS:
-   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value    output file name [$TRIVY_OUTPUT]
-   --exit-code value           Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --ignore-unfixed            display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs              detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --token value               for authentication [$TRIVY_TOKEN]
-   --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
-   --custom-headers value      custom headers [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                  show help (default: false)
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/config.md

@@ -1,29 +1,52 @@
 # Config
 
 ``` bash
-NAME:
-   trivy config - scan config files
+Scan config files for misconfigurations
 
-USAGE:
-   trivy config [command options] dir
+Usage:
+  trivy config [flags] DIR
+
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs string    specify the directories where the traversal is skipped
+      --skip-files string   specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --reset                                        remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --policy value, --config-policy value          specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
-   --data value, --config-data value              specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --file-patterns value                          specify file patterns [$TRIVY_FILE_PATTERNS]
-   --include-successes                            include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
-   --help, -h                                     show help (default: false)
 ```

docs/docs/references/cli/fs.md

@@ -1,42 +1,80 @@
 # Filesystem
 
 ```bash
-NAME:
-   trivy filesystem - scan local filesystem for language-specific dependencies and config files
+Scan local filesystem
 
-USAGE:
-   trivy filesystem [command options] path
+Usage:
+  trivy filesystem [flags] PATH
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                              cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                          OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value                             specify the file paths to skip traversal                                        (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped                          (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files         (accepts multiple inputs) [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded  (accepts multiple inputs) [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users")                                              (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
-   --server value                                 server address [$TRIVY_SERVER]
-   --token value                                  for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value                           specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value                         custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                                     show help (default: false)
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/image.md

@@ -1,43 +1,99 @@
 # Image
 
 ```bash
-NAME:
-   trivy image - scan an image
+Scan a container image
 
-USAGE:
-   trivy image [command options] image_name
+Usage:
+  trivy image [flags] IMAGE_NAME
 
-OPTIONS:
-   --template value, -t value       output template [$TRIVY_TEMPLATE]
-   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value         output file name [$TRIVY_OUTPUT]
-   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
-   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value          comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                          deprecated (default: false) [$TRIVY_LIGHT]
-   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --server value                   server address [$TRIVY_SERVER]
-   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value           custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                       show help (default: false)
+Aliases:
+  image, i
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Image Flags
+      --input string   input file path instead of image name
+      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/index.md

@@ -1,32 +1,49 @@
 Trivy has several sub commands, image, fs, repo, client and server.
 
 ``` bash
-NAME:
-   trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
 
-USAGE:
-   trivy [global options] command [command options] target
+Usage:
+  trivy [command]
 
-VERSION:
-   dev
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
 
-COMMANDS:
-   image, i          scan an image
-   filesystem, fs    scan local filesystem for language-specific dependencies and config files
-   rootfs            scan rootfs
-   repository, repo  scan remote repository
-   server, s         server mode
-   config, conf      scan config files
-   plugin, p         manage plugins
-   kubernetes, k8s   scan kubernetes vulnerabilities and misconfigurations
-   sbom              generate SBOM for an artifact
-   version           print the version
-   help, h           Shows a list of commands or help for one command
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
 
-GLOBAL OPTIONS:
-   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
-   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
-   --cache-dir value  cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR]
-   --help, -h         show help (default: false)
-   --version, -v      print the version (default: false)
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+
+Available Commands:
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  help        Help about any command
+  image       Scan a container image
+  kubectl     scan kubectl resources
+  kubernetes  scan kubernetes cluster
+  module      Manage modules
+  plugin      Manage plugins
+  repository  Scan a remote repository
+  rootfs      Scan rootfs
+  sbom        Scan SBOM for vulnerabilities
+  server      Server mode
+  version     Print the version
+
+Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+  -f, --format string      version format (json)
+  -h, --help               help for trivy
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
+
+Use "trivy [command] --help" for more information about a command.
 ```

docs/docs/references/cli/module.md

@@ -1,17 +1,27 @@
 # Module
 
 ```bash
-NAME:
-   trivy module - manage modules
+Manage modules
 
-USAGE:
-   trivy module command [command options] [arguments...]
+Usage:
+  trivy module [command]
 
-COMMANDS:
-   install, i    install a module
-   uninstall, u  uninstall a module
-   help, h       Shows a list of commands or help for one command
+Aliases:
+  module, m
 
-OPTIONS:
-   --help, -h  show help (default: false)
+Available Commands:
+  install     Install a module
+  uninstall   Uninstall a module
+
+Flags:
+  -h, --help   help for module
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/plugin.md

@@ -1,21 +1,31 @@
 # Plugin
 
 ```bash
-NAME:
-   trivy plugin - manage plugins
+Manage plugins
 
-USAGE:
-   trivy plugin command [command options] plugin_uri
+Usage:
+  trivy plugin [command]
 
-COMMANDS:
-   install, i    install a plugin
-   uninstall, u  uninstall a plugin
-   list, l       list installed plugin
-   info          information about a plugin
-   run, r        run a plugin on the fly
-   update        update an existing plugin
-   help, h       Shows a list of commands or help for one command
+Aliases:
+  plugin, p
 
-OPTIONS:
-   --help, -h  show help (default: false)
+Available Commands:
+  Uninstall   uninstall a plugin
+  info        Show information about the specified plugin
+  install     Install a plugin
+  list        List installed plugin
+  run         Run a plugin on the fly
+  update      Update an existing plugin
+
+Flags:
+  -h, --help   help for plugin
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/repo.md

@@ -1,38 +1,77 @@
 # Repository
 
 ```bash
-NAME:
-   trivy repository - scan remote repository
+Scan a remote repository
 
-USAGE:
-   trivy repository [command options] repo_url
+Usage:
+  trivy repository [flags] REPO_URL
 
-OPTIONS:
-   --template value, -t value       output template [$TRIVY_TEMPLATE]
-   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value         output file name [$TRIVY_OUTPUT]
-   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update             skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value          comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --quiet, -q                      suppress progress bar and log output (default: false) [$TRIVY_QUIET]
-   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --help, -h                       show help (default: false)
+Aliases:
+  repository, repo
+
+Examples:
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/rootfs.md

@@ -1,36 +1,74 @@
 # Rootfs
 
 ```bash
-NAME:
-   trivy rootfs - scan rootfs
+Scan rootfs
 
-USAGE:
-   trivy rootfs [command options] dir
+Usage:
+  trivy rootfs [flags] ROOTDIR
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --help, -h                                     show help (default: false)
+Examples:
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/sbom.md

@@ -1,27 +1,67 @@
 # SBOM
 
 ```bash
-NAME:
-   trivy sbom - generate SBOM for an artifact
+Scan SBOM for vulnerabilities
 
-USAGE:
-   trivy sbom [command options] ARTIFACT
+Usage:
+  trivy sbom [flags] SBOM_PATH
 
-DESCRIPTION:
-   ARTIFACT can be a container image, file path/directory, git repository or container image archive. See examples.
+Examples:
+  # Scan CycloneDX and show the result in tables
+  $ trivy sbom /path/to/report.cdx
 
-OPTIONS:
-   --output value, -o value             output file name [$TRIVY_OUTPUT]
-   --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --offline-scan                       do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --insecure                           allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --skip-files value                   specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                    specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
-   --sbom-format value, --format value  SBOM format (cyclonedx, spdx, spdx-json) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
-   --help, -h                           show help (default: false)
+  # Scan CycloneDX and generate a CycloneDX report
+  $ trivy sbom --format cyclonedx /path/to/report.cdx
+
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/cli/server.md

@@ -1,22 +1,48 @@
 # Server
 
 ```bash
-NAME:
-   trivy server - server mode
+Server mode
 
-USAGE:
-   trivy server [command options] [arguments...]
+Usage:
+  trivy server [flags]
 
-OPTIONS:
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --listen value                   listen address (default: "localhost:4954") [$TRIVY_LISTEN]
-   --help, -h                       show help (default: false)
+Aliases:
+  server, s
+
+Examples:
+  # Run a server
+  $ trivy server
+
+  # Listen on 0.0.0.0:10000
+  $ trivy server --listen 0.0.0.0:10000
+
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Client/Server Flags
+      --listen string         listen address in server mode (default "localhost:4954")
+      --token string          for authentication in client/server mode
+      --token-header string   specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```

docs/docs/references/customization/config-file.md

@@ -0,0 +1,271 @@
+# Config file
+
+Trivy can be customized by tweaking a `trivy.yaml` file. The config path can be overridden by the `--config` flag.
+
+An example is [here][example].
+
+## Global Options
+
+```
+# Same as '--quiet'
+# Default is false
+quiet: false
+
+# Same as '--debug'
+# Default is false
+debug: false
+
+# Same as '--insecure'
+# Default is false
+insecure: false
+
+# Same as '--timeout'
+# Default is '5m'
+timeout: 10m
+
+# Same as '--cache-dir'
+# Default is your system cache dir
+cache-dir: $HOME/.cache/trivy
+```
+
+## Report Options
+
+```
+# Same as '--format'
+# Default is 'table'
+format: table
+
+# Same as '--report' (available with 'trivy k8s')
+# Default is all
+report: all
+
+# Same as '--template'
+# Default is empty
+template: 
+
+# Same as '--dependency-tree'
+# Default is false
+dependency-tree: false
+
+# Same as '--list-all-pkgs'
+# Default is false
+list-all-pkgs: false
+
+# Same as '--ignorefile'
+# Default is '.trivyignore'
+ignorefile: .trivyignore
+
+# Same as '--ignore-policy'
+# Default is empty
+ignore-policy:
+
+# Same as '--exit-code'
+# Default is 0
+exit-code: 0
+
+# Same as '--output'
+# Default is empty (stdout)
+output:
+
+# Same as '--severity'
+# Default is all severities
+severity:
+  - UNKNOWN
+  - LOW
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+```
+
+## Scan Options
+Available in client/server mode
+
+```
+scan:
+  # Same as '--skip-dirs'
+  # Default is empty
+  skip-dirs:
+    - usr/local/
+    - etc/
+  
+  # Same as '--skip-files'
+  # Default is empty
+  skip-files:
+    - package-dev.json
+  
+  # Same as '--offline-scan'
+  # Default is false
+  offline-scan: false
+  
+  # Same as '--security-checks'
+  # Default depends on subcommand
+  security-checks:
+    - vuln
+    - config
+    - secret
+```
+
+## Cache Options
+
+```
+cache:
+  # Same as '--cache-backend'
+  # Default is 'fs' 
+  backend: 'fs'
+  
+  # Same as '--cache-ttl'
+  # Default is 0 (no ttl) 
+  ttl: 0
+  
+  # Redis options
+  redis:
+    # Same as '--redis-ca'
+    # Default is empty
+    ca:
+    
+    # Same as '--redis-cert'
+    # Default is empty
+    cert:
+    
+    # Same as '--redis-key'
+    # Default is empty
+    key:
+```
+
+## DB Options
+
+```
+db:
+  # Same as '--skip-db-update'
+  # Default is false
+  skip-update: false
+  
+  # Same as '--no-progress'
+  # Default is false
+  no-progress: false
+  
+  # Same as '--db-repository'
+  # Default is 'github.com/aquasecurity-trivy-repo'
+  repository: github.com/aquasecurity-trivy-repo
+```
+
+## Image Options
+Available with container image scanning
+
+```
+image:
+  # Same as '--input' (available with 'trivy image')
+  # Default is empty
+  input:
+  
+  # Same as '--removed-pkgs'
+  # Default is false
+  removed-pkgs: false
+```
+
+## Vulnerability Options
+Available with vulnerability scanning
+
+```
+vulnerability:
+  # Same as '--vuln-type'
+  # Default is 'os,library'
+  type:
+    - os
+    - library
+  
+  # Same as '--ignore-unfixed'
+  # Default is false
+  ignore-unfixed: false
+```
+
+## Secret Options
+Available with secret scanning
+
+```
+secret:
+  # Same as '--secret-config'
+  # Default is 'trivy-secret.yaml'
+  config: config/trivy/secret.yaml
+```
+
+
+## Misconfiguration Options
+Available with misconfiguration scanning
+
+```
+misconfiguration:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+  
+  # Same as '--include-non-failures'
+  # Default is false
+  include-non-failures: false
+  
+  # Same as '--trace'
+  # Default is false
+  trace: false
+  
+  # Same as '--config-policy'
+  # Default is empty
+  policy:
+    - policy/repository
+    - policy/custom
+    
+  # Same as '--config-data'
+  # Default is empty
+  data:
+    - data/
+    
+  # Same as '--policy-namespaces'
+  # Default is empty
+  namespaces:
+    - opa.examples
+    - users
+```
+
+## Kubernetes Options
+Available with Kubernetes scanning
+
+```
+kubernetes:
+  # Same as '--context'
+  # Default is empty
+  context:
+  
+  # Same as '--namespace'
+  # Default is empty
+  namespace:
+```
+
+## Client/Server Options
+Available in client/server mode
+
+```
+server:
+  # Same as '--server' (available in client mode)
+  # Default is empty
+  addr: http://localhost:4954
+  
+  # Same as '--token'
+  # Default is empty
+  token: "something-secret"
+  
+  # Same as '--token-header'
+  # Default is 'Trivy-Token'
+  token-header: 'My-Token-Header'
+  
+  # Same as '--custom-headers'
+  # Default is empty
+  custom-headers:
+    - scanner: trivy
+    - x-api-token: xxx
+    
+  # Same as '--listen' (available in server mode)
+  # Default is 'localhost:4954'
+  listen: 0.0.0.0:10000
+```
+
+[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

docs/docs/references/customization/envs.md

@@ -0,0 +1,17 @@
+# Environment variables
+
+Trivy can be customized by environment variables.
+The environment variable key is the flag name converted by the following procedure.
+
+- Add `TRIVY_` prefix
+- Make it all uppercase
+- Replace `-` with `_`
+
+For example, 
+
+- `--debug` => `TRIVY_DEBUG`
+- `--cache-dir` => `TRIVY_CACHE_DIR`
+
+```
+$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
+```

docs/docs/references/troubleshooting.md

@@ -106,7 +106,19 @@ If trivy is running behind corporate firewall, you have to add the following url
 !!! error
     --skip-update cannot be specified with the old DB schema.
 
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][../advanced/air-gap.md].
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+
+### Multiple Trivy servers
+
+!!! error
+    ```
+    $ trivy image --server http://xxx.com:xxxx test-image
+    ...
+    - twirp error internal: failed scan, test-image: failed to apply layers: layer cache missing: sha256:*****
+    ```
+To run multiple Trivy servers, you need to use Redis as the cache backend so that those servers can share the cache. 
+Follow [this instruction][redis-cache] to do so.
+
 
 ## Homebrew
 ### Scope error
@@ -157,4 +169,5 @@ Try again with `--reset` option:
 $ trivy image --reset
 ```
 
-[air-gapped]: ../how-to-guides/air-gap.md
+[air-gapped]: ../advanced/air-gap.md
+[redis-cache]: ../../vulnerability/examples/cache/#cache-backend

docs/docs/sbom/cyclonedx.md

@@ -1,5 +1,6 @@
 # CycloneDX
 
+## Reporting
 Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.
 
@@ -230,4 +231,32 @@ $ cat result.json | jq .
 
 </details>
 
+## Scanning
+Trivy can take CycloneDX as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
+
+cyclonedx.json (alpine 3.7.1)
+=========================
+Total: 3 (CRITICAL: 3)
+
+┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
+└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+!!! note
+    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+
 [cyclonedx]: https://cyclonedx.org/

docs/docs/sbom/index.md

@@ -1,6 +1,7 @@
 # SBOM
 
-Trivy currently supports the following SBOM formats.
+## Reporting
+Trivy can generate the following SBOM formats.
 
 - [CycloneDX][cyclonedx]
 - [SPDX][spdx]
@@ -11,10 +12,8 @@ To generate SBOM, you can use the `--format` option for each subcommand such as
 $ trivy image --format cyclonedx --output result.json alpine:3.15
 ```
 
-In addition, you can use the `trivy sbom` subcommand.
-
 ```
-$ trivy sbom alpine:3.15
+$ trivy fs --format cyclonedx --output result.json /app/myproject
 ```
 
 <details>
@@ -177,18 +176,37 @@ $ trivy sbom alpine:3.15
 
 </details>
 
-`fs`, `repo` and `archive` also work with `sbom` subcommand.
+## Scanning
+Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.
 
+- CycloneDX
+
+To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
+
+cyclonedx.json (alpine 3.7.1)
+=========================
+Total: 3 (CRITICAL: 3)
+
+┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
+└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 ```
-# filesystem
-$ trivy sbom --artifact-type fs /path/to/project
 
-# repository
-$ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
 
-# container image archive
-$ trivy sbom --artifact-type archive alpine.tar
-```
+!!! note
+    CycloneDX XML and SPDX are not supported at the moment.
 
 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md

docs/docs/vulnerability/detection/data-source.md

@@ -1,11 +1,10 @@
 # OS
 
 | OS                 | Source                                      |
-| ---------------| ---------------------------------------- |
+|--------------------|---------------------------------------------|
 | Arch Linux         | [Vulnerable Issues][arch]                   |
 | Alpine Linux       | [secdb][alpine]                             |
-| Amazon Linux 1 | [Amazon Linux Security Center][amazon1]  |
-| Amazon Linux 2 | [Amazon Linux Security Center][amazon2]  |
+| Amazon Linux       | [Amazon Linux Security Center][amazon]      |
 | Debian             | [Security Bug Tracker][debian-tracker]      |
 |                    | [OVAL][debian-oval]                         |
 | Ubuntu             | [Ubuntu CVE Tracker][ubuntu]                |
@@ -57,8 +56,7 @@ The severity is from the selected data source. If the data source does not provi
 
 [arch]: https://security.archlinux.org/
 [alpine]: https://secdb.alpinelinux.org/
-[amazon1]: https://alas.aws.amazon.com/
-[amazon2]: https://alas.aws.amazon.com/alas2.html
+[amazon]: https://alas.aws.amazon.com/
 [debian-tracker]: https://security-tracker.debian.org/tracker/
 [debian-oval]: https://www.debian.org/security/oval/
 [ubuntu]: https://ubuntu.com/security/cve

docs/docs/vulnerability/detection/language.md

@@ -3,7 +3,7 @@
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
 | Language | File                    | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
+| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
 | Ruby     | Gemfile.lock            |     -     |     -      |        ✅        |        ✅        | included         |
 |          | gemspec                 |     ✅     |     ✅      |        -        |        -        | included         |
 | Python   | Pipfile.lock            |     -     |     -      |        ✅        |        ✅        | excluded         |
@@ -14,9 +14,11 @@
 | PHP      | composer.lock           |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
 | Node.js  | package-lock.json       |     -     |     -      |        ✅        |        ✅        | excluded         |
 |          | yarn.lock               |     -     |     -      |        ✅        |        ✅        | included         |
+|          | pnpm-lock.yaml          |     -     |     -      |        ✅        |        ✅        | excluded         |
 |          | package.json            |     ✅     |     ✅      |        -        |        -        | excluded         |
 | .NET     | packages.lock.json      |     ✅     |     ✅      |        ✅        |        ✅        | included         |
 |          | packages.config         |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+|          | .deps.json              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
 | Java     | JAR/WAR/PAR/EAR[^3][^4] |     ✅     |     ✅      |        -        |        -        | included         |
 |          | pom.xml[^5]             |     -     |     -      |        ✅        |        ✅        | excluded         |
 | Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |

docs/docs/vulnerability/detection/os.md

@@ -12,7 +12,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Rocky Linux                      | 8                                         | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                                | Installed by yum/rpm          |                  NO                  |
 | CBL-Mariner                      | 1.0, 2.0                                  | Installed by yum/rpm          |                 YES                  |
-| Amazon Linux                     | 1, 2                                      | Installed by yum/rpm          |                  NO                  |
+| Amazon Linux                     | 1, 2, 2022                                | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                    | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                                | Installed by zypper/rpm       |                  NO                  |
 | Photon OS                        | 1.0, 2.0, 3.0, 4.0                        | Installed by tdnf/yum/rpm     |                  NO                  |

docs/docs/vulnerability/distributions.md

@@ -6,7 +6,7 @@ The following table provides an outline of the features Trivy offers.
 
 | Version | Container image | Virtual machine | Distroless |  Multi-arch  | Unfixed support |
 |---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
-| 1.0     |        ✔        |        ✔        |            | amd64, arm64 |        ✔        |
+| 1.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
 | 2.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
 
 ### Examples

docs/docs/vulnerability/examples/report.md

@@ -15,7 +15,7 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is available with the `--format table` flag only.
+This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
 
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -63,33 +63,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 !!! note
     Only Node.js (package-lock.json) is supported at the moment.
 
-## JSON
-Similar structure is included in JSON output format
-```json
-          "VulnerabilityID": "CVE-2022-0235",
-          "PkgID": "node-fetch@1.7.3",
-          "PkgName": "node-fetch",
-          "PkgParents": [
-            {
-              "ID": "isomorphic-fetch@2.2.1",
-              "Parents": [
-                {
-                  "ID": "fbjs@0.8.18",
-                  "Parents": [
-                    {
-                      "ID": "styled-components@3.1.3"
-                    }
-                  ]
-                }
-              ]
-            }
-          ],
-
-```
-
-!!! caution
-As of May 2022 the feature is supported for `npm` dependency parser only
-
 ## JSON
 
 ```

docs/docs/vulnerability/scanning/git-repository.md

@@ -112,7 +112,7 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 |                     |                  |          |                   |                        | 2.11.3. The ReDOS...                  |
 +---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
 | py                  | CVE-2020-29651   | HIGH     | 1.8.0             |                        | python-py: ReDoS in the py.path.svnwc |
-|                     |                  |          |                   |                        | component via mailicious input        |
+|                     |                  |          |                   |                        | component via malicious input         |
 |                     |                  |          |                   |                        | to blame functionality...             |
 |                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-29651 |
 +---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+

docs/getting-started/overview.md

@@ -4,7 +4,7 @@ Trivy detects three types of security issues:
 
 - [Vulnerabilities][vuln]
     - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - [Misconfigurations][misconf]
     - Kubernetes
     - Docker

docs/index.md

@@ -22,17 +22,21 @@ All you need to do for scanning is to specify a target such as an image name of
     <h1 id="demo">Demo</h1>
 </div>
 
-<figure style="text-aligh: center">
-  <img src="imgs/vuln-demo.gif" width="1000">
+<figure style="text-align: center">
+  <video width="1000">
+    <source src="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" type="video/mp4" />
+  </video>
   <figcaption>Demo: Vulnerability Detection</figcaption>
 </figure>
 
-<figure style="text-aligh: center">
-  <img src="imgs/misconf-demo.gif" width="1000">
+<figure style="text-align: center">
+  <video width="1000">
+    <source src="https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov" type="video/mp4" />
+  </video>
   <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>
 
-<figure style="text-aligh: center">
+<figure style="text-align: center">
   <img src="imgs/secret-demo.gif" width="1000">
   <figcaption>Demo: Secret Detection</figcaption>
 </figure>

examples/misconf/custom-policy/dockerfile/policy/from.rego

@@ -11,7 +11,7 @@ __rego_metadata__ := {
 __rego_input__ := {"selector": [{"type": "dockerfile"}]}
 
 deny[res] {
-	add := input.stages[_][_]
+	add := input.Stages[_].Commands[_]
 	add.Cmd == "add"
 	startswith(add.Value[0], "http://")
 

examples/misconf/custom-policy/dockerfile/policy/from_test.rego

@@ -1,21 +1,21 @@
 package user.dockerfile.ID002
 
 test_http_denied {
-	r := deny with input as {"stages": {"alpine:3.13": [
+	r := deny with input as {"Stages": [{"Name": "alpine:3.31", "Commands": [
 		{"Cmd": "from", "Value": ["alpine:3.13"]},
 		{"Cmd": "add", "Value": ["http://example.com/big.tar.xz", "/usr/src/things/"]},
 		{"Cmd": "run", "Value": ["tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things"]},
-	]}}
+	]}]}
 
 	count(r) == 1
 	r[_] == "HTTP not allowed: 'http://example.com/big.tar.xz'"
 }
 
 test_http_allowed {
-	r := deny with input as {"stages": {"alpine:3.13": [
+	r := deny with input as {"Stages": [{"Name": "alpine:3.31", "Commands": [
 		{"Cmd": "from", "Value": ["alpine:3.13"]},
 		{"Cmd": "add", "Value": ["https://example.com/big.tar.xz", "/usr/src/things/"]},
-	]}}
+	]}]}
 
 	count(r) == 0
 }

examples/misconf/go-testing/go.mod

@@ -3,6 +3,5 @@ module github.com/aquasecurity/trivy/examples/misconf/go-testing
 go 1.16
 
 require (
-	github.com/aquasecurity/fanal v0.0.0-20210710080753-f728f1973410
 	github.com/stretchr/testify v1.7.0
 )

examples/misconf/go-testing/go.sum

@@ -156,8 +156,6 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/
 github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/fanal v0.0.0-20210710080753-f728f1973410 h1:b6yRcMDPpkI1S4VLiROgwgXmusvgX8LtgRzAnKd9HSw=
-github.com/aquasecurity/fanal v0.0.0-20210710080753-f728f1973410/go.mod h1:zl2aczB7UrczEeMgKTRH6Xp/Lf+gxf0W7kXRjaOubrU=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62 h1:aahEMQZXrwhpCMlDgXi2d7jJVNDTpYGJOgLyNptGQoY=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
 github.com/aquasecurity/testdocker v0.0.0-20210106133225-0b17fe083674/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=

examples/misconf/go-testing/main_test.go

@@ -7,8 +7,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/fanal/external"
-	"github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/fanal/external"
+	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
 func TestPolicy(t *testing.T) {

examples/trivy-conf/trivy.yaml

@@ -0,0 +1,24 @@
+timeout: 10m
+format: json
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+output: result.json
+severity:
+  - HIGH
+  - CRITICAL
+scan:
+  skip-dirs:
+    - /lib64
+    - /lib
+    - /usr/lib
+    - /usr/include
+
+  security-checks:
+    - vuln
+    - secret
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true

go.mod

@@ -6,74 +6,88 @@ require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v1.1.1
+	github.com/alicebob/miniredis/v2 v2.22.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20220615115521-e411bc995c6d
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220607141748-ab2deea55bdf
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220626060741-179d0b167e5f
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/table v1.5.1
-	github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220613131930-79b2cb425b18
+	github.com/aquasecurity/table v1.6.0
+	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
+	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
+	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220623094029-353ad52f879b
 	github.com/caarlos0/env/v6 v6.9.3
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.8
-	github.com/docker/docker v20.10.16+incompatible
+	github.com/containerd/containerd v1.6.6
+	github.com/docker/docker v20.10.17+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.13.0
+	github.com/go-enry/go-license-detector/v4 v4.3.0
 	github.com/go-redis/redis/v8 v8.11.5
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
+	github.com/google/licenseclassifier/v2 v2.0.0-pre5
 	github.com/google/uuid v1.3.0
 	github.com/google/wire v0.5.0
-	github.com/hashicorp/go-getter v1.6.1
+	github.com/hashicorp/go-getter v1.6.2
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
-	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/mailru/easyjson v0.7.6
+	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
+	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/memoryfs v1.4.2
+	github.com/liamg/tml v0.6.0
+	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.41.0
-	github.com/owenrumney/go-sarif/v2 v2.1.1
+	github.com/open-policy-agent/opa v0.42.0
+	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
-	github.com/samber/lo v1.21.0
-	github.com/stretchr/testify v1.7.2
+	github.com/samber/lo v1.24.0
+	github.com/sosedoff/gitkit v0.3.0
+	github.com/spf13/cobra v1.5.0
+	github.com/spf13/pflag v1.0.5
+	github.com/spf13/viper v1.8.1
+	github.com/stretchr/testify v1.8.0
 	github.com/testcontainers/testcontainers-go v0.13.0
-	github.com/tetratelabs/wazero v0.0.0-20220606011721-119b069ba23e
+	github.com/tetratelabs/wazero v0.0.0-20220701105919-891761ac1ee2
 	github.com/twitchtv/twirp v8.1.2+incompatible
-	github.com/urfave/cli/v2 v2.8.1
 	github.com/xlab/treeprint v1.1.0
+	go.etcd.io/bbolt v1.3.6
 	go.uber.org/zap v1.21.0
 	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
+	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df
 	google.golang.org/protobuf v1.28.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 )
 
 require (
-	cloud.google.com/go v0.99.0 // indirect
+	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go/compute v1.6.1 // indirect
+	cloud.google.com/go/iam v0.3.0 // indirect
 	cloud.google.com/go/storage v1.14.0 // indirect
-	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.27
+	github.com/Azure/go-autorest/autorest/adal v0.9.20
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/BurntSushi/toml v1.1.0 // indirect
-	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible // indirect
+	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/squirrel v1.5.2 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.9.2 // indirect
+	github.com/Microsoft/hcsshim v0.9.3 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
@@ -83,55 +97,48 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.68.1 // indirect
+	github.com/aquasecurity/defsec v0.68.6
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/aws/aws-sdk-go v1.44.25 // indirect
+	github.com/aws/aws-sdk-go v1.44.46
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/briandowns/spinner v1.12.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
-	github.com/container-orchestrated-devices/container-device-interface v0.3.1 // indirect
-	github.com/containerd/cgroups v1.0.3 // indirect
-	github.com/containerd/console v1.0.3 // indirect
-	github.com/containerd/containerd v1.6.4 // indirect
+	github.com/containerd/cgroups v1.0.4 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/go-cni v1.1.6 // indirect
-	github.com/containerd/imgcrypt v1.1.5-0.20220421044638-8ba028dca028 // indirect
-	github.com/containerd/nerdctl v0.20.0 // indirect
-	github.com/containerd/stargz-snapshotter v0.11.4 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
 	github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
-	github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67 // indirect
-	github.com/containernetworking/cni v1.1.1 // indirect
-	github.com/containers/ocicrypt v1.1.3 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-minhash v0.0.0-20170608043002-7fe510aff544 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v20.10.16+incompatible // indirect
+	github.com/docker/cli v20.10.17+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
+	github.com/ekzhu/minhash-lsh v0.0.0-20171225071031-5c06ee8586a1 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
-	github.com/go-git/go-git/v5 v5.4.2 // indirect
+	github.com/go-git/go-git/v5 v5.4.2
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
@@ -139,6 +146,8 @@ require (
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.8.2 // indirect
+	github.com/gofrs/uuid v4.0.0+incompatible // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -147,7 +156,7 @@ require (
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -158,74 +167,65 @@ require (
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.12.0 // indirect
+	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/ipfs/go-cid v0.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.4 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/klauspost/compress v1.15.1 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.6 // indirect
-	github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21 // indirect
-	github.com/knqyf263/nested v0.0.1 // indirect
+	github.com/klauspost/compress v1.15.6 // indirect
+	github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
+	github.com/knqyf263/nested v0.0.1
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/liamg/iamgo v0.0.6 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/liamg/memoryfs v1.4.2
-	github.com/liamg/tml v0.6.0
 	github.com/lib/pq v1.10.4 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/pkcs11 v1.1.1 // indirect
-	github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/buildkit v0.10.3 // indirect
+	github.com/moby/buildkit v0.10.3
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/mount v0.3.2 // indirect
-	github.com/moby/sys/mountinfo v0.6.1 // indirect
+	github.com/moby/sys/mount v0.3.3 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/mr-tron/base58 v1.2.0 // indirect
-	github.com/multiformats/go-base32 v0.0.3 // indirect
-	github.com/multiformats/go-base36 v0.1.0 // indirect
-	github.com/multiformats/go-multibase v0.0.3 // indirect
-	github.com/multiformats/go-multihash v0.0.15 // indirect
-	github.com/multiformats/go-varint v0.0.6 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 // indirect
-	github.com/opencontainers/runc v1.1.2 // indirect
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
+	github.com/opencontainers/runc v1.1.3 // indirect
 	github.com/opencontainers/runtime-spec v1.0.3-0.20220311020903-6969a0a09ab1 // indirect
-	github.com/opencontainers/runtime-tools v0.0.0-20190417131837-cd1349b7c47e // indirect
 	github.com/opencontainers/selinux v1.10.1 // indirect
 	github.com/owenrumney/squealer v1.0.1-0.20220510063705-c0be93f0edea // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
@@ -235,55 +235,67 @@ require (
 	github.com/rubenv/sql-migrate v1.1.1 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e // indirect
+	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
 	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spdx/tools-golang v0.3.0
-	github.com/spf13/cast v1.4.1 // indirect
-	github.com/spf13/cobra v1.4.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	github.com/stretchr/objx v0.3.0 // indirect
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
-	github.com/tidwall/gjson v1.14.1 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/spf13/afero v1.8.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/subosito/gotenv v1.4.0 // indirect
 	github.com/ulikunitz/xz v0.5.8 // indirect
-	github.com/urfave/cli v1.22.9 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vektah/gqlparser/v2 v2.4.4 // indirect
+	github.com/vektah/gqlparser/v2 v2.4.5 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
+	github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9
-	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/net v0.0.0-20220516133312-45b265872317 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
-	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
-	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
+	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect
+	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
+	golang.org/x/text v0.3.7
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
-	google.golang.org/api v0.62.0 // indirect
+	gonum.org/v1/gonum v0.7.0 // indirect
+	google.golang.org/api v0.81.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220426171045-31bebdecfb46 // indirect
+	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
 	google.golang.org/grpc v1.47.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.66.4 // indirect
+	gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools v2.2.0+incompatible
+	gotest.tools/v3 v3.2.0 // indirect
+	helm.sh/helm/v3 v3.9.0 // indirect
+	k8s.io/api v0.24.2 // indirect
+	k8s.io/apiextensions-apiserver v0.24.0 // indirect
+	k8s.io/apimachinery v0.24.2 // indirect
+	k8s.io/apiserver v0.24.1 // indirect
+	k8s.io/cli-runtime v0.24.2 // indirect
+	k8s.io/client-go v0.24.2 // indirect
+	k8s.io/component-base v0.24.2 // indirect
+	k8s.io/klog/v2 v2.60.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
+	k8s.io/kubectl v0.24.2 // indirect
 	lukechampine.com/uint128 v1.1.1 // indirect
 	modernc.org/cc/v3 v3.36.0 // indirect
 	modernc.org/ccgo/v3 v3.16.6 // indirect
@@ -294,25 +306,7 @@ require (
 	modernc.org/sqlite v1.17.3 // indirect
 	modernc.org/strutil v1.1.1 // indirect
 	modernc.org/token v1.0.0 // indirect
-)
-
-require (
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.9.0 // indirect
-	k8s.io/api v0.24.1 // indirect
-	k8s.io/apiextensions-apiserver v0.24.0 // indirect
-	k8s.io/apimachinery v0.24.1 // indirect
-	k8s.io/apiserver v0.24.1 // indirect
-	k8s.io/cli-runtime v0.24.1 // indirect
-	k8s.io/client-go v0.24.1 // indirect
-	k8s.io/component-base v0.24.1 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
-	k8s.io/kubectl v0.24.1 // indirect
-	oras.land/oras-go v1.1.1 // indirect
+	oras.land/oras-go v1.2.0 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/kustomize/api v0.11.4 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
@@ -320,9 +314,9 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
-replace (
-	// containerd main
-	github.com/containerd/containerd => github.com/containerd/containerd v1.6.1-0.20220606171923-c1bcabb45419
 // See https://github.com/moby/moby/issues/42939#issuecomment-1114255529
-	github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
-)
+replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
+
+// v1.2.0 is taken from github.com/open-policy-agent/opa v0.42.0
+// v1.2.0 incompatible with github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
+replace oras.land/oras-go => oras.land/oras-go v1.1.1

goreleaser-canary.yml

@@ -0,0 +1,31 @@
+project_name: trivy_canary_build
+builds:
+  -
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X main.version={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  -
+    format: tar.gz
+    name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
+    replacements:
+      amd64: 64bit
+      arm64: ARM64
+      darwin: macOS
+      linux: Linux
+    files:
+      - README.md
+      - LICENSE
+      - contrib/*.tpl

helm/trivy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.14
-appVersion: 0.27.0
+version: 0.4.16
+appVersion: 0.29.2
 description: Trivy helm chart
 keywords:
   - scanner

helm/trivy/README.md

@@ -18,7 +18,7 @@ This chart bootstraps a Trivy deployment on a [Kubernetes](http://kubernetes.io)
 - Kubernetes 1.12+
 - Helm 3+
 
-## Installing from the the Aqua Chart Repository
+## Installing from the Aqua Chart Repository
 
 ```
 helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
@@ -69,6 +69,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set.                    |      |
 | `trivy.serviceAccount.annotations`        | Additional annotations to add to the Kubernetes service account resource |     |
 | `trivy.skipUpdate`                    | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
+| `trivy.dbRepository`                  | OCI repository to retrieve the trivy vulnerability database from        | `ghcr.io/aquasecurity/trivy-db`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
@@ -101,5 +102,5 @@ This chart uses a PersistentVolumeClaim to reduce the number of database downloa
 
 ## Caching
 
-You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitname chart](https://bitnami.com/stack/redis/helm).
+You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitnami chart](https://bitnami.com/stack/redis/helm).
 More Information about the caching backends can be found [here](https://github.com/aquasecurity/trivy#specify-cache-backend).

helm/trivy/templates/configmap.yaml

@@ -12,6 +12,7 @@ data:
 {{- end }}
   TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
   TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+  TRIVY_DB_REPOSITORY: {{ .Values.trivy.dbRepository | quote }}
 {{- if .Values.httpProxy }}
   HTTP_PROXY: {{ .Values.httpProxy | quote }}
 {{- end }}

helm/trivy/values.yaml

@@ -99,6 +99,8 @@ trivy:
   # If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
   # `/home/scanner/.cache/trivy/db/trivy.db` path (see `cacheDir`).
   skipUpdate: false
+  # OCI repository to retrieve the trivy vulnerability database from
+  dbRepository: ghcr.io/aquasecurity/trivy-db
   # Trivy supports filesystem and redis as caching backend
   # https://github.com/aquasecurity/trivy#specify-cache-backend
   # This location is only used for the cache, not the db storage: https://github.com/aquasecurity/trivy/issues/765#issue-756010345

integration/client_server_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package integration
 
@@ -7,7 +6,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -19,10 +17,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
-	"github.com/urfave/cli/v2"
 
 	"github.com/aquasecurity/trivy/pkg/clock"
-	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/report"
 )
 
@@ -225,7 +221,7 @@ func TestClientServer(t *testing.T) {
 			golden: "testdata/mariner-1.0.json.golden",
 		},
 		{
-			name: "buxybox with Cargo.lock",
+			name: "busybox with Cargo.lock",
 			args: csArgs{
 				Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
@@ -242,14 +238,14 @@ func TestClientServer(t *testing.T) {
 		},
 	}
 
-	app, addr, cacheDir := setup(t, setupOptions{})
+	addr, cacheDir := setup(t, setupOptions{})
 
 	for _, c := range tests {
 		t.Run(c.name, func(t *testing.T) {
 			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
 
-			// Run Trivy client
-			err := app.Run(osArgs)
+			//
+			err := execute(osArgs)
 			require.NoError(t, err)
 
 			compareReports(t, c.golden, outputFile)
@@ -340,7 +336,7 @@ func TestClientServerWithFormat(t *testing.T) {
 		report.CustomTemplateFuncMap = map[string]interface{}{}
 	})
 
-	app, addr, cacheDir := setup(t, setupOptions{})
+	addr, cacheDir := setup(t, setupOptions{})
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -349,7 +345,7 @@ func TestClientServerWithFormat(t *testing.T) {
 			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
 
 			// Run Trivy client
-			err := app.Run(osArgs)
+			err := execute(osArgs)
 			require.NoError(t, err)
 
 			want, err := os.ReadFile(tt.golden)
@@ -386,13 +382,13 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 		},
 	}
 
-	app, addr, cacheDir := setup(t, setupOptions{})
+	addr, cacheDir := setup(t, setupOptions{})
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, "")
 
 			// Run Trivy client
-			err := app.Run(osArgs)
+			err := execute(osArgs)
 			require.NoError(t, err)
 
 			f, err := os.Open(outputFile)
@@ -450,7 +446,7 @@ func TestClientServerWithToken(t *testing.T) {
 
 	serverToken := "token"
 	serverTokenHeader := "Trivy-Token"
-	app, addr, cacheDir := setup(t, setupOptions{
+	addr, cacheDir := setup(t, setupOptions{
 		token:       serverToken,
 		tokenHeader: serverTokenHeader,
 	})
@@ -460,16 +456,14 @@ func TestClientServerWithToken(t *testing.T) {
 			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
 
 			// Run Trivy client
-			err := app.Run(osArgs)
-
+			err := execute(osArgs)
 			if c.wantErr != "" {
-				require.NotNil(t, err, c.name)
+				require.Error(t, err, c.name)
 				assert.Contains(t, err.Error(), c.wantErr, c.name)
 				return
-			} else {
-				assert.NoError(t, err, c.name)
 			}
 
+			require.NoError(t, err, c.name)
 			compareReports(t, c.golden, outputFile)
 		})
 	}
@@ -481,7 +475,7 @@ func TestClientServerWithRedis(t *testing.T) {
 	redisC, addr := setupRedis(t, ctx)
 
 	// Set up Trivy server
-	app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
+	addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
 	t.Cleanup(func() { os.RemoveAll(cacheDir) })
 
 	// Test parameters
@@ -494,7 +488,7 @@ func TestClientServerWithRedis(t *testing.T) {
 		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
-		err := app.Run(osArgs)
+		err := execute(osArgs)
 		require.NoError(t, err)
 
 		compareReports(t, golden, outputFile)
@@ -507,8 +501,8 @@ func TestClientServerWithRedis(t *testing.T) {
 		osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
-		err := app.Run(osArgs)
-		require.NotNil(t, err)
+		err := execute(osArgs)
+		require.Error(t, err)
 		assert.Contains(t, err.Error(), "connect: connection refused")
 	})
 }
@@ -519,9 +513,8 @@ type setupOptions struct {
 	cacheBackend string
 }
 
-func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
+func setup(t *testing.T, options setupOptions) (string, string) {
 	t.Helper()
-	version := "dev"
 
 	// Set up testing DB
 	cacheDir := initDB(t)
@@ -534,28 +527,21 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	addr := fmt.Sprintf("localhost:%d", port)
 
 	go func() {
-		// Setup CLI App
-		app := commands.NewApp(version)
-		app.Writer = io.Discard
 		osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)
 
 		// Run Trivy server
-		app.Run(osArgs)
+		require.NoError(t, execute(osArgs))
 	}()
 
 	ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)
 	err = waitPort(ctx, addr)
 	assert.NoError(t, err)
 
-	// Setup CLI App
-	app := commands.NewApp(version)
-	app.Writer = io.Discard
-
-	return app, addr, cacheDir
+	return addr, cacheDir
 }
 
 func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
+	osArgs := []string{"--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
 	if token != "" {
 		osArgs = append(osArgs, []string{"--token", token, "--token-header", tokenHeader}...)
 	}
@@ -573,7 +559,7 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		c.RemoteAddrOption = "--server"
 	}
 	t.Helper()
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
+	osArgs := []string{"--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
 
 	if c.Format != "" {
 		osArgs = append(osArgs, "--format", c.Format)

integration/docker_engine_test.go

@@ -15,8 +15,6 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
 func TestDockerEngine(t *testing.T) {
@@ -233,16 +231,14 @@ func TestDockerEngine(t *testing.T) {
 			tmpDir := t.TempDir()
 			output := filepath.Join(tmpDir, "result.json")
 
-			// run trivy
-			app := commands.NewApp("dev")
-			trivyArgs := []string{"trivy", "--cache-dir", cacheDir, "image",
+			osArgs := []string{"--cache-dir", cacheDir, "image",
 				"--skip-update", "--format=json", "--output", output}
 
 			if tt.ignoreUnfixed {
-				trivyArgs = append(trivyArgs, "--ignore-unfixed")
+				osArgs = append(osArgs, "--ignore-unfixed")
 			}
 			if len(tt.severity) != 0 {
-				trivyArgs = append(trivyArgs,
+				osArgs = append(osArgs,
 					[]string{"--severity", strings.Join(tt.severity, ",")}...,
 				)
 			}
@@ -252,11 +248,12 @@ func TestDockerEngine(t *testing.T) {
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			trivyArgs = append(trivyArgs, tt.input)
+			osArgs = append(osArgs, tt.input)
 
-			err = app.Run(trivyArgs)
+			// Run Trivy
+			err = execute(osArgs)
 			if tt.wantErr != "" {
-				require.NotNil(t, err)
+				require.Error(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
 				return
 			}

integration/fs_test.go

@@ -4,15 +4,13 @@
 package integration
 
 import (
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-
-	"github.com/aquasecurity/trivy/pkg/commands"
+	"github.com/stretchr/testify/require"
 )
 
 func TestFilesystem(t *testing.T) {
@@ -47,6 +45,14 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "pnpm",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pnpm",
+			},
+			golden: "testdata/pnpm.json.golden",
+		},
 		{
 			name: "pip",
 			args: args{
@@ -137,7 +143,7 @@ func TestFilesystem(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs := []string{
-				"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
+				"-q", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
 				"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks,
 			}
 
@@ -181,12 +187,9 @@ func TestFilesystem(t *testing.T) {
 			osArgs = append(osArgs, "--output", outputFile)
 			osArgs = append(osArgs, tt.args.input)
 
-			// Setup CLI App
-			app := commands.NewApp("dev")
-			app.Writer = io.Discard
-
 			// Run "trivy fs"
-			assert.Nil(t, app.Run(osArgs))
+			err := execute(osArgs)
+			require.NoError(t, err)
 
 			// Compare want and got
 			compareReports(t, tt.golden, outputFile)

integration/integration_test.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"flag"
+	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -18,6 +19,7 @@ import (
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
@@ -120,6 +122,16 @@ func readReport(t *testing.T, filePath string) types.Report {
 	return report
 }
 
+func execute(osArgs []string) error {
+	// Setup CLI App
+	app := commands.NewApp("dev")
+	app.SetOut(io.Discard)
+
+	// Run Trivy
+	app.SetArgs(osArgs)
+	return app.Execute()
+}
+
 func compareReports(t *testing.T, wantFile, gotFile string) {
 	want := readReport(t, wantFile)
 	got := readReport(t, gotFile)