fix(deps): fix errors on yarn.lock files that contain local file reference (#3384 )

feat(flag): early fail when the format is invalid (#3370 )
chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366 )
2025-12-21 23:00:42 -08:00 · 2023-01-05 12:17:11 +02:00 · 2023-01-04 13:46:04 +02:00 · 2023-01-03 20:53:50 +02:00 · 2023-01-03 17:59:28 +02:00 · 2023-01-03 15:28:29 +02:00
614 changed files with 31474 additions and 7008 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf 
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,14 +1,27 @@
 # Global
 *   @knqyf263

+# Docs
+/docs/community/ @knqyf263 @AnaisUrlichs @itaysk
+/docs/ecosystem/ @knqyf263 @AnaisUrlichs @itaysk
+/docs/getting-started/ @knqyf263 @AnaisUrlichs @itaysk
+/docs/tutorials/ @knqyf263 @AnaisUrlichs @itaysk
+/mkdocs.yml @knqyf263 @AnaisUrlichs @itaysk
+/docs/index.md @knqyf263 @AnaisUrlichs @itaysk
+/README.md @knqyf263 @AnaisUrlichs @itaysk
+
 # Helm chart
-helm/trivy/ @krol3
+helm/trivy/ @chen-keinan

 # Misconfiguration scanning
-examples/misconf/           @owenrumney @liamg @knqyf263
-docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
-pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
-pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+examples/misconf/           @knqyf263
+docs/docs/misconfiguration  @knqyf263
+docs/docs/cloud             @knqyf263
+pkg/fanal/analyzer/config   @knqyf263
+pkg/fanal/handler/misconf   @knqyf263
+pkg/cloud                   @knqyf263
+pkg/flag/aws_flags.go       @knqyf263
+pkg/flag/misconf_flags.go   @knqyf263

 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -5,6 +5,7 @@ on:
      - 'main'
    paths:
      - '**.go'
+      - 'go.mod'
      - 'Dockerfile.canary'
      - '.github/workflows/canary.yaml'
  workflow_dispatch:
@@ -24,7 +25,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.2.2
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -9,7 +9,7 @@ on:
 jobs:
  deploy:
    name: Deploy the dev documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
        uses: actions/checkout@v3
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -11,7 +11,7 @@ on:
 jobs:
  deploy:
    name: Deploy the latest documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
        uses: actions/checkout@v3
@@ -35,7 +35,7 @@ jobs:
        if: ${{ github.event.inputs.version == '' }}
        run: |
          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -15,8 +15,8 @@ env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
-  KIND_VERSION: "v0.11.1"
-  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
  test-chart:
    runs-on: ubuntu-20.04
@@ -26,7 +26,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: v3.5.0
      - name: Set up python
@@ -35,9 +35,9 @@ jobs:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
      - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
@@ -45,7 +45,7 @@ jobs:
        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
      - name: Run chart-testing (Ingress enabled)
        run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
          ct lint-and-install --validate-maintainers=false --charts helm/trivy

  publish-chart:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,13 +10,13 @@ jobs:
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser.yml
-      goreleaser_options: '--rm-dist --timeout 60m'
+      goreleaser_options: '--rm-dist --timeout 90m'
    secrets: inherit

  deploy-packages:
    name: Deploy rpm/dep packages
    needs: release # run this job after 'release' job completes
-    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.2.2
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -32,7 +32,7 @@ jobs:
      - name: Install dependencies
        run: |
          sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
+          sudo apt-get -y install rpm reprepro createrepo-c distro-info

      - name: Checkout trivy-repo
        uses: actions/checkout@v3
@@ -54,4 +54,4 @@ jobs:
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import

      - name: Create deb repository
-        run: ci/deploy-deb.sh
+        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -13,7 +13,6 @@ on:
        type: string

 env:
-  GO_VERSION: "1.18"
  GH_USER: "aqua-bot"

 jobs:
@@ -28,7 +27,7 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
@@ -60,16 +59,16 @@ jobs:
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}

-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
@@ -77,7 +76,7 @@ jobs:
          version: ^v1

      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: v1.4.1
          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -100,10 +99,10 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.2.2
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
          # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/roadmap.yaml
+++ b/.github/workflows/roadmap.yaml
@@ -0,0 +1,79 @@
+name: Add issues to the roadmap project
+
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  add-issue-to-roadmap-project:
+    name: Add issue to the roadmap project
+    runs-on: ubuntu-latest
+    steps:
+      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/backlog
+          label-operator: AND
+        id: add-backlog-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-backlog-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Backlog
+
+      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-longterm
+          label-operator: AND
+        id: add-longterm-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-longterm-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (long-term)
+
+      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-soon
+          label-operator: AND
+        id: add-soon-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-soon-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (soon)
+
+      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/critical-urgent
+          label-operator: AND
+        id: add-urgent-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-urgent-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Urgent
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -12,11 +12,11 @@ jobs:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - uses: amannn/action-semantic-pull-request@v4
+      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
-          types:
+          types: |
            feat
            fix
            docs
@@ -30,7 +30,7 @@ jobs:
            revert
            BREAKING

-          scopes:
+          scopes: |
            vuln
            misconf
            secret
@@ -42,8 +42,11 @@ jobs:
            sbom
            server
            k8s
+            aws
+            vm

            alpine
+            wolfi
            redhat
            alma
            rocky
@@ -55,6 +58,7 @@ jobs:
            suse
            photon
            distroless
+            windows

            ruby
            php
@@ -64,7 +68,10 @@ jobs:
            dotnet
            java
            go
-            
+            c
+            c++
+            elixir
+
            os
            lang

@@ -80,11 +87,12 @@ jobs:

            cli
            flag
-            
+
            cyclonedx
            spdx
+            purl

            helm
            report
            db
-            deps
+            deps
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v5
+    - uses: actions/stale@v7
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -9,20 +9,20 @@ on:
      - 'mkdocs.yml'
      - 'LICENSE'
  pull_request:
-env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.23.0"
 jobs:
  test:
    name: Test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - uses: actions/checkout@v3

      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod

      - name: go mod tidy
        run: |
@@ -31,18 +31,20 @@ jobs:
            echo "Run 'go mod tidy' and push it"
            exit 1
          fi
+        if: matrix.operating-system == 'ubuntu-latest'

      - name: Lint
-        uses: golangci/golangci-lint-action@v3.2.0
+        uses: golangci/golangci-lint-action@v3.3.0
        with:
-          version: v1.45
+          version: v1.49
          args: --deadline=30m
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+        if: matrix.operating-system == 'ubuntu-latest'

-      - name: Install TinyGo
-        run: |
-          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
-          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
+      # Install tools
+      - uses: aquaproj/aqua-installer@v1.2.0
+        with:
+          aqua_version: v1.25.0

      - name: Run unit tests
        run: make test
@@ -51,37 +53,36 @@ jobs:
    name: Integration Test
    runs-on: ubuntu-latest
    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod

-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration

  module-test:
    name: Module Integration Test
    runs-on: ubuntu-latest
    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Install TinyGo
-        run: |
-          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
-          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
-
      - name: Checkout
        uses: actions/checkout@v3

+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      # Install tools
+      - uses: aquaproj/aqua-installer@v1.1.2
+        with:
+          aqua_version: v1.25.0
+
      - name: Run module integration tests
+        shell: bash
        run: |
          make test-module-integration

@@ -107,13 +108,13 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod

    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v3
+      uses: goreleaser/goreleaser-action@v4
      with:
        version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 60m
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m

  build-documents:
    name: Documentation Test
--- a/.github/workflows/vm-test.yaml
+++ b/.github/workflows/vm-test.yaml
@@ -0,0 +1,27 @@
+name: VM Test
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+  pull_request:
+
+jobs:
+  vm-test:
+    name: VM Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - name: Run vm integration tests
+        run: |
+          make test-vm-integration
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,7 @@ thumbs.db
 # test fixtures
 coverage.txt
 integration/testdata/fixtures/images
+integration/testdata/fixtures/vm-images

 # SBOMs generated during CI
 /bom.json
@@ -33,4 +34,4 @@ integration/testdata/fixtures/images
 dist

 # WebAssembly
-*.wasm
+*.wasm
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -21,18 +21,17 @@ linters-settings:
    local-prefixes: github.com/aquasecurity
  gosec:
    excludes:
+      - G114
      - G204
      - G402

 linters:
  disable-all: true
  enable:
-    - structcheck
+    - unused
    - ineffassign
    - typecheck
    - govet
-    - varcheck
-    - deadcode
    - revive
    - gosec
    - unconvert
@@ -43,7 +42,7 @@ linters:
    - misspell

 run:
-  go: 1.18
+  go: 1.19
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.17.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.17.0
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM golang:1.18.3
+FROM golang:1.19

 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/17
+++ b/17
@@ -1,7 +1,7 @@
-VERSION := $(shell git describe --tags --always)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"

-GOPATH := $(shell go env GOPATH)
+GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
 GOBIN := $(GOPATH)/bin
 GOSRC := $(GOPATH)/src

@@ -26,7 +26,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0

 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0

 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest
@@ -77,6 +77,15 @@ test-integration: integration/testdata/fixtures/images/*.tar.gz
 test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
 	go test -v -tags=module_integration ./integration/...

+# Run VM integration tests
+.PHONY: test-vm-integration
+test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
+	go test -v -tags=vm_integration ./integration/...
+
+integration/testdata/fixtures/vm-images/*.img.gz:
+	integration/scripts/download-vm-images.sh
+
+
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
 	$(GOBIN)/golangci-lint run --timeout 5m
@@ -121,4 +130,4 @@ mkdocs-serve:
 # Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
 .PHONY: easyjson
 easyjson: $(GOBIN)/easyjson
-	easyjson pkg/module/serialize/types.go
+	easyjson pkg/module/serialize/types.go
--- a/README.md
+++ b/README.md
@@ -5,54 +5,61 @@
 [![Test][test-img]][test]
 [![Go Report Card][go-report-img]][go-report]
 [![License: Apache-2.0][license-img]][license]
-[![GitHub All Releases][github-all-releases-img]][release]
+[![GitHub Downloads][github-downloads-img]][release]
 ![Docker Pulls][docker-pulls]

 [📖 Documentation][docs]
 </div>

-Trivy (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
+Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
+Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.

-Trivy has different *scanners* that look for different security issues, and different *targets* where it can find those issues.
+Targets (what Trivy can scan):

-Targets:
 - Container Image
 - Filesystem
- Git repository (remote)
- Kubernetes cluster or resource
+- Git Repository (remote)
+- Virtual Machine Image
+- Kubernetes
+- AWS
+
+Scanners (what Trivy can find there):

-Scanners:
 - OS packages and software dependencies in use (SBOM)
 - Known vulnerabilities (CVEs)
- IaC misconfigurations
+- IaC issues and misconfigurations
 - Sensitive information and secrets
-
-Much more scanners and targets are coming up. Missing something? Let us know!
-
-Read more in the [Trivy Documentation][docs]
+- Software licenses

 ## Quick Start

 ### Get Trivy

-Get Trivy by your favorite installation method. See [installation] section in the documentation for details. For example:
+Trivy is available in most common distribution methods. The full list of installation options is available in the [Installation] page, here are a few popular options:

 - `apt-get install trivy`
 - `yum install trivy`
 - `brew install aquasecurity/trivy/trivy`
 - `docker run aquasec/trivy`
- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
+- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
+
+Trivy is integrated with many popular platforms and applications. The full list of integrations is available in the [Ecosystem] page. Here are a few popular options:
+
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
+- [CircleCI](https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)

 ### General usage

 ```bash
-trivy <target> [--security-checks <scanner1,scanner2>] TARGET_NAME
+trivy <target> [--security-checks <scanner1,scanner2>] <subject>
 ```

 Examples:

 ```bash
-$ trivy image python:3.4-alpine
+trivy image python:3.4-alpine
 ```

 <details>
@@ -63,7 +70,7 @@ https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-a
 </details>

 ```bash
-$ trivy fs --security-checks vuln,secret,config myproject/
+trivy fs --security-checks vuln,secret,config myproject/
 ```

 <details>
@@ -74,7 +81,7 @@ https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b
 </details>

 ```bash
-$ trivy k8s --report summary cluster
+trivy k8s --report summary cluster
 ```

 <details>
@@ -84,37 +91,41 @@ $ trivy k8s --report summary cluster

 </details>

-Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.
-
-Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
-
-
 ## Highlights

 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-  - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
-  - High accuracy, especially [Alpine Linux][alpine] and RHEL/CentOS
+    - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - High accuracy, especially [Alpine Linux][alpine] and RHEL/CentOS
 - Supply chain security (SBOM support)
-  - Support CycloneDX
-  - Support SPDX
+    - Support CycloneDX
+    - Support SPDX
+    - Generating and Scanning SBOM
+    - Leveraging in-toto attestations
+    - Integrated with [Sigstore]
 - Misconfiguration detection (IaC scanning) 
-  - Wide variety of security checks are provided **out of the box**
-  - Kubernetes, Docker, Terraform, and more
-  - User-defined policies using [OPA Rego][rego]
+    - Wide variety of security checks are provided **out of the box**
+    - Kubernetes, Docker, Terraform, and more
+    - User-defined policies using [OPA Rego][rego]
 - Secret detection
-  - A wide variety of built-in rules are provided **out of the box**
-  - User-defined patterns
-  - Efficient scanning of container images
+    - A wide variety of built-in rules are provided **out of the box**
+    - User-defined patterns
+    - Efficient scanning of container images
 - Simple
-  - Available in apt, yum, brew, dockerhub
-  - **No pre-requisites** such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
-  - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
+    - Available in apt, yum, brew, dockerhub
+    - **No pre-requisites** such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
+    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
 - Fits your workflow
-  - **Great for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
-  - Available as extension for IDEs such as vscode, jetbrains, vim
-  - Available as extension for Docker Desktop, Rancher Desktop
-  - See [integrations] section in the documentation.
+    - **Great for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
+    - Available as extension for IDEs such as vscode, jetbrains, vim
+    - Available as extension for Docker Desktop, Rancher Desktop
+    - See [Ecosystem] section in the documentation.
+
+## FAQ
+
+### How to pronounce the name "Trivy"?
+
+`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.

 ---

@@ -128,19 +139,20 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 [go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
 [release]: https://github.com/aquasecurity/trivy/releases
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
-[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
+[github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
 [docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
-
-
-[getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [docs]: https://aquasecurity.github.io/trivy
-[integrations]:https://aquasecurity.github.io/trivy/latest/docs/integrations/
-[installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
-[releases]: https://github.com/aquasecurity/trivy/releases
+[pronunciation]: #how-to-pronounce-the-name-trivy
+
+[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
+
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego
+[sigstore]: https://www.sigstore.dev/
+
 [aquasec]: https://aquasec.com
 [oss]: https://www.aquasec.com/products/open-source-projects/
 [discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -0,0 +1,8 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+registries:
+- type: standard
+  ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+- name: tinygo-org/tinygo@v0.26.0
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>
--- a/brand/readme.md
+++ b/brand/readme.md
@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
--- a/ci/deploy-rpm.sh
+++ b/ci/deploy-rpm.sh
@@ -10,7 +10,7 @@ function create_rpm_repo () {
        mkdir -p $rpm_path
        cp ../dist/*64bit.rpm ${rpm_path}/${RPM_EL}

-        createrepo --update $rpm_path
+        createrepo_c --update $rpm_path
 }

 cd trivy-repo
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -1,8 +1,14 @@
 package main

 import (
+	"context"
+	"os"
+
+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
 )

 var (
@@ -10,8 +16,26 @@ var (
 )

 func main() {
-	app := commands.NewApp(version)
-	if err := app.Execute(); err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/contrib/asff.tpl
+++ b/contrib/asff.tpl
@@ -33,7 +33,7 @@
            "Severity": {
                "Label": "{{ $severity }}"
            },
-            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
            "Description": {{ escapeString $description | printf "%q" }},
            {{ if not (empty .PrimaryURL) -}}
            "Remediation": {
@@ -119,6 +119,43 @@
            "RecordState": "ACTIVE"
        }
        {{- end -}}
+        {{- range .Secrets -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Sensitive Data Identifications" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Filename": "{{ $target }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
      {{- end }}
    ]
 }
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -45,7 +45,7 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
@@ -67,5 +67,37 @@
      }
    }
    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
  {{- end }}
 ]
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                  {{-  else -}}
                    "{{ .Severity }}"
                  {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
      "solution": {{ if .FixedVersion -}}
                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                  {{- else -}}
@@ -51,7 +50,7 @@
        },
        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
        "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
      },
      "identifiers": [
        {
@@ -71,7 +70,7 @@
          ,
        {{- end -}}
        {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
        }
        {{- end }}
      ]
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -28,4 +28,4 @@
    {{- end }}
    </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:8.2.10
+FROM squidfunk/mkdocs-material:8.3.9

 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -11,13 +11,13 @@ mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.2.10
+mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
-Pygments==2.11.2
-pymdown-extensions==9.3
+Pygments==2.12.0
+pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -50,7 +50,10 @@ mode:
 - fs
 - repo
 - sbom
+- k8s
 - server
+- aws
+- vm

 os:

@@ -77,6 +80,7 @@ language:
 - dotnet
 - java
 - go
+- elixir

 vuln:

@@ -102,6 +106,12 @@ cli:
 - cli
 - flag

+SBOM:
+
+- cyclonedx
+- spdx
+- purl
+
 others:

 - helm
--- a/docs/community/credit.md
+++ b/docs/community/credit.md
@@ -1,10 +0,0 @@
-# Author
-
-[Teppei Fukuda][knqyf263] (knqyf263)
-
-# Contributors
-
-Thanks to all [contributors][contributors]
-
-[knqyf263]: https://github.com/knqyf263
-[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors
--- a/docs/community/references.md
+++ b/docs/community/references.md
@@ -1,48 +0,0 @@
-# Additional References
-There are external blogs and evaluations.
-
-## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
- [the vulnerability remediation lifecycle of Alpine containers][alpine]
- [Continuous Container Vulnerability Testing with Trivy][semaphore]
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
- [Istio evaluates scanners][istio]
-
-## Presentations
- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
--- a/docs/community/tools.md
+++ b/docs/community/tools.md
@@ -1,37 +0,0 @@
-# Community Tools
-The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
-
-Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
-
-## GitHub Actions
-
-| Actions                                    | Description                                                                      |
-| ------------------------------------------ | -------------------------------------------------------------------------------- |
-| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
-| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
-
-## Semaphore
-
-| Name                                                   | Description                               |
-| -------------------------------------------------------| ----------------------------------------- |
-| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
-
-
-## CircleCI
-
-| Orb                                      | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
-
-## Others
-
-| Name                                     | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
-
-
-[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
-[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
-[gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
-[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -5,14 +5,34 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
 ## Air-Gapped Environment for vulnerabilities

 ### Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-Please follow [oras installation instruction][oras].
+=== "Trivy"

-Download `db.tar.gz`:
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```

-```
-$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
-```
+=== "oras >= v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
+    ```

 ### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
@@ -43,7 +63,7 @@ $ rm /path/to/db.tar.gz

 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 

-### Run Trivy with --skip-update and --offline-scan option
+### Run Trivy with `--skip-update` and `--offline-scan` option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.

@@ -55,7 +75,7 @@ $ trivy image --skip-update --offline-scan alpine:3.12

 No special measures are required to detect misconfigurations in an air-gapped environment.

-### Run Trivy with --skip-policy-update option
+### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.

 ```
--- a/docs/docs/advanced/container/containerd.md
+++ b/docs/docs/advanced/container/containerd.md
@@ -19,4 +19,11 @@ $ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
 $ trivy image aquasec/nginx
 ```

-[containerd]: https://containerd.io/
+If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`.
+
+```bash
+$ export CONTAINERD_NAMESPACE=k8s.io
+$ trivy image aquasec/nginx
+```
+
+[containerd]: https://containerd.io/
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,142 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --security-checks vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -1,6 +1,7 @@
 # SBOM attestation

 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities

 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
@@ -8,43 +9,79 @@

 ## Sign with a local key pair

-Cosign can generate key pairs and use them for signing and verification. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
-
-In the following example, Trivy generates an SBOM in the spdx format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).

+```bash
+$ cosign generate-key-pair
 ```
-$ trivy image --format spdx -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE>
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

 Then, you can verify attestations on the image.

-```
-$ cosign verify-attestation --key /path/to/cosign.pub <IMAGE>
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
 ```

 You can also create attestations of other formatted SBOM.

-```
-# spdx-json
-$ trivy image --format spdx-json -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE>
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>

-# cyclonedx
-$ trivy image --format cyclonedx -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type https://cyclonedx.org/schema --predicate predicate <IMAGE>
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
 ```

 ## Keyless signing

 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).

-```
-$ trivy image --format spdx -o predicate <IMAGE>
-$ COSIGN_EXPERIMENTAL=1 cosign attest --type spdx --predicate predicate <IMAGE>
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

 You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
 ```
-$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
--- a/docs/docs/attestation/vuln.md
+++ b/docs/docs/attestation/vuln.md
@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
--- a/docs/docs/cloud/aws/compliance.md
+++ b/docs/docs/cloud/aws/compliance.md
@@ -0,0 +1,39 @@
+# AWS Compliance
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+This page describes AWS specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../../compliance/compliance.md).
+
+## Built in reports
+
+the following reports are available out of the box:
+
+| Compliance | Name for command | More info
+--- | --- | ---
+AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
+AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html)
+
+## Examples
+
+Scan a cloud account and generate a compliance summary report:
+
+```
+$ trivy aws --compliance=<compliance_id> --report=summary
+```
+
+***Note*** : The `Issues` column represent the total number of failed checks for this control.
+
+
+Get all of the detailed output for checks:
+
+```
+$ trivy aws --compliance=<compliance_id> --report all
+```
+
+Report result in JSON format:
+
+```
+$ trivy aws --compliance=<compliance_id> --report all --format json
+```
+
--- a/docs/docs/cloud/aws/scanning.md
+++ b/docs/docs/cloud/aws/scanning.md
@@ -0,0 +1,66 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Compliance Spec
+Trivy can also run specific checks by spec by specifying the compliance flag:
+```shell
+trivy aws --compliance=awscis1.2
+```
+Will only target the checks defined under the AWS CIS 1.2 spec. Currently, we support AWS CIS 1.2 and 1.4 specs. More details [here](compliance.md).
+
+## Cached Results
+
+By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
+
+## Custom Policies
+
+You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information.
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -0,0 +1,67 @@
+# Compliance Reports
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
+
+## Usage
+
+Compliance report is currently supported in the following targets (trivy sub-commands):
+
+- `trivy aws`
+- `trivy k8s`
+
+Add the `--compliance` flag to the command line, and set it's value to desired report. For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
+
+### Options
+
+The following flags are compatible with `--compliance` flag and allows customizing it's output:
+
+flag | effect
+--- | ---
+`--report summary` | shows a summary of the results. for every control shows the number of failed checks.
+`--report all` | shows fully detailed results. for every control shows where it failed and why.
+`--format table` | shows results in textual table format (good for human readability).
+`--format json` | shows results in json format (good for machine readability).
+
+## Built-in compliance
+
+Trivy has a number of built-in compliance reports that you can asses right out of the box.
+to specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
+
+For the list of built-in compliance reports, please see the relevant section:
+
+- [Kubernetes compliance](../kubernetes/cli/compliance.md) 
+- [AWS compliance](../cloud/aws/compliance.md)
+
+## Custom compliance
+
+You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
+
+```yaml
+spec:
+  id: "k8s-myreport" # report unique identifier. this should not container spaces.
+  title: "My custom Kubernetes report" # report title. Any one-line title.
+  description: "Describe your report" # description of the report. Any text.
+  relatedResources :
+    - https://some.url # useful references. URLs only.
+  version: "1.0" # spec version (string)
+  controls:
+    - name: "Non-root containers" # Name for the control (appears in the report as is). Any one-line name.
+      description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.
+      id: "1.0" # control identifier (string)
+      checks:   # list of existing Trivy checks that define the control
+        - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` 
+      severity: "MEDIUM" # Severity for the control (note that checks severity isn't used)
+    - name: "Immutable container file systems"
+      description: 'Check that container root file system is immutable'
+      id: "1.1"
+      checks:
+        - id: AVD-KSV-0014
+      severity: "LOW"
+```
+
+The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
+
+Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -1,33 +1,11 @@
 # Docs

-Trivy detects two types of security issues:
-
- [Vulnerabilities][vuln]
- [Misconfigurations][misconf]
-
-Trivy can scan four different artifacts:
-
- [Container Images][container]
- [Filesystem][filesystem] and [Rootfs][rootfs]
- [Git Repositories][repo]
- [Kubernetes][kubernetes]
-
-Trivy can be run in two different modes:
-
- [Standalone][standalone]
- [Client/Server][client-server]
-
-Trivy can be run as a Kubernetes Operator:
-
- [Kubernetes Operator][kubernetesoperator]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
+This documentation details how to use Trivy to access the features listed below.

 ## Features

 - Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [OS packages][os] (Alpine, Wolfi, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -79,16 +57,16 @@ Please see [LICENSE][license] for Trivy licensing information.

 [standalone]: ../docs/references/modes/standalone.md
 [client-server]: ../docs/references/modes/client-server.md
-[integrations]: ../docs/integrations/index.md
+[integrations]: ../tutorials/integrations/index.md

 [os]: ../docs/vulnerability/detection/os.md
 [lang]: ../docs/vulnerability/detection/language.md

 [builtin]: ../docs/misconfiguration/policy/builtin.md
-[quickstart]: ../getting-started/quickstart.md
+[quickstart]: ../index.md
 [podman]: ../docs/advanced/container/podman.md

 [sbom]: ../docs/sbom/index.md

 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/docs/integrations/aws-security-hub.md
+++ b/docs/docs/integrations/aws-security-hub.md
@@ -1,29 +0,0 @@
-# AWS Security Hub
-
-## Upload findings to Security Hub
-
-In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
-
-```
-$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
-Then, you can upload it with AWS CLI.
-
-```
-$ aws securityhub batch-import-findings --findings file://report.asff
-```
-
-## Customize
-You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
-
-```
-$ export AWS_REGION=us-west-1
-$ export AWS_ACCOUNT_ID=123456789012
-$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-## Reference
-https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
--- a/docs/docs/kubernetes/cli/compliance.md
+++ b/docs/docs/kubernetes/cli/compliance.md
@@ -0,0 +1,42 @@
+# Kubernetes Compliance
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+This page describes Kubernetes specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../../compliance/compliance.md).
+
+## Built in reports
+
+The following reports are available out of the box:
+
+| Compliance | Name for command | More info
+--- | --- | ---
+NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)
+CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes)
+
+## Examples
+
+Scan a full cluster and generate a compliance summary report:
+
+```
+$ trivy k8s cluster --compliance=<compliance_id> --report summary
+```
+
+***Note*** : The `Issues` column represent the total number of failed checks for this control.
+
+
+Get all of the detailed output for checks:
+
+```
+trivy k8s cluster --compliance=<compliance_id> --report all
+```
+
+Report result in JSON format:
+
+```
+trivy k8s cluster --compliance=<compliance_id> --report summary --format json
+```
+
+```
+trivy k8s cluster --compliance=<compliance_id> --report all --format json
+```
--- a/docs/docs/kubernetes/cli/scanning.md
+++ b/docs/docs/kubernetes/cli/scanning.md
@@ -5,7 +5,7 @@

 The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.

-If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
+If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)

 Trivy uses your local kubectl configuration to access the API server to list artifacts.

@@ -41,6 +41,12 @@ Scan a specific namespace:
 $ trivy k8s -n kube-system --report=summary all
 ```

+Use a specific kubeconfig file:
+
+```
+$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
+```
+
 Scan a specific resource and get all the output:

 ```
@@ -225,3 +231,49 @@ $ trivy k8s --format json -o results.json cluster

 </details>

+
+
+## Infra checks
+
+Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
+if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
+components under `kube-system` with commands:
+
+```
+$ trivy k8s cluster --report summary # full cluster scan
+$ trivy k8s all -n kube-system --report summary # scan all components under kube-system
+```
+
+A table will be printed about misconfigurations found on kubernetes core components:
+
+```
+Summary Report for minikube
+┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
+│  Namespace  │               Resource               │ Kubernetes Infra Assessment │
+│             │                                      ├────┬────┬────┬─────┬────────┤
+│             │                                      │ C  │ H  │ M  │ L   │   U    │
+├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
+│ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
+│ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
+│ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
+└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
+Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
+```
+
+The infra checks are based on CIS Benchmarks recommendations for kubernetes.
+
+
+If you want filter only for the infra checks, you can use the flag `--components` along with the `--security-checks=config`
+
+```
+$ trivy k8s cluster --report summary --components=infra --security-checks=config # scan only infra
+```
+
+Or, to filter for all other checks besides the infra checks, you can:
+
+```
+$ trivy k8s cluster --report summary --components=workload --security-checks=config # scan all components besides infra
+```
+
+	
+
--- a/docs/docs/licenses/scanning.md
+++ b/docs/docs/licenses/scanning.md
@@ -47,7 +47,7 @@ License checking classifies the identified licenses and map the classification t
 This section shows how to scan license in container image and filesystem.

 ### Standard scanning
-Specify an image name with `--security-cheks license`.
+Specify an image name with `--security-checks license`.

 ``` shell
 $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
@@ -317,4 +317,4 @@ license:
 ```


-[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses
--- a/docs/docs/misconfiguration/comparison/cfsec.md
+++ b/docs/docs/misconfiguration/comparison/cfsec.md
@@ -1,24 +0,0 @@
-# vs cfsec
-[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
-Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
-This section describes the differences between Trivy and cfsec.
-
-| Feature               | Trivy                                                  | cfsec                        |
-|-----------------------|--------------------------------------------------------|------------------------------|
-| Built-in Policies     | :material-check:                                       | :material-check:             |
-| Custom Policies       | :material-check:                                       | :material-close:             |
-| Policy Metadata[^1]   | :material-check:                                       | :material-check:             |
-| Show Successes        | :material-check:                                       | :material-check:             |
-| Disable Policies      | :material-check:                                       | :material-check:             |
-| Show Issue Lines      | :material-check:                                       | :material-check:             |
-| View Statistics       | :material-close:                                       | :material-check:             |
-| Filtering by Severity | :material-check:                                       | :material-close:             |
-| Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | CloudFormation JSON and YAML |
-
-[^1]: To enrich the results such as ID, Title, Description, Severity, etc.
-
-cfsec is designed for CloudFormation.
-People who use only want to scan their CloudFormation templates should use cfsec.
-People who want to scan a wide range of configuration files should use Trivy.
-
-[cfsec]: https://github.com/aquasecurity/cfsec
--- a/docs/docs/misconfiguration/comparison/conftest.md
+++ b/docs/docs/misconfiguration/comparison/conftest.md
@@ -1,43 +0,0 @@
-# vs Conftest
-[Conftest][conftest] is a really nice tool to help you write tests against structured configuration data.
-Misconfiguration detection in Trivy is heavily inspired by Conftest and provides similar features Conftest has.
-This section describes the differences between Trivy and Conftest.
-
-| Feature                     | Trivy                | Conftest             |
-| --------------------------- | -------------------- | -------------------- |
-| Support Rego Language       | :material-check:     | :material-check:     |
-| Built-in Policies           | :material-check:     | :material-close:     |
-| Custom Policies             | :material-check:     | :material-check:     |
-| Custom Data                 | :material-check:     | :material-check:     |
-| Combine                     | :material-check:     | :material-check:     |
-| Combine per Policy          | :material-check:     | :material-close:     |
-| Policy Input Selector[^1]   | :material-check:     | :material-close:     |
-| Policy Metadata[^2]         | :material-check:     | :material-close:[^3] |
-| Filtering by Severity       | :material-check:     | :material-close:     |
-| Rule-based Exceptions       | :material-check:     | :material-check:     |
-| Namespace-based Exceptions  | :material-check:     | :material-close:     |
-| Sharing Policies            | :material-close:     | :material-check:     |
-| Show Successes              | :material-check:     | :material-close:     |
-| Flexible Exit Code          | :material-check:     | :material-close:     |
-| Rego Unit Tests             | :material-close:[^4] | :material-check:     |
-| Go Testing                  | :material-check:     | :material-close:     |
-| Verbose Trace               | :material-check:     | :material-check:     |
-| Supported Formats           | 6 formats[^5]        | 14 formats[^6]       |
-
-Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies.
-In other words, Conftest is simpler and lighter.
-
-Conftest is a general testing tool for configuration files, and Trivy is more security-focused.
-People who need an out-of-the-box misconfiguration scanner should use Trivy.
-People who don't need built-in policies and write your policies should use Conftest.
-
-[^1]: Pass only the types of configuration file as input, specified in selector
-[^2]: To enrich the results such as ID, Title, Description, etc.
-[^3]: Conftest supports [structured errors in rules][conftest-structured], but they are free format and not natively supported by Conftest.
-[^4]: Trivy is not able to run `*_test.rego` like `conftest verify`.
-[^5]: Dockerfile, HCL, HCL2, JSON, TOML, and YAML
-[^6]: CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML
-
-
-[conftest-structured]: https://github.com/open-policy-agent/conftest/pull/243
-[conftest]: https://github.com/open-policy-agent/conftest
--- a/docs/docs/misconfiguration/comparison/tfsec.md
+++ b/docs/docs/misconfiguration/comparison/tfsec.md
@@ -1,25 +0,0 @@
-# vs tfsec
-[tfsec][tfsec] uses static analysis of your Terraform templates to spot potential security issues.
-Trivy uses tfsec internally to scan Terraform HCL files, but Trivy doesn't support some features provided by tfsec.
-This section describes the differences between Trivy and tfsec.
-
-| Feature               | Trivy                                                  | tfsec                |
-|-----------------------|--------------------------------------------------------|----------------------|
-| Built-in Policies     | :material-check:                                       | :material-check:     |
-| Custom Policies       | Rego                                                   | Rego, JSON, and YAML |
-| Policy Metadata[^1]   | :material-check:                                       | :material-check:     |
-| Show Successes        | :material-check:                                       | :material-check:     |
-| Disable Policies      | :material-check:                                       | :material-check:     |
-| Show Issue Lines      | :material-check:                                       | :material-check:     |
-| Support .tfvars       | :material-close:                                       | :material-check:     |
-| View Statistics       | :material-close:                                       | :material-check:     |
-| Filtering by Severity | :material-check:                                       | :material-check:     |
-| Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | Terraform            |
-
-[^1]: To enrich the results such as ID, Title, Description, Severity, etc.
-
-tfsec is designed for Terraform.
-People who use only Terraform should use tfsec.
-People who want to scan a wide range of configuration files should use Trivy.
-
-[tfsec]: https://github.com/aquasecurity/tfsec
--- a/docs/docs/misconfiguration/custom/index.md
+++ b/docs/docs/misconfiguration/custom/index.md
@@ -36,27 +36,23 @@ A single package must contain only one policy.

 !!!example
    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
    package user.kubernetes.ID001
    
-    import lib.result
-
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    }
-
-    __rego_input__ := {
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
-    
    deny[res] {
        input.kind == "Deployment"
        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
-        res := result.new(msg, input)
+        res := result.new(msg, input.kind)
    }
    ```

@@ -65,6 +61,10 @@ If you add a new custom policy, it must be defined under a new package like `use

 ### Policy structure

+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
 `package` (required)
 :   - MUST follow the Rego's [specification][package]
    - MUST be unique per policy
@@ -72,15 +72,6 @@ If you add a new custom policy, it must be defined under a new package like `use
    - MAY include the group name such as `kubernetes` for clarity
        - Group name has no effect on policy evaluation

-`import data.lib.result` (optional)
-:   - MAY be defined if you would like to embellish your result(s) with line numbers and code highlighting
-
-`__rego_metadata__` (optional)
-:   - SHOULD be defined for clarity since these values will be displayed in the scan results
-
-`__rego_input__` (optional)
-:   - MAY be defined when you want to specify input format
-
 `deny` (required)
 :   - SHOULD be `deny` or start with `deny_`
        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
@@ -112,28 +103,38 @@ Any package prefixes such as `main` and `user` are allowed.
 ### Metadata
 Metadata helps enrich Trivy's scan results with useful information.

+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
 !!!example
    ``` rego
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    	"recommended_actions": "Remove Deployment",
-    	"url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
-    }
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
    ```
  
-All fields under `__rego_metadata__` are optional.
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
+
+| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                           |                              | :material-close: | :material-check: |
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
+| url                        | Any characters                           |                              | :material-close: | :material-check: |

-| Field name          | Allowed values                      | Default value |     In table     |     In JSON      |
-|---------------------|-------------------------------------|:-------------:|:----------------:|:----------------:|
-| id                  | Any characters                      |      N/A      | :material-check: | :material-check: |
-| title               | Any characters                      |      N/A      | :material-check: | :material-check: |
-| severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` |    UNKNOWN    | :material-check: | :material-check: |
-| description         | Any characters                      |               | :material-close: | :material-check: |
-| recommended_actions | Any characters                      |               | :material-close: | :material-check: | 
-| url                 | Any characters                      |               | :material-close: | :material-check: |

 Some fields are displayed in scan results.

@@ -156,17 +157,16 @@ Deployments are not allowed because of some reasons.
 ```

 ### Input
-You can specify input format via `__rego_input__`.
-All fields under `__rego_input` are optional.
+You can specify input format via the `custom.input` annotation.

 !!!example
    ``` rego
-    __rego_input__ := {
-        "combine": false,
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
    ```

 `combine` (boolean)
@@ -177,6 +177,15 @@ All fields under `__rego_input` are optional.
    In the above example, Trivy passes only Kubernetes files to this policy.
    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.

+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
    When a configuration language is identified, it will overwrite `type`.
    
@@ -186,5 +195,15 @@ All fields under `__rego_input` are optional.

    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.

+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
--- a/docs/docs/misconfiguration/options/others.md
+++ b/docs/docs/misconfiguration/options/others.md
@@ -2,21 +2,3 @@

 !!! hint
    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
-
-## File patterns
-When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
-The default file patterns are [here](../custom/index.md).
-
-In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
-For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
-
-This can be repeated for specifying multiple file patterns.
-Allowed values are here:
-
- dockerfile
- yaml
- json
- toml
- hcl
-
-For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting specific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```
--- a/docs/docs/misconfiguration/policy/builtin.md
+++ b/docs/docs/misconfiguration/policy/builtin.md
@@ -11,6 +11,7 @@ Those policies are managed under [defsec repository][defsec].
 | Dockerfile, Containerfile | [defsec][docker]     |
 | Terraform                 | [defsec][defsec]     |
 | CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
 | RBAC                      | [defsec][rbac]       |      

@@ -20,8 +21,8 @@ Helm Chart scanning will resolve the chart to Kubernetes manifests then run the

 Ansible scanning is coming soon.

-[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language
 [defsec]: https://github.com/aquasecurity/defsec
-[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
-[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
-[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/policies/kubernetes
+[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/policies/docker
+[rbac]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/policies/rbac
--- a/docs/docs/misconfiguration/scanning.md
+++ b/docs/docs/misconfiguration/scanning.md
@@ -1,12 +1,12 @@
 # Misconfiguration Scanning
-Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes, Terraform and CloudFormation.
-Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, etc, like [Conftest][conftest].
+Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
+In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].

 ![misconf](../../imgs/misconf.png)

 ## Quick start

-Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.

 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -316,6 +316,4 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 ## Examples
 See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)

-[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
-[conftest]: https://github.com/open-policy-agent/conftest/
-
+[custom]: ./custom/index.md
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -2,7 +2,7 @@

 ```bash
 Usage:
-  [DEPRECATED] trivy client [flags] IMAGE_NAME
+  trivy client [flags] IMAGE_NAME

 Aliases:
  client, c
@@ -10,13 +10,13 @@ Aliases:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -34,7 +34,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -59,11 +59,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/config.md
+++ b/docs/docs/references/cli/config.md
@@ -10,19 +10,16 @@ Aliases:
  config, conf

 Scan Flags
-      --skip-dirs string    specify the directories where the traversal is skipped
-      --skip-files string   specify the file paths to skip traversal
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template

 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
@@ -41,12 +38,12 @@ Misconfiguration Flags
      --trace                       enable more verbose trace output for custom queries

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
-
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/fs.md
+++ b/docs/docs/references/cli/fs.md
@@ -19,13 +19,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -42,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -63,6 +63,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -70,11 +74,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/image.md
+++ b/docs/docs/references/cli/image.md
@@ -34,13 +34,12 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -57,7 +56,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -82,6 +81,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -89,11 +92,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/index.md
+++ b/docs/docs/references/cli/index.md
@@ -4,6 +4,7 @@ Trivy has several sub commands, image, fs, repo, client and server.
 Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

 Usage:
+  trivy [global flags] command [flags] target
  trivy [command]

 Examples:
@@ -24,7 +25,6 @@ Available Commands:
  filesystem  Scan local filesystem
  help        Help about any command
  image       Scan a container image
-  kubectl     scan kubectl resources
  kubernetes  scan kubernetes cluster
  module      Manage modules
  plugin      Manage plugins
@@ -35,15 +35,16 @@ Available Commands:
  version     Print the version

 Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-  -f, --format string      version format (json)
-  -h, --help               help for trivy
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version

 Use "trivy [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/module.md
+++ b/docs/docs/references/cli/module.md
@@ -17,11 +17,14 @@ Flags:
  -h, --help   help for module

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/plugin.md
+++ b/docs/docs/references/cli/plugin.md
@@ -10,22 +10,25 @@ Aliases:
  plugin, p

 Available Commands:
-  Uninstall   uninstall a plugin
  info        Show information about the specified plugin
  install     Install a plugin
  list        List installed plugin
  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
  update      Update an existing plugin

 Flags:
  -h, --help   help for plugin

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/repo.md
+++ b/docs/docs/references/cli/repo.md
@@ -16,13 +16,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -39,7 +39,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -60,23 +60,28 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-      
+
 Repository Flags
      --branch string   pass the branch name to be scanned
      --commit string   pass the commit hash to be scanned
      --tag string      pass the tag name to be scanned

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -17,15 +17,18 @@ Examples:
  / # trivy rootfs /

 Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --security-checks strings   comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -42,7 +45,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -53,22 +56,39 @@ Vulnerability Flags
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")

 Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--security-checks config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files

 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
-```
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/sbom.md
+++ b/docs/docs/references/cli/sbom.md
@@ -13,17 +13,19 @@ Examples:
  # Scan CycloneDX and generate a CycloneDX report
  $ trivy sbom --format cyclonedx /path/to/report.cdx

+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+

 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -40,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -57,11 +59,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/server.md
+++ b/docs/docs/references/cli/server.md
@@ -26,7 +26,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -38,11 +38,12 @@ Client/Server Flags
      --token-header string   specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/customization/config-file.md
+++ b/docs/docs/references/customization/config-file.md
@@ -6,7 +6,7 @@ An example is [here][example].

 ## Global Options

-```
+```yaml
 # Same as '--quiet'
 # Default is false
 quiet: false
@@ -30,7 +30,7 @@ cache-dir: $HOME/.cache/trivy

 ## Report Options

-```
+```yaml
 # Same as '--format'
 # Default is 'table'
 format: table
@@ -80,8 +80,13 @@ severity:
 ## Scan Options
 Available in client/server mode

-```
+```yaml
 scan:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+
  # Same as '--skip-dirs'
  # Default is empty
  skip-dirs:
@@ -107,7 +112,7 @@ scan:

 ## Cache Options

-```
+```yaml
 cache:
  # Same as '--cache-backend'
  # Default is 'fs' 
@@ -134,7 +139,7 @@ cache:

 ## DB Options

-```
+```yaml
 db:
  # Same as '--skip-db-update'
  # Default is false
@@ -152,7 +157,7 @@ db:
 ## Image Options
 Available with container image scanning

-```
+```yaml
 image:
  # Same as '--input' (available with 'trivy image')
  # Default is empty
@@ -166,7 +171,7 @@ image:
 ## Vulnerability Options
 Available with vulnerability scanning

-```
+```yaml
 vulnerability:
  # Same as '--vuln-type'
  # Default is 'os,library'
@@ -182,43 +187,32 @@ vulnerability:
 ## Secret Options
 Available with secret scanning

-```
+```yaml
 secret:
  # Same as '--secret-config'
  # Default is 'trivy-secret.yaml'
  config: config/trivy/secret.yaml
 ```

+## Rego Options

-## Misconfiguration Options
-Available with misconfiguration scanning
-
-```
-misconfiguration:
-  # Same as '--file-patterns'
-  # Default is empty
-  file-patterns:
-    -
-  
-  # Same as '--include-non-failures'
-  # Default is false
-  include-non-failures: false
-  
+```yaml
+rego
  # Same as '--trace'
  # Default is false
  trace: false
-  
+
  # Same as '--config-policy'
  # Default is empty
  policy:
    - policy/repository
    - policy/custom
-    
+
  # Same as '--config-data'
  # Default is empty
  data:
    - data/
-    
+
  # Same as '--policy-namespaces'
  # Default is empty
  namespaces:
@@ -226,10 +220,47 @@ misconfiguration:
    - users
 ```

+## Misconfiguration Options
+Available with misconfiguration scanning
+
+```yaml
+misconfiguration:
+  # Same as '--include-non-failures'
+  # Default is false
+  include-non-failures: false
+
+  # helm value override configurations
+  # set individual values
+  helm:
+    set:
+      - securityContext.runAsUser=10001
+
+  # set values with file
+  helm:
+    values:
+      - overrides.yaml
+
+  # set specific values from specific files
+  helm:
+    set-file:
+      - image=dev-overrides.yaml
+
+  # set as string and preserve type
+  helm:
+    set-string:
+      - name=true
+
+  # terraform tfvars overrrides
+  terraform:
+    vars:
+      - dev-terraform.tfvars
+      - common-terraform.tfvars
+```
+
 ## Kubernetes Options
 Available with Kubernetes scanning

-```
+```yaml
 kubernetes:
  # Same as '--context'
  # Default is empty
@@ -243,7 +274,7 @@ kubernetes:
 ## Repository Options
 Available with git repository scanning (`trivy repo`) 

-```
+```yaml
 repository:
  # Same as '--branch'
  # Default is empty
@@ -261,7 +292,7 @@ repository:
 ## Client/Server Options
 Available in client/server mode

-```
+```yaml
 server:
  # Same as '--server' (available in client mode)
  # Default is empty
@@ -286,4 +317,28 @@ server:
  listen: 0.0.0.0:10000
 ```

+## Cloud Options
+
+Available for cloud scanning (currently only `trivy aws`)
+
+```yaml
+cloud:
+  # whether to force a cache update for every scan
+  update-cache: false
+  
+  # how old cached results can be before being invalidated
+  max-cache-age: 24h
+  
+  # aws-specific cloud settings
+  aws:
+    # the aws region to use
+    region: us-east-1
+    
+    # the aws endpoint to use (not required for general use)
+    endpoint: https://my.custom.aws.endpoint
+    
+    # the aws account to use (this will be determined from your environment when not set)
+    account: 123456789012
+```
+
 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
--- a/docs/docs/references/modes/client-server.md
+++ b/docs/docs/references/modes/client-server.md
@@ -52,6 +52,8 @@ $ trivy fs --server http://localhost:8080 --severity CRITICAL ./integration/test
 **Note**: It's important to specify the protocol (http or https).
 <details>
 <summary>Result</summary>
+
+```
 pom.xml (pom)
 =============
 Total: 24 (CRITICAL: 24)
@@ -173,6 +175,107 @@ Total: 24 (CRITICAL: 24)
 |                                             |                  |          |                   |                                | gadgets in anteros-core               |
 |                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
 +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+```
+</details>
+
+## Remote scan of root filesystem
+Also, there is a way to scan root file system:
+```shell
+$ trivy rootfs --server http://localhost:8080 --severity CRITICAL /tmp/rootfs
+```
+**Note**: It's important to specify the protocol (http or https).
+<details>
+<summary>Result</summary>
+
+```
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+</details>
+
+## Remote scan of git repository
+Also, there is a way to scan remote git repository:
+```shell
+$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:8080 
+```
+**Note**: It's important to specify the protocol (http or https).
+<details>
+<summary>Result</summary>
+
+```
+Cargo.lock (cargo)
+==================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+
+┌───────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ ammonia   │ CVE-2019-15542      │ HIGH     │ 1.9.0             │ 2.1.0         │ Uncontrolled recursion in ammonia                           │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15542                  │
+│           ├─────────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│           │ CVE-2021-38193      │ MEDIUM   │                   │ 2.1.3, 3.1.0  │ An issue was discovered in the ammonia crate before 3.1.0   │
+│           │                     │          │                   │               │ for Rust....                                                │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-38193                  │
+├───────────┼─────────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ smallvec  │ CVE-2019-15551      │          │ 0.6.9             │ 0.6.10        │ An issue was discovered in the smallvec crate before 0.6.10 │
+│           │                     │          │                   │               │ for Rust....                                                │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15551                  │
+│           ├─────────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│           │ CVE-2018-25023      │ HIGH     │                   │ 0.6.13        │ An issue was discovered in the smallvec crate before 0.6.13 │
+│           │                     │          │                   │               │ for Rust....                                                │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-25023                  │
+│           ├─────────────────────┼──────────┤                   │               ├─────────────────────────────────────────────────────────────┤
+│           │ GHSA-66p5-j55p-32r9 │ MEDIUM   │                   │               │ smallvec creates uninitialized value of any type            │
+│           │                     │          │                   │               │ https://github.com/advisories/GHSA-66p5-j55p-32r9           │
+└───────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+Pipfile.lock (pipenv)
+=====================
+Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+
+┌─────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
+│       Library       │ Vulnerability  │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
+├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ celery              │ CVE-2021-23727 │ HIGH     │ 4.3.0             │ 5.2.2                  │ celery: stored command injection vulnerability may allow     │
+│                     │                │          │                   │                        │ privileges escalation                                        │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-23727                   │
+├─────────────────────┼────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ django              │ CVE-2019-6975  │          │ 2.0.9             │ 1.11.19, 2.0.12, 2.1.7 │ python-django: memory exhaustion in                          │
+│                     │                │          │                   │                        │ django.utils.numberformat.format()                           │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-6975                    │
+│                     ├────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2019-3498  │ MEDIUM   │                   │ 1.11.18, 2.0.10, 2.1.5 │ python-django: Content spoofing via URL path in default 404  │
+│                     │                │          │                   │                        │ page                                                         │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-3498                    │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2021-33203 │          │                   │ 2.2.24, 3.1.12, 3.2.4  │ django: Potential directory traversal via ``admindocs``      │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-33203                   │
+├─────────────────────┼────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ urllib3             │ CVE-2019-11324 │          │ 1.24.1            │ 1.24.2                 │ python-urllib3: Certification mishandle when error should be │
+│                     │                │          │                   │                        │ thrown                                                       │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-11324                   │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2021-33503 │          │                   │ 1.26.5                 │ python-urllib3: ReDoS in the parsing of authority part of    │
+│                     │                │          │                   │                        │ URL                                                          │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-33503                   │
+│                     ├────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2019-11236 │ MEDIUM   │                   │ 1.24.3                 │ python-urllib3: CRLF injection due to not encoding the       │
+│                     │                │          │                   │                        │ '\r\n' sequence leading to...                                │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-11236                   │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2020-26137 │          │                   │ 1.25.9                 │ python-urllib3: CRLF injection via HTTP request method       │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2020-26137                   │
+└─────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
+```
 </details>

 ## Authentication
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -120,6 +120,36 @@ To run multiple Trivy servers, you need to use Redis as the cache backend so tha
 Follow [this instruction][redis-cache] to do so.


+### Problems with `/tmp` on remote Git repository scans
+
+!!! error
+    FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
+
+Trivy clones remote Git repositories under the `/tmp` directory before scanning them. If `/tmp` doesn't work for you, you can change it by setting the `TMPDIR` environment variable.
+
+Try:
+
+```
+$ TMPDIR=/my/custom/path trivy repo ...
+```
+
+### Running out of space during image scans
+
+!!! error
+    ``` bash
+    image scan failed:
+    failed to copy the image:
+    write /tmp/fanal-3323732142: no space left on device
+    ```
+
+Trivy uses the `/tmp` directory during image scan, if the image is large or `/tmp` is of insufficient size then the scan fails You can set the `TMPDIR` environment variable to use redirect trivy to use a directory with adequate storage.
+
+Try:
+
+```
+$ TMPDIR=/my/custom/path trivy image ...
+```
+
 ## Homebrew
 ### Scope error
 !!! error
@@ -170,4 +200,4 @@ $ trivy image --reset
 ```

 [air-gapped]: ../advanced/air-gap.md
-[redis-cache]: ../../vulnerability/examples/cache/#cache-backend
+[redis-cache]: ../../vulnerability/examples/cache/#cache-backend
--- a/docs/docs/sbom/cyclonedx.md
+++ b/docs/docs/sbom/cyclonedx.md
@@ -1,13 +1,21 @@
 # CycloneDX

-## Reporting
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+## Generating
+Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.

+CycloneDX can represent either or both SBOM or BOV.
+
+- [Software Bill of Materials (SBOM)][sbom]
+- [Bill of Vulnerabilities (BOV)][bov]
+
+By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
+
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```

 <details>
@@ -231,6 +239,12 @@ $ cat result.json | jq .

 </details>

+If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+
+```
+$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+```
+
 ## Scanning
 Trivy can take CycloneDX as an input and scan for vulnerabilities.
 To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
@@ -258,5 +272,8 @@ Total: 3 (CRITICAL: 3)

 !!! note
    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV][bov].

-[cyclonedx]: https://cyclonedx.org/
+[cyclonedx]: https://cyclonedx.org/
+[sbom]: https://cyclonedx.org/capabilities/sbom/
+[bov]: https://cyclonedx.org/capabilities/bov/
--- a/docs/docs/sbom/index.md
+++ b/docs/docs/sbom/index.md
@@ -1,6 +1,6 @@
 # SBOM

-## Reporting
+## Generating
 Trivy can generate the following SBOM formats.

 - [CycloneDX][cyclonedx]
@@ -9,9 +9,10 @@ Trivy can generate the following SBOM formats.
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.

 ```
-$ trivy image --format cyclonedx --output result.json alpine:3.15
+$ trivy image --format spdx-json --output result.json alpine:3.15
 ```

+
 ```
 $ trivy fs --format cyclonedx --output result.json /app/myproject
 ```
@@ -180,33 +181,52 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
 Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.

 - CycloneDX
+- SPDX
+- SPDX JSON
+- CycloneDX-type attestation

 To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.

 ```bash
 $ trivy sbom /path/to/cyclonedx.json
-
-cyclonedx.json (alpine 3.7.1)
-=========================
-Total: 3 (CRITICAL: 3)
-
-┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
-└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 ```

+See [here][cyclonedx] for the detail.

 !!! note
-    CycloneDX XML and SPDX are not supported at the moment.
+    CycloneDX XML is not supported at the moment.
+
+```bash
+$ trivy sbom /path/to/spdx.json
+```
+
+See [here][spdx] for the detail.
+
+
+You can also scan an SBOM attestation.
+In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md
+[Cosign]: https://github.com/sigstore/cosign
+[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair
--- a/docs/docs/sbom/spdx.md
+++ b/docs/docs/sbom/spdx.md
@@ -1,6 +1,7 @@
 # SPDX

-Trivy generates reports in the [SPDX][spdx] format.
+## Generating
+Trivy can generate SBOM in the [SPDX][spdx] format.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.

@@ -294,4 +295,50 @@ $ cat result.spdx.json | jq .

 </details>

+## Scanning
+Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
+The input format is automatically detected.
+
+The following formats are supported:
+
+- Tag-value (`--format spdx`)
+- JSON (`--format spdx-json`)
+
+```bash
+$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
+$ trivy sbom spdx.json
+2022-09-15T21:32:27.168+0300    INFO    Vulnerability scanning is enabled
+2022-09-15T21:32:27.169+0300    INFO    Detected SBOM format: spdx-json
+2022-09-15T21:32:27.210+0300    INFO    Detected OS: alpine
+2022-09-15T21:32:27.210+0300    INFO    Detecting Alpine vulnerabilities...
+2022-09-15T21:32:27.211+0300    INFO    Number of language-specific files: 0
+
+spdx.json (alpine 3.16.0)
+=========================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
+
+┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ busybox      │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes               │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                  │
+├──────────────┤                │          │                   │               │                                                            │
+│ libssl1.1    │                │          │                   │               │                                                            │
+│              │                │          │                   │               │                                                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ ssl_client   │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in  │
+│              │                │          │                   │               │ inflate in inflate.c...                                    │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                 │
+└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
--- a/docs/docs/sbom/supported.md
+++ b/docs/docs/sbom/supported.md
@@ -0,0 +1,14 @@
+## Packages that support vulnerability scanning
+- [OS packages][os_packages]
+- [Language-specific packages][language_packages]
+
+## Other language-specific packages
+
+| Language | File         | Dependency location[^1] |
+|----------|--------------|:-----------------------:|
+| Swift    | Podfile.lock |            -            |
+
+[^1]: Use `startline == 1 and endline == 1` for unsupported file types
+
+[os_packages]: ../vulnerability/detection/os.md
+[language_packages]: ../vulnerability/detection/language.md
--- a/docs/docs/secret/configuration.md
+++ b/docs/docs/secret/configuration.md
@@ -98,9 +98,9 @@ allow-rules:

 ## Enable Rules
 Trivy provides plenty of out-of-box rules and allow rules, but you may not need all of them.
-In that case, `enable-builin-rules` will be helpful.
+In that case, `enable-builtin-rules` will be helpful.
 If you just need AWS secret detection, you can enable only relevant rules as shown below.
-It specifies AWS-related rule IDs in `enable-builin-rules`.
+It specifies AWS-related rule IDs in `enable-builtin-rules`.
 All other rules are disabled, so the scanning will be much faster.
 We would strongly recommend using this option if you don't need all rules.

@@ -118,9 +118,9 @@ Trivy offers built-in rules and allow rules, but you may want to disable some of
 For example, you don't use Slack, so Slack doesn't have to be scanned.
 You can specify the Slack rule IDs, `slack-access-token` and `slack-web-hook` in `disable-rules` so that those rules will be disabled for less false positives.

-You should specify either `enable-builin-rules` or `disable-rules`.
+You should specify either `enable-builtin-rules` or `disable-rules`.
 If they both are specified, `disable-rules` takes precedence.
-In case `github-pat` is specified in `enable-builin-rules` and `disable-rules`, it will be disabled.
+In case `github-pat` is specified in `enable-builtin-rules` and `disable-rules`, it will be disabled.

 In addition, there are some allow rules.
 Markdown files are ignored by default, but you may want to scan markdown files as well.
@@ -137,6 +137,6 @@ disable-allow-rules:
 ```


-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [examples]: ./examples.md
--- a/docs/docs/secret/examples.md
+++ b/docs/docs/secret/examples.md
@@ -35,6 +35,18 @@ Total: 1 (CRITICAL: 1)
 +----------+-------------------+----------+---------+--------------------------------+
 ```

+## Filter by RuleID
+
+Use `.trivyignore`.
+
+```bash
+$ cat .trivyignore
+
+# Ignore these rules
+generic-unwanted-rule
+aws-account-id
+```
+
 ## Disable secret scanning
 If you need vulnerability scanning only, you can disable secret scanning via the `--security-checks` flag.

--- a/docs/docs/secret/scanning.md
+++ b/docs/docs/secret/scanning.md
@@ -101,7 +101,7 @@ The usage examples are [here][examples].

 In addition, all the built-in rules are enabled by default, so it takes some time to scan all of them.
 If you don't need all those rules, you can use `enable-builtin-rules` or `disable-rules` in the configuration file.
-You should use `enable-builin-rules` if you need only AWS secret detection, for example.
+You should use `enable-builtin-rules` if you need only AWS secret detection, for example.
 All rules are disabled except for the ones you specify, so it runs very fast.
 On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
 See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
@@ -116,8 +116,8 @@ $ trivy image --security-checks vuln alpine:3.15
 ## Credit
 This feature is inspired by [gitleaks][gitleaks]. 

-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin-allow]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [configuration]: ./configuration.md
 [allow-rules]: ./configuration.md#allow-rules
 [enable-rules]: ./configuration.md#enable-rules
--- a/docs/docs/vm/aws.md
+++ b/docs/docs/vm/aws.md
@@ -0,0 +1,83 @@
+# AWS EC2
+
+Trivy can scan the following targets in AWS EC2.
+
+- Amazon Machine Image (AMI)
+- Elastic Block Store (EBS) Snapshot
+
+## Amazon Machine Image (AMI)
+You can specify your AMI ID with the `ami:` prefix.
+
+```shell
+$ trivy vm ami:${your_ami_id}
+```
+
+!!! note
+    AMIs in the marketplace are not supported because the EBS direct APIs don't support that.
+    See [the AWS documentation][ebsapi-elements] for the detail.
+
+### Example
+
+```shell
+$ trivy vm --security-checks vuln ami:ami-0123456789abcdefg
+```
+
+!!! tip
+    The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+
+If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option.
+
+```shell
+$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg
+```
+
+
+### Required Actions
+Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
+
+- ec2:DescribeImages
+- ebs:ListSnapshotBlocks
+- ebs:GetSnapshotBlock
+
+## Elastic Block Store (EBS) Snapshot
+You can specify your EBS snapshot ID with the `ebs:` prefix.
+
+```shell
+$ trivy vm ebs:${your_ebs_snapshot_id}
+```
+
+!!! note
+    Public snapshots are not supported because the EBS direct APIs don't support that.
+    See [the AWS documentation][ebsapi-elements] for the detail.
+
+### Example
+```shell
+$ trivy vm --security-checks vuln ebs:snap-0123456789abcdefg
+```
+
+!!! tip
+The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+
+If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option.
+
+```shell
+$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg
+```
+
+
+The above command takes a while as it calls EBS API and fetches the EBS blocks.
+If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS.
+Then, Trivy can scan the local VM image file.
+
+```shell
+$ coldsnap download snap-0123456789abcdefg disk.img
+$ trivy vm ./disk.img
+```
+
+### Required Actions
+
+- ebs:ListSnapshotBlocks
+- ebs:GetSnapshotBlock
+
+[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
+[coldsnap]: https://github.com/awslabs/coldsnap
--- a/docs/docs/vm/index.md
+++ b/docs/docs/vm/index.md
@@ -0,0 +1,121 @@
+# Virtual Machine Image
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Scanning
+Trivy supports VM image scanning for vulnerabilities, secrets, etc.
+The following targets are currently supported:
+
+- Local file
+- [AWS EC2][aws]
+
+To scan VM images, you can use the `vm` subcommand.
+
+### Local file
+Pass the path to your local VM image file.
+
+```bash
+$ trivy vm --security-checks vuln disk.vmdk
+```
+
+<details>
+<summary>Result</summary>
+
+```
+disk.vmdk (amazon 2 (Karoo))
+===========================================================================================
+Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
+
+┌────────────────────────────┬────────────────┬──────────┬───────────────────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│          Library           │ Vulnerability  │ Severity │       Installed Version       │         Fixed Version         │                            Title                             │
+├────────────────────────────┼────────────────┼──────────┼───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ amazon-ssm-agent           │ CVE-2022-24675 │ HIGH     │ 3.0.529.0-1.amzn2             │ 3.1.1575.0-1.amzn2            │ golang: encoding/pem: fix stack overflow in Decode           │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2022-24675                   │
+├────────────────────────────┼────────────────┤          ├───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-export-libs           │ CVE-2021-25215 │          │ 32:9.11.4-26.P2.amzn2.4       │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-libs                  │ CVE-2021-25215 │ HIGH     │                               │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-libs-lite             │ CVE-2021-25215 │ HIGH     │                               │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+... 
+```
+
+</details>
+
+### AWS EC2
+
+See [here][aws] for the detail.
+
+## Supported architectures
+
+### Virtual machine images
+
+| Image format | Support |
+|--------------|:-------:|
+| VMDK         |    ✔    |
+| OVA          |         |
+| VHD          |         |
+| VHDX         |         |
+| QCOW2        |         |
+
+
+#### VMDK disk types
+
+| VMDK disk type              | Support |
+|-----------------------------|:-------:|
+| streamOptimized             |    ✔    |
+| monolithicSparse            |         |
+| vmfs                        |         |
+| vmfsSparse                  |         |
+| twoGbMaxExtentSparse        |         |
+| monolithicFlat              |         |
+| twoGbMaxExtentFlat          |         |
+| vmfsRaw                     |         |
+| fullDevice                  |         |
+| partitionedDevice           |         |
+| vmfsRawDeviceMap            |         |
+| vmfsPassthroughRawDeviceMap |         |
+
+Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
+
+
+### Disk partitions
+
+| Disk format                  | Support |
+|------------------------------|:-------:|
+| Master boot record (MBR)     |    ✔    |
+| Extended master boot record  |         |
+| GUID partition table (GPT)   |    ✔    |
+| Logical volume manager (LVM) |         |
+
+### Filesystems
+
+| Filesystem format | Support |
+|-------------------|:-------:|
+| XFS               |    ✔    |
+| EXT4              |    ✔    |
+| EXT2/3            |         |
+| ZFS               |         |
+
+[aws]: ./aws.md
+[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk
--- a/docs/docs/vulnerability/detection/data-source.md
+++ b/docs/docs/vulnerability/detection/data-source.md
@@ -1,40 +1,43 @@
 # OS

-| OS                 | Source                                      |
-|--------------------|---------------------------------------------|
-| Arch Linux         | [Vulnerable Issues][arch]                   |
-| Alpine Linux       | [secdb][alpine]                             |
-| Amazon Linux       | [Amazon Linux Security Center][amazon]      |
-| Debian             | [Security Bug Tracker][debian-tracker]      |
-|                    | [OVAL][debian-oval]                         |
-| Ubuntu             | [Ubuntu CVE Tracker][ubuntu]                |
-| RHEL/CentOS        | [OVAL][rhel-oval]                           |
-|                    | [Security Data][rhel-api]                   |
-| AlmaLinux          | [AlmaLinux Product Errata][alma]            |
-| Rocky Linux        | [Rocky Linux UpdateInfo][rocky]             |
-| Oracle Linux       | [OVAL][oracle]                              |
-| CBL-Mariner        | [OVAL][mariner]                             |
-| OpenSUSE/SLES      | [CVRF][suse]                                |
-| Photon OS          | [Photon Security Advisory][photon]          |
+| OS            | Source                                 |
+|---------------|----------------------------------------|
+| Arch Linux    | [Vulnerable Issues][arch]              |
+| Alpine Linux  | [secdb][alpine]                        |
+| Wolfi Linux   | [secdb][wolfi]                         |
+| Amazon Linux  | [Amazon Linux Security Center][amazon] |
+| Debian        | [Security Bug Tracker][debian-tracker] |
+|               | [OVAL][debian-oval]                    |
+| Ubuntu        | [Ubuntu CVE Tracker][ubuntu]           |
+| RHEL/CentOS   | [OVAL][rhel-oval]                      |
+|               | [Security Data][rhel-api]              |
+| AlmaLinux     | [AlmaLinux Product Errata][alma]       |
+| Rocky Linux   | [Rocky Linux UpdateInfo][rocky]        |
+| Oracle Linux  | [OVAL][oracle]                         |
+| CBL-Mariner   | [OVAL][mariner]                        |
+| OpenSUSE/SLES | [CVRF][suse]                           |
+| Photon OS     | [Photon Security Advisory][photon]     |

 # Programming Language

-| Language                     | Source                                              | Commercial Use  | Delay[^1]|
-| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
-| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
-|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
-| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| Language | Source                                              | Commercial Use | Delay[^1] |
+|----------|-----------------------------------------------------|:--------------:|:---------:|
+| PHP      | [PHP Security Advisories Database][php]             |       ✅        |     -     |
+|          | [GitHub Advisory Database (Composer)][php-ghsa]     |       ✅        |     -     |
+| Python   | [GitHub Advisory Database (pip)][python-ghsa]       |       ✅        |     -     |
+|          | [Open Source Vulnerabilities (PyPI)][python-osv]    |       ✅        |     -     |
+| Ruby     | [Ruby Advisory Database][ruby]                      |       ✅        |     -     |
+|          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    |       ✅        |     -     |
+| Node.js  | [Ecosystem Security Working Group][nodejs]          |       ✅        |     -     |
+|          | [GitHub Advisory Database (npm)][nodejs-ghsa]       |       ✅        |     -     |
+| Java     | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+|          | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
+| Go       | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+|          | [The Go Vulnerability Database][go]                 |       ✅        |     -     |
+| Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
+| .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
+| C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |           |

 [^1]: Intentional delay between vulnerability disclosure and registration in the DB

@@ -56,6 +59,7 @@ The severity is from the selected data source. If the data source does not provi

 [arch]: https://security.archlinux.org/
 [alpine]: https://secdb.alpinelinux.org/
+[wolfi]: https://packages.wolfi.dev/os/security.json
 [amazon]: https://alas.aws.amazon.com/
 [debian-tracker]: https://security-tracker.debian.org/tracker/
 [debian-oval]: https://www.debian.org/security/oval/
@@ -75,6 +79,7 @@ The severity is from the selected data source. If the data source does not provi
 [nodejs-ghsa]: https://github.com/advisories?query=ecosystem%3Anpm
 [java-ghsa]: https://github.com/advisories?query=ecosystem%3Amaven
 [dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
+[erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang

 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db
--- a/docs/docs/vulnerability/detection/language.md
+++ b/docs/docs/vulnerability/detection/language.md
@@ -2,28 +2,32 @@

 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

-| Language | File                    | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
-| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
-| Ruby     | Gemfile.lock            |     -     |     -      |        ✅        |        ✅        | included         |
-|          | gemspec                 |     ✅     |     ✅      |        -        |        -        | included         |
-| Python   | Pipfile.lock            |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | poetry.lock             |     -     |     -      |        ✅        |        ✅        | included         |
-|          | requirements.txt        |     -     |     -      |        ✅        |        ✅        | included         |
-|          | egg package[^1]         |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | wheel package[^2]       |     ✅     |     ✅      |        -        |        -        | excluded         |
-| PHP      | composer.lock           |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Node.js  | package-lock.json       |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | yarn.lock               |     -     |     -      |        ✅        |        ✅        | included         |
-|          | pnpm-lock.yaml          |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | package.json            |     ✅     |     ✅      |        -        |        -        | excluded         |
-| .NET     | packages.lock.json      |     ✅     |     ✅      |        ✅        |        ✅        | included         |
-|          | packages.config         |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-|          | .deps.json              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Java     | JAR/WAR/PAR/EAR[^3][^4] |     ✅     |     ✅      |        -        |        -        | included         |
-|          | pom.xml[^5]             |     -     |     -      |        ✅        |        ✅        | excluded         |
-| Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | go.mod[^7]              |     -     |     -      |        ✅        |        ✅        | included         |
-| Rust     | Cargo.lock              |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+| Language | File                                                                                       | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies | Dependency location[^12] |
+|----------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:---------------:|:---------------:|------------------|:------------------------:|
+| Ruby     | Gemfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | included         |            -             |
+|          | gemspec                                                                                    |     ✅     |     ✅      |        -        |        -        | included         |            -             |
+| Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | poetry.lock                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | requirements.txt                                                                           |     -     |     -      |        ✅        |        ✅        | included         |            -             |
+|          | egg package[^1]                                                                            |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+|          | wheel package[^2]                                                                          |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+| PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            -             |
+| Node.js  | package-lock.json                                                                          |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |
+|          | yarn.lock                                                                                  |     -     |     -      |        ✅        |        ✅        | included         |            ✅             |
+|          | pnpm-lock.yaml                                                                             |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | package.json                                                                               |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+| .NET     | packages.lock.json                                                                         |     ✅     |     ✅      |        ✅        |        ✅        | included         |            ✅             |
+|          | packages.config                                                                            |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            -             |
+|          | .deps.json                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            ✅             |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]                                                                    |     ✅     |     ✅      |        -        |        -        | included         |            -             |
+|          | pom.xml[^5]                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | *gradle.lockfile                                                                           |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+| Go       | Binaries built by Go[^6]                                                                   |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+|          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |            -             |
+| Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |            -             |
+|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+| C/C++    | conan.lock[^13]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |   
+| Elixir   | mix.lock[^13]                                                                              |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |

 The path of these files does not matter.

@@ -40,3 +44,5 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^12]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../examples/report.md#json) and [sarif](../examples/report.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
+[^13]: To scan a filename other than the default filename use [file-patterns](../examples/others.md#file-patterns)
--- a/docs/docs/vulnerability/detection/os.md
+++ b/docs/docs/vulnerability/detection/os.md
@@ -3,8 +3,9 @@
 The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. Trivy doesn't support self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.

 | OS                               | Supported Versions                        | Target Packages               | Detection of unfixed vulnerabilities |
-| -------------------------------- |-------------------------------------------| ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.16, edge               | Installed by apk              |                  NO                  |
+|----------------------------------|-------------------------------------------|-------------------------------|:------------------------------------:|
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.17, edge               | Installed by apk              |                  NO                  |
+| Wolfi Linux                      | (n/a)                                     | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8, 9                                   | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
--- a/docs/docs/vulnerability/distributions.md
+++ b/docs/docs/vulnerability/distributions.md
@@ -11,19 +11,48 @@ The following table provides an outline of the features Trivy offers.

 ### Examples

-```
-$ trivy image cblmariner.azurecr.io/base/core:1.0
-2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
-2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
-2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0
+=== "image"
+    ```
+    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
+    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
+    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
+    
+    mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```

-cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
-==============================================================
-Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 
-```
+=== "fs"
+    ```
+    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 
+    
+    root [ / ]# tdnf -y install ca-certificates
+    ...
+
+    root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
+    ...
+    
+    root [ / ]# trivy fs /
+    2022-07-27T09:30:06.815Z	INFO	Need to update DB
+    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
+    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
+    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
+    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
+    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
+    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
+    
+    40ba9a55397c (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```

 ### Data source
 See [here][source].

 [mariner]: https://github.com/microsoft/CBL-Mariner
-[source]: detection/data-source.md
+[source]: detection/data-source.md
--- a/docs/docs/vulnerability/examples/others.md
+++ b/docs/docs/vulnerability/examples/others.md
@@ -16,6 +16,64 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```

+## Scan Image on a specific Architecture and OS
+
+By default, Trivy loads an image on a "linux/amd64" machine.
+To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
+
+```
+$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
+```
+
+For example:
+
+```
+$ trivy image --platform=linux/arm alpine:3.16.1
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-10-25T21:00:50.972+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    Secret scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-10-25T21:00:50.972+0300    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-10-25T21:00:56.190+0300    INFO    Detected OS: alpine
+2022-10-25T21:00:56.190+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T21:00:56.191+0300    INFO    Number of language-specific files: 0
+
+alpine:3.16.1 (alpine 3.16.1)
+=============================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
+┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ zlib    │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
+│         │                │          │                   │               │ in inflate.c via a...                                       │
+│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
+└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+
+</details>
+
+## File patterns
+When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
+The default file patterns are [here](../../misconfiguration/custom/index.md).
+
+In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
+For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
+
+This can be repeated for specifying multiple file patterns.
+
+A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
+```
+--file-patterns "dockerfile:.*.docker" --file-patterns "yaml:deployment" --file-patterns "pip:requirements-.*\.txt"
+```
+
+For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
+
 ## Exit Code
 By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
 Use the `--exit-code` option if you want to exit with a non-zero exit code.
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,14 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
+This flag is only available with the `--format table` flag.
+
+The following packages/languages are currently supported:
+
+- OS packages (apk, dpkg and rpm)
+- Node.js (package-lock.json and yarn.lock) 
+- Nuget lock files (packages.lock.json)
+- Rust Binaries built with [cargo-auditable][cargo-auditable]

 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,9 +67,6 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain

 Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.

-!!! note
-    Only Node.js (package-lock.json) is supported at the moment.
-
 ## JSON

 ```
@@ -273,9 +277,9 @@ The following example shows use of default HTML template when Trivy is installed
 $ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
 ```

-
+[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
+[asff]: ../../../tutorials/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/
--- a/docs/docs/vulnerability/scanning/git-repository.md
+++ b/docs/docs/vulnerability/scanning/git-repository.md
@@ -149,7 +149,7 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)

 ## Scanning a Branch

-Pass a `--branch` agrument with a valid branch name on the remote repository provided:
+Pass a `--branch` argument with a valid branch name on the remote repository provided:

 ```
 $ trivy repo --branch <branch-name> <repo-name>
@@ -157,7 +157,7 @@ $ trivy repo --branch <branch-name> <repo-name>

 ## Scanning upto a Commit

-Pass a `--commit` agrument with a valid commit hash on the remote repository provided:
+Pass a `--commit` argument with a valid commit hash on the remote repository provided:

 ```
 $ trivy repo --commit <commit-hash> <repo-name>
@@ -165,7 +165,7 @@ $ trivy repo --commit <commit-hash> <repo-name>

 ## Scanning a Tag

-Pass a `--tag` agrument with a valid tag on the remote repository provided:
+Pass a `--tag` argument with a valid tag on the remote repository provided:

 ```
 $ trivy repo --tag <tag-name> <repo-name>
@@ -187,3 +187,65 @@ $ # or
 $ export GITLAB_TOKEN="your_private_gitlab_token"
 $ trivy repo <your private GitLab repo URL>
 ```
+
+## Client/Server mode
+You must launch Trivy server in advance.
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:4954
+```
+
+<details>
+<summary>Result</summary>
+
+```
+Cargo.lock (cargo)
+==================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
+
+┌───────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ openssl   │ CVE-2018-20997      │ CRITICAL │ 0.8.3             │ 0.10.9        │ Use after free in openssl                                   │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20997                  │
+│           ├─────────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│           │ CVE-2016-10931      │ HIGH     │                   │ 0.9.0         │ Improper Certificate Validation in openssl                  │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2016-10931                  │
+└───────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+Pipfile.lock (pipenv)
+=====================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 2)
+
+┌─────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
+│       Library       │ Vulnerability  │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
+├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ py                  │ CVE-2020-29651 │ HIGH     │ 1.8.0             │ 1.10.0                 │ python-py: ReDoS in the py.path.svnwc component via          │
+│                     │                │          │                   │                        │ mailicious input to blame functionality...                   │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2020-29651                   │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2022-42969 │          │                   │                        │ The py library through 1.11.0 for Python allows remote       │
+│                     │                │          │                   │                        │ attackers to co...                                           │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-42969                   │
+├─────────────────────┼────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ pyjwt               │ CVE-2022-29217 │          │ 1.7.1             │ 2.4.0                  │ python-jwt: Key confusion through non-blocklisted public key │
+│                     │                │          │                   │                        │ formats                                                      │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-29217                   │
+├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ pyyaml              │ CVE-2019-20477 │ CRITICAL │ 5.1               │ 5.2b1                  │ PyYAML: command execution through python/object/apply        │
+│                     │                │          │                   │                        │ constructor in FullLoader                                    │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-20477                   │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2020-1747  │          │                   │ 5.3.1                  │ PyYAML: arbitrary command execution through                  │
+│                     │                │          │                   │                        │ python/object/new when FullLoader is used                    │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2020-1747                    │
+└─────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+```
+</details>
--- a/docs/docs/vulnerability/scanning/image.md
+++ b/docs/docs/vulnerability/scanning/image.md
@@ -88,4 +88,3 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

 </details>

-
--- a/docs/docs/vulnerability/scanning/index.md
+++ b/docs/docs/vulnerability/scanning/index.md
@@ -1,11 +1,9 @@
 # Vulnerability Scanning

-Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.
-
-![vulnerability][vuln]
+Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], [Virtual Machine Image][vm] and [Git Repositories][repo] to detect vulnerabilities.

 [image]: image.md
 [rootfs]: rootfs.md
 [fs]: filesystem.md
 [repo]: git-repository.md
-[vuln]: ../../../imgs/vulnerability.png
+[vm]: ../../vm/index.md
--- a/docs/docs/vulnerability/scanning/rootfs.md
+++ b/docs/docs/vulnerability/scanning/rootfs.md
@@ -6,7 +6,8 @@ Scan a root filesystem (such as a host machine, a virtual machine image, or an u
 $ trivy rootfs /path/to/rootfs
 ```

-## From Inside Containers
+## Standalone mode
+### From Inside Containers
 Scan your container from inside the container.

 ```bash
@@ -60,6 +61,40 @@ Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)

 </details>

+## Client/Server mode
+You must launch Trivy server in advance.
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy rootfs --server http://localhost:4954 --severity CRITICAL /tmp/rootfs
+```
+
+<details>
+<summary>Result</summary>
+
+```
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+```
+</details>
+
+
+
 ## Other Examples
 - [Embed in Dockerfile][embedding]
 - [Unpacked container image filesystem][unpacked]
--- a/docs/ecosystem/cicd.md
+++ b/docs/ecosystem/cicd.md
@@ -0,0 +1,67 @@
+# CI/CD Integrations
+
+## GitHub Actions
+[GitHub Actions](https://github.com/features/actions) is GitHub's native CI/CD and job orchestration service.
+
+### trivy-action (Official)
+
+GitHub Action for integrating Trivy into your GitHub pipeline
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-action>
+
+### trivy-action (Community)
+
+GitHub Action to scan vulnerability using Trivy. If vulnerabilities are found by Trivy, it creates a GitHub Issue.
+
+👉 Get it at: <https://github.com/marketplace/actions/trivy-action>
+
+### trivy-github-issues (Community)
+
+In this action, Trivy scans the dependency files such as package-lock.json and go.sum in your repository, then create GitHub issues according to the result.
+
+👉 Get it at: <https://github.com/marketplace/actions/trivy-github-issues>
+
+## Azure DevOps (Official)
+[Azure Devops](https://azure.microsoft.com/en-us/products/devops/#overview) is Microsoft Azure cloud native CI/CD service.
+
+Trivy has a "Azure Devops Pipelines Task" for Trivy, that lets you easily introduce security scanning into your workflow, with an integrated Azure Devops UI.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-azure-pipelines-task>
+
+## Semaphore (Community)
+[Semaphore](https://semaphoreci.com/) is a CI/CD service.
+
+You can use Trivy in Semaphore for scanning code, containers, infrastructure, and Kubernetes in Semaphore workflow.
+
+👉 Get it at: <https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy>
+
+## CircleCI (Community)
+[CircleCI](https://circleci.com/) is a CI/CD service.
+
+You can use the Trivy Orb for Circle CI to introduce security scanning into your workflow.
+
+👉 Get it at: <https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb>
+Source: <https://github.com/15five/trivy-orb>
+
+## Woodpecker CI (Community)
+
+Example Trivy step in pipeline
+
+```yml
+pipeline:
+  securitycheck:
+    image: aquasec/trivy:latest
+    commands:
+      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
+      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+```
+
+Woodpecker does use Trivy itself so you can [see it in use there](https://github.com/woodpecker-ci/woodpecker/pull/1163).
+
+## Concourse CI (Community)
+[Concourse CI](https://concourse-ci.org/) is a CI/CD service.
+
+You can use Trivy Resource in Concourse for scanning containers and introducing security scanning into your workflow.
+It has capabilities to fail the pipeline, create issues, alert communication channels (using respective resources) based on Trivy scan output.
+
+👉 Get it at: <https://github.com/Comcast/trivy-resource/>
--- a/docs/ecosystem/ide.md
+++ b/docs/ecosystem/ide.md
@@ -0,0 +1,56 @@
+# IDE and developer tools Integrations
+
+## VSCode (Official)
+[Visual Studio Code](https://code.visualstudio.com/) is an open source versatile code editor and development environment.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-vscode-extension>
+
+## JetBrains (Official)
+[JetBrains](https://jetbrains.com) makes IDEs such as Goland, Pycharm, IntelliJ, Webstorm, and more.
+
+The Trivy plugin for JetBrains IDEs lets you use Trivy right from your development environment.
+
+👉 Get it at: <https://plugins.jetbrains.com/plugin/18690-trivy-findings-explorer>
+
+## Kubernetes Lens (Official)
+[Kubernetes Lens](https://k8slens.dev/) is a management application for Kubernetes clusters.
+
+Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloads and view the results in the Lens UI.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-operator-lens-extension>
+
+## Vim (Community)
+[Vim](https://www.vim.org/) is a terminal based text editor.
+
+Vim plugin for Trivy to install and run Trivy.
+
+👉 Get it at: <https://github.com/aquasecurity/vim-trivy>
+
+## Docker Desktop (Community)
+[Docker Desktop](https://www.docker.com/products/docker-desktop/) is an easy way to install [Docker]() container engine on your development machine, and manage it in a GUI .
+
+Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-docker-extension>
+
+## Rancher Desktop (Community)
+[Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and mange it in a GUI.
+
+Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: <https://docs.rancherdesktop.io/getting-started/features#scanning-images>
+
+## LazyTrivy (Community)
+A terminal native UI for Trivy
+
+👉 Get it at: <https://github.com/owenrumney/lazytrivy>
+
+## Trivy Vulnerability explorer (Community)
+
+Web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table
+
+👉 Get it at: <https://github.com/dbsystel/trivy-vulnerability-explorer>
+
+## Trivy pre-commit (Community)
+
+A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting, preventing you from commiting secrets in the first place.
+
+👉 Get it at: <https://github.com/mxab/pre-commit-trivy>
--- a/docs/ecosystem/index.md
+++ b/docs/ecosystem/index.md
@@ -0,0 +1,10 @@
+#  Ecosystem
+Trivy is already integrated into many popular tools and applications, so that you can easily add security to your workflow.
+
+In this section you will find an aggregation of the different integrations. Integrations are listed as either "official" or "community". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
+
+👈 Choose a category from the side menu to browse integrations.
+
+## Add missing integration
+
+We are happy to showcase community integrations in this section. To suggest an addition simply make a Pull Request to add the missing integration.
--- a/docs/ecosystem/prod.md
+++ b/docs/ecosystem/prod.md
@@ -0,0 +1,23 @@
+# Production and cloud Integrations
+
+## Kubernetes 
+
+[Kubernetes](https://kubernetes.io/) is an open-source system for automating deployment, scaling, and management of containerized applications.
+
+### Trivy Operator (Official)
+
+Using the Trivy Operator you can install Trivy into a Kubernetes cluster so that it automatically and continuously scan your workloads and cluster for security issues.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-operator>
+
+## Harbor (Official)
+[Harbor](https://goharbor.io/) is an open source cloud native container and artifact registry.
+
+Trivy is natively integrated into Harbor, no installation is needed. More info in Harbor documentation: <https://goharbor.io/docs/2.6.0/administration/vulnerability-scanning>
+
+## Kyverno (Community)
+[Kyverno](https://kyverno.io/) is a policy management tool for Kubernetes.
+
+You can use Kyverno to ensure and enforce that deployed workloads' images are scanned for vulnerabilities.
+
+👉 Get it at: <https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno>
--- a/Show More
+++ b/Show More
				`@@ -88,4 +88,3 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)`

				`</details>`