gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 07:10:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.63.0
Branches Tags
gitea-mirror:main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-db43af7bd4 gitea-mirror:dependabot/go_modules/common-aee61fa259 gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.59.1
Branches Tags
gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-db43af7bd4 gitea-mirror:dependabot/go_modules/common-aee61fa259 gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

5 Commits
v0.63.0 ... v0.59.1

Author SHA1 Message Date
Aqua Security automated builds
9aabfd2a91 release: v0.59.1 [release/v0.59] (#8334) 2025-02-05 06:13:48 +00:00
Aqua Security automated builds
412c690924 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-02-04 11:27:18 +00:00
Aqua Security automated builds
98f9ba295a chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#8343) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-02-04 06:52:15 +00:00
Aqua Security automated builds
1741fddbe0 fix(python): add poetry v2 support [backport: release/v0.59] (#8335) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-02-03 09:04:49 +00:00
Aqua Security automated builds
3fd8e2785b fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-02-03 05:55:46 +00:00
856 changed files with 15428 additions and 29271 deletions
Expand all files Collapse all files

4
.github/DISCUSSION_TEMPLATE/bugs.yml vendored
View File

@@ -10,7 +10,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description
@@ -117,7 +117,7 @@ body:
description: Have you tried the following?
options:
- label: Run `trivy clean --all`
- label: Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)
- label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
- type: markdown
attributes:
value: |

2
.github/DISCUSSION_TEMPLATE/documentation.yml vendored
View File

@@ -7,7 +7,7 @@ body:
Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description

4
.github/DISCUSSION_TEMPLATE/false-detection.yml vendored
View File

@@ -8,7 +8,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: input
attributes:
label: IDs
@@ -86,7 +86,7 @@ body:
attributes:
label: Checklist
options:
- label: Read [the documentation regarding wrong detection](https://trivy.dev/dev/community/contribute/discussion/#false-detection)
- label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
validations:
required: true

2
.github/DISCUSSION_TEMPLATE/ideas.yml vendored
View File

@@ -9,7 +9,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description

2
.github/DISCUSSION_TEMPLATE/q-a.yml vendored
View File

@@ -9,7 +9,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Question

11
.github/ISSUE_TEMPLATE/maintainer.md vendored
View File

@@ -1,11 +0,0 @@
---
name: Maintainer
about: Create an issue by maintainers
title: ''
labels: ''
assignees: ''
---
## Are you a maintainer of the Trivy project?
If not, please open [a discussion](https://github.com/aquasecurity/trivy/discussions); if you are, please review [the guideline](https://trivy.dev/latest/community/contribute/discussion/).

4
.github/pull_request_template.md vendored
View File

@@ -10,8 +10,8 @@
Remove this section if you don't have related PRs.
## Checklist
- [ ] I've read the [guidelines for contributing](https://trivy.dev/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://trivy.dev/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)

2
.github/workflows/auto-close-issue.yaml vendored
View File

@@ -26,7 +26,7 @@ jobs:
// If the user does not have write or admin permissions, leave a comment and close the issue
if (permission !== 'write' && permission !== 'admin') {
const commentBody = "Please see https://trivy.dev/latest/community/contribute/issue/";
const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,

11
.github/workflows/auto-update-labels.yaml vendored
View File

@@ -5,6 +5,8 @@ on:
- 'misc/triage/labels.yaml'
branches:
- main
env:
GO_VERSION: '1.23'
jobs:
deploy:
name: Auto-update labels
@@ -16,11 +18,14 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
# cf. https://github.com/aquasecurity/trivy/pull/6711
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install aqua tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: update labels
env:

4
.github/workflows/backport.yaml vendored
View File

@@ -41,10 +41,8 @@ jobs:
fetch-depth: 0
- name: Extract branch name
env:
COMMENT_BODY: ${{ github.event.comment.body }}
run: |
BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
- name: Set up Git user

20
.github/workflows/cache-test-images.yaml vendored
View File

@@ -18,8 +18,10 @@ jobs:
go-version-file: go.mod
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
if: github.ref_name == 'main'
@@ -27,7 +29,7 @@ jobs:
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test image cache only for main branch
@@ -37,6 +39,8 @@ jobs:
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Download test images
if: github.ref_name == 'main'
@@ -55,8 +59,10 @@ jobs:
go-version-file: go.mod
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
if: github.ref_name == 'main'
@@ -64,7 +70,7 @@ jobs:
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test VM image cache only for main branch
@@ -74,6 +80,8 @@ jobs:
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-
- name: Download test VM images
if: github.ref_name == 'main'

2
.github/workflows/canary.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v4
uses: actions/cache@v4.0.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

36
.github/workflows/publish-chart.yaml vendored
View File

@@ -13,6 +13,9 @@ on:
- main
paths:
- 'helm/trivy/**'
push:
tags:
- "v*"
env:
HELM_REP: helm-charts
GH_OWNER: aquasecurity
@@ -22,6 +25,7 @@ env:
jobs:
# `test-chart` job starts if a PR with Helm Chart is created, merged etc.
test-chart:
if: github.event_name != 'push'
runs-on: ubuntu-24.04
steps:
- name: Checkout
@@ -29,7 +33,7 @@ jobs:
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
with:
version: v3.14.4
- name: Set up python
@@ -39,9 +43,9 @@ jobs:
check-latest: true
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
@@ -52,6 +56,32 @@ jobs:
sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
ct lint-and-install --validate-maintainers=false --charts helm/trivy
# `update-chart-version` job starts if a new tag is pushed
update-chart-version:
if: github.event_name == 'push'
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
aqua_opts: ""
- name: Create a PR with Trivy version
run: mage helm:updateVersion
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
# `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
publish-chart:

8
.github/workflows/release-please.yaml vendored
View File

@@ -47,12 +47,10 @@ jobs:
- name: Extract version and PR number from commit message
id: extract_info
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "version=$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "pr_number=$( echo "$COMMIT_MESSAGE" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
echo "release_branch=release/v$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
- name: Tag release
if: ${{ steps.extract_info.outputs.version }}

4
.github/workflows/release-pr-check.yaml vendored
View File

@@ -11,10 +11,8 @@ jobs:
steps:
- name: Check PR author
id: check_author
env:
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
run: |
if [ "$PR_AUTHOR" != "aqua-bot" ]; then
if [ "${{ github.actor }}" != "aqua-bot" ]; then
echo "::error::This branch is intended for automated backporting by bot. Please refer to the documentation:"
echo "::error::https://trivy.dev/latest/community/maintainer/backporting/"
exit 1

32
.github/workflows/release.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v4
uses: actions/cache@v4.0.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -55,33 +55,3 @@ jobs:
- name: Create deb repository
run: ci/deploy-deb.sh
# `update-chart-version` creates a new PR for updating the helm chart
update-chart-version:
needs: deploy-packages
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Create a PR with Trivy version
run: mage helm:updateVersion
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

7
.github/workflows/reusable-release.yaml vendored
View File

@@ -14,6 +14,7 @@ on:
env:
GH_USER: "aqua-bot"
GO_VERSION: '1.23'
jobs:
release:
@@ -27,7 +28,7 @@ jobs:
contents: read # Not required for public repositories, but for clarity
steps:
- name: Cosign install
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
@@ -67,7 +68,7 @@ jobs:
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
- name: Generate SBOM
@@ -119,7 +120,7 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v4
uses: actions/cache@v4.0.2
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.

86
.github/workflows/semantic-pr.yaml vendored
View File

@@ -1,23 +1,22 @@
name: "Validate PR Title"
name: "Lint PR title"
on:
pull_request:
pull_request_target:
types:
- opened
- edited
- synchronize
jobs:
validate:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- name: Validate PR title
shell: bash
- uses: amannn/action-semantic-pull-request@v5
env:
PR_TITLE: ${{ github.event.pull_request.title }}
# Valid types
VALID_TYPES: |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
types: |
feat
fix
docs
@@ -30,15 +29,13 @@ jobs:
chore
revert
release
# Valid scopes categorized by area
VALID_SCOPES: |
# Scanners
scopes: |
vuln
misconf
secret
license
# Targets
image
fs
repo
@@ -49,7 +46,6 @@ jobs:
vm
plugin
# OS
alpine
wolfi
chainguard
@@ -63,12 +59,9 @@ jobs:
amazon
suse
photon
echo
distroless
windows
minimos
# Languages
ruby
php
python
@@ -78,7 +71,7 @@ jobs:
java
go
c
c++
c\+\+
elixir
dart
swift
@@ -86,80 +79,29 @@ jobs:
conda
julia
# Package types
os
lang
# IaC
kubernetes
dockerfile
terraform
cloudformation
# Container
docker
podman
containerd
oci
# SBOM
sbom
spdx
cyclonedx
# Misc
cli
flag
cyclonedx
spdx
purl
vex
helm
report
db
parser
deps
run: |
set -euo pipefail
# Convert env vars to regex alternatives, excluding comments and empty lines
TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
# Basic format check (should match: type(scope): description or type: description)
FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
echo "Error: Invalid PR title format"
echo "Expected format: <type>(<scope>): <description> or <type>: <description>"
echo "Examples:"
echo " feat(vuln): add new vulnerability detection"
echo " fix: correct parsing logic"
echo " docs(kubernetes): update installation guide"
echo -e "\nCurrent title: $PR_TITLE"
exit 1
fi
# Extract type and scope for validation
TYPE=$(echo "$PR_TITLE" | sed -E 's/^([a-z]+)(\([a-z0-9+]+\))?!?: .+$/\1/')
SCOPE=$(echo "$PR_TITLE" | sed -E 's/^[a-z]+\(([a-z0-9+]+)\)!?: .+$/\1/; t; s/.*//')
# Validate type
if ! echo "$VALID_TYPES" | grep -qx "$TYPE"; then
echo "Error: Invalid type '${TYPE}'"
echo -e "\nValid types:"
echo "$VALID_TYPES" | grep -v '^$' | sed 's/^/- /'
echo -e "\nCurrent title: $PR_TITLE"
exit 1
fi
# Validate scope if present
if [ -n "$SCOPE" ]; then
if ! echo "$VALID_SCOPES" | grep -v '^#' | grep -qx "$SCOPE"; then
echo "Error: Invalid scope '${SCOPE}'"
echo -e "\nValid scopes:"
echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | sed 's/^/- /'
echo -e "\nCurrent title: $PR_TITLE"
exit 1
fi
fi
echo "PR title validation passed ✅"
echo "Current title: $PR_TITLE"

13
.github/workflows/spdx-cron.yaml vendored
View File

@@ -12,14 +12,6 @@ jobs:
- name: Check out code
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Check if SPDX exceptions are up-to-date
run: |
mage spdx:updateLicenseExceptions
@@ -29,7 +21,10 @@ jobs:
fi
- name: Microsoft Teams Notification
uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88
## Until the PR with the fix for the AdaptivCard version is merged yet
## https://github.com/Skitionek/notify-microsoft-teams/pull/96
## Use the aquasecurity fork
uses: aquasecurity/notify-microsoft-teams@master
if: failure()
with:
webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}

59
.github/workflows/test.yaml vendored
View File

@@ -11,6 +11,8 @@ on:
merge_group:
workflow_dispatch:
env:
GO_VERSION: '1.23'
jobs:
test:
name: Test
@@ -24,7 +26,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
- name: go mod tidy
@@ -38,10 +40,10 @@ jobs:
- name: Lint
id: lint
uses: golangci/golangci-lint-action@v7.0.0
uses: golangci/golangci-lint-action@v6.1.1
with:
version: v2.1
args: --verbose
version: v1.61
args: --verbose --out-format=line-number
if: matrix.operating-system == 'ubuntu-latest'
- name: Check if linter failed
@@ -51,7 +53,10 @@ jobs:
if: ${{ failure() && steps.lint.conclusion == 'failure' }}
- name: Install tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
aqua_opts: ""
- name: Check if CLI references are up-to-date
run: |
@@ -75,18 +80,20 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
@@ -94,6 +101,8 @@ jobs:
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Run integration tests
run: mage test:integration
@@ -108,11 +117,13 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Run k8s integration tests
run: mage test:k8s
@@ -127,18 +138,20 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
@@ -146,6 +159,8 @@ jobs:
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Run module integration tests
shell: bash
@@ -162,18 +177,20 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test VM images from cache
@@ -181,6 +198,8 @@ jobs:
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-
- name: Run vm integration tests
run: |
@@ -201,7 +220,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Determine GoReleaser ID

331
.golangci.yaml
View File

@@ -1,145 +1,111 @@
issues:
max-issues-per-linter: 0
max-same-issues: 0
linters-settings:
depguard:
rules:
main:
list-mode: lax
deny:
# Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
- pkg: "golang.org/x/exp/slices"
desc: "Use 'slices' instead"
- pkg: "golang.org/x/exp/maps"
desc: "Use 'maps' or 'github.com/samber/lo' instead"
dupl:
threshold: 100
errcheck:
check-type-assertions: true
check-blank: true
gci:
sections:
- standard
- default
- prefix(github.com/aquasecurity/)
- blank
- dot
goconst:
min-len: 3
min-occurrences: 3
gocritic:
disabled-checks:
- appendAssign
- unnamedResult
- whyNoLint
- indexAlloc
- octalLiteral
- hugeParam
- rangeValCopy
- regexpSimplify
- sloppyReassign
- commentedOutCode
enabled-tags:
- diagnostic
- style
- performance
- experimental
- opinionated
settings:
ruleguard:
failOn: all
rules: '${configDir}/misc/lint/rules.go'
gocyclo:
min-complexity: 20
gofmt:
simplify: false
rewrite-rules:
- pattern: 'interface{}'
replacement: 'any'
gomodguard:
blocked:
modules:
- github.com/hashicorp/go-version:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/Masterminds/semver:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
gosec:
excludes:
- G101
- G114
- G115
- G204
- G304
- G402
govet:
check-shadowing: false
misspell:
locale: US
ignore-words:
- behaviour
- licence
- optimise
- simmilar
perfsprint:
# Optimizes even if it requires an int or uint type cast.
int-conversion: true
# Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
err-error: true
# Optimizes `fmt.Errorf`.
errorf: true
# Optimizes `fmt.Sprintf` with only one argument.
sprintf1: false
# Optimizes into strings concatenation.
strconcat: false
revive:
ignore-generated-header: true
testifylint:
enable-all: true
linters:
settings:
depguard:
rules:
main:
list-mode: lax
deny:
# Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
- pkg: "golang.org/x/exp/slices"
desc: "Use 'slices' instead"
- pkg: "golang.org/x/exp/maps"
desc: "Use 'maps' or 'github.com/samber/lo' instead"
dupl:
threshold: 100
errcheck:
check-type-assertions: true
check-blank: true
goconst:
min-len: 3
min-occurrences: 3
gocritic:
disabled-checks:
- appendAssign
- commentedOutCode
- hugeParam
- importShadow # FIXME
- indexAlloc
- rangeValCopy
- regexpSimplify
- sloppyReassign
- unnamedResult
- whyNoLint
enabled-tags:
- diagnostic
- style
- performance
- experimental
- opinionated
settings:
ruleguard:
failOn: all
rules: '${base-path}/misc/lint/rules.go'
gocyclo:
min-complexity: 20
gomodguard:
blocked:
modules:
- github.com/hashicorp/go-version:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/Masterminds/semver:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
gosec:
excludes:
- G101
- G114
- G115
- G204
- G304
- G402
govet:
disable:
- shadow
misspell:
locale: US
ignore-rules:
- behaviour
- licence
- optimise
- simmilar
perfsprint:
# Optimizes even if it requires an int or uint type cast.
int-conversion: true
# Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
err-error: true
# Optimizes `fmt.Errorf`.
errorf: true
# Optimizes `fmt.Sprintf` with only one argument.
sprintf1: false
# Optimizes into strings concatenation.
strconcat: false
revive:
max-open-files: 2048
# https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
rules:
- name: bool-literal-in-expr
- name: context-as-argument
arguments:
- allowTypesBefore: "*testing.T"
- name: duplicated-imports
- name: early-return
arguments:
- preserve-scope
- name: if-return
- name: increment-decrement
- name: indent-error-flow
arguments:
- preserve-scope
- name: range
- name: range-val-address
- name: superfluous-else
arguments:
- preserve-scope
- name: time-equal
- name: unnecessary-stmt
- name: unused-parameter
- name: use-any
staticcheck:
checks:
- all
- -QF1008 # Omit embedded fields from selector expression
- -S1007 # Simplify regular expression by using raw string literal
- -S1011 # Use a single append to concatenate two slices
- -S1023 # Omit redundant control flow
- -SA1019 # Using a deprecated function, variable, constant or field
- -SA1024 # A string cutset contains duplicate characters
- -SA4004 # The loop exits unconditionally after one iteration
- -SA4023 # Impossible comparison of interface value with untyped nil
- -SA4032 # Comparing runtime.GOOS or runtime.GOARCH against impossible value
- -SA5011 # Possible nil pointer dereference
- -ST1003 # Poorly chosen identifier
- -ST1012 # Poorly chosen name for error variable
testifylint:
enable-all: true
default: none
disable-all: true
enable:
- bodyclose
- depguard
- gci
- goconst
- gocritic
- gocyclo
- gofmt
- gomodguard
- gosec
- govet
@@ -147,70 +113,47 @@ linters:
- misspell
- perfsprint
- revive
- staticcheck
- tenv
- testifylint
- typecheck
- unconvert
- unused
- usestdlibvars
- usetesting
exclusions:
generated: lax
paths:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
rules:
- path: ".*_test.go$"
linters:
- goconst
- gosec
- unused
- path: ".*_test.go$"
linters:
- govet
text: "copylocks:"
- path: ".*_test.go$"
linters:
- gocritic
text: "commentFormatting:"
- path: ".*_test.go$"
linters:
- gocritic
text: "exitAfterDefer:"
- path: ".*_test.go$"
linters:
- gocritic
text: "importShadow:"
- linters:
- goconst
text: "string `each` has 3 occurrences, make it a constant" # FIXME
presets:
- comments
- common-false-positives
- legacy
- std-error-handling
warn-unused: true
run:
go: '1.24'
go: '1.23'
timeout: 30m
formatters:
enable:
- gci
- gofmt
exclusions:
generated: lax
settings:
gci:
sections:
- standard
- default
- prefix(github.com/aquasecurity/)
- blank
- dot
gofmt:
simplify: false
version: "2"
issues:
exclude-files:
- "mock_*.go$"
- "examples/*"
exclude-dirs:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
exclude-rules:
- path: ".*_test.go$"
linters:
- goconst
- gosec
- unused
- path: ".*_test.go$"
linters:
- govet
text: "copylocks:"
- path: ".*_test.go$"
linters:
- gocritic
text: "commentFormatting:"
- path: ".*_test.go$"
linters:
- gocritic
text: "exitAfterDefer:"
- path: ".*_test.go$"
linters:
- gocritic
text: "importShadow:"
- linters:
- perfsprint
text: "fmt.Sprint"
exclude-use-default: false
max-same-issues: 0

2
.release-please-manifest.json
View File

@@ -1 +1 @@
{".":"0.63.0"}
{".":"0.59.1"}

153
CHANGELOG.md
View File

@@ -1,158 +1,13 @@
# Changelog
## [0.63.0](https://github.com/aquasecurity/trivy/compare/v0.62.0...v0.63.0) (2025-05-29)
### Features
* add Bottlerocket OS package analyzer ([#8653](https://github.com/aquasecurity/trivy/issues/8653)) ([07ef63b](https://github.com/aquasecurity/trivy/commit/07ef63b4830f9f3d791a07433287a99118d7590a))
* add JSONC support for comments and trailing commas ([#8862](https://github.com/aquasecurity/trivy/issues/8862)) ([0b0e406](https://github.com/aquasecurity/trivy/commit/0b0e4061ef955efc0f94280d2d390f11ff6e2409))
* **alpine:** add maintainer field extraction for APK packages ([#8930](https://github.com/aquasecurity/trivy/issues/8930)) ([104bbc1](https://github.com/aquasecurity/trivy/commit/104bbc18ea85caec17125296dc4fe2dea9c49826))
* **cli:** Add available version checking ([#8553](https://github.com/aquasecurity/trivy/issues/8553)) ([5a0bf9e](https://github.com/aquasecurity/trivy/commit/5a0bf9ed31ad34248895e69231da602935e66785))
* **echo:** Add Echo Support ([#8833](https://github.com/aquasecurity/trivy/issues/8833)) ([c7b8cc3](https://github.com/aquasecurity/trivy/commit/c7b8cc392eb28eb63e10561cf1ff7991e5e3c548))
* **go:** support license scanning in both GOPATH and vendor ([#8843](https://github.com/aquasecurity/trivy/issues/8843)) ([26437be](https://github.com/aquasecurity/trivy/commit/26437be083960d17bee8b1b37b8a6780eff07981))
* **k8s:** get components from namespaced resources ([#8918](https://github.com/aquasecurity/trivy/issues/8918)) ([4f1ab23](https://github.com/aquasecurity/trivy/commit/4f1ab238693919772a65450de9fb9fb2f873c0d6))
* **license:** improve work text licenses with custom classification ([#8888](https://github.com/aquasecurity/trivy/issues/8888)) ([ee52230](https://github.com/aquasecurity/trivy/commit/ee522300b73a2afc72829fc2fa7ff419712fc89a))
* **license:** improve work with custom classification of licenses from config file ([#8861](https://github.com/aquasecurity/trivy/issues/8861)) ([c321fdf](https://github.com/aquasecurity/trivy/commit/c321fdfcdd58f34d076fc730e2b63fdd13e426a9))
* **license:** scan vendor directory for license for go.mod files ([#8689](https://github.com/aquasecurity/trivy/issues/8689)) ([dd6a6e5](https://github.com/aquasecurity/trivy/commit/dd6a6e50a44b7b543fd9dba634da599a76650acb))
* **license:** Support compound licenses (licenses using SPDX operators) ([#8816](https://github.com/aquasecurity/trivy/issues/8816)) ([39f9ed1](https://github.com/aquasecurity/trivy/commit/39f9ed128b2c0fb599ad9092a3cf5675106bffdc))
* **minimos:** Add support for MinimOS ([#8792](https://github.com/aquasecurity/trivy/issues/8792)) ([c2dde33](https://github.com/aquasecurity/trivy/commit/c2dde33c3f19d499258a7089d7658a9f90722acf))
* **misconf:** add misconfiguration location to junit template ([#8793](https://github.com/aquasecurity/trivy/issues/8793)) ([a516775](https://github.com/aquasecurity/trivy/commit/a516775da6fda92a55a62418a081561127a1d5ca))
* **misconf:** Add support for `Minimum Trivy Version` ([#8880](https://github.com/aquasecurity/trivy/issues/8880)) ([3b2a397](https://github.com/aquasecurity/trivy/commit/3b2a3976ac7e7785828655903b132e84ebd9d727))
* **misconf:** export raw Terraform data to Rego ([#8741](https://github.com/aquasecurity/trivy/issues/8741)) ([aaecc29](https://github.com/aquasecurity/trivy/commit/aaecc29e909db4d5dac03caa0daf223035bfb877))
* **nodejs:** add a bun.lock analyzer ([#8897](https://github.com/aquasecurity/trivy/issues/8897)) ([7ca656d](https://github.com/aquasecurity/trivy/commit/7ca656d54b99346253fc6ac6422eecaca169514e))
* **nodejs:** add bun.lock parser ([#8851](https://github.com/aquasecurity/trivy/issues/8851)) ([1dcf816](https://github.com/aquasecurity/trivy/commit/1dcf81666f1c814600702b9ab603b4070da0b940))
* terraform parser option to set current working directory ([#8909](https://github.com/aquasecurity/trivy/issues/8909)) ([8939451](https://github.com/aquasecurity/trivy/commit/893945117464bf6e090a55e3822f8299825f26d4))
## [0.59.1](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.59.1) (2025-02-04)
### Bug Fixes
* check post-analyzers for StaticPaths ([#8904](https://github.com/aquasecurity/trivy/issues/8904)) ([93e6680](https://github.com/aquasecurity/trivy/commit/93e6680b1c6bbb590157f521c667c0f611775143))
* **cli:** disable `--skip-dir` and `--skip-files` flags for `sbom` command ([#8886](https://github.com/aquasecurity/trivy/issues/8886)) ([69a5fa1](https://github.com/aquasecurity/trivy/commit/69a5fa18ca86ff7e5206abacf98732d46c000c7a))
* **cli:** don't use allow values for `--compliance` flag ([#8881](https://github.com/aquasecurity/trivy/issues/8881)) ([35e8889](https://github.com/aquasecurity/trivy/commit/35e88890c3c201b3eb11f95376172e57bf44df4b))
* filter all files when processing files installed from package managers ([#8842](https://github.com/aquasecurity/trivy/issues/8842)) ([6ebde88](https://github.com/aquasecurity/trivy/commit/6ebde88dbcaf22f25932bad4844b3c9eaca90560))
* **java:** exclude dev dependencies in gradle lockfile ([#8803](https://github.com/aquasecurity/trivy/issues/8803)) ([8995838](https://github.com/aquasecurity/trivy/commit/8995838e8d184ee9178d5b52d2d3fa9b4e403015))
* julia parser panicing ([#8883](https://github.com/aquasecurity/trivy/issues/8883)) ([be8c7b7](https://github.com/aquasecurity/trivy/commit/be8c7b796dbe36d8dc3889e0bdea23336de9a1ab))
* **julia:** add `Relationship` field support ([#8939](https://github.com/aquasecurity/trivy/issues/8939)) ([22f040f](https://github.com/aquasecurity/trivy/commit/22f040f94790060132c7b0a635f44c35d5a35fb6))
* **k8s:** use in-memory cache backend during misconfig scanning ([#8873](https://github.com/aquasecurity/trivy/issues/8873)) ([fe12771](https://github.com/aquasecurity/trivy/commit/fe127715e505d753e0d878d52c5f280cdc326b76))
* **misconf:** check if for-each is known when expanding dyn block ([#8808](https://github.com/aquasecurity/trivy/issues/8808)) ([5706603](https://github.com/aquasecurity/trivy/commit/570660314698472ab831a7e0d55044e0b1e9c6c0))
* **misconf:** use argument value in WithIncludeDeprecatedChecks ([#8942](https://github.com/aquasecurity/trivy/issues/8942)) ([7e9a54c](https://github.com/aquasecurity/trivy/commit/7e9a54cd6bf4bc15e485c6233d140b389e432fe5))
* more revive rules ([#8814](https://github.com/aquasecurity/trivy/issues/8814)) ([3ab459e](https://github.com/aquasecurity/trivy/commit/3ab459e3b674f319bf349d478917a531a69754c0))
* octalLiteral from go-critic ([#8811](https://github.com/aquasecurity/trivy/issues/8811)) ([a19e0aa](https://github.com/aquasecurity/trivy/commit/a19e0aa1ba0350198c898fd57c9405fbf38fa432))
* **redhat:** Also try to find buildinfo in root layer (layer 0) ([#8924](https://github.com/aquasecurity/trivy/issues/8924)) ([906b037](https://github.com/aquasecurity/trivy/commit/906b037cff97060267d20f8947f429e078419d66))
* **redhat:** save contentSets for OS packages in fs/vm modes ([#8820](https://github.com/aquasecurity/trivy/issues/8820)) ([9256804](https://github.com/aquasecurity/trivy/commit/9256804df8577d8a746fb8b97c508c247ab82f8f))
* **redhat:** trim invalid suffix from content_sets in manifest parsing ([#8818](https://github.com/aquasecurity/trivy/issues/8818)) ([fa1077b](https://github.com/aquasecurity/trivy/commit/fa1077bbf5863a519f6f180a600afe5e2d6180d8))
* **server:** add missed Relationship field for `rpc` ([#8872](https://github.com/aquasecurity/trivy/issues/8872)) ([38f17c9](https://github.com/aquasecurity/trivy/commit/38f17c945e3ef7784607037c0457fb1e06a99959))
* use-any from revive ([#8810](https://github.com/aquasecurity/trivy/issues/8810)) ([883c63b](https://github.com/aquasecurity/trivy/commit/883c63bf29568f0feab37e5d36ae1c417eef88f5))
* **vex:** use `lo.IsNil` to check `VEX` from OCI artifact ([#8858](https://github.com/aquasecurity/trivy/issues/8858)) ([e97af98](https://github.com/aquasecurity/trivy/commit/e97af9806ab13e1ec8b792e0586b486c4982c170))
* **wolfi:** support new APK database location ([#8937](https://github.com/aquasecurity/trivy/issues/8937)) ([b15d9a6](https://github.com/aquasecurity/trivy/commit/b15d9a60e6a3ed40811d5ca6387082266ae92ea7))
### Performance Improvements
* **secret:** only match secrets of meaningful length, allow example strings to not be matched ([#8602](https://github.com/aquasecurity/trivy/issues/8602)) ([60fef1b](https://github.com/aquasecurity/trivy/commit/60fef1b615a765248c5870b814ba0c4345220c0e))
## [0.62.0](https://github.com/aquasecurity/trivy/compare/v0.61.0...v0.62.0) (2025-04-30)
### Features
* **image:** save layers metadata into report ([#8394](https://github.com/aquasecurity/trivy/issues/8394)) ([a95cab0](https://github.com/aquasecurity/trivy/commit/a95cab0eab0fcaab57eb554e74e17da71bc4809f))
* **misconf:** add option to pass Rego scanner to IaC scanner ([#8369](https://github.com/aquasecurity/trivy/issues/8369)) ([890a360](https://github.com/aquasecurity/trivy/commit/890a3602444ad2e5320044c9b8cc79ca883d17ec))
* **misconf:** convert AWS managed policy to document ([#8757](https://github.com/aquasecurity/trivy/issues/8757)) ([7abf5f0](https://github.com/aquasecurity/trivy/commit/7abf5f0199ec65c40056d4f9addc3d27e373725a))
* **misconf:** support auto_provisioning_defaults in google_container_cluster ([#8705](https://github.com/aquasecurity/trivy/issues/8705)) ([9792611](https://github.com/aquasecurity/trivy/commit/9792611b36271efbf79f635deebae7e51f497b70))
* **nodejs:** add root and workspace for `yarn` packages ([#8535](https://github.com/aquasecurity/trivy/issues/8535)) ([bf4cd4f](https://github.com/aquasecurity/trivy/commit/bf4cd4f2d2dda0bb3a7018606db9a6c1e56e4f38))
* **rust:** add root and workspace relationships/package for `cargo` lock files ([#8676](https://github.com/aquasecurity/trivy/issues/8676)) ([93efe07](https://github.com/aquasecurity/trivy/commit/93efe0789ed9d9a71e04e93d87be63032ad9cae7))
### Bug Fixes
* early-return, indent-error-flow and superfluous-else rules from revive ([#8796](https://github.com/aquasecurity/trivy/issues/8796)) ([43350dd](https://github.com/aquasecurity/trivy/commit/43350dd9b487b39d7d19bd0875274c90262dbed9))
* **k8s:** correct compare artifact versions ([#8682](https://github.com/aquasecurity/trivy/issues/8682)) ([cc47711](https://github.com/aquasecurity/trivy/commit/cc4771158b72b88258057fa379deba9f39190994))
* **k8s:** remove using `last-applied-configuration` ([#8791](https://github.com/aquasecurity/trivy/issues/8791)) ([7a58ccb](https://github.com/aquasecurity/trivy/commit/7a58ccbc7fffdfb1e5ccff9fd4cb6ca08c03a9ea))
* **k8s:** skip passed misconfigs for the summary report ([#8684](https://github.com/aquasecurity/trivy/issues/8684)) ([bff0e9b](https://github.com/aquasecurity/trivy/commit/bff0e9b034f39d0d1ca02457558b1f89847009ac))
* **misconf:** add missing variable as unknown ([#8683](https://github.com/aquasecurity/trivy/issues/8683)) ([9dcd06f](https://github.com/aquasecurity/trivy/commit/9dcd06fda717347eab1ac8ef0710687a3bfd8588))
* **misconf:** check if metadata is not nil ([#8647](https://github.com/aquasecurity/trivy/issues/8647)) ([b7dfd64](https://github.com/aquasecurity/trivy/commit/b7dfd64987b94b4bdd8b7c5a68ba2b8f1a0a9198))
* **misconf:** filter null nodes when parsing json manifest ([#8785](https://github.com/aquasecurity/trivy/issues/8785)) ([e10929a](https://github.com/aquasecurity/trivy/commit/e10929a669f43861bae80652bdfc9f39fad7225f))
* **misconf:** perform operations on attribute safely ([#8774](https://github.com/aquasecurity/trivy/issues/8774)) ([3ce7d59](https://github.com/aquasecurity/trivy/commit/3ce7d59bb16553ab487762a5a660a046bcd63334))
* **misconf:** populate context correctly for module instances ([#8656](https://github.com/aquasecurity/trivy/issues/8656)) ([efd177b](https://github.com/aquasecurity/trivy/commit/efd177b300950d82e381992e1dea39308cc39bc3))
* **report:** clean buffer after flushing ([#8725](https://github.com/aquasecurity/trivy/issues/8725)) ([9a5383e](https://github.com/aquasecurity/trivy/commit/9a5383e993222d919d63f8d9934729cf4e291c06))
* **secret:** ignore .dist-info directories during secret scanning ([#8646](https://github.com/aquasecurity/trivy/issues/8646)) ([a032ad6](https://github.com/aquasecurity/trivy/commit/a032ad696aa58850b9576d889128559149282ad3))
* **server:** fix redis key when trying to delete blob ([#8649](https://github.com/aquasecurity/trivy/issues/8649)) ([36f8d0f](https://github.com/aquasecurity/trivy/commit/36f8d0fd6705bb0da5b43507128c772b153dafec))
* **terraform:** `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks ([#8555](https://github.com/aquasecurity/trivy/issues/8555)) ([e25de25](https://github.com/aquasecurity/trivy/commit/e25de25262fd1cd559879dee07bb2db2747eedd4))
* **terraform:** hcl object expressions to return references ([#8271](https://github.com/aquasecurity/trivy/issues/8271)) ([0d3efa5](https://github.com/aquasecurity/trivy/commit/0d3efa5dc150dba437d975a2f8335de8786f94d6))
* testifylint last issues ([#8768](https://github.com/aquasecurity/trivy/issues/8768)) ([ee4f7dc](https://github.com/aquasecurity/trivy/commit/ee4f7dc6b4be437666e91383406bba8443eec199))
* unused-parameter rule from revive ([#8794](https://github.com/aquasecurity/trivy/issues/8794)) ([6562082](https://github.com/aquasecurity/trivy/commit/6562082e280a9df6199892927f2e3f7dc8f0c8ce))
## [0.61.0](https://github.com/aquasecurity/trivy/compare/v0.60.0...v0.61.0) (2025-03-28)
### Features
* **fs:** optimize scanning performance by direct file access for known paths ([#8525](https://github.com/aquasecurity/trivy/issues/8525)) ([8bf6caf](https://github.com/aquasecurity/trivy/commit/8bf6caf98e2b1eff7bd16987f6791122d827747c))
* **k8s:** add support for controllers ([#8614](https://github.com/aquasecurity/trivy/issues/8614)) ([1bf0117](https://github.com/aquasecurity/trivy/commit/1bf0117f776953bbfe67cf32e4231360010fdf33))
* **misconf:** adapt aws_default_security_group ([#8538](https://github.com/aquasecurity/trivy/issues/8538)) ([b57eccb](https://github.com/aquasecurity/trivy/commit/b57eccb09c33df4ad0423fb148ddeaa292028401))
* **misconf:** adapt aws_opensearch_domain ([#8550](https://github.com/aquasecurity/trivy/issues/8550)) ([9913465](https://github.com/aquasecurity/trivy/commit/9913465a535c29b377bd2f2563163ccf7cbcd6a4))
* **misconf:** adapt AWS::DynamoDB::Table ([#8529](https://github.com/aquasecurity/trivy/issues/8529)) ([8112cdf](https://github.com/aquasecurity/trivy/commit/8112cdf8d638fa2bf57e5687e32f54b704c7e6b7))
* **misconf:** adapt AWS::EC2::VPC ([#8534](https://github.com/aquasecurity/trivy/issues/8534)) ([0d9865f](https://github.com/aquasecurity/trivy/commit/0d9865f48f46e85595af40140faa5ff6f02b9a02))
* **misconf:** Add support for aws_ami ([#8499](https://github.com/aquasecurity/trivy/issues/8499)) ([573502e](https://github.com/aquasecurity/trivy/commit/573502e2e83ff18020d5e7dcad498468a548733e))
* replace TinyGo with standard Go for WebAssembly modules ([#8496](https://github.com/aquasecurity/trivy/issues/8496)) ([529957e](https://github.com/aquasecurity/trivy/commit/529957eac1fc790c57fa3d93524a901ce842a9f5))
### Bug Fixes
* **debian:** don't include empty licenses for `dpkgs` ([#8623](https://github.com/aquasecurity/trivy/issues/8623)) ([346f5b3](https://github.com/aquasecurity/trivy/commit/346f5b3553b9247f99f89d859d4f835e955d34e9))
* **fs:** check postAnalyzers for StaticPaths ([#8543](https://github.com/aquasecurity/trivy/issues/8543)) ([c228307](https://github.com/aquasecurity/trivy/commit/c22830766e8cf1532f20198864757161eed6fda4))
* **k8s:** show report for `--report all` ([#8613](https://github.com/aquasecurity/trivy/issues/8613)) ([dbb6f28](https://github.com/aquasecurity/trivy/commit/dbb6f288712240ef5dec59952e33b73e3a6d5b06))
* **misconf:** add ephemeral block type to config schema ([#8513](https://github.com/aquasecurity/trivy/issues/8513)) ([41512f8](https://github.com/aquasecurity/trivy/commit/41512f846e75bae73984138ad7b3d03284a53f19))
* **misconf:** Check values wholly prior to evalution ([#8604](https://github.com/aquasecurity/trivy/issues/8604)) ([ad58cf4](https://github.com/aquasecurity/trivy/commit/ad58cf4457ebef80ff0bc4c113d4ab4c86a9fe56))
* **misconf:** do not skip loading documents from subdirectories ([#8526](https://github.com/aquasecurity/trivy/issues/8526)) ([de7eb13](https://github.com/aquasecurity/trivy/commit/de7eb13938f2709983a27ab3f59dbfac3fb74651))
* **misconf:** do not use cty.NilVal for non-nil values ([#8567](https://github.com/aquasecurity/trivy/issues/8567)) ([400a79c](https://github.com/aquasecurity/trivy/commit/400a79c2c693e462ad2e1cfc21305ef13d2ec224))
* **misconf:** identify the chart file exactly by name ([#8590](https://github.com/aquasecurity/trivy/issues/8590)) ([ba77dbe](https://github.com/aquasecurity/trivy/commit/ba77dbe5f952d67bbbbc0f43543d5f34135bc280))
* **misconf:** Improve logging for unsupported checks ([#8634](https://github.com/aquasecurity/trivy/issues/8634)) ([5b7704d](https://github.com/aquasecurity/trivy/commit/5b7704d1d091a12822df060ee7a679135185f2ae))
* **misconf:** set default values for AWS::EKS::Cluster.ResourcesVpcConfig ([#8548](https://github.com/aquasecurity/trivy/issues/8548)) ([1f05b45](https://github.com/aquasecurity/trivy/commit/1f05b4545d8f1de3ee703de66a7b3df2baaa07a7))
* **misconf:** skip Azure CreateUiDefinition ([#8503](https://github.com/aquasecurity/trivy/issues/8503)) ([c7814f1](https://github.com/aquasecurity/trivy/commit/c7814f1401b0cc66a557292fe07da24d0ea7b5cc))
* **spdx:** save text licenses into `otherLicenses` without normalize ([#8502](https://github.com/aquasecurity/trivy/issues/8502)) ([e5072f1](https://github.com/aquasecurity/trivy/commit/e5072f1eef8f3a78f4db48b4ac3f7c48aeec5e92))
* use `--file-patterns` flag for all post analyzers ([#7365](https://github.com/aquasecurity/trivy/issues/7365)) ([8b88238](https://github.com/aquasecurity/trivy/commit/8b88238f07e389cc32e2478f84aceaf860e421ef))
### Performance Improvements
* **misconf:** parse input for Rego once ([#8483](https://github.com/aquasecurity/trivy/issues/8483)) ([0e5e909](https://github.com/aquasecurity/trivy/commit/0e5e9097650f60bc54f47a21ecc937a66e66e225))
* **misconf:** retrieve check metadata from annotations once ([#8478](https://github.com/aquasecurity/trivy/issues/8478)) ([7b96351](https://github.com/aquasecurity/trivy/commit/7b96351c32d264d136978fe8fd9e113ada69bb2b))
## [0.60.0](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.60.0) (2025-03-05)
### Features
* add `--vuln-severity-source` flag ([#8269](https://github.com/aquasecurity/trivy/issues/8269)) ([d464807](https://github.com/aquasecurity/trivy/commit/d4648073211e8451d66e4c0399e9441250b60a76))
* add report summary table ([#8177](https://github.com/aquasecurity/trivy/issues/8177)) ([dd54f80](https://github.com/aquasecurity/trivy/commit/dd54f80d3fda7821dba13553480e9893ba8b4cb3))
* **cyclonedx:** Add initial support for loading external VEX files from SBOM references ([#8254](https://github.com/aquasecurity/trivy/issues/8254)) ([4820eb7](https://github.com/aquasecurity/trivy/commit/4820eb70fc926a35d759c373112dbbdca890fd46))
* **go:** fix parsing main module version for go &gt;= 1.24 ([#8433](https://github.com/aquasecurity/trivy/issues/8433)) ([e58dcfc](https://github.com/aquasecurity/trivy/commit/e58dcfcf9f102c12825d5343ebbcc12a2d6c05c5))
* **misconf:** render causes for Terraform ([#8360](https://github.com/aquasecurity/trivy/issues/8360)) ([a99498c](https://github.com/aquasecurity/trivy/commit/a99498cdd9b7bdac000140af6654bfe30135242d))
### Bug Fixes
* **db:** fix case when 2 trivy-db were copied at the same time ([#8452](https://github.com/aquasecurity/trivy/issues/8452)) ([bb3cca6](https://github.com/aquasecurity/trivy/commit/bb3cca6018551e96fdd357563dc177215ca29bd4))
* don't use `scope` for `trivy registry login` command ([#8393](https://github.com/aquasecurity/trivy/issues/8393)) ([8715e5d](https://github.com/aquasecurity/trivy/commit/8715e5d14a727667c2e62d6f7a4b5308a0323386))
* **go:** merge nested flags into string for ldflags for Go binaries ([#8368](https://github.com/aquasecurity/trivy/issues/8368)) ([b675b06](https://github.com/aquasecurity/trivy/commit/b675b06e897aaf374e7b1262d4323060a8a62edb))
* **image:** disable AVD-DS-0007 for history scanning ([#8366](https://github.com/aquasecurity/trivy/issues/8366)) ([a3cd693](https://github.com/aquasecurity/trivy/commit/a3cd693a5ea88def2f9057df6178b0c0e7a6bdb0))
* **k8s:** add missed option `PkgRelationships` ([#8442](https://github.com/aquasecurity/trivy/issues/8442)) ([f987e41](https://github.com/aquasecurity/trivy/commit/f987e4157494434f6e4e4566fedfedda92167565))
* **misconf:** do not log scanners when misconfig scanning is disabled ([#8345](https://github.com/aquasecurity/trivy/issues/8345)) ([5695eb2](https://github.com/aquasecurity/trivy/commit/5695eb22dfed672eafacb64a71da8e9bdfbaab87))
* **misconf:** ecs include enhanced for container insights ([#8326](https://github.com/aquasecurity/trivy/issues/8326)) ([39789ff](https://github.com/aquasecurity/trivy/commit/39789fff438d11bc6eccd254b3b890beb68c240b))
* **misconf:** fix incorrect k8s locations due to JSON to YAML conversion ([#8073](https://github.com/aquasecurity/trivy/issues/8073)) ([a994453](https://github.com/aquasecurity/trivy/commit/a994453a7d0f543fe30c4dc8adbc92ad0c21bcbc))
* **os:** add mapping OS aliases ([#8466](https://github.com/aquasecurity/trivy/issues/8466)) ([6b4cebe](https://github.com/aquasecurity/trivy/commit/6b4cebe9592f3a06bd91aa58ba6d65869afebbee))
* **python:** add `poetry` v2 support ([#8323](https://github.com/aquasecurity/trivy/issues/8323)) ([10cd98c](https://github.com/aquasecurity/trivy/commit/10cd98cf55263749cb2583063a2e9e9953c7371a))
* **report:** remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports ([#8344](https://github.com/aquasecurity/trivy/issues/8344)) ([3eb0b03](https://github.com/aquasecurity/trivy/commit/3eb0b03f7c9ee462daccfacb291b2c463d848ff5))
* **sbom:** add SBOM file's filePath as Application FilePath if we can't detect its path ([#8346](https://github.com/aquasecurity/trivy/issues/8346)) ([ecc01bb](https://github.com/aquasecurity/trivy/commit/ecc01bb3fb876fd0cc503cb38efa23e4fb9484b4))
* **sbom:** improve logic for binding direct dependency to parent component ([#8489](https://github.com/aquasecurity/trivy/issues/8489)) ([85cca8c](https://github.com/aquasecurity/trivy/commit/85cca8c07affee4ded5c232efb45b05dacf22242))
* **sbom:** preserve OS packages from multiple SBOMs ([#8325](https://github.com/aquasecurity/trivy/issues/8325)) ([bd5baaf](https://github.com/aquasecurity/trivy/commit/bd5baaf93054d71223e0721c7547a0567dea3b02))
* **server:** secrets inspectation for the config analyzer in client server mode ([#8418](https://github.com/aquasecurity/trivy/issues/8418)) ([a1c4bd7](https://github.com/aquasecurity/trivy/commit/a1c4bd746f5f901e2a8f09f48f58b973b9103165))
* **spdx:** init `pkgFilePaths` map for all formats ([#8380](https://github.com/aquasecurity/trivy/issues/8380)) ([72ea4b0](https://github.com/aquasecurity/trivy/commit/72ea4b0632308bd6150aaf2f1549a3f10b60dc23))
* **terraform:** apply parser options to submodule parsing ([#8377](https://github.com/aquasecurity/trivy/issues/8377)) ([398620b](https://github.com/aquasecurity/trivy/commit/398620b471c25e467018bc23df53a3a1c2aa661c))
* update all documentation links ([#8045](https://github.com/aquasecurity/trivy/issues/8045)) ([49456ba](https://github.com/aquasecurity/trivy/commit/49456ba8410e0e4cc1756906ccea1fdd60006d2d))
* **misconf:** do not log scanners when misconfig scanning is disabled [backport: release/v0.59] ([#8349](https://github.com/aquasecurity/trivy/issues/8349)) ([412c690](https://github.com/aquasecurity/trivy/commit/412c690924d4414ef6d8a5f37b293969bc245d32))
* **python:** add `poetry` v2 support [backport: release/v0.59] ([#8335](https://github.com/aquasecurity/trivy/issues/8335)) ([1741fdd](https://github.com/aquasecurity/trivy/commit/1741fddbe07d166dffbfb9b6f768940e52d08487))
* **sbom:** preserve OS packages from multiple SBOMs [backport: release/v0.59] ([#8333](https://github.com/aquasecurity/trivy/issues/8333)) ([3fd8e27](https://github.com/aquasecurity/trivy/commit/3fd8e2785b2b838327a80cdc8b489583c3664944))
## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)

2
CONTRIBUTING.md
View File

@@ -1 +1 @@
See [Issues](https://trivy.dev/latest/community/contribute/issue/) and [Pull Requests](https://trivy.dev/latest/community/contribute/pr/)
See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.21.3
FROM alpine:3.21.0
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/

2
Dockerfile.canary
View File

@@ -1,4 +1,4 @@
FROM alpine:3.21.3
FROM alpine:3.21.0
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser

2
Dockerfile.protoc
View File

@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 golang:1.24
FROM --platform=linux/amd64 golang:1.23
# Set environment variable for protoc
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

12
README.md
View File

@@ -107,7 +107,7 @@ trivy k8s --report summary cluster
## Want more? Check out Aqua
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/latest/commercial/compare/).
You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/commercial/comparison).
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
@@ -116,6 +116,7 @@ If you'd like to contact Aqua or request a demo, please use this form: <https://
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
Join our [Slack community][slack] to stay up to date with community efforts.
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
@@ -130,13 +131,14 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
[homepage]: https://trivy.dev
[docs]: https://trivy.dev/latest/docs/
[docs]: https://aquasecurity.github.io/trivy
[pronunciation]: #how-to-pronounce-the-name-trivy
[slack]: https://slack.aquasec.com
[code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
[Installation]:https://trivy.dev/latest/getting-started/installation/
[Ecosystem]: https://trivy.dev/latest/ecosystem/
[Scanning Coverage]: https://trivy.dev/latest/docs/coverage/
[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[rego]: https://www.openpolicyagent.org/docs/latest/#rego

10
aqua.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
registries:
- type: standard
ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.33.0
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0

5
cmd/trivy/main.go
View File

@@ -42,5 +42,8 @@ func run() error {
}
app := commands.NewApp()
return app.Execute()
if err := app.Execute(); err != nil {
return err
}
return nil
}

19
contrib/junit.tpl
View File

@@ -15,7 +15,6 @@
{{- end }}
</testsuite>
{{- $target := .Target }}
{{- if .MisconfSummary }}
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" time="">
{{- else }}
@@ -29,23 +28,7 @@
{{ range .Misconfigurations }}
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
{{- if (eq .Status "FAIL") }}
<failure message="{{ escapeXML .Title }}" type="description">&#xA;
{{- $target }}:
{{- with .CauseMetadata }}
{{- .StartLine }}
{{- if lt .StartLine .EndLine }}:{{ .EndLine }}{{ end }}:&#xA;&#xA;Occurrences:&#xA;
{{- range $i := .Occurrences -}}
via {{ .Filename }}:
{{- .Location.StartLine }}
{{- if lt .Location.StartLine .Location.EndLine }}:{{ .Location.EndLine }}{{ end }} ({{ .Resource }})&#xA;
{{- end -}}
&#xA;Code:&#xA;
{{- range .Code.Lines }}
{{- if .IsCause }}{{ escapeXML .Content }}&#xA;{{- end }}
{{- end }}&#xA;
{{- end }}
{{- escapeXML .Description }}
</failure>
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
{{- end }}
</testcase>
{{- end }}

2
docs/commercial/compare.md
View File

@@ -66,7 +66,7 @@ If you'd like to learn more or request a demo, [click here to contact us](./cont
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |

2
docs/community/contribute/checks/overview.md
View File

@@ -80,7 +80,7 @@ The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `bu
## Generating an ID
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule.

2
docs/community/contribute/checks/service-support.md
View File

@@ -57,7 +57,7 @@ type AWS struct {
### Update Adapters
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)

2
docs/community/contribute/discussion.md
View File

@@ -24,7 +24,7 @@ There are 4 categories:
If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
## False detection
Trivy depends on [multiple data sources](https://trivy.dev/latest/docs/scanner/vulnerability/#data-sources).
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:

17
docs/community/maintainer/release-flow.md
View File

@@ -12,11 +12,6 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).
!!! tip
It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review.
They can be found in the "Security" tab of the repository.
If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
## Flow
The release flow consists of the following main steps:
@@ -79,18 +74,8 @@ Replace URLs with appropriate ones.
Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
### Merging the auto-generated Helm chart update PR
Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen [here](https://github.com/aquasecurity/trivy/pull/8638).
> [!NOTE]
> It is possible that the release action takes a while to finish and the Helm chart action runs prior. In such a case the Helm chart action will fail as it will not be able to find the latest Trivy container image.
> In such a case, it is advised to manually restart the Helm chart action, once the release action is finished.
If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
The release is now complete 🍻
The release is now complete.
[conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
[release-please]: https://github.com/googleapis/release-please

7
docs/docs/advanced/air-gap.md
View File

@@ -10,7 +10,7 @@ External Resource | Feature | Details
Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo.md)
VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)
!!! note
@@ -75,8 +75,3 @@ Trivy might attempt to connect (over HTTPS) to the following URLs:
### Offline mode
There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
## Check updates service
Trivy [checks for updates](../configuration/others.md#check-for-updates) and [collects usage telemetry](../advanced/telemetry.md) by connecting to the following domain: `https://check.trivy.dev`.
Connectivity with this domain is entirely optional and is not necessary for the normal operation of Trivy.

24
docs/docs/advanced/modules.md
View File

@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language supporting WebAssembly.
- It supports only Go at the moment.
- It supports only [TinyGo][tinygo] at the moment.
You can write your own detection logic.
@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
```
## Building Modules
It supports Go only at the moment.
It supports TinyGo only at the moment.
### Go
### TinyGo
Trivy provides Go SDK including three interfaces.
Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
@@ -113,7 +113,7 @@ type Analyzer interface {
type PostScanner interface {
PostScanSpec() serialize.PostScanSpec
PostScan(types.Results) (types.Results, error)
PostScan(serialize.Results) (serialize.Results, error)
}
```
@@ -142,9 +142,6 @@ const (
name = "wordpress-module"
)
// main is required for Go to compile the Wasm module
func main() {}
type WordpressModule struct{
// Cannot define fields as modules can't keep state.
}
@@ -206,7 +203,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
}
return &serialize.AnalysisResult{
CustomResources: []ftypes.CustomResource{
CustomResources: []serialize.CustomResource{
{
Type: typeWPVersion,
FilePath: filePath,
@@ -249,7 +246,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
}
}
func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
// e.g. results
// [
// {
@@ -291,7 +288,7 @@ func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
if vulnerable {
// Add CVE-2020-36326
results = append(results, types.Result{
results = append(results, serialize.Result{
Target: wpPath,
Class: types.ClassLangPkg,
Type: "wordpress",
@@ -321,10 +318,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
If `PostScan` returns an empty, Trivy will not delete anything.
#### Build
Follow [the install guide][go-installation] and install Go.
Follow [the install guide][tinygo-installation] and install TinyGo.
```bash
$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
```
Put the built binary to the module directory that is under the home directory by default.
@@ -350,11 +347,12 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
[regexp]: https://github.com/google/re2/wiki/Syntax
[tinygo]: https://tinygo.org/
[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
[wazero]: https://github.com/tetratelabs/wazero
[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
[go-installation]: https://go.dev/doc/install
[tinygo-installation]: https://tinygo.org/getting-started/install/
[oras]: https://oras.land/cli/

8
docs/docs/advanced/self-hosting.md
View File

@@ -14,7 +14,7 @@ To host these databases in your own infrastructure:
### Make a local copy
Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md), [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
!!! note
You will need to keep the databases updated in order to maintain relevant scanning results over time.
@@ -123,10 +123,10 @@ To make a copy of VEX Hub in a location that is accessible to Trivy.
To configure Trivy to use the local VEX Repository:
1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo.md#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
1. Disable the default VEX Hub repo (`enabled: false`)
1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo.md#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
### Authentication
If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo.md#authentication).
If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).

33
docs/docs/advanced/telemetry.md
View File

@@ -1,33 +0,0 @@
# Usage Telemetry
Trivy collect anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.
## Data collected
The following information could be collected:
- Environmental information
- Installation identifier
- Trivy version
- Operating system
- Scan
- Non-revealing scan options
## Privacy
No personal information, scan results, or sensitive data is specifically collected. We take the following measures to ensure that:
- Installation identifier: one-way hash of machine fingerprint, resulting in opaque string.
- Scaner: any option that is user controlled is omitted (never collected). For example, file paths, image names, etc are never collected.
Trivy is an Aqua Security product and adheres to the company's privacy policy: <https://aquasec.com/privacy>.
## Disabling telemetry
You can disable telemetry altogether using the `--disable-telemetry` flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see [here](../configuration/index.md).
For example:
```bash
trivy image --disable-metrics alpine
```

7
docs/docs/compliance/compliance.md
View File

@@ -35,6 +35,7 @@ For the list of built-in compliance reports, please see the relevant section:
- [Docker compliance](../target/container_image.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)
## Contribute a Built-in Compliance Report
@@ -165,7 +166,7 @@ Example of how to define command data under [commands folder](https://github.com
title: kubelet.conf file permissions
nodeType: worker
audit: stat -c %a $kubelet.kubeconfig
platforms:
platfroms:
- k8s
- aks
```
@@ -180,7 +181,7 @@ make command-id
#### Command Key
- Re-use an existing key or specify a new one (make sure key name has no spaces)
- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
Note: The key value should match the key name evaluated by the Rego check.
@@ -197,7 +198,7 @@ Specify the node type on which the command is supposed to run.
### Command Audit
Specify here the shell command to be used please make sure to add error suppression (2>/dev/null)
Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
### Command Platforms

2
docs/docs/compliance/contrib-compliance.md
View File

@@ -56,7 +56,7 @@ Thus, we can use the information already present:
```
- The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
- The `check` and `severity` are taken from the existing compliance check in the `k8s-cis-1.23.yaml`
- The `check` and `severity` are taken from the existing complaince check in the `k8s-cis-1.23.yaml`
#### 2. Referencing a check manually that is not part of the Trivy default checks

6
docs/docs/configuration/cache.md
View File

@@ -96,11 +96,11 @@ $ trivy server --cache-backend redis://localhost:6379 \
--redis-key /path/to/key.pem
```
[trivy-db]: ./db.md
[trivy-java-db]: ./db.md
[trivy-db]: ./db.md#vulnerability-database
[trivy-java-db]: ./db.md#java-index-database
[misconf-checks]: ../scanner/misconfiguration/check/builtin.md
[boltdb]: https://github.com/etcd-io/bbolt
[parallel-run]: https://trivy.dev/{{ git.tag}}/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[^1]: Downloaded when scanning for vulnerabilities
[^2]: Downloaded when scanning `jar/war/par/ear` files

2
docs/docs/configuration/filtering.md
View File

@@ -394,7 +394,7 @@ $ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled
2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled
2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-31T11:10:27.155+0600 INFO Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:27.155+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine
2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...
2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1

11
docs/docs/configuration/others.md
View File

@@ -160,14 +160,3 @@ When we want to get the image `alpine` with the settings above. The logic will b
1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
3. Get the image from `index.docker.io` (the original registry).
## Check for updates
Trivy periodically checks for updates and notices, and displays a message to the user with recommendations.
Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message.
You can disable updates checking by specifying the `--skip-version-check` flag.
## Telemetry
Trivy collected usage data for product improvement. More details in the [Telemetry document](../advanced/telemetry.md).
You can disable telemetry collection using the `--disable-telemetry` flag.

163
docs/docs/configuration/reporting.md
View File

@@ -19,152 +19,9 @@ Trivy supports the following formats:
| Secret | ✓ |
| License | ✓ |
```bash
$ trivy image -f table golang:1.22.11-alpine3.20
```
<details>
<summary>Result</summary>
$ trivy image -f table golang:1.12-alpine
```
...
Report Summary
┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ golang:1.22.11-alpine3.20 (alpine 3.20.5) │ alpine │ 6 │ - │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/go/bin/go │ gobinary │ 1 │ - │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
...
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/go/pkg/tool/linux_amd64/vet │ gobinary │ 1 │ - │
└─────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
golang:1.22.11-alpine3.20 (alpine 3.20.5)
Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-12797 │ HIGH │ fixed │ 3.3.2-r1 │ 3.3.3-r0 │ openssl: RFC7250 handshakes with unauthenticated servers │
│ │ │ │ │ │ │ don't abort as expected │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-12797 │
│ ├────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-13176 │ MEDIUM │ │ │ 3.3.2-r2 │ openssl: Timing side-channel in ECDSA signature computation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-13176 │
├────────────┼────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2024-12797 │ HIGH │ │ │ 3.3.3-r0 │ openssl: RFC7250 handshakes with unauthenticated servers │
│ │ │ │ │ │ │ don't abort as expected │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-12797 │
│ ├────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-13176 │ MEDIUM │ │ │ 3.3.2-r2 │ openssl: Timing side-channel in ECDSA signature computation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-13176 │
├────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ musl │ CVE-2025-26519 │ UNKNOWN │ │ 1.2.5-r0 │ 1.2.5-r1 │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an │
│ │ │ │ │ │ │ out-of-bounds write ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-26519 │
├────────────┤ │ │ │ │ │ │
│ musl-utils │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
usr/local/go/bin/go (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-22866 │ MEDIUM │ fixed │ v1.22.11 │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
...
```
</details>
#### Table mode
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports the following modes for `table` format:
| Mode | Enabled by default |
|:----------------------------:|:-----------------:|
| [summary](#summary-table) | ✓[^1] |
| [detailed](#detailed-tables) | ✓ |
You can use `--table-mode` flag to enable/disable table mode(s).
##### Summary table
Summary table contains general information about the scan performed.
Nuances of table contents:
- Table includes columns for enabled [scanners](../references/terminology.md#scanner) only. Use `--scanners` flag to enable/disable scanners.
- Table includes separate lines for the same targets but different scanners.
- `-` means that the scanner didn't scan this target.
- `0` means that the scanner scanned this target, but found no security issues.
<details>
<summary>Report Summary</summary>
```
┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
│ Target │ Type │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ test (alpine 3.20.3) │ alpine │ 2 │ - │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ Java │ jar │ 2 │ - │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ app/Dockerfile │ dockerfile │ - │ 2 │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ requirements.txt │ text │ 0 │ - │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ requirements.txt │ text │ - │ - │ 1 │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ OS Packages │ - │ - │ - │ - │ 1 │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ Java │ - │ - │ - │ - │ 0 │
└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
```
</details>
##### Detailed tables
Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
<details>
<summary>Detailed tables</summary>
```
usr/local/go/bin/go (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-22866 │ MEDIUM │ fixed │ v1.22.11 │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
```
</details>
#### Show origins of vulnerable dependencies
@@ -267,6 +124,22 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
$ trivy image -f json -o results.json alpine:latest
```
<details>
<summary>Result</summary>
```
2024-12-26T22:01:18+05:30 INFO [vuln] Vulnerability scanning is enabled
2024-12-26T22:01:18+05:30 INFO [secret] Secret scanning is enabled
2024-12-26T22:01:18+05:30 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-26T22:01:18+05:30 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-26T22:01:18+05:30 INFO Detected OS family="alpine" version="3.20.3"
2024-12-26T22:01:18+05:30 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2024-12-26T22:01:18+05:30 INFO Number of language-specific files num=0
2024-12-26T22:01:18+05:30 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
```
</details>
<details>
<summary>JSON</summary>
@@ -661,5 +534,3 @@ $ trivy convert --format table --severity CRITICAL result.json
[sbt-lockfile]: ../coverage/language/java.md#sbt
[pubspec-lock]: ../coverage/language/dart.md#dart
[cargo-binaries]: ../coverage/language/rust.md#binaries
[^1]: To show summary table in `convert` mode - you need to enable the scanners used during JSON report generation.

144
docs/docs/configuration/skipping.md
View File

@@ -1,22 +1,8 @@
# Selecting files for scanning
# Skipping Files and Directories
When scanning a target (image, code repository, etc), Trivy traverses all directories and files in that target and looks for known files to scan. For example, vulnerability scanner might look for `/lib/apk/db/installed` for Alpine APK scanning or `requirements.txt` file for Python pip scanning, and misconfiguration scanner might look for `Dockerfile` for Dockerfile scanning. This document explains how to control which files Trivy looks (including skipping files) for and how it should process them.
!!! note
Selecting/skipping files is different from filtering/ignoring results, which is covered in the [Filtering document](./filtering.md)
## Skip Files and Directories
You can skip specific files and directories using the `--skip-files` and `--skip-dirs` flags.
For example:
```bash
trivy image --skip-files "/Gemfile.lock" --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
This feature is relevant for the following scanners:
This section details ways to specify the files and directories that Trivy should not scan.
## Skip Files
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
@@ -24,58 +10,89 @@ This feature is relevant for the following scanners:
| Secret | ✓ |
| License | ✓ |
It's possible to specify glob patterns when referring to a file or directory. The glob expression follows the ["doublestar" library syntax](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.8.1#readme-patterns).
Examples:
By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip files that you don't maintain using the `--skip-files` flag, or the equivalent Trivy YAML config option.
Using the `--skip-files` flag:
```bash
# skip any file named `bar` in the subdirectories of testdata
trivy image --skip-files "./testdata/*/bar" .
$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
```bash
# skip any files with the extension `.tf` in subdirectories of foo at any depth
trivy config --skip-files "./foo/**/*.tf" .
```
```bash
# skip all subdirectories of the testdata directory.
trivy image --skip-dirs "./testdata/*" .
```
```bash
# skip subdirectories at any depth named `.terraform/`.
# this will match `./foo/.terraform` or `./foo/bar/.terraform`, but not `./.terraform`
trivy config --skip-dirs "**/.terraform" .
```
Like any other flag, this is available as Trivy YAML configuration.
For example:
Using the Trivy YAML configuration:
```yaml
image:
skip-files:
- foo
- "testdata/*/bar"
```
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-files "./testdata/*/bar" .
```
This will skip any file named `bar` in the subdirectories of testdata.
```bash
$ trivy config --skip-files "./foo/**/*.tf" .
```
This will skip any files with the extension `.tf` in subdirectories of foo at any depth.
## Skip Directories
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip directories that you don't maintain using the `--skip-dirs` flag, or the equivalent Trivy YAML config option.
Using the `--skip-dirs` flag:
```bash
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
Using the Trivy YAML configuration:
```yaml
image:
skip-dirs:
- foo/bar/
- "**/.terraform"
```
## Customizing file handling
You can customize which files Trivy scans and how it interprets them with the `--file-patterns` flag.
A file pattern configuration takes the following form: `<analyzer>:<path>`, such that files matching the `<path>` will be processed with the respective `<analyzer>`.
For example:
It's possible to specify globs as part of the value.
```bash
trivy fs --file-patterns "pip:.requirements-test.txt ."
$ trivy image --skip-dirs "./testdata/*" .
```
This feature is relevant for the following scanners:
This will skip all subdirectories of the testdata directory.
```bash
$ trivy config --skip-dirs "**/.terraform" .
```
This will skip subdirectories at any depth named `.terraform/`. (Note: this will match `./foo/.terraform` or
`./foo/bar/.terraform`, but not `./.terraform`.)
!!! tip
Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
### Advanced globbing
Trivy also supports bash style [extended](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) glob pattern matching.
```bash
$ trivy image --skip-files "**/foo" image:tag
```
This will skip the file `foo` that happens to be nested under any parent(s).
## File patterns
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
@@ -83,27 +100,20 @@ This feature is relevant for the following scanners:
| Secret | |
| License | ✓[^1] |
The list of analyzers can be found [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go).
Note that this flag is not applicable for parsers that accepts files of different extensions, for example the Terraform file parser which handles .tf and .tf.json files.
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
The file path can use a [regular expression](https://pkg.go.dev/regexp/syntax). For example:
This can be repeated for specifying multiple file patterns.
```bash
# interpret any file with .txt extension as a python pip requirements file
trivy fs --file-patterns "pip:requirements-.*\.txt .
A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
```
--file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt"
```
The flag can be repeated for specifying multiple file patterns. For example:
The prefixes are listed [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go)
```bash
# look for Dockerfile called production.docker and a python pip requirements file called requirements-test.txt
trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt ."
```
[^1]: Only work with the [license-full](../scanner/license.md) flag
## Avoid full filesystem traversal
In specific scenarios Trivy can avoid traversing the entire filesystem, which makes scanning faster and more efficient.
For more information see [here](../target/rootfs.md#performance-optimization)
[^1]: Only work with the [license-full](../scanner/license.md) flag)

7
docs/docs/coverage/language/golang.md
View File

@@ -82,9 +82,8 @@ It possibly produces false positives.
See [the caveat](#stdlib-vulnerabilities) for details.
### License
To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, `go mod vendor`, etc.
If the `vendor` directory exists, Trivy uses this directory when scanning for license files.
For other cases Trivy traverses `$GOPATH/pkg/mod`dir and collects those extra information.
To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, etc.
Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
### Dependency Graph
Same as licenses, you need to download modules to local cache beforehand.
@@ -101,7 +100,7 @@ $ trivy rootfs ./your_binary
It doesn't work with UPX-compressed binaries.
### Main Module
Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefore are detected by Trivy.
Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefor are detected by Trivy.
In other cases, Go uses the `(devel)` version[^2].
In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
If unsuccessful, the version will be empty[^3].

1
docs/docs/coverage/language/index.md
View File

@@ -31,7 +31,6 @@ On the other hand, when the target is a post-build artifact, like a container im
| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ |
| | yarn.lock | - | - | ✅ | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ |
| | bun.lock | - | - | ✅ | ✅ |
| | package.json | ✅ | ✅ | - | - |
| [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |

17
docs/docs/coverage/language/java.md
View File

@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
The following table provides an outline of the features Trivy offers.
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:----------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | [Exclude](#gradlelock) | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
@@ -96,9 +96,6 @@ If you need to show them, use the `--include-dev-deps` flag.
!!!note
All necessary files are checked locally. Gradle file scanning doesn't require internet access.
By default, Trivy doesn't report development dependencies.
Use the `--include-dev-deps` flag to include them in the results.
### Dependency-tree
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
@@ -108,7 +105,7 @@ But there is no reliable way to determine direct dependencies (even using other
Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
### Licenses
Trivy also can detect licenses for dependencies.
Trity also can detect licenses for dependencies.
Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.

33
docs/docs/coverage/language/nodejs.md
View File

@@ -18,7 +18,7 @@ The following table provides an outline of the features Trivy offers.
| npm | package-lock.json | ✓ | [Excluded](#npm) | ✓ | ✓ |
| Yarn | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ |
| pnpm | pnpm-lock.yaml | ✓ | [Excluded](#lock-file-v9-version) | ✓ | - |
| Bun | bun.lock | ✓ | [Excluded](#bun) | ✓ | ✓ |
| Bun | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ |
In addition, Trivy scans installed packages with `package.json`.
@@ -43,26 +43,14 @@ Trivy analyzes `node_modules` for licenses.
By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
### Yarn
Trivy parses `yarn.lock`.
Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
Trivy also uses `package.json` file to handle [aliases](https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias).
Trivy also analyzes additional files to gather more information about the detected dependencies.
To exclude devDependencies and allow aliases, `package.json` also needs to be present next to `yarn.lock`.
- package.json
- node_modules/**
Trivy analyzes `.yarn` (Yarn 2+) or `node_modules` (Yarn Classic) folder next to the yarn.lock file to detect licenses.
#### Package relationships
`yarn.lock` files don't contain information about package relationships, such as direct or indirect dependencies.
To enrich this information, Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.
By default, Trivy doesn't report development dependencies.
Use the `--include-dev-deps` flag to include them in the results.
#### Development dependencies
`yarn.lock` files don't contain information about package groups, such as production and development dependencies.
To identify dev dependencies and support [aliases][yarn-aliases], Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.
#### Licenses
Trivy analyzes the `.yarn` directory (for Yarn 2+) or the `node_modules` directory (for Yarn Classic) located next to the `yarn.lock` file to detect licenses.
By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
@@ -72,13 +60,7 @@ To identify licenses, you need to download dependencies to `node_modules` before
Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.
### Bun
Trivy also supports scanning `bun.lock` file generated by [Bun](https://bun.sh/blog/bun-lock-text-lockfile).
You can use Bun v1.2 which uses this file as default or use `bun install --save-text-lockfile` in Bun v1.1.39 to generate it.
For previous Bun versions you can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock` and then scan it with Trivy.
#### Development dependencies
`bun.lock` contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
!!! note
`bun.lockb` is not supported.
@@ -92,6 +74,5 @@ It only extracts package names, versions and licenses for those packages.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
[yarn-aliases]: https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias
[^1]: [yarn.lock](#bun) must be generated

6
docs/docs/coverage/language/python.md
View File

@@ -54,8 +54,7 @@ keyring >= 4.1.1 # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1 # Minimum version 1.1
python-gitlab==2.0.* # Minimum version 2.0.0
```
Also, there is a way to convert unsupported version specifiers - use either the `pip-compile` tool (which doesn't install the packages)
or call `pip freeze` from the virtual environment where the requirements are already installed.
Also, there is a way to convert unsupported version specifiers - use the `pip freeze` command.
```bash
$ cat requirements.txt
@@ -82,8 +81,7 @@ wheel==0.42.0
`requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies.
Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
To detect transitive dependencies as well, you need to generate `requirements.txt` that contains them.
Like described above, tou can do it with `pip freeze` or `pip-compile`.
To detect transitive dependencies as well, you need to generate `requirements.txt` with `pip freeze`.
```zsh
$ cat requirements.txt # it will only find `requests@2.28.2`.

2
docs/docs/coverage/language/ruby.md
View File

@@ -1,7 +1,7 @@
# Ruby
Trivy supports [Bundler][bundler] and [RubyGems][rubygems].
The following scanners are supported for Bundler and RubyGems.
The following scanners are supported for Cargo.
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|

15
docs/docs/coverage/os/bottlerocket.md
View File

@@ -1,15 +0,0 @@
# Bottlerocket
Trivy supports the following scanners for OS packages.
| Scanner | Supported |
| :-----------: | :-------: |
| SBOM | ✓ |
| Vulnerability | - |
| License | - |
Please see [here](index.md#supported-os) for supported versions.
## SBOM
Trivy detects packages that are listed in the [software inventory].
[software inventory]: https://bottlerocket.dev/en/os/1.37.x/concepts/variants/#software-inventory

30
docs/docs/coverage/os/echo.md
View File

@@ -1,30 +0,0 @@
# Echo
Trivy supports these scanners for OS packages.
| Scanner | Supported |
| :-----------: | :-------: |
| SBOM | ✓ |
| Vulnerability | ✓ |
| License | ✓ |
The table below outlines the features offered by Trivy.
| Feature | Supported |
|:------------------------------------:|:---------:|
| Unfixed vulnerabilities | ✓ |
| [Dependency graph][dependency-graph] | ✓ |
## SBOM
Same as [Debian](debian.md#sbom).
## Vulnerability
Echo offers its own security advisories, and these are utilized when scanning Echo for vulnerabilities.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
## License
Same as [Debian](debian.md#license).
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[advisory]: https://advisory.echohq.com/data.json

3
docs/docs/coverage/os/index.md
View File

@@ -14,7 +14,6 @@ Trivy supports operating systems for
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.21, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [MinimOS](minimos.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
@@ -27,10 +26,8 @@ Trivy supports operating systems for
| [SUSE Linux Enterprise](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise Micro](suse.md)| 5, 6 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Echo](echo.md) | (n/a) | apt/dpkg |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [Bottlerocket](bottlerocket.md) | 1.7.0 and upper | bottlerocket |
| [OSs with installed Conda](../others/conda.md) | - | conda |
## Supported container images

30
docs/docs/coverage/os/minimos.md
View File

@@ -1,30 +0,0 @@
# MinimOS
Trivy supports these scanners for OS packages.
| Scanner | Supported |
| :-----------: | :-------: |
| SBOM | ✓ |
| Vulnerability | ✓ |
| License | ✓ |
The table below outlines the features offered by Trivy.
| Feature | Supported |
|:------------------------------------:|:---------:|
| Detect unfixed vulnerabilities | - |
| [Dependency graph][dependency-graph] | ✓ |
## SBOM
Same as [Alpine Linux](alpine.md#sbom).
## Vulnerability
MinimOS offers its own security advisories, and these are utilized when scanning MinimOS for vulnerabilities.
Everything else is the same as [Alpine Linux](alpine.md#vulnerability).
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
## License
Same as [Alpine Linux](alpine.md#license).
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

9
docs/docs/coverage/os/rhel.md
View File

@@ -22,13 +22,6 @@ Trivy detects packages that have been installed through package managers such as
## Vulnerability
Red Hat offers its own security advisories, and these are utilized when scanning Red Hat Enterprise Linux (RHEL) for vulnerabilities.
### Content manifests
Red Hats security advisories use CPEs to identify product sets. For example, even packages installed in the same container image can have different CPEs.
For this reason, Red Hats container images include stored content manifests, which we convert to CPEs, and perform vulnerability scanning.
Since this system ties each content manifest to its packages on a per-layer basis,
if layers get merged (for instance, by using `docker run` or `docker export`) we can no longer determine the correct CPE, which may lead to false detection.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
@@ -89,5 +82,3 @@ Trivy identifies licenses by examining the metadata of RPM packages.
[NVD]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[vulnerability statuses]: ../../configuration/filtering.md#by-status
[content-set-default]: https://github.com/aquasecurity/trivy/blob/c80310d7690d8aeb7d3d77416c18c0c8b9aebe17/pkg/detector/ospkg/redhat/redhat.go#L25-L42

56
docs/docs/references/abbreviations.md
View File

@@ -1,56 +0,0 @@
# Abbreviation List
This list compiles words that frequently appear in CLI flags or configuration files and are commonly abbreviated in industry and OSS communities.
Trivy may use the abbreviation in place of the full spelling for flag names.
It is also acceptable to add even shorter aliases if needed.
Words not included in this list should be spelled out in full when used in flags.
This list is intentionally limited to the most common and widely recognized abbreviations.
Excessive use of abbreviations in CLI flags can hinder initial user understanding and create a steeper learning curve.
!!! note
This list serves as a guideline rather than a strict requirement.
Its purpose is to maintain consistency across the project when naming flags and configuration options.
While we strive to follow these abbreviations, there may be exceptions where context or clarity demands a different approach.
## Scope
This list focuses on abbreviations of single words commonly used in technical contexts. It does not include:
1. Acronyms formed from the initial letters of multiple words (e.g., OS for Operating System, HTTP for Hypertext Transfer Protocol)
2. Domain-specific terminology that already has standardized short forms
3. Brand names or product-specific abbreviations
The abbreviations listed here are primarily intended for CLI flags, configuration keys, and similar technical interfaces where brevity is valued while maintaining clarity.
## Example
For a flag containing multiple words, only abbreviate words that appear in this list.
For instance, in `--database-repository`, "database" is in the list so it should be abbreviated to "db", but "repository" is not in the list so it must be spelled out completely.
The correct flag name would be `--db-repository`.
It's acceptable to add a shorter alias like `--db-repo` if desired.
## List
| Full Name | Default Abbreviation | Examples |
|-------------------|----------------------|-----------------------------------------------------------|
| application | app | `--app-name`, `--app-mode` |
| authentication | auth | `--auth-method`, `--auth-token` |
| authorization | authz | `--authz-rule`, `--authz-policy` |
| command | cmd | `--cmd-option`, `--cmd-args` |
| configuration | config | `--config`, `--config-dir` |
| database | db | `--db-repository`, `--db-user`, `--db-pass` |
| development | dev | `--dev-dependencies`, `--dev-mode` |
| directory | dir | `--dir-path`, `--output-dir` |
| environment | env | `--env-file`, `--env-vars` |
| information | info | `--info-level`, `--show-info` |
| initialization | init | `--init-script`, `--init-config` |
| library | lib | `--lib-path`, `--lib-dir` |
| maximum | max | `--max-image-size`, `--max-depth` |
| minimum | min | `--min-value`, `--min-severity` |
| misconfiguration | misconfig | `--misconfig-scanners` |
| package | pkg | `--pkg-types` |
| production | prod | `--prod-env`, `--prod-deploy` |
| specification | spec | `--spec-file`, `--spec-version` |
| temporary | tmp | `--tmp-dir`, `--tmp-file` |
| utility | util | `--util-script`, `--util-name` |
| vulnerability | vuln | `--vuln-scan`, `--vuln-report` |

27
docs/docs/references/configuration/cli/trivy_config.md
View File

@@ -21,18 +21,7 @@ trivy config [flags] DIR
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -51,26 +40,16 @@ trivy config [flags] DIR
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a compliance report format for the output (allowed values: all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--report string specify a compliance report format for the output (all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files

26
docs/docs/references/configuration/cli/trivy_convert.md
View File

@@ -22,36 +22,16 @@ trivy convert [flags] RESULT_JSON
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-h, --help help for convert
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--report string specify a report format for the output (allowed values: all,summary) (default "all")
--scanners strings List of scanners included when generating the json report. Used only for rendering the summary table. (allowed values: vuln,misconfig,secret,license)
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--report string specify a report format for the output (all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
```

92
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -34,26 +34,14 @@ trivy filesystem [flags] PATH
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -62,21 +50,12 @@ trivy filesystem [flags] PATH
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for filesystem
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
@@ -91,45 +70,27 @@ trivy filesystem [flags] PATH
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a compliance report format for the output (allowed values: all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--report string specify a compliance report format for the output (all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files
@@ -138,39 +99,6 @@ trivy filesystem [flags] PATH
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```
### Options inherited from parent commands

96
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -38,7 +38,7 @@ trivy image [flags] IMAGE_NAME
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (built-in compliance's: docker-cis-1.6.0)
--compliance string compliance report to generate (docker-cis-1.6.0)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -48,8 +48,7 @@ trivy image [flags] IMAGE_NAME
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--docker-host string unix domain socket path to use for docker scanning
--download-db-only download/update vulnerability database but don't run a scan
@@ -58,18 +57,7 @@ trivy image [flags] IMAGE_NAME
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -78,21 +66,12 @@ trivy image [flags] IMAGE_NAME
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for image
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (allowed values: misconfig,secret)
--image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--input string input file path instead of image name
@@ -110,18 +89,10 @@ trivy image [flags] IMAGE_NAME
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -129,29 +100,19 @@ trivy image [flags] IMAGE_NAME
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a format for the compliance report. (allowed values: all,summary) (default "summary")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--report string specify a format for the compliance report. (all,summary) (default "summary")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode
@@ -159,39 +120,6 @@ trivy image [flags] IMAGE_NAME
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```
### Options inherited from parent commands

89
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -34,14 +34,7 @@ trivy kubernetes [flags] [CONTEXT]
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate
Built-in compliance's:
- k8s-nsa-1.0
- k8s-cis-1.23
- eks-cis-1.4
- rke2-cis-1.24
- k8s-pss-baseline-0.1
- k8s-pss-restricted-0.1
--compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -50,9 +43,8 @@ trivy kubernetes [flags] [CONTEXT]
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
(precise,comprehensive) (default "precise")
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -62,7 +54,7 @@ trivy kubernetes [flags] [CONTEXT]
--exclude-owned exclude resources that have an owner reference
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (allowed values: table,json,cyclonedx) (default "table")
-f, --format string format (table,json,cyclonedx) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -71,19 +63,10 @@ trivy kubernetes [flags] [CONTEXT]
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for kubernetes
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
@@ -102,36 +85,20 @@ trivy kubernetes [flags] [CONTEXT]
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a report format for the output (allowed values: all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--report string specify a report format for the output (all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
@@ -139,7 +106,6 @@ trivy kubernetes [flags] [CONTEXT]
--skip-files strings specify the files or glob patterns to skip
--skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
@@ -147,39 +113,6 @@ trivy kubernetes [flags] [CONTEXT]
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```
### Options inherited from parent commands

90
docs/docs/references/configuration/cli/trivy_repository.md
View File

@@ -34,25 +34,13 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -61,21 +49,12 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for repository
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
@@ -90,44 +69,26 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
--tag string pass the tag name to be scanned
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
@@ -137,39 +98,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```
### Options inherited from parent commands

88
docs/docs/references/configuration/cli/trivy_rootfs.md
View File

@@ -36,8 +36,7 @@ trivy rootfs [flags] ROOTDIR
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -45,18 +44,7 @@ trivy rootfs [flags] ROOTDIR
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -65,16 +53,7 @@ trivy rootfs [flags] ROOTDIR
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for rootfs
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
@@ -93,44 +72,26 @@ trivy rootfs [flags] ROOTDIR
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files
@@ -139,39 +100,6 @@ trivy rootfs [flags] ROOTDIR
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```
### Options inherited from parent commands

174
docs/docs/references/configuration/cli/trivy_sbom.md
View File

@@ -20,127 +20,59 @@ trivy sbom [flags] SBOM_PATH
### Options
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-h, --help help for sbom
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,license) (default [vuln])
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-h, --help help for sbom
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,license) (default [vuln])
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```
### Options inherited from parent commands

88
docs/docs/references/configuration/cli/trivy_vm.md
View File

@@ -32,8 +32,7 @@ trivy vm [flags] VM_IMAGE
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -41,18 +40,7 @@ trivy vm [flags] VM_IMAGE
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -61,16 +49,7 @@ trivy vm [flags] VM_IMAGE
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for vm
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig'
@@ -83,80 +62,29 @@ trivy vm [flags] VM_IMAGE
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```
### Options inherited from parent commands

21
docs/docs/references/configuration/config-file.md
View File

@@ -409,12 +409,6 @@ misconfiguration:
# Same as '--include-non-failures'
include-non-failures: false
# Same as '--raw-config-scanners'
raw-config-scanners: []
# Same as '--render-cause'
render-cause: []
# Same as '--misconfig-scanners'
scanners:
- azure-arm
@@ -556,11 +550,6 @@ severity:
- HIGH
- CRITICAL
# Same as '--table-mode'
table-mode:
- summary
- detailed
# Same as '--template'
template: ""
@@ -586,9 +575,6 @@ scan:
# Same as '--detection-priority'
detection-priority: "precise"
# Same as '--disable-telemetry'
disable-telemetry: false
# Same as '--distro'
distro: ""
@@ -618,9 +604,6 @@ scan:
# Same as '--skip-files'
skip-files: []
# Same as '--skip-version-check'
skip-version-check: false
```
## Secret options
@@ -640,10 +623,6 @@ vulnerability:
# Same as '--ignore-unfixed'
ignore-unfixed: false
# Same as '--vuln-severity-source'
severity-source:
- auto
# Same as '--skip-vex-repo-update'
skip-vex-repo-update: false

2
docs/docs/references/troubleshooting.md
View File

@@ -277,5 +277,5 @@ $ trivy clean --all
```
[air-gapped]: ../advanced/air-gap.md
[network]: ../advanced/air-gap.md#connectivity-requirements
[network]: ../advanced/air-gap.md#network-requirements
[redis-cache]: ../configuration/cache.md#redis

24
docs/docs/scanner/license.md
View File

@@ -23,7 +23,7 @@ To enable extended license scanning, you can use `--license-full`.
In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier.
To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifier.
To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifer.
!!! note
The full license scanning is expensive. It takes a while.
@@ -342,28 +342,6 @@ license:
permissive: []
```
#### Text licenses
By default, Trivy categorizes a license as UNKNOWN if it cannot determine the license name from the license text.
To define a category for a text license, you need to add license with the `text://` prefix to license classification.
For example:
```yaml
license:
forbidden:
- "text://Text of Apache Software Foundation License"
```
But a text license can by large. So for these cases Trivy supports using `regex` in license classification.
For example:
```yaml
license:
forbidden:
- "text://.* Apache Software .*"
```
!!! note
`regex` is only used for text licenses and can't be used to configure license IDs.
[^1]: See the list of supported language files [here](../coverage/language/index.md).
[^2]: Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check [coverage][coverage] for more information.

259
docs/docs/scanner/misconfiguration/config/config.md
View File

@@ -1,259 +0,0 @@
This page describes misconfiguration-specific configuration.
### Enabling a subset of misconfiguration scanners
It's possible to only enable certain misconfiguration scanners if you prefer.
You can do so by passing the `--misconfig-scanners` option.
This flag takes a comma-separated list of configuration scanner types.
```bash
trivy config --misconfig-scanners=terraform,dockerfile .
```
Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
### Loading custom checks
You can load check files or directories including your custom checks using the `--config-check` flag.
This can be repeated for specifying multiple files or directories.
```bash
trivy config --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user myapp
```
You can load checks bundle as OCI Image from a Container Registry using the `--checks-bundle-repository` flag.
```bash
trivy config --checks-bundle-repository myregistry.local/mychecks --namespaces user myapp
```
### Passing custom data
You can pass directories including your custom data through `--data` option.
This can be repeated for specifying multiple directories.
```bash
cd examples/misconf/custom-data
trivy config --config-check ./my-check --data ./data --namespaces user ./configs
```
For more details, see [Custom Data](./custom/data.md).
### Passing namespaces
By default, Trivy evaluates checks defined in `builtin.*`.
If you want to evaluate custom checks in other packages, you have to specify package prefixes through `--namespaces` option.
This can be repeated for specifying multiple packages.
``` bash
trivy config --config-check ./my-check --namespaces main --namespaces user ./configs
```
### Private Terraform registries
Trivy can download Terraform code from private registries.
To pass credentials you must use the `TF_TOKEN_` environment variables.
You cannot use a `.terraformrc` or `terraform.rc` file, these are not supported by trivy yet.
From the Terraform [docs](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials):
> Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores.
> For example, the value of a variable named `TF_TOKEN_app_terraform_io` will be used as a bearer authorization token when the CLI makes service requests to the hostname `app.terraform.io`.
>
> You must convert domain names containing non-ASCII characters to their punycode equivalent with an ACE prefix.
> For example, token credentials for `例えば.com` must be set in a variable called `TF_TOKEN_xn--r8j3dr99h_com`.
>
> Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores.
> For example, you can set a token for the domain name café.fr as TF_TOKEN_xn--caf-dma_fr or TF_TOKEN_xn____caf__dma_fr.
If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
### Filtering resources by inline comments
Trivy supports ignoring misconfigured resources by inline comments for Terraform, CloudFormation and Helm configuration files only.
In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from the metadata is not case-sensitive, so you can specify, for example, `AVD-AWS-0089` or `avd-aws-0089`.
For example, to ignore a misconfiguration ID `AVD-GCP-0051` in a Terraform HCL file:
```terraform
#trivy:ignore:AVD-GCP-0051
resource "google_container_cluster" "example" {
name = var.cluster_name
location = var.region
}
```
You can add multiple ignores on the same comment line:
```terraform
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
resource "google_container_cluster" "example" {
name = var.cluster_name
location = var.region
}
```
You can also specify a long ID, which is formed as follows: `<provider>-<service>-<short-code>`.
As an example, consider the following check metadata:
```yaml
# custom:
# id: AVD-AWS-0089
# avd_id: AVD-AWS-0089
# provider: aws
# service: s3
# severity: LOW
# short_code: enable-logging
```
Long ID would look like the following: `aws-s3-enable-logging`.
Example for CloudFromation:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
#trivy:ignore:*
S3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: test-bucket
```
!!!note
Ignore rules for Helm files should be placed before the YAML object, since only it contains the location data needed for ignoring.
Example for Helm:
```yaml
serviceAccountName: "testchart.serviceAccountName"
containers:
# trivy:ignore:KSV018
- name: "testchart"
securityContext:
runAsUser: 1000
runAsGroup: 3000
image: "your-repository/your-image:your-tag"
imagePullPolicy: "Always"
#### Expiration Date
You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
```tf
#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10
resource "aws_s3_bucket" "example" {
bucket = "test"
}
```
The `aws-s3-enable-logging` check will be ignored until `2024-03-10` until the ignore rule expires.
#### Ignoring by attributes
You can ignore a resource by its attribute value. This is useful when using the `for-each` meta-argument. For example:
```tf
locals {
ports = ["3306", "5432"]
}
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
resource "aws_security_group_rule" "example" {
for_each = toset(local.ports)
type = "ingress"
from_port = each.key
to_port = each.key
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.example.id
source_security_group_id = aws_security_group.example.id
}
```
The `aws-ec2-no-public-ingress-sgr` check will be ignored only for the `aws_security_group_rule` resource with port number `5432`. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
```tf
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
```
You can also ignore a resource on multiple attributes in the same rule:
```tf
locals {
rules = {
first = {
port = 1000
type = "ingress"
},
second = {
port = 1000
type = "egress"
}
}
}
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]
resource "aws_security_group_rule" "example" {
for_each = { for k, v in local.rules : k => v }
type = each.value.type
from_port = each.value.port
to_port = each.value.port
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.example.id
source_security_group_id = aws_security_group.example.id
}
```
Checks can also be ignored by nested attributes:
```tf
#trivy:ignore:*[logging_config.prefix=myprefix]
resource "aws_cloudfront_distribution" "example" {
logging_config {
include_cookies = false
bucket = "mylogs.s3.amazonaws.com"
prefix = "myprefix"
}
}
```
#### Ignoring module issues
Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
```tf
#trivy:ignore:aws-s3-enable-logging
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
bucket = "my-s3-bucket"
}
```
An example of ignoring checks for a specific bucket in a module:
```tf
locals {
bucket = ["test1", "test2"]
}
#trivy:ignore:*[bucket=test1]
module "s3_bucket" {
for_each = toset(local.bucket)
source = "terraform-aws-modules/s3-bucket/aws"
bucket = each.value
}
```
#### Support for Wildcards
You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
```tf
# trivy:ignore:aws-s3-*:ws:dev-*
```
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.

26
docs/docs/scanner/misconfiguration/custom/index.md
View File

@@ -121,18 +121,17 @@ Trivy supports extra fields in the `custom` section as described below.
If you are creating checks for your Trivy misconfiguration scans, some fields are optional as referenced in the table below. The `schemas` field should be used to enable policy validation using a built-in schema. It is recommended to use this to ensure your checks are
correct and do not reference incorrect properties/values.
| Field name | Allowed values | Default value | In table | In JSON |
|------------------------------|---------------------------------------------------------------------|:----------------------------:|:--------:|:-------:|
| title | Any characters | N/A | ✅ | ✅ |
| description | Any characters | | - | ✅ |
| schemas.input | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | - | - |
| custom.id | Any characters | N/A | ✅ | ✅ |
| custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | ✅ | ✅ |
| custom.recommended_actions | Any characters | | - | ✅ |
| custom.deprecated | `true`, `false` | `false` | - | ✅ |
| custom.input.selector.type | Any item(s) in [this list][source-types] | | - | ✅ |
| custom.minimum_trivy_version | The minimum version of Trivy that's required to evaluate this check | | - | ✅ |
| url | Any characters | | - | ✅ |
| Field name | Allowed values | Default value | In table | In JSON |
|----------------------------|-------------------------------------------------------------------|:----------------------------:|:--------:|:-------:|
| title | Any characters | N/A | ✅ | ✅ |
| description | Any characters | | - | ✅ |
| schemas.input | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | - | - |
| custom.id | Any characters | N/A | ✅ | ✅ |
| custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | ✅ | ✅ |
| custom.recommended_actions | Any characters | | - | ✅ |
| custom.deprecated | `true`, `false` | `false` | - | ✅ |
| custom.input.selector.type | Any item(s) in [this list][source-types] | | - | ✅ |
| url | Any characters | | - | ✅ |
#### custom.avd_id and custom.id
@@ -150,7 +149,7 @@ Services are defined within a provider. For instance, RDS is a service and AWS i
#### custom.input
The `input` tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the `selector` input, and should always use the `type` selector with `cloud`. Check targeting Kubernetes yaml can use `kubernetes`, RBAC can use `rbac`, and so on.
The `input` tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the `selector` input, and should always use the `type` selector with `cloud`. Check targeting Kubernetes yaml can use `kubenetes`, RBAC can use `rbac`, and so on.
#### Subtypes in the custom data
@@ -208,7 +207,6 @@ You can specify input format via the `custom.input` annotation.
- `yaml` (Generic YAML)
- `json` (Generic JSON)
- `toml` (Generic TOML)
- `terraform-raw` (Terraform configuration is not converted to common state as for the Cloud format, allowing for more flexible and direct checks on the original code)
When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
When a configuration language is identified, it will overwrite `type`.

124
docs/docs/scanner/misconfiguration/custom/schema.md
View File

@@ -1,38 +1,11 @@
# Input Schema
## Overview
Schemas are declarative documents that define the structure, data types and constraints of inputs being scanned. Trivy provides certain schemas out of the box as seen in the explorer [here](https://aquasecurity.github.io/trivy-schemas/). You can also find the source code for the schemas [here](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas).
It is not required to pass in schemas, in order to scan inputs by Trivy but are required if type-checking is needed.
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding an input schema
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
enables Trivy to show more detailed error messages when an invalid input is encountered.
## Unified Schema
One of the unique advantages of Trivy is to take a variety of inputs, such as IaC files (e.g. CloudFormation, Terraform etc.) and also live cloud scanning
(e.g. [Trivy AWS plugin](https://github.com/aquasecurity/trivy-aws)) and normalize them into a standard structure, as defined by the schema.
An example of such an application would be scanning AWS resources. You can scan them prior to deployment via the Trivy misconfiguration scanner and also
scan them after they've been deployed in the cloud with Trivy AWS scanning. Both scan methods should yield the same result as resources are gathered into
a unified representation as defined by the [Cloud schema](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json).
## Supported Schemas
Currently out of the box the following schemas are supported natively:
1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
4. [Terraform Raw Format](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/terraform-raw.json)
You can interactively view these schemas with the [Trivy Schema Explorer](https://aquasecurity.github.io/trivy-schemas/)
## Example
As mentioned earlier, amongst other built-in schemas, Trivy offers a built in-schema for scanning Dockerfiles. It is available [here](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)
Without input schemas, a check would be as follows:
In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)
Without input schemas, a policy would be as follows:
!!! example
```
@@ -44,10 +17,10 @@ Without input schemas, a check would be as follows:
}
```
If this check is run against an offending Dockerfile(s), there will not be any issues as the check will fail to evaluate.
Although the check's failure to evaluate is legitimate, this should not result in a positive result for the scan.
If this policy is run against offending Dockerfile(s), there will not be any issues as the policy will fail to evaluate.
Although the policy's failure to evaluate is legitimate, this should not result in a positive result for the scan.
For instance if we have a check that checks for misconfigurations in a `Dockerfile`, we could define the
For instance if we have a policy that checks for misconfigurations in a `Dockerfile`, we could define the
schema as such
!!! example
@@ -65,20 +38,26 @@ schema as such
Here `input: schema["dockerfile"]` points to a schema that expects a valid `Dockerfile` as input. An example of this
can be found [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json).
Now if this check is evaluated against, a more descriptive error will be available to help fix the problem.
Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.
```bash
1 error occurred: testcheck.rego:8: rego_type_error: undefined ref: input.evil
1 error occurred: testpolicy.rego:8: rego_type_error: undefined ref: input.evil
input.evil
^
have: "evil"
want (one of): ["Stages"]
```
Currently, out of the box the following schemas are supported natively:
1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
## Custom Checks with Custom Schemas
You can also bring a custom check that defines one or more custom schema.
You can also bring a custom policy that defines one or more custom schema.
!!! example
```
@@ -98,83 +77,16 @@ The checks can be placed in a structure as follows
!!! example
```
/Users/user/my-custom-checks
├── my_check.rego
├── my_policy.rego
└── schemas
└── fooschema.json
└── barschema.json
```
To use such a check with Trivy, use the `--config-check` flag that points to the check file or to the directory where the schemas and checks are contained.
To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and checks are contained.
```bash
$ trivy --config-check=/Users/user/my-custom-checks <path/to/iac>
$ trivy --config-policy=/Users/user/my-custom-checks <path/to/iac>
```
For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
### Scan arbitrary JSON and YAML configurations
By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the `json` or `yaml` to `--misconfig-scanners`. Trivy will pass each file as is to the checks input.
!!! example
```bash
$ cat iac/serverless.yaml
service: serverless-rest-api-with-pynamodb
frameworkVersion: ">=2.24.0"
plugins:
- serverless-python-requirements
...
$ cat serverless.rego
# METADATA
# title: Serverless Framework service name not starting with "aws-"
# description: Ensure that Serverless Framework service names start with "aws-"
# schemas:
# - input: schema["serverless-schema"]
# custom:
# id: SF001
# severity: LOW
package user.serverless001
deny[res] {
not startswith(input.service, "aws-")
res := result.new(
sprintf("Service name %q is not allowed", [input.service]),
input.service
)
}
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
serverless.yaml (yaml)
Tests: 4 (SUCCESSES: 3, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
═════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure that Serverless Framework service names start with "aws-"
```
!!! note
In the case above, the custom check specified has a metadata annotation for the input schema `input: schema["serverless-schema"]`. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
!!! example
```bash
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
```
If the `--config-file-schemas` flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
If the schema is specified in the check metadata and is in the directory specified in the `--config-check` argument, it will be automatically loaded as specified [here](./custom/schema.md#custom-checks-with-custom-schemas), and will only be used for type checking in Rego.
!!! note
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
!!! tip
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.

2
docs/docs/scanner/misconfiguration/index.md
View File

@@ -407,7 +407,7 @@ If the schema is specified in the check metadata and is in the directory specifi
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
!!! tip
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma separated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
### Passing custom data

36
docs/docs/scanner/vulnerability.md
View File

@@ -25,9 +25,7 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| MinimOS | [secdb][minimos] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Echo | [Echo][echo] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
@@ -122,6 +120,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| | [Open Source Vulnerabilities (PyPI)][python-osv] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ✅ | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
@@ -295,10 +294,9 @@ This feature allows you to focus on vulnerabilities in specific types of depende
In Trivy, there are four types of package relationships:
1. `root`: The root package being scanned
2. `workspace`: Workspaces of the root package (Currently only `pom.xml`, `yarn.lock` and `cargo.lock` files are supported)
3. `direct`: Direct dependencies of the root/workspace package
4. `indirect`: Transitive dependencies
5. `unknown`: Packages whose relationship cannot be determined
2. `direct`: Direct dependencies of the root package
3. `indirect`: Transitive dependencies
4. `unknown`: Packages whose relationship cannot be determined
The available relationships may vary depending on the ecosystem.
To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
@@ -347,30 +345,6 @@ However, in some cases, you may want to scan an image with a different OS versio
Also, you may want to specify the OS version when OS is not detected.
For these cases, Trivy supports a `--distro` flag using the `<family>/<version>` format (e.g. `alpine/3.20`) to set the desired OS version.
### Severity selection
By default, Trivy automatically detects severity (as described [here](#severity-selection)).
But there are cases when you may want to use your own source priority. Trivy supports the `--vuln-severity-source` flag for this.
Fill in a list of required sources, and Trivy will check the sources in that order until it finds an existing severity.
If no source has the severity - Trivy will use the `UNKNOWN` severity.
!!! note
To use the default logic in combination with your sources - use the `auto` value.
Example logic for the following vendor severity levels when scanning an Alpine image:
```json
"VendorSeverity": {
"ghsa": 3,
"nvd": 4,
}
```
- `--vuln-severity-source auto,nvd` - severity is `CRITICAL`, got from `auto`.
- `--vuln-severity-source alpine,auto` - severity is `CRITICAL`, got from `auto`.
- `--vuln-severity-source alpine,ghsa` - severity is `HIGH`, got from `ghsa`.
- `--vuln-severity-source alpine,alma` - severity is `UNKNOWN`.
[^1]: https://github.com/GoogleContainerTools/distroless
[nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
@@ -380,9 +354,7 @@ Example logic for the following vendor severity levels when scanning an Alpine i
[alpine]: https://secdb.alpinelinux.org/
[wolfi]: https://packages.wolfi.dev/os/security.json
[chainguard]: https://packages.cgr.dev/chainguard/security.json
[minimos]: https://packages.mini.dev/advisories/secdb/security.json
[amazon]: https://alas.aws.amazon.com/
[echo]: https://advisory.echohq.com/data.json
[debian-tracker]: https://security-tracker.debian.org/tracker/
[debian-oval]: https://www.debian.org/security/oval/
[ubuntu]: https://ubuntu.com/security/cve

2
docs/docs/supply-chain/attestation/rekor.md
View File

@@ -22,7 +22,7 @@ $ trivy image --sbom-sources rekor otms61/alpine:3.7.3
2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled
2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:13.258+0900 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine

1511
docs/docs/supply-chain/sbom.md
View File

File diff suppressed because it is too large Load Diff

4
docs/docs/supply-chain/vex/index.md
View File

@@ -8,12 +8,11 @@ By providing VEX during scanning, it is possible to filter vulnerabilities based
## VEX Usage Methods
Trivy currently supports four methods for utilizing VEX:
Trivy currently supports two methods for utilizing VEX:
1. [VEX Repository](./repo.md)
2. [Local VEX Files](./file.md)
3. [VEX Attestation](./oci.md)
4. [SBOM Reference](./sbom-ref.md)
### Enabling VEX
To enable VEX, use the `--vex` option.
@@ -22,7 +21,6 @@ You can specify the method to use:
- To enable the VEX Repository: `--vex repo`
- To use a local VEX file: `--vex /path/to/vex-document.json`
- To enable VEX attestation discovery in OCI registry: `--vex oci`
- To use remote VEX files referenced in SBOMs: `--vex sbom-ref`
```bash
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo

44
docs/docs/supply-chain/vex/sbom-ref.md
View File

@@ -1,44 +0,0 @@
# VEX SBOM Reference
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
## Using externally referenced VEX documents
Trivy can discover and download VEX documents referenced in the `externalReferences` of a scanned CycloneDX SBOM. This
requires the references to be of type `exploitability-statement`.
To be picked up by Trivy, following top level content needs to be part of a CycloneDx SBOM to dynamically resolve a
remotely hosted file VEX file at the location `https://vex.example.com`:
```
"externalReferences": [
{
"type": "exploitability-statement",
"url": "https://vex.example.com/vex"
}
]
```
This can also be used to dynamically retrieve VEX files stored on GitHub with an `externalReference` such as:
```
"externalReferences": [
{
"type": "exploitability-statement",
"url": "https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json"
}
]
```
This is not enabled by default at the moment, but can be used when scanning a CycloneDx SBOM and explicitly specifying
`--vex sbom-ref`.
```shell
$ trivy sbom trivy.cdx.json --vex sbom-ref
2025-01-19T13:29:31+01:00 INFO [vex] Retrieving external VEX document from host vex.example.com type="externalReference"
2025-01-19T13:29:31+01:00 INFO Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
```
All the referenced VEX files are retrieved via HTTP/HTTPS and used in the same way as if they were explicitly specified
via a [file reference](./file.md).

30
docs/docs/target/container_image.md
View File

@@ -144,7 +144,7 @@ See https://avd.aquasec.com/misconfig/ds005
LOW: Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@@ -154,15 +154,7 @@ See https://avd.aquasec.com/misconfig/ds026
!!! tip
You can see how each layer is created with `docker history`.
#### Disabled checks
The following checks are disabled for this scan type due to known issues. See the linked issues for more details.
| Check ID | Reason | Issue |
|----------|------------|--------|
| [AVD-DS-0007](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0007/) | This check detects multiple `ENTRYPOINT` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#8364](https://github.com/aquasecurity/trivy/issues/8364) |
| [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) | This check detects multiple `CMD` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#7368](https://github.com/aquasecurity/trivy/issues/7368) |
The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
### Secrets
Trivy detects secrets on the configuration of container images.
@@ -411,20 +403,9 @@ Trivy supports the generation of Software Bill of Materials (SBOM) for container
### Generation
Trivy can generate SBOM for container images.
See [here](../supply-chain/sbom.md) for details.
See [here](../supply-chain/sbom.md) for the detail.
### Discover SBOM inside container images
Trivy can search for Software Bill of Materials (SBOMs) within container image files and scan their components for vulnerabilities.
#### Third-party SBOM files
SBOM specifications define key requirements for component documentation[^2].
However, different tools and systems often have varying approaches to documenting component types and their relationships.
Due to these variations, Trivy cannot always accurately interpret SBOMs generated by other tools.
For example, it may have difficulty determining the correct file paths to component information files (such as lock files or binaries).
In such cases, Trivy uses the path to the scanned SBOM file itself to maintain traceability and ensure accurate dependency reporting.
### Discover SBOM referencing the container image
### Discovery
Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
@@ -510,7 +491,7 @@ $ trivy image --platform=linux/arm alpine:3.16.1
2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled
2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled
2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-10-25T21:00:50.972+0300 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine
2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...
2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0
@@ -570,4 +551,3 @@ Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)
```
[^1]: Trivy uses decimal (SI) prefixes (based on 1000) for size.
[^2]: SPDX uses `package` instead of `component`.

2
docs/docs/target/kubernetes.md
View File

@@ -180,7 +180,7 @@ trivy k8s --report summary --disable-node-collector
The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag will enable node-collector to be schedule on tainted Node
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
Example:

16
docs/docs/target/rootfs.md
View File

@@ -13,19 +13,3 @@ $ trivy rootfs /path/to/rootfs
Rootfs scanning works differently from the Filesystem scanning.
You should use `trivy fs` to scan your local projects in CI/CD.
See [here](../scanner/vulnerability.md) for the differences.
!!! note
Scanning vulnerabilities for `Red Hat` has a limitation, see the [Red Hat](../coverage/os/rhel.md#content-manifests) page for details.
## Performance Optimization
By default, Trivy traverses all files from the specified root directory to find target files for scanning.
However, when you only need to scan specific files with absolute paths, you can avoid this traversal, which makes scanning faster.
For example, when scanning only OS packages, no full traversal is performed:
```bash
$ trivy rootfs --pkg-types os --scanners vuln /
```
When scanning language-specific packages or secrets, traversal is necessary because the location of these files is unknown.
If you want to exclude specific directories from scanning for better performance, you can use the [--skip-dirs](../configuration/skipping.md) option.

3
docs/docs/target/vm.md
View File

@@ -150,9 +150,6 @@ See [here](../scanner/vulnerability.md) for the detail.
$ trivy vm [YOUR_VM_IMAGE]
```
!!! note
Scanning `Red Hat` has a limitation, see the [Red Hat](../coverage/os/rhel.md#content-manifests) page for details.
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.

2
docs/ecosystem/ide.md
View File

@@ -58,7 +58,7 @@ Web application that allows to load a Trivy report in json format and displays t
## Trivy pre-commit (Community)
A trivy pre-commit hook that runs a `trivy fs` in your git repo before committing, preventing you from committing secrets in the first place.
A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting, preventing you from commiting secrets in the first place.
👉 Get it at: <https://github.com/mxab/pre-commit-trivy>

2
docs/getting-started/installation.md
View File

@@ -167,7 +167,7 @@ See their respective documentation for more information of how to install them a
- [asdf](https://asdf-vm.com/guide/getting-started.html)
- [mise](https://mise.jdx.dev/getting-started.html)
The plugin used by both tools is developed [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
The plugin used by both tools is developped [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
=== "asdf"

8
docs/tutorials/misconfiguration/custom-checks.md
View File

@@ -1,6 +1,6 @@
# Custom Checks with Rego
Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/).
Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/).
This tutorial will walk you through writing a custom check in Rego that checks for an issue in a Dockerfile.
@@ -38,7 +38,7 @@ Next, we need to specify metadata about the check. This is information that help
Important: The `METADATA` has to be defined on top of the file.
More information on the different fields in the metadata can be found in the [Trivy documentation.](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/)
More information on the different fields in the metadata can be found in the [Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/)
## Package and imports
@@ -48,7 +48,7 @@ package custom.dockerfile.ID001
import future.keywords.in
```
Every Rego check has a package name. In our case, we will call it `custom.dockerfile.ID001` to avoid confusion between custom checks and built-in checks. The group name `dockerfile` has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan.
Every rego check has a package name. In our case, we will call it `custom.dockerfile.ID001` to avoid confusion between custom checks and built-in checks. The group name `dockerfile` has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan.
The first keyword of the package, in this case `custom`, will be reused in the `trivy` command as the `--namespace`.
## Allowed data
@@ -86,7 +86,7 @@ Let's look at the check line by line:
Note that Rego
* uses `AND` automatically to combine conditions in this check
* automatically iterates through the array of commands in the Dockerfile and allowed images
* automatically iterates through the array of commands in the Dockefile and allowed images
## Run the check in a Trivy misconfiguration scan

16
docs/tutorials/misconfiguration/terraform.md
View File

@@ -9,7 +9,7 @@ We have been consolidating all of our scanning-related efforts in one place, and
## Trivy Config Command
Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://trivy.dev/latest/docs/scanner/misconfiguration/)
Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/)
Command structure:
```
@@ -23,7 +23,7 @@ The `trivy config` command can scan Terraform configuration, CloudFormation, Doc
- If the configuration that has been defined does not follow best practices, the check will fail.
### Prerequisites
Install Trivy on your local machines. The documentation provides several [different installation options.](https://trivy.dev/latest/getting-started/installation/)
Install Trivy on your local machines. The documentation provides several [different installation options.](https://aquasecurity.github.io/trivy/latest/getting-started/installation/)
This tutorial will use this example [Terraform tutorial](https://github.com/Cloud-Native-Security/trivy-demo/tree/main/bad_iac/terraform) for terraform misconfiguration scanning with Trivy.
Git clone the tutorial and cd into the directory:
@@ -31,7 +31,7 @@ Git clone the tutorial and cd into the directory:
git clone git@github.com:Cloud-Native-Security/trivy-demo.git
cd bad_iac/terraform
```
In this case, the folder only contains Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically.
In this case, the folder only containes Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically.
## Different types of `trivy config` scans
@@ -83,14 +83,14 @@ trivy config --severity CRITICAL, MEDIUM terraform-infra
### Passing tf.tfvars files into `trivy config` scans
You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://trivy.dev/latest/docs/coverage/iac/terraform/#value-overrides)
You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#value-overrides)
```
trivy config --tf-vars terraform.tfvars ./
```
### Custom Checks
We have lots of examples in the [documentation](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans.
We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans.
## Secret and vulnerability scans
@@ -100,15 +100,15 @@ The `trivy config` command does not perform secrete and vulnerability checks out
trivy fs --scanners secret,misconfig ./
```
The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://trivy.dev/latest/docs/target/filesystem/)
The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/)
## Scanning Terraform Plan files
Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://trivy.dev/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.
Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.
Note that you need to be able to create a terraform init and plan without any errors.
## Using Trivy in your CI/CD pipeline
Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://trivy.dev/latest/tutorials/integrations/](https://trivy.dev/latest/tutorials/integrations/)
Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://aquasecurity.github.io/trivy/latest/tutorials/integrations/](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/)

2
examples/module/spring4shell/README.md
View File

@@ -5,7 +5,7 @@ This module provides a more in-depth investigation of Spring4Shell detection.
## Set up
```
$ GOOS=wasip1 GOARCH=wasm go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go
$ tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go
$ mkdir -p ~/.trivy/modules
$ cp spring4shell.wasm ~/.trivy/modules
```

18
examples/module/spring4shell/spring4shell.go
View File

@@ -1,5 +1,5 @@
//go:generate go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go
//go:build wasip1
//go:generate tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go
//go:build tinygo.wasm
package main
@@ -13,11 +13,9 @@ import (
"strconv"
"strings"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/module/api"
"github.com/aquasecurity/trivy/pkg/module/serialize"
"github.com/aquasecurity/trivy/pkg/module/wasm"
"github.com/aquasecurity/trivy/pkg/types"
)
const (
@@ -31,10 +29,8 @@ var (
tomcatVersionRegex = regexp.MustCompile(`Apache Tomcat Version ([\d.]+)`)
)
// main is required for Go to compile the Wasm module
func main() {}
func init() {
// main is required for TinyGo to compile to Wasm.
func main() {
wasm.RegisterModule(Spring4Shell{})
}
@@ -99,7 +95,7 @@ func (Spring4Shell) parseJavaRelease(f *os.File, filePath string) (*serialize.An
}
return &serialize.AnalysisResult{
CustomResources: []ftypes.CustomResource{
CustomResources: []serialize.CustomResource{
{
Type: TypeJavaMajor,
FilePath: filePath,
@@ -121,7 +117,7 @@ func (Spring4Shell) parseTomcatReleaseNotes(f *os.File, filePath string) (*seria
}
return &serialize.AnalysisResult{
CustomResources: []ftypes.CustomResource{
CustomResources: []serialize.CustomResource{
{
Type: TypeTomcatVersion,
FilePath: filePath,
@@ -226,7 +222,7 @@ func (Spring4Shell) PostScanSpec() serialize.PostScanSpec {
// }
//
// ]
func (Spring4Shell) PostScan(results types.Results) (types.Results, error) {
func (Spring4Shell) PostScan(results serialize.Results) (serialize.Results, error) {
var javaMajorVersion int
var tomcatVersion string
for _, result := range results {

347
go.mod
View File

@@ -1,12 +1,12 @@
module github.com/aquasecurity/trivy
go 1.24.2
go 1.23.5
require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0
github.com/BurntSushi/toml v1.5.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
github.com/BurntSushi/toml v1.4.0
github.com/CycloneDX/cyclonedx-go v0.9.2
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
github.com/Masterminds/sprig/v3 v3.3.0
@@ -20,38 +20,40 @@ require (
github.com/aquasecurity/go-pep440-version v0.0.1
github.com/aquasecurity/go-version v0.0.1
github.com/aquasecurity/iamgo v0.0.10
github.com/aquasecurity/table v1.10.0
github.com/aquasecurity/jfather v0.0.8
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e
github.com/aquasecurity/trivy-checks v1.6.1
github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.9.0
github.com/aws/aws-sdk-go-v2 v1.36.3
github.com/aws/aws-sdk-go-v2/config v1.29.14
github.com/aws/aws-sdk-go-v2/credentials v1.17.67
github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0
github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0
github.com/aws/aws-sdk-go-v2/service/s3 v1.79.3
github.com/aws/smithy-go v1.22.3
github.com/aquasecurity/trivy-kubernetes v0.7.0
github.com/aws/aws-sdk-go-v2 v1.34.0
github.com/aws/aws-sdk-go-v2/config v1.29.2
github.com/aws/aws-sdk-go-v2/credentials v1.17.55
github.com/aws/aws-sdk-go-v2/service/ec2 v1.201.1
github.com/aws/aws-sdk-go-v2/service/ecr v1.38.7
github.com/aws/aws-sdk-go-v2/service/s3 v1.74.1
github.com/aws/smithy-go v1.22.2
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
github.com/bmatcuk/doublestar/v4 v4.8.1
github.com/cenkalti/backoff/v4 v4.3.0
github.com/cheggaaa/pb/v3 v3.1.7
github.com/containerd/containerd/v2 v2.1.1
github.com/cheggaaa/pb/v3 v3.1.6
github.com/containerd/containerd/v2 v2.0.2
github.com/containerd/platforms v1.0.0-rc.1
github.com/distribution/reference v0.6.0
github.com/docker/cli v28.1.1+incompatible
github.com/docker/docker v28.1.1+incompatible
github.com/docker/cli v27.5.0+incompatible
github.com/docker/docker v27.5.0+incompatible
github.com/docker/go-connections v0.5.0
github.com/docker/go-units v0.5.0
github.com/fatih/color v1.18.0
github.com/go-git/go-git/v5 v5.16.0
github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 // Replace with encoding/json/v2 when proposal is accepted. Track https://github.com/golang/go/issues/71497
github.com/go-git/go-git/v5 v5.13.2
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-redis/redis/v8 v8.11.5
github.com/gocsaf/csaf/v3 v3.2.0
github.com/golang-jwt/jwt/v5 v5.2.2
github.com/google/go-containerregistry v0.20.5
github.com/gocsaf/csaf/v3 v3.1.1
github.com/golang-jwt/jwt/v5 v5.2.1
github.com/google/go-containerregistry v0.20.3
github.com/google/go-github/v62 v62.0.0
github.com/google/licenseclassifier/v2 v2.0.0
github.com/google/uuid v1.6.0
@@ -62,9 +64,9 @@ require (
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-version v1.7.0
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/hashicorp/hc-install v0.9.2
github.com/hashicorp/hc-install v0.9.1
github.com/hashicorp/hcl/v2 v2.23.0
github.com/hashicorp/terraform-exec v0.23.0
github.com/hashicorp/terraform-exec v0.22.0
github.com/in-toto/in-toto-golang v0.9.0
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23
@@ -77,72 +79,76 @@ require (
github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee
github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e
github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd
github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
github.com/masahiro331/go-xfs-filesystem v0.0.0-20231205045356-1b22259a6c44
github.com/mattn/go-shellwords v1.0.12
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
github.com/moby/buildkit v0.21.1
github.com/open-policy-agent/opa v1.4.2
github.com/moby/buildkit v0.18.2
github.com/open-policy-agent/opa v1.1.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.1
github.com/opencontainers/image-spec v1.1.0
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.3.3
github.com/owenrumney/squealer v1.2.6
github.com/package-url/packageurl-go v0.1.3
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c
github.com/samber/lo v1.50.0
github.com/samber/lo v1.49.0
github.com/sassoftware/go-rpmutils v0.4.0
github.com/secure-systems-lab/go-securesystemslib v0.9.0
github.com/sigstore/rekor v1.3.10
github.com/sigstore/rekor v1.3.8
github.com/sirupsen/logrus v1.9.3
github.com/sosedoff/gitkit v0.4.0
github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
github.com/spf13/cast v1.8.0
github.com/spf13/cobra v1.9.1
github.com/spf13/pflag v1.0.6
github.com/spf13/viper v1.20.1
github.com/spf13/cast v1.7.1
github.com/spf13/cobra v1.8.1
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.19.0
github.com/stretchr/testify v1.10.0
github.com/testcontainers/testcontainers-go v0.37.0
github.com/testcontainers/testcontainers-go/modules/localstack v0.37.0
github.com/tetratelabs/wazero v1.9.0
github.com/testcontainers/testcontainers-go v0.35.0
github.com/testcontainers/testcontainers-go/modules/localstack v0.35.0
github.com/tetratelabs/wazero v1.8.2
github.com/twitchtv/twirp v8.1.3+incompatible
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
github.com/zclconf/go-cty v1.16.3
github.com/zclconf/go-cty v1.16.2
github.com/zclconf/go-cty-yaml v1.1.0
go.etcd.io/bbolt v1.4.0
golang.org/x/crypto v0.38.0
golang.org/x/mod v0.24.0
golang.org/x/net v0.40.0
golang.org/x/sync v0.14.0
golang.org/x/term v0.32.0
golang.org/x/text v0.25.0
go.etcd.io/bbolt v1.3.11
golang.org/x/crypto v0.32.0
golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
golang.org/x/mod v0.22.0
golang.org/x/net v0.34.0
golang.org/x/sync v0.10.0
golang.org/x/term v0.28.0
golang.org/x/text v0.21.0
golang.org/x/vuln v1.1.4
golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
google.golang.org/protobuf v1.36.6
google.golang.org/protobuf v1.36.4
gopkg.in/yaml.v3 v3.0.1
helm.sh/helm/v3 v3.17.3
k8s.io/api v0.33.1
helm.sh/helm/v3 v3.17.0
k8s.io/api v0.32.1
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
modernc.org/sqlite v1.37.0
modernc.org/sqlite v1.34.5
sigs.k8s.io/yaml v1.4.0
)
require (
cel.dev/expr v0.20.0 // indirect
cloud.google.com/go v0.118.3 // indirect
cloud.google.com/go/auth v0.15.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cel.dev/expr v0.19.0 // indirect
cloud.google.com/go v0.116.0 // indirect
cloud.google.com/go/auth v0.13.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
cloud.google.com/go/iam v1.4.1 // indirect
cloud.google.com/go/monitoring v1.24.0 // indirect
cloud.google.com/go/storage v1.50.0 // indirect
cloud.google.com/go/iam v1.2.2 // indirect
cloud.google.com/go/monitoring v1.21.2 // indirect
cloud.google.com/go/storage v1.45.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
@@ -150,11 +156,11 @@ require (
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
github.com/DataDog/zstd v1.5.5 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
github.com/Intevation/gval v1.3.0 // indirect
github.com/Intevation/jsonpath v0.2.1 // indirect
github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -162,40 +168,29 @@ require (
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/Masterminds/squirrel v1.5.4 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/Microsoft/hcsshim v0.13.0 // indirect
github.com/ProtonMail/go-crypto v1.1.6 // indirect
github.com/Microsoft/hcsshim v0.12.9 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v1.1.5 // indirect
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/agnivade/levenshtein v1.2.1 // indirect
github.com/alessio/shellescape v1.4.1 // indirect
github.com/agnivade/levenshtein v1.2.0 // indirect
github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aquasecurity/jfather v0.0.8 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.55.7 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/briandowns/spinner v1.23.0 // indirect
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.6.1 // indirect
github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
github.com/containerd/cgroups/v3 v3.0.5 // indirect
github.com/containerd/containerd v1.7.27 // indirect
github.com/containerd/containerd/api v1.9.0 // indirect
github.com/cloudflare/circl v1.5.0 // indirect
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
github.com/containerd/cgroups/v3 v3.0.3 // indirect
github.com/containerd/containerd v1.7.25 // indirect
github.com/containerd/containerd/api v1.8.0 // indirect
github.com/containerd/continuity v0.4.5 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
@@ -206,30 +201,28 @@ require (
github.com/containerd/ttrpc v1.2.7 // indirect
github.com/containerd/typeurl/v2 v2.2.3 // indirect
github.com/cpuguy83/dockercfg v0.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/cyphar/filepath-securejoin v0.4.1 // indirect
github.com/cyphar/filepath-securejoin v0.3.6 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.9.3 // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
github.com/dsnet/compress v0.0.1 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/ebitengine/purego v0.8.2 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/envoyproxy/go-control-plane v0.13.1 // indirect
github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-errors/errors v1.4.2 // indirect
@@ -237,48 +230,45 @@ require (
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.5 // indirect
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.1 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.1 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.15.23 // indirect
github.com/goccy/go-yaml v1.9.5 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/google/gnostic-models v0.6.9 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-github/v31 v31.0.0 // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.8 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/subcommands v1.2.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/gax-go/v2 v2.14.1 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/gosuri/uitable v0.0.4 // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/golang-lru v0.6.0 // indirect
github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
github.com/hashicorp/terraform-json v0.24.0 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -289,8 +279,7 @@ require (
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.18.0 // indirect
github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 // indirect
github.com/klauspost/compress v1.17.11 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
@@ -298,8 +287,8 @@ require (
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
github.com/magiconair/properties v1.8.10 // indirect
github.com/mailru/easyjson v0.9.0 // indirect
github.com/magiconair/properties v1.8.9 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.16 // indirect
@@ -308,15 +297,13 @@ require (
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/go-archive v0.1.0 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/patternmatcher v0.6.0 // indirect
github.com/moby/spdystream v0.5.0 // indirect
github.com/moby/sys/atomicwriter v0.1.0 // indirect
github.com/moby/sys/mountinfo v0.7.2 // indirect
github.com/moby/sys/sequential v0.6.0 // indirect
github.com/moby/sys/signal v0.7.1 // indirect
github.com/moby/sys/user v0.4.0 // indirect
github.com/moby/sys/user v0.3.0 // indirect
github.com/moby/sys/userns v0.1.0 // indirect
github.com/moby/term v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -328,13 +315,11 @@ require (
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/oklog/ulid/v2 v2.1.0 // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/opencontainers/selinux v1.12.0 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
github.com/opencontainers/selinux v1.11.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/owenrumney/squealer v1.2.11 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.2.4 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pjbgf/sha1cd v0.3.2 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
@@ -342,44 +327,43 @@ require (
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
github.com/prometheus/client_golang v1.22.0 // indirect
github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.62.0 // indirect
github.com/prometheus/common v0.61.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/rubenv/sql-migrate v1.7.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sagikazarmark/locafero v0.7.0 // indirect
github.com/samber/oops v1.16.1 // indirect
github.com/sagikazarmark/locafero v0.6.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shirou/gopsutil/v4 v4.25.1 // indirect
github.com/shirou/gopsutil/v3 v3.24.2 // indirect
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sigstore/cosign/v2 v2.2.4 // indirect
github.com/sigstore/protobuf-specs v0.4.1 // indirect
github.com/sigstore/sigstore v1.9.1 // indirect
github.com/sigstore/sigstore v1.8.12 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/skeema/knownhosts v1.3.1 // indirect
github.com/skeema/knownhosts v1.3.0 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.12.0 // indirect
github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tchap/go-patricia/v2 v2.3.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tklauser/go-sysconf v0.3.13 // indirect
github.com/tklauser/numcpus v0.7.0 // indirect
github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d // indirect
github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/ulikunitz/xz v0.5.12 // indirect
github.com/vbatts/tar-split v0.12.1 // indirect
github.com/vbatts/tar-split v0.11.6 // indirect
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
github.com/x448/float16 v0.8.4 // indirect
@@ -390,63 +374,66 @@ require (
github.com/yashtewari/glob-intersection v0.2.0 // indirect
github.com/yuin/gopher-lua v1.1.1 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
github.com/zeebo/errs v1.4.0 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
go.opentelemetry.io/otel v1.35.0 // indirect
go.opentelemetry.io/otel/metric v1.35.0 // indirect
go.opentelemetry.io/otel/sdk v1.35.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.34.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
go.opentelemetry.io/otel/trace v1.34.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sys v0.33.0 // indirect
golang.org/x/oauth2 v0.25.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
golang.org/x/time v0.11.0 // indirect
golang.org/x/tools v0.33.0 // indirect
google.golang.org/api v0.228.0 // indirect
google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
google.golang.org/grpc v1.72.0 // indirect
golang.org/x/time v0.9.0 // indirect
golang.org/x/tools v0.29.0 // indirect
google.golang.org/api v0.216.0 // indirect
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
google.golang.org/grpc v1.70.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apiextensions-apiserver v0.32.2 // indirect
k8s.io/apimachinery v0.33.1 // indirect
k8s.io/apiserver v0.32.3 // indirect
k8s.io/cli-runtime v0.33.1 // indirect
k8s.io/client-go v0.33.1 // indirect
k8s.io/component-base v0.33.1 // indirect
k8s.io/apiextensions-apiserver v0.32.0 // indirect
k8s.io/apimachinery v0.32.1 // indirect
k8s.io/apiserver v0.32.0 // indirect
k8s.io/cli-runtime v0.32.1 // indirect
k8s.io/client-go v0.32.1 // indirect
k8s.io/component-base v0.32.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
k8s.io/kubectl v0.33.1 // indirect
modernc.org/libc v1.62.1 // indirect
modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.9.1 // indirect
mvdan.cc/sh/v3 v3.11.0 // indirect
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
k8s.io/kubectl v0.32.1 // indirect
modernc.org/libc v1.55.3 // indirect
modernc.org/mathutil v1.6.0 // indirect
modernc.org/memory v1.8.0 // indirect
mvdan.cc/sh/v3 v3.10.0 // indirect
oras.land/oras-go v1.2.5 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/kind v0.19.0 // indirect
sigs.k8s.io/kustomize/api v0.19.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
sigs.k8s.io/kustomize/api v0.18.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
tags.cncf.io/container-device-interface v0.8.0 // indirect
tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
)
tool (
github.com/google/wire/cmd/wire
github.com/knqyf263/labeler
github.com/magefile/mage
golang.org/x/tools/cmd/goyacc
sigs.k8s.io/kind
require (
github.com/aws/aws-sdk-go v1.55.6 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 // indirect
)

849
go.sum
View File

File diff suppressed because it is too large Load Diff

8
goreleaser.yml
View File

@@ -165,7 +165,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--platform=linux/amd64"
extra_files:
- contrib/
@@ -190,7 +190,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--platform=linux/arm64"
extra_files:
- contrib/
@@ -215,7 +215,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--platform=linux/s390x"
extra_files:
- contrib/
@@ -240,7 +240,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--platform=linux/ppc64le"
extra_files:
- contrib/

4
helm/trivy/Chart.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
version: 0.14.1
appVersion: 0.62.1
version: 0.10.1
appVersion: 0.58.1
description: Trivy helm chart
keywords:
- scanner

10
helm/trivy/README.md
View File

@@ -63,9 +63,9 @@ The following table lists the configurable parameters of the Trivy chart and the
| `image.pullSecret` | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://trivy.dev/latest/docs/references/troubleshooting/#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://trivy.dev/latest/docs/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://trivy.dev/latest/docs/advanced/private-registries/docker-hub/ | |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipDBUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
@@ -90,7 +90,7 @@ The following table lists the configurable parameters of the Trivy chart and the
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by statefulset | `{}` |
The above parameters map to the env variables defined in [trivy](https://trivy.dev/latest/docs/configuration/#configuration).
The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
@@ -108,4 +108,4 @@ This chart uses a PersistentVolumeClaim to reduce the number of database downloa
## Caching
You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitnami chart](https://bitnami.com/stack/redis/helm).
More Information about the caching backends can be found [here](https://trivy.dev/latest/docs/configuration/cache/#scan-cache-backend).
More Information about the caching backends can be found [here](https://github.com/aquasecurity/trivy#specify-cache-backend).

2
helm/trivy/values.yaml
View File

@@ -77,7 +77,7 @@ trivy:
gitHubToken: ""
# Docker registry credentials
# See also: https://trivy.dev/dev/advanced/private-registries/docker-hub/
# See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
#
# Either
# Directly in this file

50
integration/client_server_test.go
View File

@@ -22,22 +22,21 @@ import (
)
type csArgs struct {
Command string
RemoteAddrOption string
Format types.Format
TemplatePath string
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Input string
ClientToken string
ClientTokenHeader string
PathPrefix string
ListAllPackages bool
Target string
secretConfig string
Distro string
VulnSeveritySources []string
Command string
RemoteAddrOption string
Format types.Format
TemplatePath string
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Input string
ClientToken string
ClientTokenHeader string
PathPrefix string
ListAllPackages bool
Target string
secretConfig string
Distro string
}
func TestClientServer(t *testing.T) {
@@ -281,19 +280,6 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/npm.json.golden",
},
{
name: "scan package-lock.json with severity from `ubuntu` in client/server mode",
args: csArgs{
Command: "repo",
RemoteAddrOption: "--server",
Target: "testdata/fixtures/repo/npm/",
VulnSeveritySources: []string{
"alpine",
"ubuntu",
},
},
golden: "testdata/npm-ubuntu-severity.json.golden",
},
{
name: "scan sample.pem with repo command in client/server mode",
args: csArgs{
@@ -691,12 +677,6 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string) []string
)
}
if len(c.VulnSeveritySources) != 0 {
osArgs = append(osArgs,
"--vuln-severity-source", strings.Join(c.VulnSeveritySources, ","),
)
}
if len(c.IgnoreIDs) != 0 {
trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)

11
integration/integration_test.go
View File

@@ -60,10 +60,9 @@ func initDB(t *testing.T) string {
defer dbtest.Close()
err = metadata.NewClient(db.Dir(cacheDir)).Update(metadata.Metadata{
Version: db.SchemaVersion,
NextUpdate: time.Now().Add(24 * time.Hour),
UpdatedAt: time.Now(),
DownloadedAt: time.Now(),
Version: db.SchemaVersion,
NextUpdate: time.Now().Add(24 * time.Hour),
UpdatedAt: time.Now(),
})
require.NoError(t, err)
@@ -154,9 +153,6 @@ func readReport(t *testing.T, filePath string) types.Report {
// We don't compare repo tags because the archive doesn't support it
report.Metadata.RepoTags = nil
report.Metadata.RepoDigests = nil
for i := range report.Metadata.Layers {
report.Metadata.Layers[i].Digest = ""
}
for i, result := range report.Results {
for j := range result.Vulnerabilities {
@@ -305,7 +301,6 @@ func compareReports(t *testing.T, wantFile, gotFile string, override func(t *tes
if override != nil {
override(t, &want, &got)
}
assert.Equal(t, want, got)
}

6
integration/module_test.go
View File

@@ -3,12 +3,12 @@
package integration
import (
"github.com/aquasecurity/trivy/pkg/types"
"path/filepath"
"testing"
"github.com/aquasecurity/trivy/pkg/extension"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/scanner/post"
)
func TestModule(t *testing.T) {
@@ -52,7 +52,7 @@ func TestModule(t *testing.T) {
t.Cleanup(func() {
analyzer.DeregisterAnalyzer("spring4shell")
extension.DeregisterHook("spring4shell")
post.DeregisterPostScanner("spring4shell")
})
// Run Trivy

77
integration/repo_test.go
View File

@@ -10,7 +10,7 @@ import (
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -18,24 +18,23 @@ import (
func TestRepository(t *testing.T) {
t.Setenv("NUGET_PACKAGES", t.TempDir())
type args struct {
scanner types.Scanner
ignoreIDs []string
policyPaths []string
namespaces []string
listAllPkgs bool
input string
secretConfig string
filePatterns []string
helmSet []string
helmValuesFile []string
skipFiles []string
skipDirs []string
command string
format types.Format
includeDevDeps bool
parallel int
vex string
vulnSeveritySources []string
scanner types.Scanner
ignoreIDs []string
policyPaths []string
namespaces []string
listAllPkgs bool
input string
secretConfig string
filePatterns []string
helmSet []string
helmValuesFile []string
skipFiles []string
skipDirs []string
command string
format types.Format
includeDevDeps bool
parallel int
vex string
}
tests := []struct {
name string
@@ -105,18 +104,6 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/npm.json.golden",
},
{
name: "npm with severity from ubuntu",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/repo/npm",
vulnSeveritySources: []string{
"alpine",
"ubuntu",
},
},
golden: "testdata/npm-ubuntu-severity.json.golden",
},
{
name: "npm with dev deps",
args: args{
@@ -145,15 +132,6 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/pnpm.json.golden",
},
{
name: "bun",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/repo/bun",
listAllPkgs: true,
},
golden: "testdata/bun.json.golden",
},
{
name: "pip",
args: args{
@@ -295,15 +273,6 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/composer.lock.json.golden",
},
{
name: "cargo.lock",
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/repo/cargo",
},
golden: "testdata/cargo.lock.json.golden",
},
{
name: "multiple lockfiles",
args: args{
@@ -449,7 +418,7 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/gomod-skip.json.golden",
override: func(_ *testing.T, want, _ *types.Report) {
want.ArtifactType = ftypes.TypeFilesystem
want.ArtifactType = artifact.TypeFilesystem
},
},
{
@@ -463,7 +432,7 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/dockerfile-custom-policies.json.golden",
override: func(_ *testing.T, want, got *types.Report) {
want.ArtifactType = ftypes.TypeFilesystem
want.ArtifactType = artifact.TypeFilesystem
},
},
{
@@ -569,12 +538,6 @@ func TestRepository(t *testing.T) {
}
}
if len(tt.args.vulnSeveritySources) != 0 {
osArgs = append(osArgs,
"--vuln-severity-source", strings.Join(tt.args.vulnSeveritySources, ","),
)
}
if tt.args.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs")
}

Some files were not shown because too many files have changed in this diff Show More