test(flag): enhance TestCustomFlagGroups to include environment variable support

- Added a test case to verify the behavior of the `TRIVY_FOO` environment variable in the `TestCustomFlagGroups` function. - Ensured that the flag system correctly retrieves values from both environment variables and custom flags. - Improved test coverage for the flag handling functionality.
refactor(extension): add custom flag groups for commands
2025-12-10 06:40:46 -08:00 · 2025-04-14 13:08:21 +04:00 · 2025-04-11 15:21:09 +04:00 · 2025-04-11 09:43:02 +00:00 · 2025-04-11 08:47:43 +00:00 · 2025-04-10 05:21:19 +00:00
586 changed files with 19517 additions and 12627 deletions
--- a/.github/DISCUSSION_TEMPLATE/bugs.yml
+++ b/.github/DISCUSSION_TEMPLATE/bugs.yml
@@ -10,7 +10,7 @@ body:
        
        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
        
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
  - type: textarea
    attributes:
      label: Description
@@ -117,7 +117,7 @@ body:
      description: Have you tried the following?
      options:
        - label: Run `trivy clean --all`
-        - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
+        - label: Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)
  - type: markdown
    attributes:
      value: |
--- a/.github/DISCUSSION_TEMPLATE/documentation.yml
+++ b/.github/DISCUSSION_TEMPLATE/documentation.yml
@@ -7,7 +7,7 @@ body:
        Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
        Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
        
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
  - type: textarea
    attributes:
      label: Description
--- a/.github/DISCUSSION_TEMPLATE/false-detection.yml
+++ b/.github/DISCUSSION_TEMPLATE/false-detection.yml
@@ -8,7 +8,7 @@ body:
        
        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
        
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
  - type: input
    attributes:
      label: IDs
@@ -86,7 +86,7 @@ body:
    attributes:
      label: Checklist
      options:
-        - label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
+        - label: Read [the documentation regarding wrong detection](https://trivy.dev/dev/community/contribute/discussion/#false-detection)
        - label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/ideas.yml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yml
@@ -9,7 +9,7 @@ body:
        
        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
        
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
  - type: textarea
    attributes:
      label: Description
--- a/.github/DISCUSSION_TEMPLATE/q-a.yml
+++ b/.github/DISCUSSION_TEMPLATE/q-a.yml
@@ -9,7 +9,7 @@ body:
        
        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
        
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
  - type: textarea
    attributes:
      label: Question
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -10,8 +10,8 @@
 Remove this section if you don't have related PRs.

 ## Checklist
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
+- [ ] I've read the [guidelines for contributing](https://trivy.dev/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://trivy.dev/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)
--- a/.github/workflows/auto-close-issue.yaml
+++ b/.github/workflows/auto-close-issue.yaml
@@ -26,7 +26,7 @@ jobs:
            
            // If the user does not have write or admin permissions, leave a comment and close the issue
            if (permission !== 'write' && permission !== 'admin') {
-              const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
+              const commentBody = "Please see https://trivy.dev/latest/community/contribute/issue/";
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
--- a/.github/workflows/auto-update-labels.yaml
+++ b/.github/workflows/auto-update-labels.yaml
@@ -5,8 +5,6 @@ on:
      - 'misc/triage/labels.yaml'
    branches:
      - main
-env:
-  GO_VERSION: '1.23'
 jobs:
  deploy:
    name: Auto-update labels
@@ -18,14 +16,11 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          # cf. https://github.com/aquasecurity/trivy/pull/6711
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false

-      - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: update labels
        env:
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -41,8 +41,10 @@ jobs:
          fetch-depth: 0

      - name: Extract branch name
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
-          BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV

      - name: Set up Git user
--- a/.github/workflows/cache-test-images.yaml
+++ b/.github/workflows/cache-test-images.yaml
@@ -18,10 +18,8 @@ jobs:
          go-version-file: go.mod
          cache: false

-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
        if: github.ref_name == 'main'
@@ -29,7 +27,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      ## We need to work with test image cache only for main branch
@@ -39,8 +37,6 @@ jobs:
        with:
          path: integration/testdata/fixtures/images
          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-images-

      - name: Download test images
        if: github.ref_name == 'main'
@@ -59,10 +55,8 @@ jobs:
          go-version-file: go.mod
          cache: false

-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
        if: github.ref_name == 'main'
@@ -70,7 +64,7 @@ jobs:
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      ## We need to work with test VM image cache only for main branch
@@ -80,8 +74,6 @@ jobs:
        with:
          path: integration/testdata/fixtures/vm-images
          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-vm-images-

      - name: Download test VM images
        if: github.ref_name == 'main'
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -25,7 +25,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.2
+        uses: actions/cache@v4
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -33,7 +33,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
        with:
          version: v3.14.4
      - name: Set up python
@@ -43,9 +43,9 @@ jobs:
          check-latest: true
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
      - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
@@ -65,16 +65,19 @@ jobs:
        uses: actions/checkout@v4.1.6
        with:
          fetch-depth: 0
+
      - name: Set up Git user
        run: |
          git config --global user.email "actions@github.com"
          git config --global user.name "GitHub Actions"

-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
+      - name: Set up Go
+        uses: actions/setup-go@v5
        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
+          go-version-file: go.mod
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action  

      - name: Create a PR with Trivy version
        run: mage helm:updateVersion
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -47,10 +47,12 @@ jobs:
      - name: Extract version and PR number from commit message
        id: extract_info
        shell: bash
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
-          echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
-          echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
-          echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "version=$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "pr_number=$( echo "$COMMIT_MESSAGE" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "release_branch=release/v$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT

      - name: Tag release
        if: ${{ steps.extract_info.outputs.version }}
--- a/.github/workflows/release-pr-check.yaml
+++ b/.github/workflows/release-pr-check.yaml
@@ -11,8 +11,10 @@ jobs:
    steps:
      - name: Check PR author
        id: check_author
+        env:
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
-          if [ "${{ github.actor }}" != "aqua-bot" ]; then
+          if [ "$PR_AUTHOR" != "aqua-bot" ]; then
            echo "::error::This branch is intended for automated backporting by bot. Please refer to the documentation:"
            echo "::error::https://trivy.dev/latest/community/maintainer/backporting/"
            exit 1
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.2
+        uses: actions/cache@v4
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -14,7 +14,6 @@ on:

 env:
  GH_USER: "aqua-bot"
-  GO_VERSION: '1.23'

 jobs:
  release:
@@ -28,7 +27,7 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@@ -68,7 +67,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.

      - name: Generate SBOM
@@ -120,7 +119,7 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v4.0.2
+        uses: actions/cache@v4
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -1,22 +1,23 @@
-name: "Lint PR title"
+name: "Validate PR Title"

 on:
-  pull_request_target:
+  pull_request:
    types:
      - opened
      - edited
      - synchronize

 jobs:
-  main:
+  validate:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Validate PR title
+        shell: bash
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          types: |
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          # Valid types
+          VALID_TYPES: |
            feat
            fix
            docs
@@ -29,13 +30,15 @@ jobs:
            chore
            revert
            release
-
-          scopes: |
+          # Valid scopes categorized by area
+          VALID_SCOPES: |
+            # Scanners
            vuln
            misconf
            secret
            license

+            # Targets
            image
            fs
            repo
@@ -46,6 +49,7 @@ jobs:
            vm
            plugin

+            # OS
            alpine
            wolfi
            chainguard
@@ -62,6 +66,7 @@ jobs:
            distroless
            windows

+            # Languages
            ruby
            php
            python
@@ -71,7 +76,7 @@ jobs:
            java
            go
            c
-            c\+\+
+            c++
            elixir
            dart
            swift
@@ -79,29 +84,80 @@ jobs:
            conda
            julia

+            # Package types
            os
            lang

+            # IaC
            kubernetes
            dockerfile
            terraform
            cloudformation

+            # Container
            docker
            podman
            containerd
            oci

+            # SBOM
+            sbom
+            spdx
+            cyclonedx
+
+            # Misc
            cli
            flag
-
-            cyclonedx
-            spdx
            purl
            vex
-
            helm
            report
            db
            parser
            deps
+        run: |
+          set -euo pipefail
+
+          # Convert env vars to regex alternatives, excluding comments and empty lines
+          TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
+          SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
+          
+          # Basic format check (should match: type(scope): description or type: description)
+          FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
+          if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
+            echo "Error: Invalid PR title format"
+            echo "Expected format: <type>(<scope>): <description> or <type>: <description>"
+            echo "Examples:"
+            echo "  feat(vuln): add new vulnerability detection"
+            echo "  fix: correct parsing logic"
+            echo "  docs(kubernetes): update installation guide"
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Extract type and scope for validation
+          TYPE=$(echo "$PR_TITLE" | sed -E 's/^([a-z]+)(\([a-z0-9+]+\))?!?: .+$/\1/')
+          SCOPE=$(echo "$PR_TITLE" | sed -E 's/^[a-z]+\(([a-z0-9+]+)\)!?: .+$/\1/; t; s/.*//')
+
+          # Validate type
+          if ! echo "$VALID_TYPES" | grep -qx "$TYPE"; then
+            echo "Error: Invalid type '${TYPE}'"
+            echo -e "\nValid types:"
+            echo "$VALID_TYPES" | grep -v '^$' | sed 's/^/- /'
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Validate scope if present
+          if [ -n "$SCOPE" ]; then
+            if ! echo "$VALID_SCOPES" | grep -v '^#' | grep -qx "$SCOPE"; then
+              echo "Error: Invalid scope '${SCOPE}'"
+              echo -e "\nValid scopes:"
+              echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | sed 's/^/- /'
+              echo -e "\nCurrent title: $PR_TITLE"
+              exit 1
+            fi
+          fi
+          
+          echo "PR title validation passed ✅"
+          echo "Current title: $PR_TITLE"
--- a/.github/workflows/spdx-cron.yaml
+++ b/.github/workflows/spdx-cron.yaml
@@ -12,6 +12,14 @@ jobs:
      - name: Check out code
        uses: actions/checkout@v4.1.6

+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
      - name: Check if SPDX exceptions are up-to-date
        run: |
          mage spdx:updateLicenseExceptions
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -11,8 +11,6 @@ on:
  merge_group:
  workflow_dispatch:

-env:
-  GO_VERSION: '1.23'
 jobs:
  test:
    name: Test
@@ -26,7 +24,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false

      - name: go mod tidy
@@ -40,9 +38,9 @@ jobs:

      - name: Lint
        id: lint
-        uses: golangci/golangci-lint-action@v6.1.1
+        uses: golangci/golangci-lint-action@v6.5.0
        with:
-          version: v1.61
+          version: v1.64
          args: --verbose --out-format=line-number
        if: matrix.operating-system == 'ubuntu-latest'

@@ -53,10 +51,7 @@ jobs:
        if: ${{ failure() && steps.lint.conclusion == 'failure' }}

      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Check if CLI references are up-to-date
        run: |
@@ -80,20 +75,18 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false

-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
        id: image-digest
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test images from cache
@@ -101,8 +94,6 @@ jobs:
        with:
          path: integration/testdata/fixtures/images
          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-images-

      - name: Run integration tests
        run: mage test:integration
@@ -117,13 +108,11 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false

-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Run k8s integration tests
        run: mage test:k8s
@@ -138,20 +127,18 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false

      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
        id: image-digest
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test images from cache
@@ -159,8 +146,6 @@ jobs:
        with:
          path: integration/testdata/fixtures/images
          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-images-

      - name: Run module integration tests
        shell: bash
@@ -177,20 +162,18 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          cache: false

-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
        id: image-digest
        run: |
          source integration/testimages.ini
          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test VM images from cache
@@ -198,8 +181,6 @@ jobs:
        with:
          path: integration/testdata/fixtures/vm-images
          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-vm-images-

      - name: Run vm integration tests
        run: |
@@ -220,7 +201,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v5
      with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
        cache: false

    - name: Determine GoReleaser ID
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -73,7 +73,8 @@ linters-settings:
      - G304
      - G402
  govet:
-    check-shadowing: false
+    disable:
+      - shadow
  misspell:
    locale: US
    ignore-words:
@@ -113,7 +114,7 @@ linters:
    - misspell
    - perfsprint
    - revive
-    - tenv
+    - usetesting
    - testifylint
    - typecheck
    - unconvert
@@ -121,12 +122,11 @@ linters:
    - usestdlibvars

 run:
-  go: '1.23'
+  go: '1.24'
  timeout: 30m

 issues:
  exclude-files:
-    - "mock_*.go$"
    - "examples/*"
  exclude-dirs:
    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1 +1 @@
-{".":"0.59.0"}
+{".":"0.61.0"}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,75 @@
 # Changelog

+## [0.61.0](https://github.com/aquasecurity/trivy/compare/v0.60.0...v0.61.0) (2025-03-28)
+
+
+### Features
+
+* **fs:** optimize scanning performance by direct file access for known paths ([#8525](https://github.com/aquasecurity/trivy/issues/8525)) ([8bf6caf](https://github.com/aquasecurity/trivy/commit/8bf6caf98e2b1eff7bd16987f6791122d827747c))
+* **k8s:** add support for controllers ([#8614](https://github.com/aquasecurity/trivy/issues/8614)) ([1bf0117](https://github.com/aquasecurity/trivy/commit/1bf0117f776953bbfe67cf32e4231360010fdf33))
+* **misconf:** adapt aws_default_security_group ([#8538](https://github.com/aquasecurity/trivy/issues/8538)) ([b57eccb](https://github.com/aquasecurity/trivy/commit/b57eccb09c33df4ad0423fb148ddeaa292028401))
+* **misconf:** adapt aws_opensearch_domain ([#8550](https://github.com/aquasecurity/trivy/issues/8550)) ([9913465](https://github.com/aquasecurity/trivy/commit/9913465a535c29b377bd2f2563163ccf7cbcd6a4))
+* **misconf:** adapt AWS::DynamoDB::Table ([#8529](https://github.com/aquasecurity/trivy/issues/8529)) ([8112cdf](https://github.com/aquasecurity/trivy/commit/8112cdf8d638fa2bf57e5687e32f54b704c7e6b7))
+* **misconf:** adapt AWS::EC2::VPC ([#8534](https://github.com/aquasecurity/trivy/issues/8534)) ([0d9865f](https://github.com/aquasecurity/trivy/commit/0d9865f48f46e85595af40140faa5ff6f02b9a02))
+* **misconf:** Add support for aws_ami ([#8499](https://github.com/aquasecurity/trivy/issues/8499)) ([573502e](https://github.com/aquasecurity/trivy/commit/573502e2e83ff18020d5e7dcad498468a548733e))
+* replace TinyGo with standard Go for WebAssembly modules ([#8496](https://github.com/aquasecurity/trivy/issues/8496)) ([529957e](https://github.com/aquasecurity/trivy/commit/529957eac1fc790c57fa3d93524a901ce842a9f5))
+
+
+### Bug Fixes
+
+* **debian:** don't include empty licenses for `dpkgs` ([#8623](https://github.com/aquasecurity/trivy/issues/8623)) ([346f5b3](https://github.com/aquasecurity/trivy/commit/346f5b3553b9247f99f89d859d4f835e955d34e9))
+* **fs:** check postAnalyzers for StaticPaths ([#8543](https://github.com/aquasecurity/trivy/issues/8543)) ([c228307](https://github.com/aquasecurity/trivy/commit/c22830766e8cf1532f20198864757161eed6fda4))
+* **k8s:** show report for `--report all` ([#8613](https://github.com/aquasecurity/trivy/issues/8613)) ([dbb6f28](https://github.com/aquasecurity/trivy/commit/dbb6f288712240ef5dec59952e33b73e3a6d5b06))
+* **misconf:** add ephemeral block type to config schema ([#8513](https://github.com/aquasecurity/trivy/issues/8513)) ([41512f8](https://github.com/aquasecurity/trivy/commit/41512f846e75bae73984138ad7b3d03284a53f19))
+* **misconf:** Check values wholly prior to evalution ([#8604](https://github.com/aquasecurity/trivy/issues/8604)) ([ad58cf4](https://github.com/aquasecurity/trivy/commit/ad58cf4457ebef80ff0bc4c113d4ab4c86a9fe56))
+* **misconf:** do not skip loading documents from subdirectories ([#8526](https://github.com/aquasecurity/trivy/issues/8526)) ([de7eb13](https://github.com/aquasecurity/trivy/commit/de7eb13938f2709983a27ab3f59dbfac3fb74651))
+* **misconf:** do not use cty.NilVal for non-nil values ([#8567](https://github.com/aquasecurity/trivy/issues/8567)) ([400a79c](https://github.com/aquasecurity/trivy/commit/400a79c2c693e462ad2e1cfc21305ef13d2ec224))
+* **misconf:** identify the chart file exactly by name ([#8590](https://github.com/aquasecurity/trivy/issues/8590)) ([ba77dbe](https://github.com/aquasecurity/trivy/commit/ba77dbe5f952d67bbbbc0f43543d5f34135bc280))
+* **misconf:** Improve logging for unsupported checks ([#8634](https://github.com/aquasecurity/trivy/issues/8634)) ([5b7704d](https://github.com/aquasecurity/trivy/commit/5b7704d1d091a12822df060ee7a679135185f2ae))
+* **misconf:** set default values for AWS::EKS::Cluster.ResourcesVpcConfig ([#8548](https://github.com/aquasecurity/trivy/issues/8548)) ([1f05b45](https://github.com/aquasecurity/trivy/commit/1f05b4545d8f1de3ee703de66a7b3df2baaa07a7))
+* **misconf:** skip Azure CreateUiDefinition ([#8503](https://github.com/aquasecurity/trivy/issues/8503)) ([c7814f1](https://github.com/aquasecurity/trivy/commit/c7814f1401b0cc66a557292fe07da24d0ea7b5cc))
+* **spdx:** save text licenses into `otherLicenses` without normalize ([#8502](https://github.com/aquasecurity/trivy/issues/8502)) ([e5072f1](https://github.com/aquasecurity/trivy/commit/e5072f1eef8f3a78f4db48b4ac3f7c48aeec5e92))
+* use `--file-patterns` flag for all post analyzers ([#7365](https://github.com/aquasecurity/trivy/issues/7365)) ([8b88238](https://github.com/aquasecurity/trivy/commit/8b88238f07e389cc32e2478f84aceaf860e421ef))
+
+
+### Performance Improvements
+
+* **misconf:** parse input for Rego once ([#8483](https://github.com/aquasecurity/trivy/issues/8483)) ([0e5e909](https://github.com/aquasecurity/trivy/commit/0e5e9097650f60bc54f47a21ecc937a66e66e225))
+* **misconf:** retrieve check metadata from annotations once ([#8478](https://github.com/aquasecurity/trivy/issues/8478)) ([7b96351](https://github.com/aquasecurity/trivy/commit/7b96351c32d264d136978fe8fd9e113ada69bb2b))
+
+## [0.60.0](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.60.0) (2025-03-05)
+
+
+### Features
+
+* add `--vuln-severity-source` flag ([#8269](https://github.com/aquasecurity/trivy/issues/8269)) ([d464807](https://github.com/aquasecurity/trivy/commit/d4648073211e8451d66e4c0399e9441250b60a76))
+* add report summary table ([#8177](https://github.com/aquasecurity/trivy/issues/8177)) ([dd54f80](https://github.com/aquasecurity/trivy/commit/dd54f80d3fda7821dba13553480e9893ba8b4cb3))
+* **cyclonedx:** Add initial support for loading external VEX files from SBOM references ([#8254](https://github.com/aquasecurity/trivy/issues/8254)) ([4820eb7](https://github.com/aquasecurity/trivy/commit/4820eb70fc926a35d759c373112dbbdca890fd46))
+* **go:** fix parsing main module version for go &gt;= 1.24 ([#8433](https://github.com/aquasecurity/trivy/issues/8433)) ([e58dcfc](https://github.com/aquasecurity/trivy/commit/e58dcfcf9f102c12825d5343ebbcc12a2d6c05c5))
+* **misconf:** render causes for Terraform ([#8360](https://github.com/aquasecurity/trivy/issues/8360)) ([a99498c](https://github.com/aquasecurity/trivy/commit/a99498cdd9b7bdac000140af6654bfe30135242d))
+
+
+### Bug Fixes
+
+* **db:** fix case when 2 trivy-db were copied at the same time ([#8452](https://github.com/aquasecurity/trivy/issues/8452)) ([bb3cca6](https://github.com/aquasecurity/trivy/commit/bb3cca6018551e96fdd357563dc177215ca29bd4))
+* don't use `scope` for `trivy registry login` command ([#8393](https://github.com/aquasecurity/trivy/issues/8393)) ([8715e5d](https://github.com/aquasecurity/trivy/commit/8715e5d14a727667c2e62d6f7a4b5308a0323386))
+* **go:** merge nested flags into string for ldflags for Go binaries ([#8368](https://github.com/aquasecurity/trivy/issues/8368)) ([b675b06](https://github.com/aquasecurity/trivy/commit/b675b06e897aaf374e7b1262d4323060a8a62edb))
+* **image:** disable AVD-DS-0007 for history scanning ([#8366](https://github.com/aquasecurity/trivy/issues/8366)) ([a3cd693](https://github.com/aquasecurity/trivy/commit/a3cd693a5ea88def2f9057df6178b0c0e7a6bdb0))
+* **k8s:** add missed option `PkgRelationships` ([#8442](https://github.com/aquasecurity/trivy/issues/8442)) ([f987e41](https://github.com/aquasecurity/trivy/commit/f987e4157494434f6e4e4566fedfedda92167565))
+* **misconf:** do not log scanners when misconfig scanning is disabled ([#8345](https://github.com/aquasecurity/trivy/issues/8345)) ([5695eb2](https://github.com/aquasecurity/trivy/commit/5695eb22dfed672eafacb64a71da8e9bdfbaab87))
+* **misconf:** ecs include enhanced for container insights ([#8326](https://github.com/aquasecurity/trivy/issues/8326)) ([39789ff](https://github.com/aquasecurity/trivy/commit/39789fff438d11bc6eccd254b3b890beb68c240b))
+* **misconf:** fix incorrect k8s locations due to JSON to YAML conversion ([#8073](https://github.com/aquasecurity/trivy/issues/8073)) ([a994453](https://github.com/aquasecurity/trivy/commit/a994453a7d0f543fe30c4dc8adbc92ad0c21bcbc))
+* **os:** add mapping OS aliases ([#8466](https://github.com/aquasecurity/trivy/issues/8466)) ([6b4cebe](https://github.com/aquasecurity/trivy/commit/6b4cebe9592f3a06bd91aa58ba6d65869afebbee))
+* **python:** add `poetry` v2 support ([#8323](https://github.com/aquasecurity/trivy/issues/8323)) ([10cd98c](https://github.com/aquasecurity/trivy/commit/10cd98cf55263749cb2583063a2e9e9953c7371a))
+* **report:** remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports ([#8344](https://github.com/aquasecurity/trivy/issues/8344)) ([3eb0b03](https://github.com/aquasecurity/trivy/commit/3eb0b03f7c9ee462daccfacb291b2c463d848ff5))
+* **sbom:** add SBOM file's filePath as Application FilePath if we can't detect its path ([#8346](https://github.com/aquasecurity/trivy/issues/8346)) ([ecc01bb](https://github.com/aquasecurity/trivy/commit/ecc01bb3fb876fd0cc503cb38efa23e4fb9484b4))
+* **sbom:** improve logic for binding direct dependency to parent component ([#8489](https://github.com/aquasecurity/trivy/issues/8489)) ([85cca8c](https://github.com/aquasecurity/trivy/commit/85cca8c07affee4ded5c232efb45b05dacf22242))
+* **sbom:** preserve OS packages from multiple SBOMs ([#8325](https://github.com/aquasecurity/trivy/issues/8325)) ([bd5baaf](https://github.com/aquasecurity/trivy/commit/bd5baaf93054d71223e0721c7547a0567dea3b02))
+* **server:** secrets inspectation for the config analyzer in client server mode ([#8418](https://github.com/aquasecurity/trivy/issues/8418)) ([a1c4bd7](https://github.com/aquasecurity/trivy/commit/a1c4bd746f5f901e2a8f09f48f58b973b9103165))
+* **spdx:** init `pkgFilePaths` map for all formats ([#8380](https://github.com/aquasecurity/trivy/issues/8380)) ([72ea4b0](https://github.com/aquasecurity/trivy/commit/72ea4b0632308bd6150aaf2f1549a3f10b60dc23))
+* **terraform:** apply parser options to submodule parsing ([#8377](https://github.com/aquasecurity/trivy/issues/8377)) ([398620b](https://github.com/aquasecurity/trivy/commit/398620b471c25e467018bc23df53a3a1c2aa661c))
+* update all documentation links ([#8045](https://github.com/aquasecurity/trivy/issues/8045)) ([49456ba](https://github.com/aquasecurity/trivy/commit/49456ba8410e0e4cc1756906ccea1fdd60006d2d))
+
 ## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)


--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1 +1 @@
-See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
+See [Issues](https://trivy.dev/latest/community/contribute/issue/) and [Pull Requests](https://trivy.dev/latest/community/contribute/pr/)
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.21.0
+FROM alpine:3.21.3
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.21.0
+FROM alpine:3.21.3
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.23
+FROM --platform=linux/amd64 golang:1.24

 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ trivy k8s --report summary cluster
 ## Want more? Check out Aqua

 If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
-You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/commercial/comparison).  
+You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/latest/commercial/compare/).
 In addition check out the <https://aquasec.com> website for more information about our products and services.
 If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>

@@ -116,7 +116,6 @@ If you'd like to contact Aqua or request a demo, please use this form: <https://
 Trivy is an [Aqua Security][aquasec] open source project.  
 Learn about our open source work and portfolio [here][oss].  
 Contact us about any matter by opening a GitHub Discussion [here][discussions]
-Join our [Slack community][slack] to stay up to date with community efforts.

 Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.

@@ -131,14 +130,13 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
 [homepage]: https://trivy.dev
-[docs]: https://aquasecurity.github.io/trivy
+[docs]: https://trivy.dev/latest/docs/
 [pronunciation]: #how-to-pronounce-the-name-trivy
-[slack]: https://slack.aquasec.com
 [code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md

-[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
-[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
-[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
+[Installation]:https://trivy.dev/latest/getting-started/installation/
+[Ecosystem]: https://trivy.dev/latest/ecosystem/
+[Scanning Coverage]: https://trivy.dev/latest/docs/coverage/

 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -1,10 +0,0 @@
---
-# aqua - Declarative CLI Version Manager
-# https://aquaproj.github.io/
-registries:
- type: standard
-  ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
-packages:
- name: tinygo-org/tinygo@v0.33.0
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0
--- a/docs/commercial/compare.md
+++ b/docs/commercial/compare.md
@@ -66,7 +66,7 @@ If you'd like to learn more or request a demo, [click here to contact us](./cont

 | Feature | Trivy OSS | Aqua |
 | --- | --- | --- |
-| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
+| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
 | Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
 | Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
 | Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
--- a/docs/community/contribute/checks/overview.md
+++ b/docs/community/contribute/checks/overview.md
@@ -80,7 +80,7 @@ The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `bu

 ## Generating an ID

-Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID. 
+Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID. 

 Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule. 

--- a/docs/community/contribute/checks/service-support.md
+++ b/docs/community/contribute/checks/service-support.md
@@ -57,7 +57,7 @@ type AWS struct {

 ### Update Adapters

-Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
+Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).

 Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)

--- a/docs/community/contribute/discussion.md
+++ b/docs/community/contribute/discussion.md
@@ -24,7 +24,7 @@ There are 4 categories:
    If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".

 ## False detection
-Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
+Trivy depends on [multiple data sources](https://trivy.dev/latest/docs/scanner/vulnerability/#data-sources).
 Sometime these databases contain mistakes.

 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
--- a/docs/community/maintainer/release-flow.md
+++ b/docs/community/maintainer/release-flow.md
@@ -12,6 +12,11 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
    Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
    To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).

+!!! tip
+    It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review.
+    They can be found in the "Security" tab of the repository.
+    If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
+
 ## Flow
 The release flow consists of the following main steps:

@@ -74,8 +79,18 @@ Replace URLs with appropriate ones.

 Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0

+### Merging the auto-generated Helm chart update PR
+Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen [here](https://github.com/aquasecurity/trivy/pull/8638).
+
+> [!NOTE]  
+> It is possible that the release action takes a while to finish and the Helm chart action runs prior. In such a case the Helm chart action will fail as it will not be able to find the latest Trivy container image.
+> In such a case, it is advised to manually restart the Helm chart action, once the release action is finished.
+
+If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
+
+
+The release is now complete 🍻

-The release is now complete.

 [conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
 [release-please]: https://github.com/googleapis/release-please
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -10,7 +10,7 @@ External Resource | Feature | Details
 Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
 Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
 Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
-VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
+VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo.md)
 Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)

 !!! note
--- a/docs/docs/advanced/modules.md
+++ b/docs/docs/advanced/modules.md
@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating

 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language supporting WebAssembly.
-  - It supports only [TinyGo][tinygo] at the moment.
+  - It supports only Go at the moment.

 You can write your own detection logic.

@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
 ```

 ## Building Modules
-It supports TinyGo only at the moment.
+It supports Go only at the moment.

-### TinyGo
+### Go
 Trivy provides Go SDK including three interfaces.
 Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.

@@ -113,7 +113,7 @@ type Analyzer interface {

 type PostScanner interface {
    PostScanSpec() serialize.PostScanSpec
-    PostScan(serialize.Results) (serialize.Results, error)
+    PostScan(types.Results) (types.Results, error)
 }
 ```

@@ -142,6 +142,9 @@ const (
    name = "wordpress-module"
 )

+// main is required for Go to compile the Wasm module
+func main() {}  
+
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
@@ -203,7 +206,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
    }
 	
    return &serialize.AnalysisResult{
-        CustomResources: []serialize.CustomResource{
+        CustomResources: []ftypes.CustomResource{
            {
                Type:     typeWPVersion,
                FilePath: filePath,
@@ -246,7 +249,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
    }
 }

-func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
    // e.g. results
    // [
    //   {
@@ -288,7 +291,7 @@ func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, e

    if vulnerable {
        // Add CVE-2020-36326
-        results = append(results, serialize.Result{
+        results = append(results, types.Result{
            Target: wpPath,
            Class:  types.ClassLangPkg,
 			Type:   "wordpress",
@@ -318,10 +321,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
 If `PostScan` returns an empty, Trivy will not delete anything.

 #### Build
-Follow [the install guide][tinygo-installation] and install TinyGo.
+Follow [the install guide][go-installation] and install Go.

 ```bash
-$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
 ```

 Put the built binary to the module directory that is under the home directory by default.
@@ -347,12 +350,11 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f

 [regexp]: https://github.com/google/re2/wiki/Syntax

-[tinygo]: https://tinygo.org/
 [spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
 [wazero]: https://github.com/tetratelabs/wazero

 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
 [trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress

-[tinygo-installation]: https://tinygo.org/getting-started/install/
+[go-installation]: https://go.dev/doc/install
 [oras]: https://oras.land/cli/
--- a/docs/docs/advanced/self-hosting.md
+++ b/docs/docs/advanced/self-hosting.md
@@ -14,7 +14,7 @@ To host these databases in your own infrastructure:

 ### Make a local copy

-Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
+Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md), [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.

 !!! note
    You will need to keep the databases updated in order to maintain relevant scanning results over time.
@@ -123,10 +123,10 @@ To make a copy of VEX Hub in a location that is accessible to Trivy.

 To configure Trivy to use the local VEX Repository:

-1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
+1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo.md#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
 1. Disable the default VEX Hub repo (`enabled: false`)
-1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo.md#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).

 ### Authentication

-If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
+If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo.md#authentication).
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -35,7 +35,6 @@ For the list of built-in compliance reports, please see the relevant section:

 - [Docker compliance](../target/container_image.md#compliance)
 - [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)

 ## Contribute a Built-in Compliance Report

@@ -166,7 +165,7 @@ Example of how to define command data under [commands folder](https://github.com
  title: kubelet.conf file permissions
  nodeType: worker
  audit: stat -c %a $kubelet.kubeconfig
-  platfroms:
+  platforms:
    - k8s
    - aks
 ```
@@ -181,7 +180,7 @@ make command-id

 #### Command Key

- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
+- Re-use an existing key or specify a new one (make sure key name has no spaces)

 Note: The key value should match the key name evaluated by the Rego check.

@@ -198,7 +197,7 @@ Specify the node type on which the command is supposed to run.

 ### Command Audit

-Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
+Specify here the shell command to be used please make sure to add error suppression (2>/dev/null)

 ### Command Platforms

--- a/docs/docs/compliance/contrib-compliance.md
+++ b/docs/docs/compliance/contrib-compliance.md
@@ -56,7 +56,7 @@ Thus, we can use the information already present:
 ```

 - The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
- The `check` and `severity` are taken from the existing complaince check in the `k8s-cis-1.23.yaml`
+- The `check` and `severity` are taken from the existing compliance check in the `k8s-cis-1.23.yaml`


 #### 2. Referencing a check manually that is not part of the Trivy default checks
--- a/docs/docs/configuration/cache.md
+++ b/docs/docs/configuration/cache.md
@@ -96,11 +96,11 @@ $ trivy server --cache-backend redis://localhost:6379 \
  --redis-key /path/to/key.pem
 ```

-[trivy-db]: ./db.md#vulnerability-database
-[trivy-java-db]: ./db.md#java-index-database
+[trivy-db]: ./db.md
+[trivy-java-db]: ./db.md
 [misconf-checks]: ../scanner/misconfiguration/check/builtin.md
 [boltdb]: https://github.com/etcd-io/bbolt
-[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
+[parallel-run]: https://trivy.dev/{{ git.tag}}/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run

 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files
--- a/docs/docs/configuration/filtering.md
+++ b/docs/docs/configuration/filtering.md
@@ -394,7 +394,7 @@ $ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
 2023-08-31T11:10:27.155+0600	INFO	Vulnerability scanning is enabled
 2023-08-31T11:10:27.155+0600	INFO	Secret scanning is enabled
 2023-08-31T11:10:27.155+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
-2023-08-31T11:10:27.155+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
+2023-08-31T11:10:27.155+0600	INFO	Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection
 2023-08-31T11:10:29.164+0600	INFO	Detected OS: alpine
 2023-08-31T11:10:29.164+0600	INFO	Detecting Alpine vulnerabilities...
 2023-08-31T11:10:29.169+0600	INFO	Number of language-specific files: 1
--- a/docs/docs/configuration/reporting.md
+++ b/docs/docs/configuration/reporting.md
@@ -19,9 +19,152 @@ Trivy supports the following formats:
 |      Secret      |     ✓     |
 |     License      |     ✓     |

+```bash
+$ trivy image -f table golang:1.22.11-alpine3.20
 ```
-$ trivy image -f table golang:1.12-alpine
+
+<details>
+<summary>Result</summary>
+
 ```
+...
+
+Report Summary
+
+┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
+│                   Target                    │   Type   │ Vulnerabilities │ Secrets │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ golang:1.22.11-alpine3.20 (alpine 3.20.5)   │  alpine  │        6        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/bin/go                         │ gobinary │        1        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+...
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/pkg/tool/linux_amd64/vet       │ gobinary │        1        │    -    │
+└─────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
+
+golang:1.22.11-alpine3.20 (alpine 3.20.5)
+
+Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+
+┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
+├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ libcrypto3 │ CVE-2024-12797 │ HIGH     │ fixed  │ 3.3.2-r1          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
+│            │                │          │        │                   │               │ don't abort as expected                                     │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
+│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
+├────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│ libssl3    │ CVE-2024-12797 │ HIGH     │        │                   │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
+│            │                │          │        │                   │               │ don't abort as expected                                     │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
+│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
+├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2025-26519 │ UNKNOWN  │        │ 1.2.5-r0          │ 1.2.5-r1      │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an          │
+│            │                │          │        │                   │               │ out-of-bounds write ......                                  │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-26519                  │
+├────────────┤                │          │        │                   │               │                                                             │
+│ musl-utils │                │          │        │                   │               │                                                             │
+│            │                │          │        │                   │               │                                                             │
+│            │                │          │        │                   │               │                                                             │
+└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+usr/local/go/bin/go (gobinary)
+
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
+┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
+├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
+│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
+│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
+└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+...
+```
+
+</details>
+
+#### Table mode
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports the following modes for `table` format:
+
+|             Mode             | Enabled by default |
+|:----------------------------:|:-----------------:|
+|  [summary](#summary-table)   |       ✓[^1]       |
+| [detailed](#detailed-tables) |         ✓         |
+
+You can use `--table-mode` flag to enable/disable table mode(s). 
+
+
+##### Summary table
+Summary table contains general information about the scan performed.
+
+Nuances of table contents:
+
+- Table includes columns for enabled [scanners](../references/terminology.md#scanner) only. Use `--scanners` flag to enable/disable scanners.
+- Table includes separate lines for the same targets but different scanners.
+    - `-` means that the scanner didn't scan this target.
+    - `0` means that the scanner scanned this target, but found no security issues.
+
+<details>
+<summary>Report Summary</summary>
+
+```
+┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
+│        Target         │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ test (alpine 3.20.3)  │   alpine   │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │    jar     │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ app/Dockerfile        │ dockerfile │        -        │         2         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        0        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        -        │         -         │    1    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ OS Packages           │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │     -      │        -        │         -         │    -    │    0     │
+└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
+```
+
+</details>
+
+##### Detailed tables
+Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
+
+<details>
+<summary>Detailed tables</summary>
+
+```
+
+usr/local/go/bin/go (gobinary)
+
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
+┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
+├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
+│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
+│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
+└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+```
+</details>

 #### Show origins of vulnerable dependencies

@@ -124,22 +267,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 $ trivy image -f json -o results.json alpine:latest
 ```

-<details>
-<summary>Result</summary>
-
-```
-2024-12-26T22:01:18+05:30	INFO	[vuln] Vulnerability scanning is enabled
-2024-12-26T22:01:18+05:30	INFO	[secret] Secret scanning is enabled
-2024-12-26T22:01:18+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
-2024-12-26T22:01:18+05:30	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
-2024-12-26T22:01:18+05:30	INFO	Detected OS	family="alpine" version="3.20.3"
-2024-12-26T22:01:18+05:30	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=14
-2024-12-26T22:01:18+05:30	INFO	Number of language-specific files	num=0
-2024-12-26T22:01:18+05:30	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
-```
-
-</details>
-
 <details>
 <summary>JSON</summary>

@@ -534,3 +661,5 @@ $ trivy convert --format table --severity CRITICAL result.json
 [sbt-lockfile]: ../coverage/language/java.md#sbt
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries
+
+[^1]: To show summary table in `convert` mode - you need to enable the scanners used during JSON report generation.
--- a/docs/docs/coverage/language/golang.md
+++ b/docs/docs/coverage/language/golang.md
@@ -100,7 +100,7 @@ $ trivy rootfs ./your_binary
    It doesn't work with UPX-compressed binaries.

 ### Main Module
-Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefor are detected by Trivy.
+Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefore are detected by Trivy.
 In other cases, Go uses the `(devel)` version[^2].
 In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
 If unsuccessful, the version will be empty[^3].
--- a/docs/docs/coverage/language/python.md
+++ b/docs/docs/coverage/language/python.md
@@ -54,7 +54,8 @@ keyring >= 4.1.1            # Minimum version 4.1.1
 Mopidy-Dirble ~= 1.1        # Minimum version 1.1
 python-gitlab==2.0.*        # Minimum version 2.0.0
 ```
-Also, there is a way to convert unsupported version specifiers - use the `pip  freeze` command.
+Also, there is a way to convert unsupported version specifiers - use either the `pip-compile` tool (which doesn't install the packages)
+or call `pip freeze` from the virtual environment where the requirements are already installed.

 ```bash
 $ cat requirements.txt 
@@ -81,7 +82,8 @@ wheel==0.42.0
 `requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies.
 Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.

-To detect transitive dependencies as well, you need to generate `requirements.txt` with `pip freeze`.
+To detect transitive dependencies as well, you need to generate `requirements.txt` that contains them.
+Like described above, tou can do it with `pip freeze` or `pip-compile`.

 ```zsh
 $ cat requirements.txt # it will only find `requests@2.28.2`.
--- a/docs/docs/coverage/language/ruby.md
+++ b/docs/docs/coverage/language/ruby.md
@@ -1,7 +1,7 @@
 # Ruby

 Trivy supports [Bundler][bundler] and [RubyGems][rubygems].
-The following scanners are supported for Cargo.
+The following scanners are supported for Bundler and RubyGems.

 | Package manager | SBOM | Vulnerability | License |
 |-----------------|:----:|:-------------:|:-------:|
--- a/docs/docs/references/abbreviations.md
+++ b/docs/docs/references/abbreviations.md
@@ -0,0 +1,56 @@
+# Abbreviation List
+
+This list compiles words that frequently appear in CLI flags or configuration files and are commonly abbreviated in industry and OSS communities.
+Trivy may use the abbreviation in place of the full spelling for flag names.
+It is also acceptable to add even shorter aliases if needed.
+
+Words not included in this list should be spelled out in full when used in flags.
+
+This list is intentionally limited to the most common and widely recognized abbreviations.
+Excessive use of abbreviations in CLI flags can hinder initial user understanding and create a steeper learning curve.
+
+!!! note
+    This list serves as a guideline rather than a strict requirement.
+    Its purpose is to maintain consistency across the project when naming flags and configuration options.
+    While we strive to follow these abbreviations, there may be exceptions where context or clarity demands a different approach.
+
+## Scope
+This list focuses on abbreviations of single words commonly used in technical contexts. It does not include:
+
+1. Acronyms formed from the initial letters of multiple words (e.g., OS for Operating System, HTTP for Hypertext Transfer Protocol)
+2. Domain-specific terminology that already has standardized short forms
+3. Brand names or product-specific abbreviations
+
+The abbreviations listed here are primarily intended for CLI flags, configuration keys, and similar technical interfaces where brevity is valued while maintaining clarity.
+
+## Example
+For a flag containing multiple words, only abbreviate words that appear in this list.
+For instance, in `--database-repository`, "database" is in the list so it should be abbreviated to "db", but "repository" is not in the list so it must be spelled out completely.
+The correct flag name would be `--db-repository`.
+It's acceptable to add a shorter alias like `--db-repo` if desired.
+
+## List
+
+| Full Name         | Default Abbreviation | Examples                                                  |
+|-------------------|----------------------|-----------------------------------------------------------|
+| application       | app                  | `--app-name`, `--app-mode`                                |
+| authentication    | auth                 | `--auth-method`, `--auth-token`                           |
+| authorization     | authz                | `--authz-rule`, `--authz-policy`                          |
+| command           | cmd                  | `--cmd-option`, `--cmd-args`                              |
+| configuration     | config               | `--config`, `--config-dir`                                |
+| database          | db                   | `--db-repository`, `--db-user`, `--db-pass`               |
+| development       | dev                  | `--dev-dependencies`, `--dev-mode`                        |
+| directory         | dir                  | `--dir-path`, `--output-dir`                              |
+| environment       | env                  | `--env-file`, `--env-vars`                                |
+| information       | info                 | `--info-level`, `--show-info`                             |
+| initialization    | init                 | `--init-script`, `--init-config`                          |
+| library           | lib                  | `--lib-path`, `--lib-dir`                                 |
+| maximum           | max                  | `--max-image-size`, `--max-depth`                         |
+| minimum           | min                  | `--min-value`, `--min-severity`                           |
+| misconfiguration  | misconfig            | `--misconfig-scanners`                                    |
+| package           | pkg                  | `--pkg-types`                                             |
+| production        | prod                 | `--prod-env`, `--prod-deploy`                             |
+| specification     | spec                 | `--spec-file`, `--spec-version`                           |
+| temporary         | tmp                  | `--tmp-dir`, `--tmp-file`                                 |
+| utility           | util                 | `--util-script`, `--util-name`                            |
+| vulnerability     | vuln                 | `--vuln-scan`, `--vuln-report`                            |
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -21,7 +21,18 @@ trivy config [flags] DIR
      --enable-modules strings            [EXPERIMENTAL] module names to enable
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                     format
+                                          Allowed values:
+                                            - table
+                                            - json
+                                            - template
+                                            - sarif
+                                            - cyclonedx
+                                            - spdx
+                                            - spdx-json
+                                            - github
+                                            - cosign-vuln
+                                           (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -45,11 +56,20 @@ trivy config [flags] DIR
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
-      --report string                     specify a compliance report format for the output (all,summary) (default "all")
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --skip-check-update                 skip fetching rego check updates
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_convert.md
+++ b/docs/docs/references/configuration/cli/trivy_convert.md
@@ -22,16 +22,36 @@ trivy convert [flags] RESULT_JSON
      --dependency-tree            [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --exit-code int              specify exit code when any security issues are found
      --exit-on-eol int            exit with the specified code when the OS reaches end of service/life
-  -f, --format string              format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string              format
+                                   Allowed values:
+                                     - table
+                                     - json
+                                     - template
+                                     - sarif
+                                     - cyclonedx
+                                     - spdx
+                                     - spdx-json
+                                     - github
+                                     - cosign-vuln
+                                    (default "table")
  -h, --help                       help for convert
      --ignore-policy string       specify the Rego file path to evaluate each vulnerability
      --ignorefile string          specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
  -o, --output string              output file name
      --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
-      --report string              specify a report format for the output (all,summary) (default "all")
-  -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --report string              specify a report format for the output (allowed values: all,summary) (default "all")
+      --scanners strings           List of scanners included when generating the json report. Used only for rendering the summary table. (allowed values: vuln,misconfig,secret,license)
+  -s, --severity strings           severities of security issues to be displayed
+                                   Allowed values:
+                                     - UNKNOWN
+                                     - LOW
+                                     - MEDIUM
+                                     - HIGH
+                                     - CRITICAL
+                                    (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
+      --table-mode strings         [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string            output template
 ```

--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -34,14 +34,25 @@ trivy filesystem [flags] PATH
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                           (precise,comprehensive) (default "precise")
+                                           (allowed values: precise,comprehensive) (default "precise")
      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                     format
+                                          Allowed values:
+                                            - table
+                                            - json
+                                            - template
+                                            - sarif
+                                            - cyclonedx
+                                            - spdx
+                                            - spdx-json
+                                            - github
+                                            - cosign-vuln
+                                           (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -50,7 +61,16 @@ trivy filesystem [flags] PATH
      --helm-values strings               specify paths to override the Helm values.yaml files
  -h, --help                              help for filesystem
      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings             comma-separated list of vulnerability status to ignore
+                                          Allowed values:
+                                            - unknown
+                                            - not_affected
+                                            - affected
+                                            - fixed
+                                            - under_investigation
+                                            - will_not_fix
+                                            - fix_deferred
+                                            - end_of_life
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignored-licenses strings          specify a list of license to ignore
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
@@ -70,20 +90,35 @@ trivy filesystem [flags] PATH
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings                 list of package types (os,library) (default [os,library])
+      --pkg-relationships strings         list of package relationships
+                                          Allowed values:
+                                            - unknown
+                                            - root
+                                            - workspace
+                                            - direct
+                                            - indirect
+                                           (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings                 list of package types (allowed values: os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --report string                     specify a compliance report format for the output (all,summary) (default "all")
-      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
@@ -91,6 +126,7 @@ trivy filesystem [flags] PATH
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
@@ -99,6 +135,37 @@ trivy filesystem [flags] PATH
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
+                                          Allowed values:
+                                            - nvd
+                                            - redhat
+                                            - redhat-oval
+                                            - debian
+                                            - ubuntu
+                                            - alpine
+                                            - amazon
+                                            - oracle-oval
+                                            - suse-cvrf
+                                            - photon
+                                            - arch-linux
+                                            - alma
+                                            - rocky
+                                            - cbl-mariner
+                                            - azure
+                                            - ruby-advisory-db
+                                            - php-security-advisories
+                                            - nodejs-security-wg
+                                            - ghsa
+                                            - glad
+                                            - aqua
+                                            - osv
+                                            - k8s
+                                            - wolfi
+                                            - chainguard
+                                            - bitnami
+                                            - govulndb
+                                            - auto
+                                           (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -38,7 +38,7 @@ trivy image [flags] IMAGE_NAME
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
-      --compliance string                 compliance report to generate (docker-cis-1.6.0)
+      --compliance string                 compliance report to generate (allowed values: docker-cis-1.6.0)
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -48,7 +48,7 @@ trivy image [flags] IMAGE_NAME
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                           (precise,comprehensive) (default "precise")
+                                           (allowed values: precise,comprehensive) (default "precise")
      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --docker-host string                unix domain socket path to use for docker scanning
      --download-db-only                  download/update vulnerability database but don't run a scan
@@ -57,7 +57,18 @@ trivy image [flags] IMAGE_NAME
      --exit-code int                     specify exit code when any security issues are found
      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                     format
+                                          Allowed values:
+                                            - table
+                                            - json
+                                            - template
+                                            - sarif
+                                            - cyclonedx
+                                            - spdx
+                                            - spdx-json
+                                            - github
+                                            - cosign-vuln
+                                           (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -66,12 +77,21 @@ trivy image [flags] IMAGE_NAME
      --helm-values strings               specify paths to override the Helm values.yaml files
  -h, --help                              help for image
      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings             comma-separated list of vulnerability status to ignore
+                                          Allowed values:
+                                            - unknown
+                                            - not_affected
+                                            - affected
+                                            - fixed
+                                            - under_investigation
+                                            - will_not_fix
+                                            - fix_deferred
+                                            - end_of_life
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignored-licenses strings          specify a list of license to ignore
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --image-config-scanners strings     comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
-      --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
+      --image-config-scanners strings     comma-separated list of what security issues to detect on container image configurations (allowed values: misconfig,secret)
+      --image-src strings                 image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
      --include-deprecated-checks         include deprecated checks
      --include-non-failures              include successes, available with '--scanners misconfig'
      --input string                      input file path instead of image name
@@ -89,8 +109,15 @@ trivy image [flags] IMAGE_NAME
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings                 list of package types (os,library) (default [os,library])
+      --pkg-relationships strings         list of package relationships
+                                          Allowed values:
+                                            - unknown
+                                            - root
+                                            - workspace
+                                            - direct
+                                            - indirect
+                                           (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings                 list of package types (allowed values: os,library) (default [os,library])
      --platform string                   set platform in the form os/arch if image is multi-platform capable
      --podman-host string                unix podman socket path to use for podman scanning
      --redis-ca string                   redis ca file location, if using redis as cache backend
@@ -100,12 +127,20 @@ trivy image [flags] IMAGE_NAME
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
-      --report string                     specify a format for the compliance report. (all,summary) (default "summary")
-      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --report string                     specify a format for the compliance report. (allowed values: all,summary) (default "summary")
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
@@ -113,6 +148,7 @@ trivy image [flags] IMAGE_NAME
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
@@ -120,6 +156,37 @@ trivy image [flags] IMAGE_NAME
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
+                                          Allowed values:
+                                            - nvd
+                                            - redhat
+                                            - redhat-oval
+                                            - debian
+                                            - ubuntu
+                                            - alpine
+                                            - amazon
+                                            - oracle-oval
+                                            - suse-cvrf
+                                            - photon
+                                            - arch-linux
+                                            - alma
+                                            - rocky
+                                            - cbl-mariner
+                                            - azure
+                                            - ruby-advisory-db
+                                            - php-security-advisories
+                                            - nodejs-security-wg
+                                            - ghsa
+                                            - glad
+                                            - aqua
+                                            - osv
+                                            - k8s
+                                            - wolfi
+                                            - chainguard
+                                            - bitnami
+                                            - govulndb
+                                            - auto
+                                           (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -34,7 +34,14 @@ trivy kubernetes [flags] [CONTEXT]
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
-      --compliance string                 compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
+      --compliance string                 compliance report to generate
+                                          Allowed values:
+                                            - k8s-nsa-1.0
+                                            - k8s-cis-1.23
+                                            - eks-cis-1.4
+                                            - rke2-cis-1.24
+                                            - k8s-pss-baseline-0.1
+                                            - k8s-pss-restricted-0.1
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -43,7 +50,7 @@ trivy kubernetes [flags] [CONTEXT]
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                           (precise,comprehensive) (default "precise")
+                                           (allowed values: precise,comprehensive) (default "precise")
      --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
@@ -54,7 +61,7 @@ trivy kubernetes [flags] [CONTEXT]
      --exclude-owned                     exclude resources that have an owner reference
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,cyclonedx) (default "table")
+  -f, --format string                     format (allowed values: table,json,cyclonedx) (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -63,10 +70,19 @@ trivy kubernetes [flags] [CONTEXT]
      --helm-values strings               specify paths to override the Helm values.yaml files
  -h, --help                              help for kubernetes
      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings             comma-separated list of vulnerability status to ignore
+                                          Allowed values:
+                                            - unknown
+                                            - not_affected
+                                            - affected
+                                            - fixed
+                                            - under_investigation
+                                            - will_not_fix
+                                            - fix_deferred
+                                            - end_of_life
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
+      --image-src strings                 image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
      --include-deprecated-checks         include deprecated checks
      --include-kinds strings             indicate the kinds included in scanning (example: node)
      --include-namespaces strings        indicate the namespaces included in scanning (example: kube-system)
@@ -85,8 +101,15 @@ trivy kubernetes [flags] [CONTEXT]
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings                 list of package types (os,library) (default [os,library])
+      --pkg-relationships strings         list of package relationships
+                                          Allowed values:
+                                            - unknown
+                                            - root
+                                            - workspace
+                                            - direct
+                                            - indirect
+                                           (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings                 list of package types (allowed values: os,library) (default [os,library])
      --qps float                         specify the maximum QPS to the master from this client (default 5)
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -94,11 +117,19 @@ trivy kubernetes [flags] [CONTEXT]
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --report string                     specify a report format for the output (all,summary) (default "all")
-      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --report string                     specify a report format for the output (allowed values: all,summary) (default "all")
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
@@ -113,6 +144,37 @@ trivy kubernetes [flags] [CONTEXT]
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
+                                          Allowed values:
+                                            - nvd
+                                            - redhat
+                                            - redhat-oval
+                                            - debian
+                                            - ubuntu
+                                            - alpine
+                                            - amazon
+                                            - oracle-oval
+                                            - suse-cvrf
+                                            - photon
+                                            - arch-linux
+                                            - alma
+                                            - rocky
+                                            - cbl-mariner
+                                            - azure
+                                            - ruby-advisory-db
+                                            - php-security-advisories
+                                            - nodejs-security-wg
+                                            - ghsa
+                                            - glad
+                                            - aqua
+                                            - osv
+                                            - k8s
+                                            - wolfi
+                                            - chainguard
+                                            - bitnami
+                                            - govulndb
+                                            - auto
+                                           (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -34,13 +34,24 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                           (precise,comprehensive) (default "precise")
+                                           (allowed values: precise,comprehensive) (default "precise")
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                     format
+                                          Allowed values:
+                                            - table
+                                            - json
+                                            - template
+                                            - sarif
+                                            - cyclonedx
+                                            - spdx
+                                            - spdx-json
+                                            - github
+                                            - cosign-vuln
+                                           (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -49,7 +60,16 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --helm-values strings               specify paths to override the Helm values.yaml files
  -h, --help                              help for repository
      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings             comma-separated list of vulnerability status to ignore
+                                          Allowed values:
+                                            - unknown
+                                            - not_affected
+                                            - affected
+                                            - fixed
+                                            - under_investigation
+                                            - will_not_fix
+                                            - fix_deferred
+                                            - end_of_life
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignored-licenses strings          specify a list of license to ignore
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
@@ -69,19 +89,34 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings                 list of package types (os,library) (default [os,library])
+      --pkg-relationships strings         list of package relationships
+                                          Allowed values:
+                                            - unknown
+                                            - root
+                                            - workspace
+                                            - direct
+                                            - indirect
+                                           (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings                 list of package types (allowed values: os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
@@ -89,6 +124,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
      --tag string                        pass the tag name to be scanned
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
@@ -98,6 +134,37 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
+                                          Allowed values:
+                                            - nvd
+                                            - redhat
+                                            - redhat-oval
+                                            - debian
+                                            - ubuntu
+                                            - alpine
+                                            - amazon
+                                            - oracle-oval
+                                            - suse-cvrf
+                                            - photon
+                                            - arch-linux
+                                            - alma
+                                            - rocky
+                                            - cbl-mariner
+                                            - azure
+                                            - ruby-advisory-db
+                                            - php-security-advisories
+                                            - nodejs-security-wg
+                                            - ghsa
+                                            - glad
+                                            - aqua
+                                            - osv
+                                            - k8s
+                                            - wolfi
+                                            - chainguard
+                                            - bitnami
+                                            - govulndb
+                                            - auto
+                                           (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -36,7 +36,7 @@ trivy rootfs [flags] ROOTDIR
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                           (precise,comprehensive) (default "precise")
+                                           (allowed values: precise,comprehensive) (default "precise")
      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
@@ -44,7 +44,18 @@ trivy rootfs [flags] ROOTDIR
      --exit-code int                     specify exit code when any security issues are found
      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                     format
+                                          Allowed values:
+                                            - table
+                                            - json
+                                            - template
+                                            - sarif
+                                            - cyclonedx
+                                            - spdx
+                                            - spdx-json
+                                            - github
+                                            - cosign-vuln
+                                           (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -53,7 +64,16 @@ trivy rootfs [flags] ROOTDIR
      --helm-values strings               specify paths to override the Helm values.yaml files
  -h, --help                              help for rootfs
      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings             comma-separated list of vulnerability status to ignore
+                                          Allowed values:
+                                            - unknown
+                                            - not_affected
+                                            - affected
+                                            - fixed
+                                            - under_investigation
+                                            - will_not_fix
+                                            - fix_deferred
+                                            - end_of_life
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignored-licenses strings          specify a list of license to ignore
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
@@ -72,19 +92,34 @@ trivy rootfs [flags] ROOTDIR
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                    password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings                 list of package types (os,library) (default [os,library])
+      --pkg-relationships strings         list of package relationships
+                                          Allowed values:
+                                            - unknown
+                                            - root
+                                            - workspace
+                                            - direct
+                                            - indirect
+                                           (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings                 list of package types (allowed values: os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
@@ -92,6 +127,7 @@ trivy rootfs [flags] ROOTDIR
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
@@ -100,6 +136,37 @@ trivy rootfs [flags] ROOTDIR
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
+                                          Allowed values:
+                                            - nvd
+                                            - redhat
+                                            - redhat-oval
+                                            - debian
+                                            - ubuntu
+                                            - alpine
+                                            - amazon
+                                            - oracle-oval
+                                            - suse-cvrf
+                                            - photon
+                                            - arch-linux
+                                            - alma
+                                            - rocky
+                                            - cbl-mariner
+                                            - azure
+                                            - ruby-advisory-db
+                                            - php-security-advisories
+                                            - nodejs-security-wg
+                                            - ghsa
+                                            - glad
+                                            - aqua
+                                            - osv
+                                            - k8s
+                                            - wolfi
+                                            - chainguard
+                                            - bitnami
+                                            - govulndb
+                                            - auto
+                                           (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_sbom.md
+++ b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -28,17 +28,37 @@ trivy sbom [flags] SBOM_PATH
      --detection-priority string      specify the detection priority:
                                         - "precise": Prioritizes precise by minimizing false positives.
                                         - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                      (precise,comprehensive) (default "precise")
+                                        (allowed values: precise,comprehensive) (default "precise")
      --distro string                  [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only               download/update vulnerability database but don't run a scan
      --download-java-db-only          download/update Java index database but don't run a scan
      --exit-code int                  specify exit code when any security issues are found
      --exit-on-eol int                exit with the specified code when the OS reaches end of service/life
      --file-patterns strings          specify config file patterns
-  -f, --format string                format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                  format
+                                       Allowed values:
+                                         - table
+                                         - json
+                                         - template
+                                         - sarif
+                                         - cyclonedx
+                                         - spdx
+                                         - spdx-json
+                                         - github
+                                         - cosign-vuln
+                                        (default "table")
  -h, --help                           help for sbom
      --ignore-policy string           specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings        comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings          comma-separated list of vulnerability status to ignore
+                                       Allowed values:
+                                         - unknown
+                                         - not_affected
+                                         - affected
+                                         - fixed
+                                         - under_investigation
+                                         - will_not_fix
+                                         - fix_deferred
+                                         - end_of_life
      --ignore-unfixed                 display only fixed vulnerabilities
      --ignored-licenses strings       specify a list of license to ignore
      --ignorefile string              specify .trivyignore file (default ".trivyignore")
@@ -50,29 +70,75 @@ trivy sbom [flags] SBOM_PATH
      --output-plugin-arg string       [EXPERIMENTAL] output plugin arguments
      --password strings               password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin                 password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings    list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings            list of package types (os,library) (default [os,library])
+      --pkg-relationships strings      list of package relationships
+                                       Allowed values:
+                                         - unknown
+                                         - root
+                                         - workspace
+                                         - direct
+                                         - indirect
+                                        (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings              list of package types (allowed values: os,library) (default [os,library])
      --redis-ca string                redis ca file location, if using redis as cache backend
      --redis-cert string              redis certificate file location, if using redis as cache backend
      --redis-key string               redis key file location, if using redis as cache backend
      --redis-tls                      enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string          registry token
      --rekor-url string               [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings         [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings             comma-separated list of what security issues to detect (vuln,license) (default [vuln])
+      --sbom-sources strings           [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings               comma-separated list of what security issues to detect (allowed values: vuln,license) (default [vuln])
      --server string                  server address in client mode
-  -s, --severity strings             severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings               severities of security issues to be displayed
+                                       Allowed values:
+                                         - UNKNOWN
+                                         - LOW
+                                         - MEDIUM
+                                         - HIGH
+                                         - CRITICAL
+                                        (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-db-update                 skip updating vulnerability database
      --skip-dirs strings              specify the directories or glob patterns to skip
      --skip-files strings             specify the files or glob patterns to skip
      --skip-java-db-update            skip updating Java index database
      --skip-vex-repo-update           [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings             [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string                output template
      --token string                   for authentication in client/server mode
      --token-header string            specify a header name for token in client/server mode (default "Trivy-Token")
      --username strings               username. Comma-separated usernames allowed.
      --vex strings                    [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings   order of data sources for selecting vulnerability severity level
+                                       Allowed values:
+                                         - nvd
+                                         - redhat
+                                         - redhat-oval
+                                         - debian
+                                         - ubuntu
+                                         - alpine
+                                         - amazon
+                                         - oracle-oval
+                                         - suse-cvrf
+                                         - photon
+                                         - arch-linux
+                                         - alma
+                                         - rocky
+                                         - cbl-mariner
+                                         - azure
+                                         - ruby-advisory-db
+                                         - php-security-advisories
+                                         - nodejs-security-wg
+                                         - ghsa
+                                         - glad
+                                         - aqua
+                                         - osv
+                                         - k8s
+                                         - wolfi
+                                         - chainguard
+                                         - bitnami
+                                         - govulndb
+                                         - auto
+                                        (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -32,7 +32,7 @@ trivy vm [flags] VM_IMAGE
      --detection-priority string         specify the detection priority:
                                            - "precise": Prioritizes precise by minimizing false positives.
                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                           (precise,comprehensive) (default "precise")
+                                           (allowed values: precise,comprehensive) (default "precise")
      --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
@@ -40,7 +40,18 @@ trivy vm [flags] VM_IMAGE
      --exit-code int                     specify exit code when any security issues are found
      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
      --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -f, --format string                     format
+                                          Allowed values:
+                                            - table
+                                            - json
+                                            - template
+                                            - sarif
+                                            - cyclonedx
+                                            - spdx
+                                            - spdx-json
+                                            - github
+                                            - cosign-vuln
+                                           (default "table")
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -49,7 +60,16 @@ trivy vm [flags] VM_IMAGE
      --helm-values strings               specify paths to override the Helm values.yaml files
  -h, --help                              help for vm
      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-status strings             comma-separated list of vulnerability status to ignore
+                                          Allowed values:
+                                            - unknown
+                                            - not_affected
+                                            - affected
+                                            - fixed
+                                            - under_investigation
+                                            - will_not_fix
+                                            - fix_deferred
+                                            - end_of_life
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-non-failures              include successes, available with '--scanners misconfig'
@@ -62,29 +82,76 @@ trivy vm [flags] VM_IMAGE
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
-      --pkg-relationships strings         list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings                 list of package types (os,library) (default [os,library])
+      --pkg-relationships strings         list of package relationships
+                                          Allowed values:
+                                            - unknown
+                                            - root
+                                            - workspace
+                                            - direct
+                                            - indirect
+                                           (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings                 list of package types (allowed values: os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+  -s, --severity strings                  severities of security issues to be displayed
+                                          Allowed values:
+                                            - UNKNOWN
+                                            - LOW
+                                            - MEDIUM
+                                            - HIGH
+                                            - CRITICAL
+                                           (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
+                                          Allowed values:
+                                            - nvd
+                                            - redhat
+                                            - redhat-oval
+                                            - debian
+                                            - ubuntu
+                                            - alpine
+                                            - amazon
+                                            - oracle-oval
+                                            - suse-cvrf
+                                            - photon
+                                            - arch-linux
+                                            - alma
+                                            - rocky
+                                            - cbl-mariner
+                                            - azure
+                                            - ruby-advisory-db
+                                            - php-security-advisories
+                                            - nodejs-security-wg
+                                            - ghsa
+                                            - glad
+                                            - aqua
+                                            - osv
+                                            - k8s
+                                            - wolfi
+                                            - chainguard
+                                            - bitnami
+                                            - govulndb
+                                            - auto
+                                           (default [auto])
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -409,6 +409,9 @@ misconfiguration:
  # Same as '--include-non-failures'
  include-non-failures: false

+  # Same as '--render-cause'
+  render-cause: []
+
  # Same as '--misconfig-scanners'
  scanners:
   - azure-arm
@@ -550,6 +553,11 @@ severity:
 - HIGH
 - CRITICAL

+# Same as '--table-mode'
+table-mode:
+ - summary
+ - detailed
+
 # Same as '--template'
 template: ""

@@ -623,6 +631,10 @@ vulnerability:
  # Same as '--ignore-unfixed'
  ignore-unfixed: false

+  # Same as '--vuln-severity-source'
+  severity-source:
+   - auto
+
  # Same as '--skip-vex-repo-update'
  skip-vex-repo-update: false

--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -277,5 +277,5 @@ $ trivy clean --all
 ```

 [air-gapped]: ../advanced/air-gap.md
-[network]: ../advanced/air-gap.md#network-requirements
+[network]: ../advanced/air-gap.md#connectivity-requirements
 [redis-cache]: ../configuration/cache.md#redis
--- a/docs/docs/scanner/license.md
+++ b/docs/docs/scanner/license.md
@@ -23,7 +23,7 @@ To enable extended license scanning, you can use `--license-full`.
 In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.

 By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier.
-To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifer. 
+To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifier. 

 !!! note
    The full license scanning is expensive. It takes a while.
--- a/docs/docs/scanner/misconfiguration/custom/index.md
+++ b/docs/docs/scanner/misconfiguration/custom/index.md
@@ -149,7 +149,7 @@ Services are defined within a provider. For instance, RDS is a service and AWS i

 #### custom.input

-The `input` tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the `selector` input, and should always use the `type` selector with `cloud`. Check targeting Kubernetes yaml can use `kubenetes`, RBAC can use `rbac`, and so on.
+The `input` tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the `selector` input, and should always use the `type` selector with `cloud`. Check targeting Kubernetes yaml can use `kubernetes`, RBAC can use `rbac`, and so on.

 #### Subtypes in the custom data

--- a/docs/docs/scanner/misconfiguration/index.md
+++ b/docs/docs/scanner/misconfiguration/index.md
@@ -407,7 +407,7 @@ If the schema is specified in the check metadata and is in the directory specifi
    If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.

 !!! tip
-    It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
+    It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma separated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.


 ### Passing custom data
--- a/docs/docs/scanner/vulnerability.md
+++ b/docs/docs/scanner/vulnerability.md
@@ -345,6 +345,30 @@ However, in some cases, you may want to scan an image with a different OS versio
 Also, you may want to specify the OS version when OS is not detected.
 For these cases, Trivy supports a `--distro` flag using the `<family>/<version>` format (e.g. `alpine/3.20`) to set the desired OS version.

+### Severity selection
+By default, Trivy automatically detects severity (as described [here](#severity-selection)).
+But there are cases when you may want to use your own source priority. Trivy supports the `--vuln-severity-source` flag for this.
+
+Fill in a list of required sources, and Trivy will check the sources in that order until it finds an existing severity.
+If no source has the severity - Trivy will use the `UNKNOWN` severity.
+
+!!! note
+    To use the default logic in combination with your sources - use the `auto` value.
+
+Example logic for the following vendor severity levels when scanning an Alpine image:
+
+```json
+"VendorSeverity": {
+  "ghsa": 3,
+  "nvd": 4,
+}
+```
+
+- `--vuln-severity-source auto,nvd` - severity is `CRITICAL`, got from `auto`.
+- `--vuln-severity-source alpine,auto` - severity is `CRITICAL`, got from `auto`.
+- `--vuln-severity-source alpine,ghsa` - severity is `HIGH`, got from `ghsa`.
+- `--vuln-severity-source alpine,alma` - severity is `UNKNOWN`.
+
 [^1]: https://github.com/GoogleContainerTools/distroless

 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
--- a/docs/docs/supply-chain/attestation/rekor.md
+++ b/docs/docs/supply-chain/attestation/rekor.md
@@ -22,7 +22,7 @@ $ trivy image --sbom-sources rekor otms61/alpine:3.7.3
 2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
-2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection
 2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
 2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
 2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
--- a/docs/docs/supply-chain/sbom.md
+++ b/docs/docs/supply-chain/sbom.md
--- a/docs/docs/supply-chain/vex/index.md
+++ b/docs/docs/supply-chain/vex/index.md
@@ -8,11 +8,12 @@ By providing VEX during scanning, it is possible to filter vulnerabilities based

 ## VEX Usage Methods

-Trivy currently supports two methods for utilizing VEX:
+Trivy currently supports four methods for utilizing VEX:

 1. [VEX Repository](./repo.md)
 2. [Local VEX Files](./file.md)
 3. [VEX Attestation](./oci.md)
+4. [SBOM Reference](./sbom-ref.md)

 ### Enabling VEX
 To enable VEX, use the `--vex` option.
@@ -21,6 +22,7 @@ You can specify the method to use:
 - To enable the VEX Repository: `--vex repo`
 - To use a local VEX file: `--vex /path/to/vex-document.json`
 - To enable VEX attestation discovery in OCI registry: `--vex oci`
+- To use remote VEX files referenced in SBOMs: `--vex sbom-ref`

 ```bash
 $ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
--- a/docs/docs/supply-chain/vex/sbom-ref.md
+++ b/docs/docs/supply-chain/vex/sbom-ref.md
@@ -0,0 +1,44 @@
+# VEX SBOM Reference
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Using externally referenced VEX documents
+
+Trivy can discover and download VEX documents referenced in the `externalReferences` of a scanned CycloneDX SBOM. This
+requires the references to be of type `exploitability-statement`.
+
+To be picked up by Trivy, following top level content needs to be part of a CycloneDx SBOM to dynamically resolve a
+remotely hosted file VEX file at the location `https://vex.example.com`:
+
+```
+  "externalReferences": [
+    {
+      "type": "exploitability-statement",
+      "url": "https://vex.example.com/vex"
+    }
+  ]
+```
+
+This can also be used to dynamically retrieve VEX files stored on GitHub with an `externalReference` such as:
+
+```
+  "externalReferences": [
+    {
+      "type": "exploitability-statement",
+      "url": "https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json"
+    }
+  ]
+```
+
+This is not enabled by default at the moment, but can be used when scanning a CycloneDx SBOM and explicitly specifying
+`--vex sbom-ref`.
+
+```shell
+$ trivy sbom trivy.cdx.json --vex sbom-ref
+2025-01-19T13:29:31+01:00       INFO    [vex] Retrieving external VEX document from host vex.example.com type="externalReference"
+2025-01-19T13:29:31+01:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
+```
+
+All the referenced VEX files are retrieved via HTTP/HTTPS and used in the same way as if they were explicitly specified
+via a [file reference](./file.md).
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -144,7 +144,7 @@ See https://avd.aquasec.com/misconfig/ds005

 LOW: Add HEALTHCHECK instruction in your Dockerfile
 ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
-You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
+You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

 See https://avd.aquasec.com/misconfig/ds026
 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@@ -154,7 +154,15 @@ See https://avd.aquasec.com/misconfig/ds026
 !!! tip
    You can see how each layer is created with `docker history`.

-The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
+#### Disabled checks
+
+The following checks are disabled for this scan type due to known issues. See the linked issues for more details.
+
+| Check ID | Reason | Issue |
+|----------|------------|--------|
+| [AVD-DS-0007](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0007/) | This check detects multiple `ENTRYPOINT` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#8364](https://github.com/aquasecurity/trivy/issues/8364) |
+| [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) | This check detects multiple `CMD` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#7368](https://github.com/aquasecurity/trivy/issues/7368) |
+

 ### Secrets
 Trivy detects secrets on the configuration of container images.
@@ -403,9 +411,20 @@ Trivy supports the generation of Software Bill of Materials (SBOM) for container

 ### Generation
 Trivy can generate SBOM for container images.
-See [here](../supply-chain/sbom.md) for the detail.
+See [here](../supply-chain/sbom.md) for details.

-### Discovery
+### Discover SBOM inside container images
+Trivy can search for Software Bill of Materials (SBOMs) within container image files and scan their components for vulnerabilities.
+
+#### Third-party SBOM files
+SBOM specifications define key requirements for component documentation[^2].
+However, different tools and systems often have varying approaches to documenting component types and their relationships.
+
+Due to these variations, Trivy cannot always accurately interpret SBOMs generated by other tools.
+For example, it may have difficulty determining the correct file paths to component information files (such as lock files or binaries).
+In such cases, Trivy uses the path to the scanned SBOM file itself to maintain traceability and ensure accurate dependency reporting.
+
+### Discover SBOM referencing the container image
 Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
 If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
 By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
@@ -491,7 +510,7 @@ $ trivy image --platform=linux/arm alpine:3.16.1
 2022-10-25T21:00:50.972+0300    INFO    Vulnerability scanning is enabled
 2022-10-25T21:00:50.972+0300    INFO    Secret scanning is enabled
 2022-10-25T21:00:50.972+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
-2022-10-25T21:00:50.972+0300    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-10-25T21:00:50.972+0300    INFO    Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection
 2022-10-25T21:00:56.190+0300    INFO    Detected OS: alpine
 2022-10-25T21:00:56.190+0300    INFO    Detecting Alpine vulnerabilities...
 2022-10-25T21:00:56.191+0300    INFO    Number of language-specific files: 0
@@ -551,3 +570,4 @@ Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)
 ```

 [^1]: Trivy uses decimal (SI) prefixes (based on 1000) for size.
+[^2]: SPDX uses `package` instead of `component`.
--- a/docs/docs/target/kubernetes.md
+++ b/docs/docs/target/kubernetes.md
@@ -180,7 +180,7 @@ trivy k8s --report summary --disable-node-collector

 The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)

- `--tolerations  key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
+- `--tolerations  key1=value1:NoExecute,key2=value2:NoSchedule` this flag will enable node-collector to be schedule on tainted Node

 Example:

--- a/docs/docs/target/rootfs.md
+++ b/docs/docs/target/rootfs.md
@@ -13,3 +13,16 @@ $ trivy rootfs /path/to/rootfs
    Rootfs scanning works differently from the Filesystem scanning.
    You should use `trivy fs` to scan your local projects in CI/CD.
    See [here](../scanner/vulnerability.md) for the differences.
+
+## Performance Optimization
+
+By default, Trivy traverses all files from the specified root directory to find target files for scanning.
+However, when you only need to scan specific files with absolute paths, you can avoid this traversal, which makes scanning faster.
+For example, when scanning only OS packages, no full traversal is performed:
+
+```bash
+$ trivy rootfs --pkg-types os --scanners vuln /
+```
+
+When scanning language-specific packages or secrets, traversal is necessary because the location of these files is unknown.
+If you want to exclude specific directories from scanning for better performance, you can use the [--skip-dirs](../configuration/skipping.md) option.
--- a/docs/ecosystem/ide.md
+++ b/docs/ecosystem/ide.md
@@ -58,7 +58,7 @@ Web application that allows to load a Trivy report in json format and displays t

 ## Trivy pre-commit (Community)

-A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting, preventing you from commiting secrets in the first place.
+A trivy pre-commit hook that runs a `trivy fs` in your git repo before committing, preventing you from committing secrets in the first place.

 👉 Get it at: <https://github.com/mxab/pre-commit-trivy>

--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -167,7 +167,7 @@ See their respective documentation for more information of how to install them a
 - [asdf](https://asdf-vm.com/guide/getting-started.html)
 - [mise](https://mise.jdx.dev/getting-started.html)

-The plugin used by both tools is developped [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
+The plugin used by both tools is developed [here](https://github.com/zufardhiyaulhaq/asdf-trivy)


 === "asdf"
--- a/docs/tutorials/misconfiguration/custom-checks.md
+++ b/docs/tutorials/misconfiguration/custom-checks.md
@@ -1,6 +1,6 @@
 # Custom Checks with Rego

-Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/). 
+Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/). 

 This tutorial will walk you through writing a custom check in Rego that checks for an issue in a Dockerfile.

@@ -38,7 +38,7 @@ Next, we need to specify metadata about the check. This is information that help

 Important: The `METADATA` has to be defined on top of the file.

-More information on the different fields in the metadata can be found in the [Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/)
+More information on the different fields in the metadata can be found in the [Trivy documentation.](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/)

 ## Package and imports

@@ -86,7 +86,7 @@ Let's look at the check line by line:
 Note that Rego

 * uses `AND` automatically to combine conditions in this check
-* automatically iterates through the array of commands in the Dockefile and allowed images 
+* automatically iterates through the array of commands in the Dockerfile and allowed images 

 ## Run the check in a Trivy misconfiguration scan

--- a/docs/tutorials/misconfiguration/terraform.md
+++ b/docs/tutorials/misconfiguration/terraform.md
@@ -9,7 +9,7 @@ We have been consolidating all of our scanning-related efforts in one place, and

 ## Trivy Config Command 

-Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/) 
+Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://trivy.dev/latest/docs/scanner/misconfiguration/) 

 Command structure: 
 ``` 
@@ -23,7 +23,7 @@ The `trivy config` command can scan Terraform configuration, CloudFormation, Doc
 - If the configuration that has been defined does not follow best practices, the check will fail.  

 ### Prerequisites 
-Install Trivy on your local machines. The documentation provides several [different installation options.](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) 
+Install Trivy on your local machines. The documentation provides several [different installation options.](https://trivy.dev/latest/getting-started/installation/) 
 This tutorial will use this example [Terraform tutorial](https://github.com/Cloud-Native-Security/trivy-demo/tree/main/bad_iac/terraform) for terraform misconfiguration scanning with Trivy. 

 Git clone the tutorial and cd into the directory: 
@@ -31,7 +31,7 @@ Git clone the tutorial and cd into the directory:
 git clone git@github.com:Cloud-Native-Security/trivy-demo.git
 cd bad_iac/terraform
 ``` 
-In this case, the folder only containes Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically. 
+In this case, the folder only contains Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically. 

 ## Different types of `trivy config` scans 

@@ -83,14 +83,14 @@ trivy config --severity CRITICAL, MEDIUM terraform-infra

 ### Passing tf.tfvars files into `trivy config` scans 

-You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#value-overrides) 
+You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://trivy.dev/latest/docs/coverage/iac/terraform/#value-overrides) 

 ``` 
 trivy config --tf-vars terraform.tfvars ./
 ``` 
 ### Custom Checks 

-We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans. 
+We have lots of examples in the [documentation](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans. 

 ## Secret and vulnerability scans

@@ -100,15 +100,15 @@ The `trivy config` command does not perform secrete and vulnerability checks out
 trivy fs --scanners secret,misconfig ./
 ```

-The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/) 
+The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://trivy.dev/latest/docs/target/filesystem/) 

 ## Scanning Terraform Plan files

-Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.
+Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://trivy.dev/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.

 Note that you need to be able to create a terraform init and plan without any errors. 

 ## Using Trivy in your CI/CD pipeline 
-Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://aquasecurity.github.io/trivy/latest/tutorials/integrations/](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/) 
+Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://trivy.dev/latest/tutorials/integrations/](https://trivy.dev/latest/tutorials/integrations/) 

 
--- a/examples/module/spring4shell/README.md
+++ b/examples/module/spring4shell/README.md
@@ -5,7 +5,7 @@ This module provides a more in-depth investigation of Spring4Shell detection.
 ## Set up

 ```
-$ tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go 
+$ GOOS=wasip1 GOARCH=wasm go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go 
 $ mkdir -p ~/.trivy/modules
 $ cp spring4shell.wasm ~/.trivy/modules
 ```
--- a/examples/module/spring4shell/spring4shell.go
+++ b/examples/module/spring4shell/spring4shell.go
@@ -1,5 +1,5 @@
-//go:generate tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go
-//go:build tinygo.wasm
+//go:generate go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go
+//go:build wasip1

 package main

@@ -13,9 +13,11 @@ import (
 	"strconv"
 	"strings"

+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/module/api"
 	"github.com/aquasecurity/trivy/pkg/module/serialize"
 	"github.com/aquasecurity/trivy/pkg/module/wasm"
+	"github.com/aquasecurity/trivy/pkg/types"
 )

 const (
@@ -29,8 +31,10 @@ var (
 	tomcatVersionRegex = regexp.MustCompile(`Apache Tomcat Version ([\d.]+)`)
 )

-// main is required for TinyGo to compile to Wasm.
-func main() {
+// main is required for Go to compile the Wasm module
+func main() {}
+
+func init() {
 	wasm.RegisterModule(Spring4Shell{})
 }

@@ -95,7 +99,7 @@ func (Spring4Shell) parseJavaRelease(f *os.File, filePath string) (*serialize.An
 	}

 	return &serialize.AnalysisResult{
-		CustomResources: []serialize.CustomResource{
+		CustomResources: []ftypes.CustomResource{
 			{
 				Type:     TypeJavaMajor,
 				FilePath: filePath,
@@ -117,7 +121,7 @@ func (Spring4Shell) parseTomcatReleaseNotes(f *os.File, filePath string) (*seria
 	}

 	return &serialize.AnalysisResult{
-		CustomResources: []serialize.CustomResource{
+		CustomResources: []ftypes.CustomResource{
 			{
 				Type:     TypeTomcatVersion,
 				FilePath: filePath,
@@ -222,7 +226,7 @@ func (Spring4Shell) PostScanSpec() serialize.PostScanSpec {
 //	}
 //
 // ]
-func (Spring4Shell) PostScan(results serialize.Results) (serialize.Results, error) {
+func (Spring4Shell) PostScan(results types.Results) (types.Results, error) {
 	var javaMajorVersion int
 	var tomcatVersion string
 	for _, result := range results {
--- a/go.mod
+++ b/go.mod
@@ -1,11 +1,11 @@
 module github.com/aquasecurity/trivy

-go 1.23.4
+go 1.24

 require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
 	github.com/BurntSushi/toml v1.4.0
 	github.com/CycloneDX/cyclonedx-go v0.9.2
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
@@ -24,35 +24,36 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-checks v1.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e
+	github.com/aquasecurity/trivy-checks v1.8.1
+	github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
-	github.com/aquasecurity/trivy-kubernetes v0.7.0
-	github.com/aws/aws-sdk-go-v2 v1.34.0
-	github.com/aws/aws-sdk-go-v2/config v1.29.2
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.55
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.201.1
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.38.7
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.74.1
-	github.com/aws/smithy-go v1.22.2
+	github.com/aquasecurity/trivy-kubernetes v0.8.1
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.13
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.66
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.211.2
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.43.2
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.1
+	github.com/aws/smithy-go v1.22.3
 	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 	github.com/bmatcuk/doublestar/v4 v4.8.1
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/cheggaaa/pb/v3 v3.1.6
-	github.com/containerd/containerd/v2 v2.0.2
+	github.com/cheggaaa/pb/v3 v3.1.7
+	github.com/containerd/containerd/v2 v2.0.4
 	github.com/containerd/platforms v1.0.0-rc.1
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v27.5.0+incompatible
-	github.com/docker/docker v27.5.0+incompatible
+	github.com/docker/cli v28.0.4+incompatible
+	github.com/docker/docker v28.0.4+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-units v0.5.0
 	github.com/fatih/color v1.18.0
-	github.com/go-git/go-git/v5 v5.13.2
+	github.com/go-git/go-git/v5 v5.14.0
+	github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 // Replace with encoding/json/v2 when proposal is accepted. Track https://github.com/golang/go/issues/71497
 	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/gocsaf/csaf/v3 v3.1.1
-	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/go-containerregistry v0.20.3
 	github.com/google/go-github/v62 v62.0.0
 	github.com/google/licenseclassifier/v2 v2.0.0
@@ -79,72 +80,72 @@ require (
 	github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee
 	github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e
 	github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd
-	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
+	github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20231205045356-1b22259a6c44
 	github.com/mattn/go-shellwords v1.0.12
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/moby/buildkit v0.18.2
-	github.com/open-policy-agent/opa v1.1.0
+	github.com/open-policy-agent/opa v1.2.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0
+	github.com/opencontainers/image-spec v1.1.1
 	github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
 	github.com/openvex/go-vex v0.2.5
 	github.com/owenrumney/go-sarif/v2 v2.3.3
-	github.com/owenrumney/squealer v1.2.6
+	github.com/owenrumney/squealer v1.2.11 // indirect
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
-	github.com/samber/lo v1.49.0
+	github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c
+	github.com/samber/lo v1.49.1
 	github.com/sassoftware/go-rpmutils v0.4.0
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0
-	github.com/sigstore/rekor v1.3.8
+	github.com/sigstore/rekor v1.3.9
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
 	github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
 	github.com/spf13/cast v1.7.1
-	github.com/spf13/cobra v1.8.1
-	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.19.0
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
+	github.com/spf13/viper v1.20.0
 	github.com/stretchr/testify v1.10.0
-	github.com/testcontainers/testcontainers-go v0.35.0
-	github.com/testcontainers/testcontainers-go/modules/localstack v0.35.0
-	github.com/tetratelabs/wazero v1.8.2
+	github.com/testcontainers/testcontainers-go v0.36.0
+	github.com/testcontainers/testcontainers-go/modules/localstack v0.36.0
+	github.com/tetratelabs/wazero v1.9.0
 	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
 	github.com/zclconf/go-cty v1.16.2
 	github.com/zclconf/go-cty-yaml v1.1.0
-	go.etcd.io/bbolt v1.3.11
-	golang.org/x/crypto v0.32.0
+	go.etcd.io/bbolt v1.4.0
+	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
-	golang.org/x/mod v0.22.0
-	golang.org/x/net v0.34.0
-	golang.org/x/sync v0.10.0
-	golang.org/x/term v0.28.0
-	golang.org/x/text v0.21.0
+	golang.org/x/mod v0.24.0
+	golang.org/x/net v0.37.0
+	golang.org/x/sync v0.12.0
+	golang.org/x/term v0.30.0
+	golang.org/x/text v0.23.0
 	golang.org/x/vuln v1.1.4
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
-	google.golang.org/protobuf v1.36.4
+	google.golang.org/protobuf v1.36.5
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.17.0
-	k8s.io/api v0.32.1
+	helm.sh/helm/v3 v3.17.2
+	k8s.io/api v0.32.3
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
-	modernc.org/sqlite v1.34.5
-	sigs.k8s.io/yaml v1.4.0
+	modernc.org/sqlite v1.36.1
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

 require (
 	cel.dev/expr v0.19.0 // indirect
 	cloud.google.com/go v0.116.0 // indirect
-	cloud.google.com/go/auth v0.13.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
+	cloud.google.com/go/auth v0.14.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	cloud.google.com/go/iam v1.2.2 // indirect
 	cloud.google.com/go/monitoring v1.21.2 // indirect
-	cloud.google.com/go/storage v1.45.0 // indirect
+	cloud.google.com/go/storage v1.49.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
@@ -156,7 +157,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
@@ -169,11 +170,10 @@ require (
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.9 // indirect
-	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v1.1.5 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/agnivade/levenshtein v1.2.0 // indirect
+	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
@@ -186,10 +186,10 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.5.0 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
 	github.com/containerd/cgroups/v3 v3.0.3 // indirect
-	github.com/containerd/containerd v1.7.25 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
 	github.com/containerd/containerd/api v1.8.0 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
@@ -203,7 +203,7 @@ require (
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
-	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
@@ -213,7 +213,7 @@ require (
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/dsnet/compress v0.0.1 // indirect
+	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -230,7 +230,7 @@ require (
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -243,20 +243,20 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-yaml v1.9.5 // indirect
+	github.com/goccy/go-yaml v1.15.23 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.8 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
@@ -268,7 +268,6 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/hashicorp/terraform-json v0.24.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -316,7 +315,6 @@ require (
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
-	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
 	github.com/opencontainers/selinux v1.11.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
@@ -327,33 +325,29 @@ require (
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_golang v1.20.5 // indirect
+	github.com/prometheus/client_golang v1.21.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.61.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rubenv/sql-migrate v1.7.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.6.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/shirou/gopsutil/v3 v3.24.2 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sigstore/cosign/v2 v2.2.4 // indirect
 	github.com/sigstore/sigstore v1.8.12 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
-	github.com/skeema/knownhosts v1.3.0 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
@@ -380,19 +374,19 @@ require (
 	go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/oauth2 v0.25.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/oauth2 v0.26.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
-	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	golang.org/x/tools v0.29.0 // indirect
-	google.golang.org/api v0.216.0 // indirect
+	google.golang.org/api v0.218.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
@@ -400,40 +394,60 @@ require (
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	k8s.io/apiextensions-apiserver v0.32.0 // indirect
-	k8s.io/apimachinery v0.32.1 // indirect
-	k8s.io/apiserver v0.32.0 // indirect
-	k8s.io/cli-runtime v0.32.1 // indirect
-	k8s.io/client-go v0.32.1 // indirect
-	k8s.io/component-base v0.32.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
+	k8s.io/apimachinery v0.32.3 // indirect
+	k8s.io/apiserver v0.32.2 // indirect
+	k8s.io/cli-runtime v0.32.3 // indirect
+	k8s.io/client-go v0.32.3 // indirect
+	k8s.io/component-base v0.32.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
-	k8s.io/kubectl v0.32.1 // indirect
-	modernc.org/libc v1.55.3 // indirect
-	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.8.0 // indirect
-	mvdan.cc/sh/v3 v3.10.0 // indirect
+	k8s.io/kubectl v0.32.3 // indirect
+	modernc.org/libc v1.61.13 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.8.2 // indirect
+	mvdan.cc/sh/v3 v3.11.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/kustomize/api v0.18.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
-	tags.cncf.io/container-device-interface v0.8.0 // indirect
-	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
 )

 require (
+	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/aws/aws-sdk-go v1.55.6 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.18 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/google/go-github/v31 v31.0.0 // indirect
+	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
+	github.com/google/subcommands v1.2.0 // indirect
+	github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 // indirect
+	github.com/oklog/ulid/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/samber/oops v1.15.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
+	github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	sigs.k8s.io/kind v0.19.0 // indirect
+)
+
+tool (
+	github.com/google/wire/cmd/wire
+	github.com/knqyf263/labeler
+	github.com/magefile/mage
+	golang.org/x/tools/cmd/goyacc
+	sigs.k8s.io/kind
 )
--- a/go.sum
+++ b/go.sum
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -165,7 +165,7 @@ dockers:
      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
-      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
      - "--platform=linux/amd64"
    extra_files:
    - contrib/
@@ -190,7 +190,7 @@ dockers:
      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
-      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
      - "--platform=linux/arm64"
    extra_files:
    - contrib/
@@ -215,7 +215,7 @@ dockers:
      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
-      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
      - "--platform=linux/s390x"
    extra_files:
    - contrib/
@@ -240,7 +240,7 @@ dockers:
      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
-      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
      - "--platform=linux/ppc64le"
    extra_files:
    - contrib/
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.10.1
-appVersion: 0.58.1
+version: 0.13.0
+appVersion: 0.61.0
 description: Trivy helm chart
 keywords:
  - scanner
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -63,9 +63,9 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `image.pullSecret`                    | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry  | |
 | `replicaCount`                        | Number of Trivy Pods to run                                   | `1`            |
 | `trivy.debugMode`                     | The flag to enable or disable Trivy debug mode                          | `false` |
-| `trivy.gitHubToken`                   | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting                          |      |
-| `trivy.registryUsername`              | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
-| `trivy.registryPassword`              | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.gitHubToken`                   | The GitHub access token to download Trivy DB. More info: https://trivy.dev/latest/docs/references/troubleshooting/#github-rate-limiting                          |      |
+| `trivy.registryUsername`              | The username used to log in at dockerhub. More info: https://trivy.dev/latest/docs/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryPassword`              | The password used to log in at dockerhub. More info: https://trivy.dev/latest/docs/advanced/private-registries/docker-hub/ |      |
 | `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set.                    |      |
 | `trivy.serviceAccount.annotations`        | Additional annotations to add to the Kubernetes service account resource |     |
 | `trivy.skipDBUpdate`                    | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
@@ -90,7 +90,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `tolerations`                         | Tolerations for pod assignment                                              |     |
 | `podAnnotations`                      | Annotations for pods created by statefulset                             | `{}` |

-The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).
+The above parameters map to the env variables defined in [trivy](https://trivy.dev/latest/docs/configuration/#configuration).

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

@@ -108,4 +108,4 @@ This chart uses a PersistentVolumeClaim to reduce the number of database downloa
 ## Caching

 You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitnami chart](https://bitnami.com/stack/redis/helm).
-More Information about the caching backends can be found [here](https://github.com/aquasecurity/trivy#specify-cache-backend).
+More Information about the caching backends can be found [here](https://trivy.dev/latest/docs/configuration/cache/#scan-cache-backend).
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -77,7 +77,7 @@ trivy:
  gitHubToken: ""

  # Docker registry credentials
-  # See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
+  # See also: https://trivy.dev/dev/advanced/private-registries/docker-hub/
  #
  # Either
  # Directly in this file
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -37,6 +37,7 @@ type csArgs struct {
 	Target              string
 	secretConfig        string
 	Distro              string
+	VulnSeveritySources []string
 }

 func TestClientServer(t *testing.T) {
@@ -280,6 +281,19 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/npm.json.golden",
 		},
+		{
+			name: "scan package-lock.json with severity from `ubuntu` in client/server mode",
+			args: csArgs{
+				Command:          "repo",
+				RemoteAddrOption: "--server",
+				Target:           "testdata/fixtures/repo/npm/",
+				VulnSeveritySources: []string{
+					"alpine",
+					"ubuntu",
+				},
+			},
+			golden: "testdata/npm-ubuntu-severity.json.golden",
+		},
 		{
 			name: "scan sample.pem with repo command in client/server mode",
 			args: csArgs{
@@ -677,6 +691,12 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string) []string
 		)
 	}

+	if len(c.VulnSeveritySources) != 0 {
+		osArgs = append(osArgs,
+			"--vuln-severity-source", strings.Join(c.VulnSeveritySources, ","),
+		)
+	}
+
 	if len(c.IgnoreIDs) != 0 {
 		trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
 		err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
--- a/integration/module_test.go
+++ b/integration/module_test.go
@@ -3,12 +3,12 @@
 package integration

 import (
-	"github.com/aquasecurity/trivy/pkg/types"
 	"path/filepath"
 	"testing"

+	"github.com/aquasecurity/trivy/pkg/extension"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
-	"github.com/aquasecurity/trivy/pkg/scanner/post"
+	"github.com/aquasecurity/trivy/pkg/types"
 )

 func TestModule(t *testing.T) {
@@ -52,7 +52,7 @@ func TestModule(t *testing.T) {

 			t.Cleanup(func() {
 				analyzer.DeregisterAnalyzer("spring4shell")
-				post.DeregisterPostScanner("spring4shell")
+				extension.DeregisterHook("spring4shell")
 			})

 			// Run Trivy
--- a/integration/repo_test.go
+++ b/integration/repo_test.go
@@ -10,7 +10,7 @@ import (

 	"github.com/stretchr/testify/require"

-	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

@@ -35,6 +35,7 @@ func TestRepository(t *testing.T) {
 		includeDevDeps      bool
 		parallel            int
 		vex                 string
+		vulnSeveritySources []string
 	}
 	tests := []struct {
 		name     string
@@ -104,6 +105,18 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/npm.json.golden",
 		},
+		{
+			name: "npm with severity from ubuntu",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/npm",
+				vulnSeveritySources: []string{
+					"alpine",
+					"ubuntu",
+				},
+			},
+			golden: "testdata/npm-ubuntu-severity.json.golden",
+		},
 		{
 			name: "npm with dev deps",
 			args: args{
@@ -418,7 +431,7 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/gomod-skip.json.golden",
 			override: func(_ *testing.T, want, _ *types.Report) {
-				want.ArtifactType = artifact.TypeFilesystem
+				want.ArtifactType = ftypes.TypeFilesystem
 			},
 		},
 		{
@@ -432,7 +445,7 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/dockerfile-custom-policies.json.golden",
 			override: func(_ *testing.T, want, got *types.Report) {
-				want.ArtifactType = artifact.TypeFilesystem
+				want.ArtifactType = ftypes.TypeFilesystem
 			},
 		},
 		{
@@ -538,6 +551,12 @@ func TestRepository(t *testing.T) {
 				}
 			}

+			if len(tt.args.vulnSeveritySources) != 0 {
+				osArgs = append(osArgs,
+					"--vuln-severity-source", strings.Join(tt.args.vulnSeveritySources, ","),
+				)
+			}
+
 			if tt.args.listAllPkgs {
 				osArgs = append(osArgs, "--list-all-pkgs")
 			}
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

@@ -38,7 +38,7 @@ func TestSBOM(t *testing.T) {
 			golden: "testdata/centos-7.json.golden",
 			override: func(t *testing.T, want, got *types.Report) {
 				want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.json"
-				want.ArtifactType = artifact.TypeCycloneDX
+				want.ArtifactType = ftypes.TypeCycloneDX

 				require.Len(t, got.Results, 1)
 				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)"
@@ -87,7 +87,7 @@ func TestSBOM(t *testing.T) {
 			golden: "testdata/centos-7.json.golden",
 			override: func(t *testing.T, want, got *types.Report) {
 				want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl"
-				want.ArtifactType = artifact.TypeCycloneDX
+				want.ArtifactType = ftypes.TypeCycloneDX

 				require.Len(t, got.Results, 1)
 				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)"
@@ -108,7 +108,7 @@ func TestSBOM(t *testing.T) {
 			golden: "testdata/centos-7.json.golden",
 			override: func(t *testing.T, want, got *types.Report) {
 				want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.txt"
-				want.ArtifactType = artifact.TypeSPDX
+				want.ArtifactType = ftypes.TypeSPDX

 				require.Len(t, got.Results, 1)
 				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)"
@@ -124,7 +124,7 @@ func TestSBOM(t *testing.T) {
 			golden: "testdata/centos-7.json.golden",
 			override: func(t *testing.T, want, got *types.Report) {
 				want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.json"
-				want.ArtifactType = artifact.TypeSPDX
+				want.ArtifactType = ftypes.TypeSPDX

 				require.Len(t, got.Results, 1)
 				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)"
--- a/integration/testdata/conda-spdx.json.golden
+++ b/integration/testdata/conda-spdx.json.golden
@@ -3,7 +3,7 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "testdata/fixtures/repo/conda",
-  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
+  "documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
  "creationInfo": {
    "creators": [
      "Organization: aquasecurity",
--- a/integration/testdata/fixtures/sbom/centos-7-spdx.json
+++ b/integration/testdata/fixtures/sbom/centos-7-spdx.json
@@ -8,7 +8,7 @@
 		]
 	},
 	"dataLicense": "CC0-1.0",
-	"documentNamespace": "http://aquasecurity.github.io/trivy/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-2906855d-5098-4a22-9a72-4f7099ea3d66",
+	"documentNamespace": "http://trivy.dev/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-2906855d-5098-4a22-9a72-4f7099ea3d66",
 	"name": "integration/testdata/fixtures/images/centos-7.tar.gz",
 	"packages": [
 		{
--- a/integration/testdata/fixtures/sbom/centos-7-spdx.txt
+++ b/integration/testdata/fixtures/sbom/centos-7-spdx.txt
@@ -2,7 +2,7 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: integration/testdata/fixtures/images/centos-7.tar.gz
-DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-6a2c050f-bc12-46dc-b2df-1f4e3e0b5e1d
+DocumentNamespace: http://trivy.dev/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-6a2c050f-bc12-46dc-b2df-1f4e3e0b5e1d
 Creator: Organization: aquasecurity
 Creator: Tool: trivy-dev
 Created: 2022-09-13T13:24:58.796907Z
--- a/integration/testdata/helm.json.golden
+++ b/integration/testdata/helm.json.golden
@@ -21,8 +21,8 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 79,
-        "Failures": 15
+        "Successes": 78,
+        "Failures": 22
      },
      "Misconfigurations": [
        {
@@ -91,7 +91,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -160,7 +161,78 @@
                  "LastCause": true
                }
              ]
+            },
+            "RenderedCause": {}
          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV004",
+          "AVDID": "AVD-KSV-0004",
+          "Title": "Default capabilities: some containers do not drop any",
+          "Description": "Security best practices require containers to run with minimal required capabilities.",
+          "Message": "Container 'nginx' of 'deployment' 'nginx-deployment' in 'default' namespace should set securityContext.capabilities.drop",
+          "Namespace": "builtin.kubernetes.KSV004",
+          "Query": "data.builtin.kubernetes.KSV004.deny",
+          "Resolution": "Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv004",
+          "References": [
+            "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
+            "https://avd.aquasec.com/misconfig/ksv004"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 19,
+            "EndLine": 22,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 19,
+                  "Content": "      - name: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      - \u001b[38;5;33mname\u001b[0m: nginx",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 20,
+                  "Content": "        image: nginx:1.14.2",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 21,
+                  "Content": "        ports:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mports\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 22,
+                  "Content": "        - containerPort: 80",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -229,7 +301,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -298,7 +371,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -367,7 +441,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -436,7 +511,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -505,7 +581,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -574,7 +651,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -643,7 +721,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -712,7 +791,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -781,7 +861,473 @@
                  "LastCause": true
                }
              ]
+            },
+            "RenderedCause": {}
          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV032",
+          "AVDID": "AVD-KSV-0032",
+          "Title": "All container images must start with the *.azurecr.io domain",
+          "Description": "Containers should only use images from trusted registries.",
+          "Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
+          "Namespace": "builtin.kubernetes.KSV032",
+          "Query": "data.builtin.kubernetes.KSV032.deny",
+          "Resolution": "Use images from trusted Azure registries.",
+          "Severity": "MEDIUM",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
+          "References": [
+            "https://avd.aquasec.com/misconfig/ksv032"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 19,
+            "EndLine": 22,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 19,
+                  "Content": "      - name: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      - \u001b[38;5;33mname\u001b[0m: nginx",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 20,
+                  "Content": "        image: nginx:1.14.2",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 21,
+                  "Content": "        ports:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mports\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 22,
+                  "Content": "        - containerPort: 80",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            },
+            "RenderedCause": {}
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV033",
+          "AVDID": "AVD-KSV-0033",
+          "Title": "All container images must start with a GCR domain",
+          "Description": "Containers should only use images from trusted GCR registries.",
+          "Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
+          "Namespace": "builtin.kubernetes.KSV033",
+          "Query": "data.builtin.kubernetes.KSV033.deny",
+          "Resolution": "Use images from trusted GCR registries.",
+          "Severity": "MEDIUM",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
+          "References": [
+            "https://avd.aquasec.com/misconfig/ksv033"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 19,
+            "EndLine": 22,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 19,
+                  "Content": "      - name: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      - \u001b[38;5;33mname\u001b[0m: nginx",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 20,
+                  "Content": "        image: nginx:1.14.2",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 21,
+                  "Content": "        ports:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mports\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 22,
+                  "Content": "        - containerPort: 80",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            },
+            "RenderedCause": {}
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV035",
+          "AVDID": "AVD-KSV-0035",
+          "Title": "All container images must start with an ECR domain",
+          "Description": "Container images from non-ECR registries should be forbidden.",
+          "Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
+          "Namespace": "builtin.kubernetes.KSV035",
+          "Query": "data.builtin.kubernetes.KSV035.deny",
+          "Resolution": "Container image should be used from Amazon container Registry",
+          "Severity": "MEDIUM",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
+          "References": [
+            "https://avd.aquasec.com/misconfig/ksv035"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 19,
+            "EndLine": 22,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 19,
+                  "Content": "      - name: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      - \u001b[38;5;33mname\u001b[0m: nginx",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 20,
+                  "Content": "        image: nginx:1.14.2",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 21,
+                  "Content": "        ports:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mports\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 22,
+                  "Content": "        - containerPort: 80",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            },
+            "RenderedCause": {}
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV039",
+          "AVDID": "AVD-KSV-0039",
+          "Title": "limit range usage",
+          "Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
+          "Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
+          "Namespace": "builtin.kubernetes.KSV039",
+          "Query": "data.builtin.kubernetes.KSV039.deny",
+          "Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
+          "References": [
+            "https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
+            "https://avd.aquasec.com/misconfig/ksv039"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 9,
+            "EndLine": 22,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 9,
+                  "Content": "  replicas: 3",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 10,
+                  "Content": "  selector:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "\u001b[0m  \u001b[38;5;33mselector\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 11,
+                  "Content": "    matchLabels:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mmatchLabels\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 12,
+                  "Content": "      app: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      \u001b[38;5;33mapp\u001b[0m: nginx",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 13,
+                  "Content": "  template:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;33mtemplate\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 14,
+                  "Content": "    metadata:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mmetadata\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 15,
+                  "Content": "      labels:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      \u001b[38;5;33mlabels\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 16,
+                  "Content": "        app: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mapp\u001b[0m: nginx",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 17,
+                  "Content": "    spec:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mspec\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": true
+                },
+                {
+                  "Number": 18,
+                  "Content": "",
+                  "IsCause": false,
+                  "Annotation": "",
+                  "Truncated": true,
+                  "FirstCause": false,
+                  "LastCause": false
+                }
+              ]
+            },
+            "RenderedCause": {}
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV040",
+          "AVDID": "AVD-KSV-0040",
+          "Title": "resource quota usage",
+          "Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
+          "Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
+          "Namespace": "builtin.kubernetes.KSV040",
+          "Query": "data.builtin.kubernetes.KSV040.deny",
+          "Resolution": "create resource quota policy with mem and cpu quota per each namespace",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
+          "References": [
+            "https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
+            "https://avd.aquasec.com/misconfig/ksv040"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 9,
+            "EndLine": 22,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 9,
+                  "Content": "  replicas: 3",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 10,
+                  "Content": "  selector:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "\u001b[0m  \u001b[38;5;33mselector\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 11,
+                  "Content": "    matchLabels:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mmatchLabels\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 12,
+                  "Content": "      app: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      \u001b[38;5;33mapp\u001b[0m: nginx",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 13,
+                  "Content": "  template:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;33mtemplate\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 14,
+                  "Content": "    metadata:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mmetadata\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 15,
+                  "Content": "      labels:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "      \u001b[38;5;33mlabels\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 16,
+                  "Content": "        app: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "        \u001b[38;5;33mapp\u001b[0m: nginx",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 17,
+                  "Content": "    spec:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mspec\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": true
+                },
+                {
+                  "Number": 18,
+                  "Content": "",
+                  "IsCause": false,
+                  "Annotation": "",
+                  "Truncated": true,
+                  "FirstCause": false,
+                  "LastCause": false
+                }
+              ]
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -850,7 +1396,8 @@
                  "LastCause": true
                }
              ]
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -919,7 +1466,68 @@
                  "LastCause": true
                }
              ]
+            },
+            "RenderedCause": {}
          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV110",
+          "AVDID": "AVD-KSV-0110",
+          "Title": "Workloads in the default namespace",
+          "Description": "Checks whether a workload is running in the default namespace.",
+          "Message": "deployment nginx-deployment in default namespace should set metadata.namespace to a non-default namespace",
+          "Namespace": "builtin.kubernetes.KSV110",
+          "Query": "data.builtin.kubernetes.KSV110.deny",
+          "Resolution": "Set 'metadata.namespace' to a non-default namespace.",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
+          "References": [
+            "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
+            "https://avd.aquasec.com/misconfig/ksv110"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 5,
+            "EndLine": 7,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 5,
+                  "Content": "  name: nginx-deployment",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;33mname\u001b[0m: nginx-deployment",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 6,
+                  "Content": "  labels:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;33mlabels\u001b[0m:",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 7,
+                  "Content": "    app: nginx",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "    \u001b[38;5;33mapp\u001b[0m: nginx",
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -946,7 +1554,8 @@
            "Service": "general",
            "Code": {
              "Lines": null
-            }
+            },
+            "RenderedCause": {}
          }
        },
        {
@@ -972,7 +1581,8 @@
            "Service": "general",
            "Code": {
              "Lines": null
-            }
+            },
+            "RenderedCause": {}
          }
        }
      ]
--- a/integration/testdata/helm_testchart.json.golden
+++ b/integration/testdata/helm_testchart.json.golden
--- a/integration/testdata/helm_testchart.overridden.json.golden
+++ b/integration/testdata/helm_testchart.overridden.json.golden
--- a/integration/testdata/julia-spdx.json.golden
+++ b/integration/testdata/julia-spdx.json.golden
@@ -3,7 +3,7 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "testdata/fixtures/repo/julia",
-  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000006",
+  "documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000006",
  "creationInfo": {
    "creators": [
      "Organization: aquasecurity",
--- a/integration/testdata/license-cyclonedx.json.golden
+++ b/integration/testdata/license-cyclonedx.json.golden
@@ -16,14 +16,6 @@
    }
  },
  "Results": [
-    {
-      "Target": "OS Packages",
-      "Class": "license"
-    },
-    {
-      "Target": "pom.xml",
-      "Class": "license"
-    },
    {
      "Target": "Java",
      "Class": "license",
@@ -34,6 +26,7 @@
          "PkgName": "org.eclipse.sisu:org.eclipse.sisu.plexus",
          "FilePath": "",
          "Name": "EPL-1.0",
+          "Text": "",
          "Confidence": 1,
          "Link": ""
        },
@@ -43,6 +36,7 @@
          "PkgName": "org.ow2.asm:asm",
          "FilePath": "",
          "Name": "BSD-3-Clause",
+          "Text": "",
          "Confidence": 1,
          "Link": ""
        },
@@ -52,14 +46,11 @@
          "PkgName": "org.slf4j:slf4j-api",
          "FilePath": "",
          "Name": "MIT License",
+          "Text": "",
          "Confidence": 1,
          "Link": ""
        }
      ]
-    },
-    {
-      "Target": "Loose File License(s)",
-      "Class": "license-file"
    }
  ]
 }
--- a/integration/testdata/npm-ubuntu-severity.json.golden
+++ b/integration/testdata/npm-ubuntu-severity.json.golden
@@ -0,0 +1,160 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/repo/npm",
+  "ArtifactType": "repository",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "package-lock.json",
+      "Class": "lang-pkgs",
+      "Type": "npm",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-11358",
+          "PkgID": "jquery@3.3.9",
+          "PkgName": "jquery",
+          "PkgIdentifier": {
+            "PURL": "pkg:npm/jquery@3.3.9",
+            "UID": "e19e84d31f72b60c"
+          },
+          "InstalledVersion": "3.3.9",
+          "FixedVersion": "3.4.0",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "ubuntu",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory Npm",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+          },
+          "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
+          "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "VendorSeverity": {
+            "alma": 2,
+            "amazon": 2,
+            "arch-linux": 2,
+            "ghsa": 2,
+            "nodejs-security-wg": 2,
+            "nvd": 2,
+            "oracle-oval": 2,
+            "redhat": 2,
+            "ruby-advisory-db": 2,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+              "V3Score": 5.6
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html",
+            "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
+            "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
+            "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html",
+            "http://seclists.org/fulldisclosure/2019/May/10",
+            "http://seclists.org/fulldisclosure/2019/May/11",
+            "http://seclists.org/fulldisclosure/2019/May/13",
+            "http://www.openwall.com/lists/oss-security/2019/06/03/2",
+            "http://www.securityfocus.com/bid/108023",
+            "https://access.redhat.com/errata/RHBA-2019:1570",
+            "https://access.redhat.com/errata/RHSA-2019:1456",
+            "https://access.redhat.com/errata/RHSA-2019:2587",
+            "https://access.redhat.com/errata/RHSA-2019:3023",
+            "https://access.redhat.com/errata/RHSA-2019:3024",
+            "https://access.redhat.com/security/cve/CVE-2019-11358",
+            "https://backdropcms.org/security/backdrop-sa-core-2019-009",
+            "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
+            "https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
+            "https://github.com/advisories/GHSA-6c3j-c64m-qhgq",
+            "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
+            "https://github.com/jquery/jquery/pull/4333",
+            "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
+            "https://hackerone.com/reports/454365",
+            "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
+            "https://linux.oracle.com/cve/CVE-2019-11358.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4847.html",
+            "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E",
+            "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E",
+            "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E",
+            "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E",
+            "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E",
+            "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E",
+            "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E",
+            "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
+            "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
+            "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
+            "https://seclists.org/bugtraq/2019/Apr/32",
+            "https://seclists.org/bugtraq/2019/Jun/12",
+            "https://seclists.org/bugtraq/2019/May/18",
+            "https://security.netapp.com/advisory/ntap-20190919-0001/",
+            "https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
+            "https://www.debian.org/security/2019/dsa-4434",
+            "https://www.debian.org/security/2019/dsa-4460",
+            "https://www.drupal.org/sa-core-2019-006",
+            "https://www.oracle.com//security-alerts/cpujul2021.html",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2021.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
+            "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/",
+            "https://www.synology.com/security/advisory/Synology_SA_19_19",
+            "https://www.tenable.com/security/tns-2019-08",
+            "https://www.tenable.com/security/tns-2020-02"
+          ],
+          "PublishedDate": "2019-04-20T00:29:00Z",
+          "LastModifiedDate": "2021-10-20T11:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testimages.ini
+++ b/integration/testimages.ini
@@ -1,3 +1,3 @@
 # Configuration file for both shell scripts and Go programs
-TEST_IMAGES=ghcr.io/knqyf263/trivy-test-images
-TEST_VM_IMAGES=ghcr.io/knqyf263/trivy-test-vm-images
+TEST_IMAGES=ghcr.io/aquasecurity/trivy-test-images
+TEST_VM_IMAGES=ghcr.io/aquasecurity/trivy-test-vm-images
--- a/internal/cachetest/cache.go
+++ b/internal/cachetest/cache.go
@@ -0,0 +1,121 @@
+package cachetest
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/samber/lo"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/cache"
+	"github.com/aquasecurity/trivy/pkg/fanal/types"
+)
+
+type WantArtifact struct {
+	ID           string
+	ArtifactInfo types.ArtifactInfo
+}
+
+type WantBlob struct {
+	ID       string
+	BlobInfo types.BlobInfo
+}
+
+type ErrorCache struct {
+	*cache.MemoryCache
+	opts ErrorCacheOptions
+}
+
+type ErrorCacheOptions struct {
+	MissingBlobs bool
+	PutArtifact  bool
+	PutBlob      bool
+	GetArtifact  bool
+	GetBlob      bool
+}
+
+func NewErrorCache(opts ErrorCacheOptions) *ErrorCache {
+	return &ErrorCache{
+		MemoryCache: cache.NewMemoryCache(),
+		opts:        opts,
+	}
+}
+
+func (c *ErrorCache) MissingBlobs(artifactID string, blobIDs []string) (bool, []string, error) {
+	if c.opts.MissingBlobs {
+		return false, nil, errors.New("MissingBlobs failed")
+	}
+	return c.MemoryCache.MissingBlobs(artifactID, blobIDs)
+}
+
+func (c *ErrorCache) PutArtifact(artifactID string, artifactInfo types.ArtifactInfo) error {
+	if c.opts.PutArtifact {
+		return errors.New("PutArtifact failed")
+	}
+	return c.MemoryCache.PutArtifact(artifactID, artifactInfo)
+}
+
+func (c *ErrorCache) PutBlob(artifactID string, blobInfo types.BlobInfo) error {
+	if c.opts.PutBlob {
+		return errors.New("PutBlob failed")
+	}
+	return c.MemoryCache.PutBlob(artifactID, blobInfo)
+}
+
+func (c *ErrorCache) GetArtifact(artifactID string) (types.ArtifactInfo, error) {
+	if c.opts.GetArtifact {
+		return types.ArtifactInfo{}, errors.New("GetArtifact failed")
+	}
+	return c.MemoryCache.GetArtifact(artifactID)
+}
+
+func (c *ErrorCache) GetBlob(blobID string) (types.BlobInfo, error) {
+	if c.opts.GetBlob {
+		return types.BlobInfo{}, errors.New("GetBlob failed")
+	}
+	return c.MemoryCache.GetBlob(blobID)
+}
+
+func NewCache(t *testing.T, setUpCache func(t *testing.T) cache.Cache) cache.Cache {
+	if setUpCache != nil {
+		return setUpCache(t)
+	}
+	return cache.NewMemoryCache()
+}
+
+func AssertArtifact(t *testing.T, c cache.Cache, wantArtifact WantArtifact) {
+	gotArtifact, err := c.GetArtifact(wantArtifact.ID)
+	require.NoError(t, err, "artifact not found")
+	assert.Equal(t, wantArtifact.ArtifactInfo, gotArtifact, wantArtifact.ID)
+}
+
+func AssertBlobs(t *testing.T, c cache.Cache, wantBlobs []WantBlob) {
+	if m, ok := c.(*cache.MemoryCache); ok {
+		blobIDs := m.BlobIDs()
+		wantBlobIDs := lo.Map(wantBlobs, func(want WantBlob, _ int) string {
+			return want.ID
+		})
+		require.ElementsMatch(t, wantBlobIDs, blobIDs, "blob IDs mismatch")
+	}
+
+	for _, want := range wantBlobs {
+		got, err := c.GetBlob(want.ID)
+		require.NoError(t, err, "blob not found")
+
+		for i := range got.Misconfigurations {
+			// suppress misconfiguration code block
+			for j := range got.Misconfigurations[i].Failures {
+				got.Misconfigurations[i].Failures[j].Code = types.Code{}
+			}
+			for j := range got.Misconfigurations[i].Successes {
+				got.Misconfigurations[i].Successes[j].Code = types.Code{}
+			}
+			for j := range got.Misconfigurations[i].Warnings {
+				got.Misconfigurations[i].Warnings[j].Code = types.Code{}
+			}
+		}
+
+		assert.Equal(t, want.BlobInfo, got, want.ID)
+	}
+}
--- a/internal/hooktest/hook.go
+++ b/internal/hooktest/hook.go
@@ -0,0 +1,96 @@
+package hooktest
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/aquasecurity/trivy/pkg/extension"
+	"github.com/aquasecurity/trivy/pkg/flag"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+type testHook struct{}
+
+func (*testHook) Name() string {
+	return "test"
+}
+
+func (*testHook) Version() int {
+	return 1
+}
+
+// RunHook implementation
+func (*testHook) PreRun(ctx context.Context, opts flag.Options) error {
+	if opts.GlobalOptions.ConfigFile == "bad-config" {
+		return errors.New("bad pre-run")
+	}
+	return nil
+}
+
+func (*testHook) PostRun(ctx context.Context, opts flag.Options) error {
+	if opts.GlobalOptions.ConfigFile == "bad-config" {
+		return errors.New("bad post-run")
+	}
+	return nil
+}
+
+// ScanHook implementation
+func (*testHook) PreScan(ctx context.Context, target *types.ScanTarget, options types.ScanOptions) error {
+	if target.Name == "bad-pre" {
+		return errors.New("bad pre-scan")
+	}
+	target.Name += " (pre-scan)"
+	return nil
+}
+
+func (*testHook) PostScan(ctx context.Context, results types.Results) (types.Results, error) {
+	for i, r := range results {
+		if r.Target == "bad" {
+			return nil, errors.New("bad")
+		}
+		for j := range r.Vulnerabilities {
+			results[i].Vulnerabilities[j].References = []string{
+				"https://example.com/post-scan",
+			}
+		}
+	}
+	return results, nil
+}
+
+// ReportHook implementation
+func (*testHook) PreReport(ctx context.Context, report *types.Report, opts flag.Options) error {
+	if report.ArtifactName == "bad-report" {
+		return errors.New("bad pre-report")
+	}
+
+	// Modify the report
+	for i := range report.Results {
+		for j := range report.Results[i].Vulnerabilities {
+			report.Results[i].Vulnerabilities[j].Title = "Modified by pre-report hook"
+		}
+	}
+	return nil
+}
+
+func (*testHook) PostReport(ctx context.Context, report *types.Report, opts flag.Options) error {
+	if report.ArtifactName == "bad-report" {
+		return errors.New("bad post-report")
+	}
+
+	// Modify the report
+	for i := range report.Results {
+		for j := range report.Results[i].Vulnerabilities {
+			report.Results[i].Vulnerabilities[j].Description = "Modified by post-report hook"
+		}
+	}
+	return nil
+}
+
+func Init(t *testing.T) {
+	h := &testHook{}
+	extension.RegisterHook(h)
+	t.Cleanup(func() {
+		extension.DeregisterHook(h.Name())
+	})
+}
--- a/internal/testutil/docker.go
+++ b/internal/testutil/docker.go
@@ -29,7 +29,7 @@ func (c *DockerClient) ImageLoad(t *testing.T, ctx context.Context, imageFile st
 	defer testfile.Close()

 	// Load image into docker engine
-	res, err := c.Client.ImageLoad(ctx, testfile, true)
+	res, err := c.Client.ImageLoad(ctx, testfile, client.ImageLoadWithQuiet(true))
 	require.NoError(t, err)
 	defer res.Body.Close()

--- a/magefiles/magefile.go
+++ b/magefiles/magefile.go
@@ -61,22 +61,6 @@ func buildLdflags() (string, error) {

 type Tool mg.Namespace

-// Aqua installs aqua if not installed
-func (Tool) Aqua() error {
-	if exists(filepath.Join(GOBIN, "aqua")) {
-		return nil
-	}
-	return sh.Run("go", "install", "github.com/aquaproj/aqua/v2/cmd/aqua@v2.2.1")
-}
-
-// Wire installs wire if not installed
-func (Tool) Wire() error {
-	if installed("wire") {
-		return nil
-	}
-	return sh.Run("go", "install", "github.com/google/wire/cmd/wire@v0.5.0")
-}
-
 // Sass installs saas if not installed. npm is assumed to be available
 func (Tool) Sass() error {
 	if installed("sass") {
@@ -95,11 +79,13 @@ func (Tool) PipTools() error {

 // GolangciLint installs golangci-lint
 func (t Tool) GolangciLint() error {
-	const version = "v1.61.0"
+	const version = "v1.64.2"
 	bin := filepath.Join(GOBIN, "golangci-lint")
 	if exists(bin) && t.matchGolangciLintVersion(bin, version) {
 		return nil
 	}
+	// TODO: use `go install tool`
+	// cf. https://golangci-lint.run/welcome/install/#install-from-sources
 	command := fmt.Sprintf("curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b %s %s", GOBIN, version)
 	return sh.Run("bash", "-c", command)
 }
@@ -126,52 +112,15 @@ func (Tool) matchGolangciLintVersion(bin, version string) bool {
 	return true
 }

-// Labeler installs labeler
-func (Tool) Labeler() error {
-	if exists(filepath.Join(GOBIN, "labeler")) {
-		return nil
-	}
-	return sh.Run("go", "install", "github.com/knqyf263/labeler@latest")
-}
-
-// Kind installs kind cluster
-func (Tool) Kind() error {
-	return sh.RunWithV(ENV, "go", "install", "sigs.k8s.io/kind@v0.19.0")
-}
-
-// Goyacc installs goyacc
-func (Tool) Goyacc() error {
-	if exists(filepath.Join(GOBIN, "goyacc")) {
-		return nil
-	}
-	return sh.Run("go", "install", "golang.org/x/tools/cmd/goyacc@v0.7.0")
-}
-
-// Mockery installs mockery
-func (Tool) Mockery() error {
-	if exists(filepath.Join(GOBIN, "mockery")) {
-		return nil
-	}
-	return sh.Run("go", "install", "github.com/knqyf263/mockery/cmd/mockery@latest")
+func (Tool) Install() error {
+	log.Info("Installing tools, make sure you add $GOBIN to the $PATH")
+	return sh.Run("go", "install", "tool")
 }

 // Wire generates the wire_gen.go file for each package
 func Wire() error {
-	mg.Deps(Tool{}.Wire)
-	return sh.RunV("wire", "gen", "./pkg/commands/...", "./pkg/rpc/...", "./pkg/k8s/...")
-}
-
-// Mock generates mocks
-func Mock(dir string) error {
-	mg.Deps(Tool{}.Mockery)
-	mockeryArgs := []string{
-		"-all",
-		"-inpkg",
-		"-case=snake",
-		"-dir",
-		dir,
-	}
-	return sh.RunV("mockery", mockeryArgs...)
+	mg.Deps(Tool{}.Install) // Install wire
+	return sh.RunV("go", "tool", "wire", "gen", "./pkg/commands/...", "./pkg/rpc/...", "./pkg/k8s/...")
 }

 // Protoc parses PROTO_FILES and generates the Go code for client/server mode
@@ -216,7 +165,7 @@ func Protoc() error {

 // Yacc generates parser
 func Yacc() error {
-	mg.Deps(Tool{}.Goyacc)
+	mg.Deps(Tool{}.Install) // Install yacc
 	return sh.Run("go", "generate", "./pkg/licensing/expression/...")
 }

@@ -275,11 +224,11 @@ func compileWasmModules(pattern string) error {
 		} else if !updated {
 			continue
 		}
-		// Check if TinyGo is installed
-		if !installed("tinygo") {
-			return errors.New("need to install TinyGo, follow https://tinygo.org/getting-started/install/")
+		envs := map[string]string{
+			"GOOS":   "wasip1",
+			"GOARCH": "wasm",
 		}
-		if err = sh.Run("go", "generate", src); err != nil {
+		if err = sh.RunWith(envs, "go", "generate", src); err != nil {
 			return err
 		}
 	}
@@ -300,8 +249,7 @@ func (t Test) Integration() error {

 // K8s runs k8s integration tests
 func (t Test) K8s() error {
-	mg.Deps(Tool{}.Kind)
-
+	mg.Deps(Tool{}.Install) // Install kind
 	err := sh.RunWithV(ENV, "kind", "create", "cluster", "--name", "kind-test")
 	if err != nil {
 		return err
@@ -493,7 +441,7 @@ func Clean() error {

 // Label updates labels
 func Label() error {
-	mg.Deps(Tool{}.Labeler)
+	mg.Deps(Tool{}.Install) // Install labeler
 	return sh.RunV("labeler", "apply", "misc/triage/labels.yaml", "-l", "5")
 }

--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,5 +1,5 @@
 site_name: Trivy
-site_url: https://aquasecurity.github.io/trivy/
+site_url: https://trivy.dev/
 site_description: Trivy - All-in-one open source security scanner
 docs_dir: docs/
 repo_name: GitHub
@@ -133,6 +133,7 @@ nav:
              - Overview: docs/supply-chain/vex/index.md
              - VEX Repository: docs/supply-chain/vex/repo.md
              - Local VEX Files: docs/supply-chain/vex/file.md
+              - VEX SBOM Reference: docs/supply-chain/vex/sbom-ref.md
              - VEX Attestation: docs/supply-chain/vex/oci.md
      - Compliance:
          - Built-in Compliance:  docs/compliance/compliance.md
@@ -201,6 +202,7 @@ nav:
              - Client/Server: docs/references/modes/client-server.md
          - Troubleshooting: docs/references/troubleshooting.md
          - Terminology: docs/references/terminology.md
+          - Abbreviations: docs/references/abbreviations.md
  - Ecosystem: 
    - Overview: ecosystem/index.md
    - CI/CD: ecosystem/cicd.md
@@ -272,8 +274,6 @@ extra:
      link: https://twitter.com/AquaTrivy
    - icon: fontawesome/brands/github
      link: https://github.com/aquasecurity/trivy
-    - icon: fontawesome/brands/slack
-      link: https://github.com/aquasecurity/trivy
  analytics:
    provider: google
    property: G-V9LJGFH7GX
--- a/pkg/attestation/sbom/rekor_test.go
+++ b/pkg/attestation/sbom/rekor_test.go
@@ -1,7 +1,6 @@
 package sbom_test

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -41,7 +40,7 @@ func TestRekor_RetrieveSBOM(t *testing.T) {
 			rc, err := sbom.NewRekor(ts.URL())
 			require.NoError(t, err)

-			got, err := rc.RetrieveSBOM(context.Background(), tt.digest)
+			got, err := rc.RetrieveSBOM(t.Context(), tt.digest)
 			if tt.wantErr != "" {
 				assert.ErrorContains(t, err, tt.wantErr)
 				return
--- a/pkg/cache/memory.go
+++ b/pkg/cache/memory.go
@@ -96,3 +96,17 @@ func (c *MemoryCache) Clear() error {
 	c.blobs = sync.Map{}
 	return nil
 }
+
+// BlobIDs returns all the blob IDs in the memory cache for testing
+func (c *MemoryCache) BlobIDs() []string {
+	var blobIDs []string
+	c.blobs.Range(func(key, value any) bool {
+		blobID, ok := key.(string)
+		if !ok {
+			return false
+		}
+		blobIDs = append(blobIDs, blobID)
+		return true
+	})
+	return blobIDs
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
knqyf263	51cefc4221	test(flag): enhance TestCustomFlagGroups to include environment variable support - Added a test case to verify the behavior of the `TRIVY_FOO` environment variable in the `TestCustomFlagGroups` function. - Ensured that the flag system correctly retrieves values from both environment variables and custom flags. - Improved test coverage for the flag handling functionality.	2025-04-14 13:08:21 +04:00
knqyf263	84eb62340e	refactor(extension): add custom flag groups for commands - Introduced a new extension system to support custom CLI flag groups for various commands. - Updated command definitions to utilize the new `CustomFlagGroups` method, enhancing modularity and flexibility. - Added tests to validate the behavior of custom flag groups and ensure proper integration with existing command structures. - Improved overall flag handling by allowing extensions to define their own flag groups, facilitating future enhancements.	2025-04-11 15:21:09 +04:00
Teppei Fukuda	346a6b794d	ci: improve PR title validation workflow (#8720 )	2025-04-11 09:43:02 +00:00
Teppei Fukuda	4a38d0121b	refactor(flag): improve flag system architecture and extensibility (#8718 ) Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>	2025-04-11 08:47:43 +00:00
Steven Masley	e25de25262	fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-04-10 05:21:19 +00:00
DmitriyLewen	4b84dabd15	refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591 )	2025-04-09 12:22:57 +00:00
Nikita Pivkin	9792611b36	feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-04-08 21:13:46 +00:00
DmitriyLewen	13608eac24	ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702 )	2025-04-08 11:49:52 +00:00
Teppei Fukuda	a0dc3b688e	refactor: add hook interface for extended functionality (#8585 )	2025-04-08 11:49:16 +00:00
Nikita Pivkin	9dcd06fda7	fix(misconf): add missing variable as unknown (#8683 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-04-08 06:33:33 +00:00
simar7	12cf218032	docs: Update maintainer docs (#8674 )	2025-04-08 06:33:04 +00:00
Seth Gibelyou	86138329cb	ci(vuln): reduce github action script injection attack risk (#8610 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2025-04-08 05:09:40 +00:00
Yugandhar	a032ad696a	fix(secret): ignore .dist-info directories during secret scanning (#8646 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2025-04-07 11:31:37 +00:00
Tamir Kiviti	36f8d0fd67	fix(server): fix redis key when trying to delete blob (#8649 )	2025-04-07 11:18:35 +00:00
dependabot[bot]	f1329c7ea1	chore(deps): bump the testcontainers group with 2 updates (#8650 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-07 07:55:40 +00:00
DmitriyLewen	c5e03f7d8f	test: use `aquasecurity` repository for test images (#8677 )	2025-04-07 06:32:53 +00:00
dependabot[bot]	a8a7ddb127	chore(deps): bump the aws group across 1 directory with 5 updates (#8652 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-07 06:18:33 +00:00
afdesk	bff0e9b034	fix(k8s): skip passed misconfigs for the summary report (#8684 ) Co-authored-by: Simar <simar@linux.com>	2025-04-05 06:48:10 +00:00
afdesk	cc4771158b	fix(k8s): correct compare artifact versions (#8682 )	2025-04-04 19:13:55 +00:00
Maria Ines Parnisari	b9b27fce42	chore: update Docker lib (#8681 )	2025-04-04 17:55:17 +00:00
Nikita Pivkin	bfa99d26fa	refactor(misconf): remove unused terraform attribute methods (#8657 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-04-03 00:25:13 +00:00
Nikita Pivkin	890a360244	feat(misconf): add option to pass Rego scanner to IaC scanner (#8369 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> Co-authored-by: Simar <simar@linux.com>	2025-04-02 22:20:23 +00:00
Drew Hudson-Viles	ad1c37984e	chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643 )	2025-03-31 05:19:38 +00:00
simar7	dd28d4e238	docs: Add info about helm charts release (#8640 )	2025-03-29 04:53:46 +00:00
Aqua Security automated builds	1d42969518	ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638 ) Co-authored-by: GitHub Actions <actions@github.com>	2025-03-28 07:47:51 +00:00
Aqua Security automated builds	7f41822d4f	release: v0.61.0 [main] (#8507 )	2025-03-28 06:30:43 +00:00
simar7	5b7704d1d0	fix(misconf): Improve logging for unsupported checks (#8634 )	2025-03-28 05:20:57 +00:00
afdesk	1bf0117f77	feat(k8s): add support for controllers (#8614 )	2025-03-27 20:58:14 +00:00
DmitriyLewen	346f5b3553	fix(debian): don't include empty licenses for `dpkgs` (#8623 )	2025-03-27 20:50:59 +00:00
simar7	ad58cf4457	fix(misconf): Check values wholly prior to evalution (#8604 )	2025-03-27 07:19:31 +00:00
simar7	c76764ef5d	chore(deps): Bump trivy-checks (#8619 )	2025-03-27 07:11:45 +00:00
DmitriyLewen	dbb6f28871	fix(k8s): show report for `--report all` (#8613 )	2025-03-27 06:01:50 +00:00
dependabot[bot]	548a340075	chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-27 02:03:24 +00:00
Teppei Fukuda	c80310d769	refactor: rename scanner to service (#8584 )	2025-03-23 23:47:03 +00:00
Nikita Pivkin	de7eb13938	fix(misconf): do not skip loading documents from subdirectories (#8526 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-22 06:01:04 +00:00
Nikita Pivkin	f07030daf2	refactor(misconf): get a block or attribute without calling HasChild (#8586 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-22 02:48:34 +00:00
Nikita Pivkin	ba77dbe5f9	fix(misconf): identify the chart file exactly by name (#8590 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-22 01:07:41 +00:00
Nikita Pivkin	7bafdcaaf9	test: use table-driven tests in Helm scanner tests (#8592 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: Simar <simar@linux.com>	2025-03-22 00:49:36 +00:00
simar7	68b164ddf4	refactor(misconf): Simplify misconfig checks bundle parsing (#8533 )	2025-03-21 22:38:26 +00:00
dependabot[bot]	8e1019d82c	chore(deps): bump the common group across 1 directory with 10 updates (#8566 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-20 13:58:42 +00:00
Nikita Pivkin	400a79c2c6	fix(misconf): do not use cty.NilVal for non-nil values (#8567 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-19 19:19:39 +00:00
Teppei Fukuda	fe400ea55f	docs(cli): improve flag value display format (#8560 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2025-03-18 09:30:53 +00:00
Nikita Pivkin	1f05b4545d	fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-17 20:13:42 +00:00
Itay Shakury	6973da6f5e	docs: remove slack (#8565 )	2025-03-17 12:43:59 +00:00
DmitriyLewen	8b88238f07	fix: use `--file-patterns` flag for all post analyzers (#7365 )	2025-03-17 10:12:10 +00:00
Konstantin Gukov	e8c32dedaa	docs(python): Mention pip-compile (#8484 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2025-03-17 02:45:01 +00:00
Nikita Pivkin	9913465a53	feat(misconf): adapt aws_opensearch_domain (#8550 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-15 05:49:04 +00:00
Nikita Pivkin	0d9865f48f	feat(misconf): adapt AWS::EC2::VPC (#8534 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-14 04:52:05 +00:00
Teppei Fukuda	9bedd989a9	docs: fix a broken link (#8546 )	2025-03-13 12:07:11 +00:00
DmitriyLewen	c22830766e	fix(fs): check postAnalyzers for StaticPaths (#8543 )	2025-03-13 11:36:24 +00:00
Nikita Pivkin	126d6cd033	refactor(misconf): remove unused methods for ec2.Instance (#8536 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-13 06:43:38 +00:00
Nikita Pivkin	b57eccb09c	feat(misconf): adapt aws_default_security_group (#8538 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-13 06:42:30 +00:00
Teppei Fukuda	8bf6caf98e	feat(fs): optimize scanning performance by direct file access for known paths (#8525 )	2025-03-13 04:29:42 +00:00
Nikita Pivkin	8112cdf8d6	feat(misconf): adapt AWS::DynamoDB::Table (#8529 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-11 21:21:14 +00:00
Asgeir Storesund Nilsen	124e161669	style: Fix MD syntax in self-hosting.md (#8523 )	2025-03-11 07:17:05 +00:00
Nikita Pivkin	7b96351c32	perf(misconf): retrieve check metadata from annotations once (#8478 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-11 04:52:56 +00:00
simar7	573502e2e8	feat(misconf): Add support for aws_ami (#8499 ) Signed-off-by: Simar <simar@linux.com> Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-11 03:26:25 +00:00
Nikita Pivkin	c7814f1401	fix(misconf): skip Azure CreateUiDefinition (#8503 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-11 00:45:15 +00:00
Nikita Pivkin	19e2c10e89	refactor(misconf): use OPA v1 (#8518 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-11 00:36:13 +00:00
Nikita Pivkin	41512f846e	fix(misconf): add ephemeral block type to config schema (#8513 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-11 00:23:41 +00:00
Nikita Pivkin	0e5e909765	perf(misconf): parse input for Rego once (#8483 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-08 07:49:24 +00:00
Teppei Fukuda	529957eac1	feat: replace TinyGo with standard Go for WebAssembly modules (#8496 )	2025-03-07 10:10:15 +00:00
Teppei Fukuda	fe09410ed4	chore: replace deprecated tenv linter with usetesting (#8504 )	2025-03-06 12:26:20 +00:00
DmitriyLewen	e5072f1eef	fix(spdx): save text licenses into `otherLicenses` without normalize (#8502 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2025-03-06 11:52:01 +00:00
dependabot[bot]	a93056133b	chore(deps): bump the common group across 1 directory with 13 updates (#8491 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-06 06:02:34 +00:00
Teppei Fukuda	463b11731c	chore: use go.mod for managing Go tools (#8493 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2025-03-05 11:57:29 +00:00
Aqua Security automated builds	2998dcdf07	ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494 ) Co-authored-by: GitHub Actions <actions@github.com>	2025-03-05 11:01:13 +00:00
Aqua Security automated builds	a4009f62fd	release: v0.60.0 [main] (#8327 )	2025-03-05 09:45:10 +00:00
DmitriyLewen	85cca8c07a	fix(sbom): improve logic for binding direct dependency to parent component (#8489 )	2025-03-05 09:08:46 +00:00
DmitriyLewen	9892d040bc	chore(deps): remove missed replace of `trivy-db` (#8492 )	2025-03-05 07:48:17 +00:00
dependabot[bot]	8a89b2b759	chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-05 07:39:44 +00:00
Teppei Fukuda	57b08d62de	chore(deps): update Go to 1.24 and switch to go-version-file (#8388 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2025-03-05 06:40:42 +00:00
Teppei Fukuda	453c66dd30	docs: add abbreviation list (#8453 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2025-03-05 03:14:44 +00:00
Steven Masley	f670602091	chore(terraform): assign *terraform.Module 'parent' field (#8444 )	2025-03-05 02:23:09 +00:00
Teppei Fukuda	dd54f80d3f	feat: add report summary table (#8177 ) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>	2025-03-04 09:26:06 +00:00
dependabot[bot]	ab1cf03a9d	chore(deps): bump the github-actions group with 3 updates (#8473 ) Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-04 03:28:23 +00:00
Teppei Fukuda	1f85b27773	refactor(vex): improve SBOM reference handling with project standards (#8457 )	2025-03-03 12:57:13 +00:00
Teppei Fukuda	da0b8760e5	ci: update GitHub Actions cache to v4 (#8475 )	2025-03-03 12:52:54 +00:00
DmitriyLewen	d464807321	feat: add `--vuln-severity-source` flag (#8269 )	2025-03-03 10:59:30 +00:00
afdesk	6b4cebe959	fix(os): add mapping OS aliases (#8466 )	2025-03-03 10:04:51 +00:00
dependabot[bot]	af1ea64f73	chore(deps): bump the aws group across 1 directory with 7 updates (#8468 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-03 10:03:23 +00:00
simar7	09cdae6639	chore(deps): Bump trivy-checks to v1.7.1 (#8467 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-03-03 06:03:16 +00:00
DmitriyLewen	3d3a3d6f19	refactor(report): write tables after rendering all results (#8357 )	2025-03-02 11:02:36 +00:00
Thomas Grininger	036ab75434	docs: update VEX documentation index page (#8458 )	2025-02-28 10:13:17 +00:00
DmitriyLewen	bb3cca6018	fix(db): fix case when 2 trivy-db were copied at the same time (#8452 )	2025-02-28 10:11:27 +00:00
Nikita Pivkin	a99498cdd9	feat(misconf): render causes for Terraform (#8360 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-02-28 07:01:01 +00:00
Nikita Pivkin	a994453a7d	fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-02-27 19:36:42 +00:00
Thomas Grininger	4820eb70fc	feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254 )	2025-02-27 07:21:09 +00:00
Tom Fay	3840d90f85	chore(deps): update go-rustaudit location (#8450 ) Signed-off-by: Tom Fay <tom@teamfay.co.uk>	2025-02-27 03:03:33 +00:00
Itay Shakury	49456ba841	fix: update all documentation links (#8045 ) Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>	2025-02-26 10:41:46 +00:00
dependabot[bot]	b3521e87b2	chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-02-26 06:33:37 +00:00
dependabot[bot]	50364b836f	chore(deps): bump the common group with 6 updates (#8411 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-02-25 10:36:26 +00:00
afdesk	f987e41574	fix(k8s): add missed option `PkgRelationships` (#8442 )	2025-02-24 23:34:18 +00:00
DmitriyLewen	ecc01bb3fb	fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2025-02-24 11:28:20 +00:00
Maksim Nabokikh	e58dcfcf9f	feat(go): fix parsing main module version for go >= 1.24 (#8433 ) Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>	2025-02-24 11:22:13 +00:00
Nikita Pivkin	9c609c44a3	refactor(misconf): make Rego scanner independent of config type (#7517 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-02-21 22:56:12 +00:00
Nikita Pivkin	a3cd693a5e	fix(image): disable AVD-DS-0007 for history scanning (#8366 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-02-21 19:56:53 +00:00
iamtraining	a1c4bd746f	fix(server): secrets inspectation for the config analyzer in client server mode (#8418 )	2025-02-19 09:31:44 +00:00
Teppei Fukuda	613fc71347	chore: remove mockery (#8417 )	2025-02-18 12:52:53 +00:00
Teppei Fukuda	e9b3f0b79c	test(server): replace mock driver with memory cache in server tests (#8416 )	2025-02-18 07:28:11 +00:00
Teppei Fukuda	10b812710b	test: replace mock with memory cache and fix non-deterministic tests (#8410 )	2025-02-18 05:56:49 +00:00
Teppei Fukuda	5ed6fc67f5	test: replace mock with memory cache in scanner tests (#8413 )	2025-02-18 04:50:54 +00:00
Teppei Fukuda	24d0e2bf2d	test: use memory cache (#8403 ) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>	2025-02-17 07:15:32 +00:00
DmitriyLewen	72ea4b0632	fix(spdx): init `pkgFilePaths` map for all formats (#8380 )	2025-02-17 07:10:22 +00:00
dependabot[bot]	9637286de4	chore(deps): bump the common group across 1 directory with 11 updates (#8381 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-02-17 07:09:36 +00:00
Florian Heberl	a3a68c610f	docs: correct Ruby documentation (#8402 )	2025-02-14 10:33:47 +00:00
DmitriyLewen	3e503a0cc2	chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390 )	2025-02-14 07:00:18 +00:00
DmitriyLewen	8715e5d14a	fix: don't use `scope` for `trivy registry login` command (#8393 )	2025-02-13 11:44:16 +00:00
DmitriyLewen	b675b06e89	fix(go): merge nested flags into string for ldflags for Go binaries (#8368 )	2025-02-13 08:16:14 +00:00
Steven Masley	f9c5043dee	chore(terraform): export module path on terraform modules (#8374 )	2025-02-11 05:33:52 +00:00
Steven Masley	398620b471	fix(terraform): apply parser options to submodule parsing (#8377 )	2025-02-11 05:31:39 +00:00
Greg M	02ebb4cb89	docs: Fix typos in documentation (#8361 )	2025-02-06 06:38:25 +00:00
Guspan Tanadi	7b10defaa8	docs: fix navigate links (#8336 )	2025-02-06 00:33:15 +00:00
Aqua Security automated builds	04c80a64af	ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354 ) Co-authored-by: afdesk <work@afdesk.com>	2025-02-05 10:06:50 +00:00
DmitriyLewen	f7b3f87dd5	ci(spdx): add `aqua-installer` step to fix `mage` error (#8353 )	2025-02-05 08:45:54 +00:00
Nikita Pivkin	ffa30235f0	chore: remove debug prints (#8347 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-02-04 12:57:08 +00:00
Nikita Pivkin	5695eb22df	fix(misconf): do not log scanners when misconfig scanning is disabled (#8345 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-02-04 10:44:39 +00:00
DmitriyLewen	3eb0b03f7c	fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344 )	2025-02-04 10:27:26 +00:00
DmitriyLewen	3e13633615	chore(deps): bump Go to `v1.23.5` (#8341 )	2025-02-04 06:12:45 +00:00
DmitriyLewen	10cd98cf55	fix(python): add `poetry` v2 support (#8323 ) Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-02-03 08:22:12 +00:00
dependabot[bot]	9b74384842	chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-02-03 05:54:06 +00:00
Michael Foley	39789fff43	fix(misconf): ecs include enhanced for container insights (#8326 ) Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>	2025-01-31 19:06:33 +00:00
Teppei Fukuda	bd5baaf930	fix(sbom): preserve OS packages from multiple SBOMs (#8325 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2025-01-31 12:04:24 +00:00
Aqua Security automated builds	1d5ab92c7c	ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311 ) Co-authored-by: GitHub Actions <actions@github.com>	2025-01-30 10:27:39 +00:00