release: v0.67.0 [main] (#9432)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>

.clang-format

@@ -1,5 +0,0 @@
----
-Language: Proto
-BasedOnStyle: Google
-AlignConsecutiveAssignments: true
-AlignConsecutiveDeclarations: true

.github/actions/trivy-triage/helpers.js

@@ -1,6 +1,11 @@
+const patterns = {
+    Scanner: /### Scanner\r?\n\r?\n(.+)/,
+    Target: /### Target\r?\n\r?\n(.+)/,
+};
+
 module.exports = {
     detectDiscussionLabels: (discussion, configDiscussionLabels) => {
-        res = [];
+        const res = [];
         const discussionId = discussion.id;
         const category = discussion.category.name;
         const body = discussion.body;
@@ -8,15 +13,21 @@ module.exports = {
             console.log(`skipping discussion with category ${category} and body ${body}`);
             return [];
         }
-        const scannerPattern = /### Scanner\n\n(.+)/;
-        const scannerFound = body.match(scannerPattern);
-        if (scannerFound && scannerFound.length > 1) {
-            res.push(configDiscussionLabels[scannerFound[1]]);
-        }
-        const targetPattern = /### Target\n\n(.+)/;
-        const targetFound = body.match(targetPattern);
-        if (targetFound && targetFound.length > 1) {
-            res.push(configDiscussionLabels[targetFound[1]]);
+
+        for (const key in patterns) {
+            const match = body.match(patterns[key]);
+            if (match && match.length > 1 && match[1] !== "None") {
+                const val = configDiscussionLabels[match[1]];
+                if (val === undefined && match[1]) {
+                    console.warn(
+                        `Value for ${key.toLowerCase()} key "${
+                            match[1]
+                        }" not found in configDiscussionLabels`
+                    );
+                } else {
+                    res.push(val);
+                }
+            }
         }
         return res;
     },

.github/actions/trivy-triage/helpers.test.js

@@ -62,6 +62,17 @@ describe('trivy-triage', async function() {
       assert(labels.includes('ContainerImageLabel'));
       assert(labels.includes('VulnerabilityLabel'));
     });
+    it('detect scanner and target labels on windows', async function() {
+      const discussion = {
+        body: 'hello hello\r\nbla bla.\r\n### Scanner\r\n\r\nVulnerability\r\n### Target\r\n\r\nContainer Image\r\nbye bye.',
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+      assert(labels.includes('VulnerabilityLabel'));
+    });
     it('not detect other labels', async function() {
       const discussion = {
         body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
@@ -73,6 +84,16 @@ describe('trivy-triage', async function() {
       assert(!labels.includes('FilesystemLabel'));
       assert(!labels.includes('MisconfigurationLabel'));
     });
+    it('ignores unmatched label values from body', async function() {
+      const discussion = {
+        body: '### Target\r\n\r\nNone\r\n\r\n### Scanner\r\n\r\nMisconfiguration', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert.deepStrictEqual(labels, ['MisconfigurationLabel']);
+    });
     it('process only relevant categories', async function() {
       const discussion = {
         body: 'hello world', 

.github/dependabot.yml

@@ -21,6 +21,8 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 3
     ignore:
       - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
     groups:

.github/workflows/auto-close-issue.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close issue if user does not have write or admin permissions
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             // Get the issue creator's username

.github/workflows/auto-ready-for-review.yaml

@@ -0,0 +1,138 @@
+name: Auto Ready for Review
+
+on:
+  workflow_run:
+    workflows: ["Test", "Validate PR Title"]
+    types: [completed]
+
+jobs:
+  auto-ready-for-review:
+    runs-on: ubuntu-24.04
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Get PR context
+        id: pr-context
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_BRANCH: |-
+            ${{
+              (github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login)
+                && format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch)
+                || github.event.workflow_run.head_branch
+            }}
+        run: |
+          echo "[INFO] Searching for PR with branch: ${PR_BRANCH}"
+          if gh pr view --repo "${{ github.repository }}" "${PR_BRANCH}" --json 'number' --jq '"number=\(.number)"' >> "${GITHUB_OUTPUT}"; then
+            echo "[INFO] PR found successfully"
+          else
+            echo "[INFO] No PR found for branch ${PR_BRANCH}, skipping"
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          fi
+          
+      - name: Check PR and all workflows status
+        if: steps.pr-context.outputs.skip != 'true'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const prNumber = ${{ steps.pr-context.outputs.number }};
+            console.log(`[INFO] Processing PR #${prNumber}`);
+            
+            // Get PR info
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: prNumber
+            });
+            
+            console.log(`[INFO] PR #${prNumber} - Draft: ${pr.draft}, Labels: ${pr.labels.map(l => l.name).join(', ')}`);
+            
+            // Check if PR has autoready label and is draft
+            const hasAutoreadyLabel = pr.labels.some(label => label.name === 'autoready');
+            
+            if (!pr.draft) {
+              console.log(`[INFO] PR #${prNumber} is not draft, skipping`);
+              return;
+            }
+            
+            if (!hasAutoreadyLabel) {
+              console.log(`[INFO] PR #${prNumber} doesn't have autoready label, skipping`);
+              return;
+            }
+            
+            // Get all workflow runs for this PR's head commit (head_sha)
+            const { data: workflowRuns } = await github.rest.actions.listWorkflowRunsForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head_sha: pr.head.sha,
+              per_page: 100
+            });
+            
+            console.log(`[INFO] Found ${workflowRuns.workflow_runs.length} workflow runs for PR #${prNumber}`);
+            
+            // Check workflow status
+            const runningWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.status === 'in_progress' || run.status === 'queued'
+            );
+            
+            const failedWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.conclusion === 'failure' || run.conclusion === 'cancelled'
+            );
+            
+            const successfulWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.conclusion === 'success'
+            );
+            
+            console.log(`[INFO] Workflow status - Running: ${runningWorkflows.length}, Failed: ${failedWorkflows.length}, Success: ${successfulWorkflows.length}`);
+            
+            if (runningWorkflows.length > 0) {
+              console.log(`[INFO] Some workflows are still running: ${runningWorkflows.map(w => w.name).join(', ')}`);
+              return;
+            }
+            
+            if (failedWorkflows.length > 0) {
+              console.log(`[INFO] Some workflows failed: ${failedWorkflows.map(w => w.name).join(', ')}`);
+              return;
+            }
+            
+            console.log(`[INFO] All workflows passed! Marking PR #${prNumber} as ready for review...`);
+            
+            // Mark PR as ready for review using GraphQL API
+            // Reference: https://github.com/orgs/community/discussions/70061
+            try {
+              const mutation = `
+                mutation MarkPullRequestReadyForReview($pullRequestId: ID!) {
+                  markPullRequestReadyForReview(input: { pullRequestId: $pullRequestId }) {
+                    pullRequest {
+                      id
+                      isDraft
+                      number
+                    }
+                  }
+                }
+              `;
+              
+              const updateResult = await github.graphql(mutation, {
+                pullRequestId: pr.node_id
+              });
+              
+              const isDraft = updateResult.markPullRequestReadyForReview.pullRequest.isDraft;
+              console.log(`[SUCCESS] PR #${prNumber} marked as ready for review. Draft status: ${isDraft}`);
+            } catch (error) {
+              console.log(`[ERROR] Failed to mark PR #${prNumber} as ready for review: ${error.message}`);
+              console.log(`[ERROR] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
+              return;
+            }
+            
+            // Remove autoready label
+            try {
+              const labelResult = await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                name: 'autoready'
+              });
+              console.log(`[SUCCESS] autoready label removed from PR #${prNumber}. Status: ${labelResult.status}`);
+            } catch (error) {
+              console.log(`[WARNING] Could not remove autoready label from PR #${prNumber}: ${error.message}`);
+              console.log(`[WARNING] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
+            }

.github/workflows/auto-update-labels.yaml

@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false

.github/workflows/backport.yaml

@@ -16,7 +16,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+          PERMISSION=$(gh api /repos/$GITHUB_REPOSITORY/collaborators/$GITHUB_ACTOR/permission --jq '.permission')
           if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
            echo "is_maintainer=true" >> $GITHUB_OUTPUT
           else
@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -53,8 +53,9 @@ jobs:
           git config --global user.name "GitHub Actions"
 
       - name: Run backport script
-        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
         env:
           # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
           # This allows the created PR to trigger tests and other workflows
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: ./misc/backport/backport.sh "$BRANCH_NAME" "$ISSUE_NUMBER"

.github/workflows/cache-test-assets.yaml

@@ -1,7 +1,12 @@
-name: Cache test images
+name: Cache test assets
+# This workflow runs on the main branch to create caches that can be accessed by PRs.
+# GitHub Actions cache isolation restricts access:
+# - PRs can only restore caches from: current branch, base branch, and default branch (main)
+# - PRs cannot restore caches from sibling branches or other PR branches
+# - By creating caches on the main branch, all PRs can benefit from shared cache
 on:
-  schedule:
-    - cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
+  push:
+    branches: [main]
   workflow_dispatch:
 
 jobs:
@@ -10,10 +15,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -22,7 +27,6 @@ jobs:
         run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
-        if: github.ref_name == 'main'
         id: image-digest
         run: |
           source integration/testimages.ini
@@ -30,16 +34,13 @@ jobs:
           DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
-      ## We need to work with test image cache only for main branch
       - name: Restore and save test images cache
-        if: github.ref_name == 'main'
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/images
           key: cache-test-images-${{ steps.image-digest.outputs.digest }}
 
       - name: Download test images
-        if: github.ref_name == 'main'
         run: mage test:fixtureContainerImages
 
   test-vm-images:
@@ -47,10 +48,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -59,7 +60,6 @@ jobs:
         run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
-        if: github.ref_name == 'main'
         id: image-digest
         run: |
           source integration/testimages.ini
@@ -67,14 +67,32 @@ jobs:
           DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
-      ## We need to work with test VM image cache only for main branch
       - name: Restore and save test VM images cache
-        if: github.ref_name == 'main'
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/vm-images
           key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
 
       - name: Download test VM images
-        if: github.ref_name == 'main'
-        run: mage test:fixtureVMImages
+        run: mage test:fixtureVMImages
+
+  lint-cache:
+    name: Cache lint results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Run golangci-lint for caching
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        with:
+          version: v2.4
+          args: --verbose
+        env:
+          GOEXPERIMENT: jsonv2

.github/workflows/canary.yaml

@@ -25,36 +25,43 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: dist/
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}
 
         # Upload artifacts
       - name: Upload artifacts (trivy_Linux-64bit)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_Linux-64bit
           path: dist/trivy_*_Linux-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_Linux-ARM64)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_Linux-ARM64
           path: dist/trivy_*_Linux-ARM64.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-64bit)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_macOS-64bit
           path: dist/trivy_*_macOS-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-ARM64)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_macOS-ARM64
           path: dist/trivy_*_macOS-ARM64.tar.gz
-          if-no-files-found: error
+          if-no-files-found: error
+
+      - name: Delete cache after upload
+        run: |
+          gh cache delete "$CACHE_KEY" --repo "${{ github.repository }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CACHE_KEY: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}

.github/workflows/mkdocs-dev.yaml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -25,23 +25,23 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: v3.14.4
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.x'
           check-latest: true
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -61,7 +61,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Install chart-releaser

.github/workflows/release-please.yaml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Release Please
         id: release
-        uses: googleapis/release-please-action@v4
+        uses: googleapis/release-please-action@c2a5a2bd6a758a0937f1ddb1e8950609867ed15c # v4.3.0
         with:
           token: ${{ secrets.ORG_REPO_TOKEN }}
           target-branch: ${{ github.ref_name }}
@@ -56,7 +56,7 @@ jobs:
 
       - name: Tag release
         if: ${{ steps.extract_info.outputs.version }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
           script: |
@@ -70,7 +70,7 @@ jobs:
       # When v0.50.0 is released, a release branch "release/v0.50" is created.
       - name: Create release branch for patch versions
         if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
           script: |
@@ -98,7 +98,7 @@ jobs:
       # cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
       - name: Remove the label from PR
         if: ${{ steps.extract_info.outputs.pr_number }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/release.yaml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
           sudo apt-get -y install rpm reprepro createrepo-c distro-info
 
       - name: Checkout trivy-repo
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -72,9 +72,10 @@ jobs:
           git config --global user.name "GitHub Actions"
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
+          cache: false
 
       - name: Install Go tools
         run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -85,3 +86,43 @@ jobs:
           # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
           # This allows the created PR to trigger tests and other workflows
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+  # `trigger-version-update` triggers the `update_version` workflow in the `trivy-telemetry` repository
+  # and the trivy-downloads repository.
+  trigger-version-update:
+    needs: deploy-packages
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Trigger update_version workflow in trivy-telemetry
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run update_version.yml \
+            --repo ${{ github.repository_owner }}/trivy-telemetry \
+            --ref main \
+            --field version=${{ github.ref_name }}
+
+      - name: Trigger update_version workflow in trivy-downloads
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run update_version.yml \
+            --repo ${{ github.repository_owner }}/trivy-downloads \
+            --ref main \
+            --field version=${{ github.ref_name }} \
+            --field artifact=trivy
+
+      - name: Trigger version update and release workflow in trivy-chocolatey
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run release.yml \
+            --repo ${{ github.repository_owner }}/trivy-chocolatey \
+            --ref main \
+            --field version=${{ github.ref_name }}

.github/workflows/reusable-release.yaml

@@ -27,51 +27,51 @@ jobs:
       contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Cosign install
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Show available Docker Buildx platforms
         run: echo ${{ steps.buildx.outputs.platforms }}
 
       - name: Login to docker.io registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to ghcr.io registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ env.GH_USER }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to ECR
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
 
       - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
         with:
           args: mod -licenses -json -output bom.json
           version: ^v1
@@ -88,7 +88,7 @@ jobs:
           mkdir tmp    
 
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: v2.1.0
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -107,7 +107,7 @@ jobs:
       # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
       - name: Build and push
         if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           platforms: linux/amd64, linux/arm64
           file: ./Dockerfile.canary # path to Dockerfile
@@ -119,7 +119,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/roadmap.yaml

@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/backlog
           label-operator: AND
         id: add-backlog-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-backlog-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -28,14 +28,14 @@ jobs:
           field-values: Backlog
 
       # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/important-longterm
           label-operator: AND
         id: add-longterm-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-longterm-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -45,14 +45,14 @@ jobs:
           field-values: Important (long-term)
 
       # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/important-soon
           label-operator: AND
         id: add-soon-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-soon-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -62,14 +62,14 @@ jobs:
           field-values: Important (soon)
 
       # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/critical-urgent
           label-operator: AND
         id: add-urgent-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-urgent-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25

.github/workflows/scan.yaml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Trivy vulnerability scanner and create GitHub issues
-        uses: knqyf263/trivy-issue-action@v0.0.6
+        uses: knqyf263/trivy-issue-action@4466f52d1401b66dd2a2ab9e0c40cddc021829ec # v0.0.6
         with:
           assignee: knqyf263
           severity: CRITICAL

.github/workflows/semantic-pr.yaml

@@ -67,6 +67,8 @@ jobs:
             distroless
             windows
             minimos
+            rootio
+            seal
 
             # Languages
             ruby

.github/workflows/spdx-cron.yaml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
 
@@ -21,16 +21,17 @@ jobs:
         run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Check if SPDX exceptions are up-to-date
+        id: exceptions_check
         run: |
           mage spdx:updateLicenseExceptions
           if [ -n "$(git status --porcelain)" ]; then
             echo "Run 'mage spdx:updateLicenseExceptions' and push it"
-            exit 1
-          fi        
+            echo "send_notify=true" >> $GITHUB_OUTPUT
+          fi
 
       - name: Microsoft Teams Notification
-        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88
-        if: failure()
+        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88 # main
+        if: steps.exceptions_check.outputs.send_notify == 'true'
         with:
           webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
           needs: ${{ toJson(needs) }}

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'

.github/workflows/test-docs.yaml

@@ -10,11 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: 3.x
     - name: Install dependencies

.github/workflows/test.yaml

@@ -19,10 +19,10 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -38,10 +38,13 @@ jobs:
 
       - name: Lint
         id: lint
-        uses: golangci/golangci-lint-action@v7.0.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
-          version: v2.1
+          version: v2.4
           args: --verbose
+          skip-save-cache: true  # Restore cache from main branch but don't save new cache
+        env:
+          GOEXPERIMENT: jsonv2
         if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Check if linter failed
@@ -70,10 +73,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -90,7 +93,7 @@ jobs:
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Restore test images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/images
           key: cache-test-images-${{ steps.image-digest.outputs.digest }}
@@ -103,10 +106,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -122,10 +125,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -142,7 +145,7 @@ jobs:
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Restore test images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/images
           key: cache-test-images-${{ steps.image-digest.outputs.digest }}
@@ -157,10 +160,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: false
@@ -177,7 +180,7 @@ jobs:
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Restore test VM images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/vm-images
           key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
@@ -186,6 +189,25 @@ jobs:
         run: |
           mage test:vm
 
+  e2e-test:
+    name: E2E Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Run E2E tests
+        run: mage test:e2e
+
   build-test:
     name: Build Test
     runs-on: ${{ matrix.operating-system }}
@@ -196,10 +218,10 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
     - name: Checkout
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version-file: go.mod
         cache: false
@@ -217,7 +239,7 @@ jobs:
         fi
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
       with:
         version: v2.1.0
         args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

.github/workflows/triage.yaml

@@ -10,7 +10,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/trivy-triage
         with:
           discussion_num: ${{ github.event.inputs.discussion_num }}

.golangci.yaml

@@ -59,6 +59,9 @@ linters:
               recommendations:
                 - github.com/aquasecurity/go-version
               reason: "`aquasecurity/go-version` is designed for our use-cases"
+          - github.com/liamg/memoryfs:
+              recommendations:
+                - github.com/aquasecurity/trivy/pkg/mapfs
     gosec:
       excludes:
         - G101
@@ -193,7 +196,7 @@ linters:
     warn-unused: true
 
 run:
-  go: '1.24'
+  go: '1.25'
   timeout: 30m
 
 formatters:

.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.64.0"}
+{".":"0.67.0"}

CHANGELOG.md

@@ -1,5 +1,109 @@
 # Changelog
 
+## [0.67.0](https://github.com/aquasecurity/trivy/compare/v0.66.0...v0.67.0) (2025-09-30)
+
+
+### Features
+
+* add documentation URL for database lock errors ([#9531](https://github.com/aquasecurity/trivy/issues/9531)) ([eba48af](https://github.com/aquasecurity/trivy/commit/eba48afd583391cef346e45a176aa5a6d77b704f))
+* **cli:** change --list-all-pkgs default to true ([#9510](https://github.com/aquasecurity/trivy/issues/9510)) ([7b663d8](https://github.com/aquasecurity/trivy/commit/7b663d86ca65ee3eb332c857b77bfa18e6da56c4))
+* **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](https://github.com/aquasecurity/trivy/issues/9515)) ([42b3bf3](https://github.com/aquasecurity/trivy/commit/42b3bf37bb7d39139911843297c8b8ab3551c31a))
+* **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](https://github.com/aquasecurity/trivy/issues/9439)) ([aff03eb](https://github.com/aquasecurity/trivy/commit/aff03ebab2e7874dd997e20b4ec9962a41eae7bb))
+* **redhat:** add os-release detection for RHEL-based images ([#9458](https://github.com/aquasecurity/trivy/issues/9458)) ([cb25a07](https://github.com/aquasecurity/trivy/commit/cb25a074501c5cf48050fdf6a0ae7c85c4f385ea))
+* **sbom:** added support for CoreOS ([#9448](https://github.com/aquasecurity/trivy/issues/9448)) ([6d562a3](https://github.com/aquasecurity/trivy/commit/6d562a3b48926b6efd508e067e1059564173b270))
+* **seal:** add seal support ([#9370](https://github.com/aquasecurity/trivy/issues/9370)) ([e4af279](https://github.com/aquasecurity/trivy/commit/e4af279b29ed5b77ed1d62e31b232b1f9b92ef4f))
+
+
+### Bug Fixes
+
+* **aws:** use `BuildableClient` insead of `xhttp.Client` ([#9436](https://github.com/aquasecurity/trivy/issues/9436)) ([fa6f1bf](https://github.com/aquasecurity/trivy/commit/fa6f1bfecfb68c29ad4684a6fb5d86948c7d6887))
+* close file descriptors and pipes on error paths ([#9536](https://github.com/aquasecurity/trivy/issues/9536)) ([a4cbd6a](https://github.com/aquasecurity/trivy/commit/a4cbd6a1380b7b4dc650a312ec4e5bc47501f674))
+* **db:** Dowload database when missing but metadata still exists ([#9393](https://github.com/aquasecurity/trivy/issues/9393)) ([92ebc7e](https://github.com/aquasecurity/trivy/commit/92ebc7e4d72424c17d93c54e5f24891710c85a60))
+* **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](https://github.com/aquasecurity/trivy/issues/9534)) ([c0c7a6b](https://github.com/aquasecurity/trivy/commit/c0c7a6bf1b92c868ed44172b3cd15c51667b8a6e))
+* **misconf:** handle tofu files in module detection ([#9486](https://github.com/aquasecurity/trivy/issues/9486)) ([bfd2f6b](https://github.com/aquasecurity/trivy/commit/bfd2f6ba697c223d60a7378283293d8e1fc8a8fe))
+* **misconf:** strip build metadata suffixes from image history ([#9498](https://github.com/aquasecurity/trivy/issues/9498)) ([c938806](https://github.com/aquasecurity/trivy/commit/c9388069a4325a9f8bc53bc8a82ff46d84d06847))
+* **misconf:** unmark cty values before access ([#9495](https://github.com/aquasecurity/trivy/issues/9495)) ([8e40d27](https://github.com/aquasecurity/trivy/commit/8e40d27a43ecb96795a8a7d4a2444241fc7fce9a))
+* **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](https://github.com/aquasecurity/trivy/issues/9497)) ([267a970](https://github.com/aquasecurity/trivy/commit/267a9700fa233abe1a04eada8f3ea513f3ebacb3))
+* **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](https://github.com/aquasecurity/trivy/issues/9518)) ([404abb3](https://github.com/aquasecurity/trivy/commit/404abb3d91cb3b1c1ee027169de5a40e32ba8b8a))
+* **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](https://github.com/aquasecurity/trivy/issues/9330)) ([4517e8c](https://github.com/aquasecurity/trivy/commit/4517e8c0ef5e942b8e2e498729257374634ffbf8))
+* **vex:** don't  suppress vulns for packages with infinity loop ([#9465](https://github.com/aquasecurity/trivy/issues/9465)) ([78f0d4a](https://github.com/aquasecurity/trivy/commit/78f0d4ae0378f81940a5faa6497e6905cb5d034a))
+* **vuln:** compare `nuget` package names in lower case ([#9456](https://github.com/aquasecurity/trivy/issues/9456)) ([1ff9ac7](https://github.com/aquasecurity/trivy/commit/1ff9ac79488e0d4deab4226f1a969676a9851cdb))
+
+## [0.66.0](https://github.com/aquasecurity/trivy/compare/v0.65.0...v0.66.0) (2025-09-02)
+
+
+### Features
+
+* add timeout handling for cache database operations ([#9307](https://github.com/aquasecurity/trivy/issues/9307)) ([235c24e](https://github.com/aquasecurity/trivy/commit/235c24e71a546b6196f7264fced2d02d836e3f85))
+* **misconf:** added audit config attribute ([#9249](https://github.com/aquasecurity/trivy/issues/9249)) ([4d4a244](https://github.com/aquasecurity/trivy/commit/4d4a2444b692512aca137dcbd367ff224fe25597))
+* **secret:** implement streaming secret scanner with byte offset tracking ([#9264](https://github.com/aquasecurity/trivy/issues/9264)) ([5a5e097](https://github.com/aquasecurity/trivy/commit/5a5e0972c72e629ddf2915ef066d632d58b8d3b0))
+* **terraform:** use .terraform cache for remote modules in plan scanning ([#9277](https://github.com/aquasecurity/trivy/issues/9277)) ([298a994](https://github.com/aquasecurity/trivy/commit/298a9941f098d2701b9524a703b9f9b1b9451785))
+
+
+### Bug Fixes
+
+* **conda:** memory leak by adding closure method for `package.json` file ([#9349](https://github.com/aquasecurity/trivy/issues/9349)) ([03d039f](https://github.com/aquasecurity/trivy/commit/03d039f17d94cf668152e83d0cf9dabf3b27d3dd))
+* create temp file under composite fs dir ([#9387](https://github.com/aquasecurity/trivy/issues/9387)) ([ce22f54](https://github.com/aquasecurity/trivy/commit/ce22f54a39a1abac08fa3ad540697c668792bf50))
+* **cyclonedx:** handle multiple license types ([#9378](https://github.com/aquasecurity/trivy/issues/9378)) ([46ab76a](https://github.com/aquasecurity/trivy/commit/46ab76a5af828c98cf93fc988ed6a405b7b07392))
+* **fs:** avoid shadowing errors in file.glob ([#9286](https://github.com/aquasecurity/trivy/issues/9286)) ([b51c789](https://github.com/aquasecurity/trivy/commit/b51c789330141d634a9b14bd10994c997862940f))
+* **image:** use standardized HTTP client for ECR authentication ([#9322](https://github.com/aquasecurity/trivy/issues/9322)) ([84fbf86](https://github.com/aquasecurity/trivy/commit/84fbf8674dfc0f91d8795a50bafa6041cce83ba2))
+* **misconf:** ensure ignore rules respect subdirectory chart paths ([#9324](https://github.com/aquasecurity/trivy/issues/9324)) ([d3cd101](https://github.com/aquasecurity/trivy/commit/d3cd101266eb7bf9b8ffe5899765efa7bd1abe30))
+* **misconf:** ensure module source is known ([#9404](https://github.com/aquasecurity/trivy/issues/9404)) ([81d9425](https://github.com/aquasecurity/trivy/commit/81d94253c8bc816ad932f7e0c0b8907e1cd759bb))
+* **misconf:** preserve original paths of remote submodules from .terraform ([#9294](https://github.com/aquasecurity/trivy/issues/9294)) ([1319d8d](https://github.com/aquasecurity/trivy/commit/1319d8dc7f4796177876af18f0e13ba1f7086348))
+* **misconf:** use correct field log_bucket instead of target_bucket in gcp bucket ([#9296](https://github.com/aquasecurity/trivy/issues/9296)) ([04ad0c4](https://github.com/aquasecurity/trivy/commit/04ad0c4fc2926a92e9e9ec11bb8eae826ed95827))
+* persistent flag option typo ([#9374](https://github.com/aquasecurity/trivy/issues/9374)) ([6e99dd3](https://github.com/aquasecurity/trivy/commit/6e99dd304c7fad8213489039e7ca42909383b5ff))
+* **plugin:** don't remove plugins when updating index.yaml file ([#9358](https://github.com/aquasecurity/trivy/issues/9358)) ([5f067ac](https://github.com/aquasecurity/trivy/commit/5f067ac15e5c609283bef26a211746a279b6b5d0))
+* **python:** impove package name normalization  ([#9290](https://github.com/aquasecurity/trivy/issues/9290)) ([1473e88](https://github.com/aquasecurity/trivy/commit/1473e88b74ca269691de7827e045703612b90050))
+* **repo:** preserve RepoMetadata on FS cache hit ([#9389](https://github.com/aquasecurity/trivy/issues/9389)) ([4f2a44e](https://github.com/aquasecurity/trivy/commit/4f2a44ea45bed1e842bb2072077da67ec7e744ac))
+* **repo:** sanitize git repo URL before inserting into report metadata ([#9391](https://github.com/aquasecurity/trivy/issues/9391)) ([1ac9b1f](https://github.com/aquasecurity/trivy/commit/1ac9b1f07cea429cc122bf9721e8909c649549cf))
+* **sbom:** add support for `file` component type of `CycloneDX` ([#9372](https://github.com/aquasecurity/trivy/issues/9372)) ([aa7cf43](https://github.com/aquasecurity/trivy/commit/aa7cf4387c5e82c1f629ac14cd6a35b48fc95983))
+* suppress debug log for context cancellation errors ([#9298](https://github.com/aquasecurity/trivy/issues/9298)) ([2458d5e](https://github.com/aquasecurity/trivy/commit/2458d5e28a54da9adec0b36f6b1e6bd4f15a72ce))
+
+## [0.65.0](https://github.com/aquasecurity/trivy/compare/v0.64.0...v0.65.0) (2025-07-30)
+
+
+### Features
+
+* add graceful shutdown with signal handling ([#9242](https://github.com/aquasecurity/trivy/issues/9242)) ([2c05882](https://github.com/aquasecurity/trivy/commit/2c05882f45071928c14d8212ef6c4f0f7048245d))
+* add HTTP request/response tracing support ([#9125](https://github.com/aquasecurity/trivy/issues/9125)) ([aa5b32a](https://github.com/aquasecurity/trivy/commit/aa5b32a19f4d61d0df72c11fd314c5a0b7284202))
+* **alma:** add AlmaLinux 10 support ([#9207](https://github.com/aquasecurity/trivy/issues/9207)) ([861d51e](https://github.com/aquasecurity/trivy/commit/861d51e99a45ee448f86fe195dedcaefb811c919))
+* **flag:** add schema validation for `--server` flag ([#9270](https://github.com/aquasecurity/trivy/issues/9270)) ([ed4640e](https://github.com/aquasecurity/trivy/commit/ed4640ec27f2575a50d7e6d516c9e2e45a59bb7f))
+* **image:** add Docker context resolution ([#9166](https://github.com/aquasecurity/trivy/issues/9166)) ([99cd4e7](https://github.com/aquasecurity/trivy/commit/99cd4e776c0c6cc689126e53fa86ee6333ba6277))
+* **license:** observe pkg types option in license scanner ([#9091](https://github.com/aquasecurity/trivy/issues/9091)) ([d44af8c](https://github.com/aquasecurity/trivy/commit/d44af8cfa21a145d14ca6e5e1ed4742d892f2dc5))
+* **misconf:** add private ip google access attribute to subnetwork ([#9199](https://github.com/aquasecurity/trivy/issues/9199)) ([263845c](https://github.com/aquasecurity/trivy/commit/263845cfc1419401f24adc8bc6316f3ea0caacad))
+* **misconf:** added logging and versioning to the gcp storage bucket ([#9226](https://github.com/aquasecurity/trivy/issues/9226)) ([110f80e](https://github.com/aquasecurity/trivy/commit/110f80ea29951863997dd5a1c48fe14eb81e230b))
+* **repo:** add git repository metadata to reports ([#9252](https://github.com/aquasecurity/trivy/issues/9252)) ([f4b2cf1](https://github.com/aquasecurity/trivy/commit/f4b2cf10e917d58c0840f789e083bd3f268a8af1))
+* **report:** add CVSS vectors in sarif report ([#9157](https://github.com/aquasecurity/trivy/issues/9157)) ([60723e6](https://github.com/aquasecurity/trivy/commit/60723e6cfce82ede2863cf545a189c581246f4e9))
+* **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#9126](https://github.com/aquasecurity/trivy/issues/9126)) ([12d6706](https://github.com/aquasecurity/trivy/commit/12d6706961423acb12430c8b3d986b4aa4671d04))
+
+
+### Bug Fixes
+
+* **alma:** parse epochs from rpmqa file ([#9101](https://github.com/aquasecurity/trivy/issues/9101)) ([82db2fc](https://github.com/aquasecurity/trivy/commit/82db2fcc8034c911cc7a67f5a82d2f081d9c1fdf))
+* also check `filepath` when removing duplicate packages ([#9142](https://github.com/aquasecurity/trivy/issues/9142)) ([4d10a81](https://github.com/aquasecurity/trivy/commit/4d10a815dde53f5e128366f1dd0837a1dc29c17b))
+* **aws:** update amazon linux 2 EOL date ([#9176](https://github.com/aquasecurity/trivy/issues/9176)) ([0ecfed6](https://github.com/aquasecurity/trivy/commit/0ecfed6ea75cfe33e0f436a9015ac72a679e754e))
+* **cli:** Add more non-sensitive flags to telemetry ([#9110](https://github.com/aquasecurity/trivy/issues/9110)) ([7041a39](https://github.com/aquasecurity/trivy/commit/7041a39bdcf21c5b3114137d9a931f529eac2566))
+* **cli:** ensure correct command is picked by telemetry ([#9260](https://github.com/aquasecurity/trivy/issues/9260)) ([b4ad00f](https://github.com/aquasecurity/trivy/commit/b4ad00f301a5fd7326060a567871c6f4a9711696))
+* **cli:** panic: attempt to get os.Args[1] when len(os.Args) < 2 ([#9206](https://github.com/aquasecurity/trivy/issues/9206)) ([adfa879](https://github.com/aquasecurity/trivy/commit/adfa879e4e8ab88f211222a13d2b89013ae9a853))
+* **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#9116](https://github.com/aquasecurity/trivy/issues/9116)) ([a692f29](https://github.com/aquasecurity/trivy/commit/a692f296d15f7241ba5ff082e4e69926b1c728a8))
+* **license:** handle WITH operator for `LaxSplitLicenses` ([#9232](https://github.com/aquasecurity/trivy/issues/9232)) ([b4193d0](https://github.com/aquasecurity/trivy/commit/b4193d0d31a167aafdcd9d9ccd89f3f124eef7ee))
+* migrate from `*.list` to `*.md5sums` files for `dpkg` ([#9131](https://github.com/aquasecurity/trivy/issues/9131)) ([f224de3](https://github.com/aquasecurity/trivy/commit/f224de3e39b08672212ec0f94660c36bef77bc30))
+* **misconf:** correctly adapt azure storage account ([#9138](https://github.com/aquasecurity/trivy/issues/9138)) ([51aa022](https://github.com/aquasecurity/trivy/commit/51aa0222604829706193eb2ff3a6886742bb42b4))
+* **misconf:** correctly parse empty port ranges in google_compute_firewall ([#9237](https://github.com/aquasecurity/trivy/issues/9237)) ([77bab7b](https://github.com/aquasecurity/trivy/commit/77bab7b6d25c712e2db7dc53956985c2721728e9))
+* **misconf:** fix log bucket in schema ([#9235](https://github.com/aquasecurity/trivy/issues/9235)) ([7ebc129](https://github.com/aquasecurity/trivy/commit/7ebc129ab726f3133d940708837b7edda2621105))
+* **misconf:** skip rewriting expr if attr is nil ([#9113](https://github.com/aquasecurity/trivy/issues/9113)) ([42ccd3d](https://github.com/aquasecurity/trivy/commit/42ccd3df9a7c838a99facb8248e1a68eaf47a999))
+* **nodejs:** don't use prerelease logic for compare npm constraints  ([#9208](https://github.com/aquasecurity/trivy/issues/9208)) ([fe96436](https://github.com/aquasecurity/trivy/commit/fe96436b99bae3bbfc7498d2ad222d4acccdfcf1))
+* prevent graceful shutdown message on normal exit ([#9244](https://github.com/aquasecurity/trivy/issues/9244)) ([6095984](https://github.com/aquasecurity/trivy/commit/6095984d5340633740204a7a40f002a5643802b9))
+* **rootio:** check full version to detect `root.io` packages ([#9117](https://github.com/aquasecurity/trivy/issues/9117)) ([c2ddd44](https://github.com/aquasecurity/trivy/commit/c2ddd44d98594a2066cb5b5acbb9ad2aaad8fd96))
+* **rootio:** fix severity selection ([#9181](https://github.com/aquasecurity/trivy/issues/9181)) ([6fafbeb](https://github.com/aquasecurity/trivy/commit/6fafbeb60609a020b47266743250ea847234cbbd))
+* **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#9194](https://github.com/aquasecurity/trivy/issues/9194)) ([aa944cc](https://github.com/aquasecurity/trivy/commit/aa944cc6da43e2035f74e9d842f487c0d2f993f4))
+* **sbom:** use correct field for licenses in CycloneDX reports ([#9057](https://github.com/aquasecurity/trivy/issues/9057)) ([143da88](https://github.com/aquasecurity/trivy/commit/143da88dd82dfbe204f4c2afe46af3b01701675d))
+* **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#9253](https://github.com/aquasecurity/trivy/issues/9253)) ([54832a7](https://github.com/aquasecurity/trivy/commit/54832a77b50e2da3a3ceacbb6ce1b13e45605cde))
+* **secret:** fix line numbers for multiple-line secrets ([#9104](https://github.com/aquasecurity/trivy/issues/9104)) ([e579746](https://github.com/aquasecurity/trivy/commit/e57974649e4a3a275b9cf02db191b3f6bf10340f))
+* **server:** add HTTP transport setup to server mode ([#9217](https://github.com/aquasecurity/trivy/issues/9217)) ([1163b04](https://github.com/aquasecurity/trivy/commit/1163b044c7e91a81bba3a862cc4a38e90182f0b4))
+* supporting .egg-info/METADATA in python.Packaging analyzer ([#9151](https://github.com/aquasecurity/trivy/issues/9151)) ([e306e2d](https://github.com/aquasecurity/trivy/commit/e306e2dc5275c0e75f056c8c7ee9ff9261c78e7f))
+* **terraform:** `for_each` on a map returns a resource for every key ([#9156](https://github.com/aquasecurity/trivy/issues/9156)) ([153318f](https://github.com/aquasecurity/trivy/commit/153318f65f7e5059bcc064bd2cd651cc720791a9))
+
 ## [0.64.0](https://github.com/aquasecurity/trivy/compare/v0.63.0...v0.64.0) (2025-06-30)
 
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,10 +1,10 @@
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser
 # need to copy binaries from folder with correct architecture
 # example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
-# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64 
+# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64
 ARG TARGETARCH
 COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.protoc

@@ -1,20 +0,0 @@
-FROM --platform=linux/amd64 golang:1.24
-
-# Set environment variable for protoc
-ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
-
-# Install unzip for protoc installation and clean up cache
-RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
-
-# Download and install protoc
-RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
-    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
-    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
-    && rm -f $PROTOC_ZIP
-
-# Install Go tools
-RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
-RUN go install github.com/magefile/mage@v1.15.0
-
-ENV TRIVY_PROTOC_CONTAINER=true

buf.gen.yaml

@@ -0,0 +1,13 @@
+version: v2
+plugins:
+  - remote: buf.build/protocolbuffers/go:v1.34.0
+    out: .
+    opt:
+      - paths=source_relative
+  # Using local protoc-gen-twirp since the remote twirp plugin is not available on buf.build
+  - local: protoc-gen-twirp
+    out: .
+    opt:
+      - paths=source_relative
+inputs:
+  - directory: .

buf.yaml

@@ -0,0 +1,10 @@
+version: v2
+modules:
+  - path: .
+    name: buf.build/aquasecurity/trivy
+lint:
+  use:
+    - STANDARD
+breaking:
+  use:
+    - FILE

ci/deploy-rpm.sh

@@ -16,7 +16,7 @@ function create_common_rpm_repo () {
 
                 mkdir -p $rpm_path/$arch
                 cp ../dist/*${prefix}.rpm ${rpm_path}/$arch/
-                createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
+                createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
                 rm ${rpm_path}/$arch/*${prefix}.rpm
         done
 }
@@ -28,7 +28,7 @@ function create_rpm_repo () {
         mkdir -p $rpm_path
         cp ../dist/*64bit.rpm ${rpm_path}/
 
-        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+        createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
 
         rm ${rpm_path}/*64bit.rpm
 }

cmd/trivy/main.go

@@ -41,6 +41,11 @@ func run() error {
 		return nil
 	}
 
-	app := commands.NewApp()
-	return app.Execute()
+	// Ensure cleanup on exit
+	defer commands.Cleanup()
+
+	// Set up signal handling for graceful shutdown
+	ctx := commands.NotifyContext(context.Background())
+
+	return commands.Run(ctx)
 }

docs/assets/css/_glass_v2.scss

@@ -0,0 +1,210 @@
+/* glass_v2 */
+
+.glass_v2 {
+	position: relative;
+	min-width: 100px;
+	min-height: 100px;
+	border-radius: 20px;
+	border: 1px solid rgba(#ffffff, 0.15);
+	padding: 2em;
+	background: 
+		linear-gradient(235deg, rgba($aq-royal-blue, 0.18), rgba($aq-royal-blue, 0) 33%), 
+		linear-gradient(45deg, rgba($aq-neon-blue, 0.18), rgba($aq-neon-blue, 0) 33%), 
+		linear-gradient(rgba($aq-trivy-dark, 0.45));
+	backdrop-filter: blur(12px);
+	box-shadow: 
+		rgba($aq-neon-blue, 0.08) 0px 8px 12px -6px, 
+		rgba($aq-neon-blue, 0.12) 0px 16px 24px -10px,
+		inset 0 1px 0 rgba($aq-royal-blue, 0.4),
+		inset 1px 0 0 rgba($aq-royal-blue, 0.3),
+		inset 0 0 0 0.5px rgba(#ffffff, 0.1);
+
+	//top-right shine effect
+	&::before {
+		content: "";
+		pointer-events: none;
+		position: absolute;
+		right: -1px;
+		top: -1px;
+		width: 50%;
+		height: 50%;
+		border-radius: 0;
+		border-top-right-radius: inherit;
+		border-bottom-left-radius: inherit;
+		border: 1px solid transparent;
+		z-index: 1;
+		background: conic-gradient(
+			from -45deg at center in oklch,
+			transparent 8%, 
+			rgba($aq-royal-blue, 0.5), 
+			transparent 45%
+		) border-box;
+		mask: 
+			linear-gradient(transparent), 
+			linear-gradient(black);
+		mask-repeat: no-repeat;
+		mask-clip: padding-box, border-box;
+		mask-composite: subtract;
+	}
+
+	//bottom-left shine effect
+	&::after {
+		content: "";
+		pointer-events: none;
+		position: absolute;
+		left: -1px;
+		bottom: -1px;
+		width: 25%;
+		height: 25%;
+		border-radius: 0;
+		border-top-right-radius: inherit;
+		border-bottom-left-radius: inherit;
+		border: 1px solid transparent;
+		z-index: 1;
+		background: conic-gradient(
+			from 135deg at center in oklch,
+			transparent 15%, 
+			rgba($aq-neon-blue, 0.15), 
+			transparent 30%
+		) border-box;
+		mask: 
+			linear-gradient(transparent), 
+			linear-gradient(black);
+		mask-repeat: no-repeat;
+		mask-clip: padding-box, border-box;
+		mask-composite: subtract;
+	}
+
+	.glow_topright {
+		pointer-events: none;
+		position: absolute;
+		right: -12px;
+		top: -12px;
+		width: 40%;
+		height: 40%;
+		border-top-right-radius: 20px;
+		border-bottom-left-radius: 20px;
+		border: 12px solid transparent;
+		opacity: 0.7;
+		filter: blur(8px) saturate(1.2) brightness(0.7);
+		mix-blend-mode: plus-lighter;
+		z-index: 3;
+
+		&::before {
+			content: "";
+			position: absolute;
+			inset: 0;
+			border: inherit;
+			border-radius: inherit;
+			background: conic-gradient(
+				from -45deg at center in oklch,
+				transparent 5%, 
+				rgba($aq-royal-blue, 0.4), 
+				transparent 40%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+
+		&::after {
+			content: "";
+			position: absolute;
+			inset: -3px;
+			border: 18px solid transparent;
+			border-radius: 25px;
+			z-index: 4;
+			opacity: 0.5;
+			background: conic-gradient(
+				from -45deg at center in oklch,
+				transparent 8%, 
+				rgba($aq-royal-blue, 0.6), 
+				transparent 35%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+	}
+
+	//bottom-left glow
+	.glow_bottomleft {
+		pointer-events: none;
+		position: absolute;
+		left: -4px;
+		bottom: -4px;
+		width: 20%;
+		height: 20%;
+		border-top-right-radius: 15px;
+		border-bottom-left-radius: 15px;
+		border: 4px solid transparent;
+		opacity: 0.2;
+		filter: blur(6px) saturate(1.0) brightness(0.4);
+		mix-blend-mode: plus-lighter;
+		z-index: 3;
+
+		&::before {
+			content: "";
+			position: absolute;
+			inset: 0;
+			border: inherit;
+			border-radius: inherit;
+			background: conic-gradient(
+				from 135deg at center in oklch,
+				transparent 12%, 
+				rgba($aq-neon-blue, 0.15), 
+				transparent 28%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+
+		&::after {
+			content: "";
+			position: absolute;
+			inset: -1px;
+			border: 6px solid transparent;
+			border-radius: 18px;
+			z-index: 4;
+			opacity: 0.15;
+			background: conic-gradient(
+				from 135deg at center in oklch,
+				transparent 15%, 
+				rgba($aq-neon-blue, 0.25), 
+				transparent 25%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+	} //glow_bottomleft
+
+
+&.light_glass {
+	background: 
+		linear-gradient(235deg, rgba(#ffffff, 0.6), rgba(#ffffff, 0.3) 33%),
+		linear-gradient(45deg, rgba(#ffffff, 0.7), rgba(#ffffff, 0.20) 33%),
+		linear-gradient(rgba(#ffffff, 0.25));
+
+	border: 1px solid rgba(#ffffff, 0.3);
+	color: $aq-blue-abyss;
+}
+
+
+
+
+
+} //glass_v2

docs/assets/css/_hubspot_form.scss

@@ -0,0 +1,47 @@
+/* hubspot_form_wrap */
+.hubspot_form_wrap {
+	padding-top:20px;padding-bottom:35px;position:relative;z-index:5;
+
+	* {
+		font-family: "Inter", sans-serif;
+	}
+}
+
+/* hubspot form styles */
+.hs-form .hs-form-field {text-align:left;}
+.hs-form .hs-form-required {opacity:0.5;padding-left:0.2em;}
+.hs-form label {font-size: 14px;font-weight: 400;}
+.hs-form input[type="text"],.hs-form input[type="password"], .hs-form input[type="datetime"], .hs-form input[type="datetime-local"], .hs-form input[type="date"], .hs-form input[type="month"], .hs-form input[type="time"], .hs-form input[type="week"], .hs-form input[type="number"], .hs-form input[type="email"], .hs-form input[type="url"], .hs-form input[type="search"], .hs-form input[type="tel"], .hs-form input[type="color"],.hs-form input[type="file"],.hs-form textarea,.hs-form select {width:100%;height:38px;padding:6px 10px;background-color:#fff;border:1px solid #D1D1D1 !important;border-radius:4px;box-shadow:none;box-sizing:border-box;}
+.hs-form input[type="file"] {border:0px;padding:0px;}
+.hs-form input[type="text"]:focus,.hs-form input[type="password"]:focus, .hs-form input[type="datetime"]:focus, .hs-form input[type="datetime-local"]:focus, .hs-form input[type="date"]:focus, .hs-form input[type="month"]:focus, .hs-form input[type="time"]:focus, .hs-form input[type="week"]:focus, .hs-form input[type="number"]:focus, .hs-form input[type="email"]:focus, .hs-form input[type="url"]:focus, .hs-form input[type="search"]:focus, .hs-form input[type="tel"]:focus, .hs-form input[type="color"]:focus,.hs-form input[type="file"]:focus,.hs-form textarea:focus,.hs-form select:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form textarea:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form input:focus:required:invalid:focus, 
+.hs-form textarea:focus:required:invalid:focus, 
+.hs-form select:focus:required:invalid:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form .hs-error-msgs {list-style-type:none;padding-left:0px;margin:5px 0 0 0;font-size: 14px;}
+.hs-form .hs-error-msgs label {color:$aq-coral-red;font-weight:normal;font-size:90%;}
+.hs-form .hs-recaptcha {margin-bottom: 20px;}
+::-webkit-input-placeholder {color:#999999;}
+:-moz-placeholder {color:#999999;}
+::-moz-placeholder {color:#999999;}
+:-ms-input-placeholder {color:#999999;}
+.hs-form fieldset.form-columns-0, .hs-form fieldset.form-columns-1, .hs-form fieldset.form-columns-2 {margin-bottom:0px;max-width:100%;}
+.hs-form fieldset.form-columns-3 {display:none;}
+.hs-form .field {margin-bottom:20px;}
+body .hs-form fieldset.form-columns-1 .hs-input {width:100%;}
+.hs-form .hs_submit {text-align:center;}
+.hs-form .hs-richtext {margin-bottom: 20px;}
+.hs-form .hs-richtext span {background-color: transparent !important;}
+.hs-form .hs-richtext a {color: $aq-neon-blue;}
+.hs-form .hs-recaptcha {visibility: hidden;position: absolute;}
+.hs-form .hs-fieldtype-textarea {min-height: 6em;}
+.hs-form .hs-field-desc {font-size: 14px;margin-bottom:10px;}
+.hs-button.primary {background-color:$aq-neon-blue;
+	border-color:$aq-neon-blue;
+	color:$aq-blue-abyss;-moz-user-select:none;background-image:none;border:1px solid rgba(0, 0, 0, 0);cursor:pointer;display:inline-block;font-weight:400;line-height:1.42857;margin-bottom:0;text-align:center;vertical-align:middle;white-space:nowrap;border-radius:4px;font-size:16px;padding:8px 15px;
+}
+
+/* ff fix */
+@-moz-document url-prefix() {
+	fieldset {display:table-cell;}
+}

docs/assets/css/_slick_slider.scss

@@ -89,7 +89,7 @@
 		height: 20px;
 		content: "";
 		background-color: transparent;
-		border: 2px solid $aq-sea-foam;
+		border: 2px solid $aq-neon-blue;
 		border-radius: 50%;
 		display: block;
 		opacity: 0.7;
@@ -103,7 +103,7 @@
 		width: 10px;
 		height: 10px;
 		content: "";
-		background-color: $aq-sea-foam;
+		background-color: $aq-neon-blue;
 		//border: 1px solid #666;
 		border-radius: 50%;
 		//box-shadow: inset 1px 1px 1px #888;

docs/assets/css/_trivy_homepage.scss

@@ -157,14 +157,14 @@
 					.page_title {
 						color: #ffffff;
 						font-weight: $weight-bold;
-						font-size: 48px; //3rem;
+						font-size: 48px; //3rem
 						line-height: 1.3;
 					}//page_title
 			
 					.page_subtitle {
 						color: #ffffff;
 						font-weight: $weight-normal;
-						font-size: 24px; //1.5rem;
+						font-size: 24px; //1.5rem
 						line-height: 1.3;
 						margin-bottom: 30px;
 					} //page_subtitle
@@ -179,11 +179,11 @@
 						width: 100%;
 
 						.page_title {
-							font-size: 32px; //2rem;
+							font-size: 32px; //2rem
 						}//page_title
 			
 						.page_subtitle {
-							font-size: 18px; //1.125rem;
+							font-size: 18px; //1.125rem
 						}//page_subtitle
 			
 					} //until tablet
@@ -194,7 +194,7 @@
 			} //header_title_wrap
 
 			@media screen and (min-width: $tablet), print { //769
-				padding: 48px 24px; //3rem 1.5rem;
+				padding: 48px 24px; //3rem 1.5rem
 			}
 		}
 
@@ -256,10 +256,10 @@
 
 
 	.community_title {
-		color: $aq-sea-foam;
-		font-size: 60px; //3.75rem;
+		color: $aq-neon-blue;
+		font-size: 60px; //3.75rem
 		font-weight: $weight-bold;
-		margin-bottom: 24px; ////1.5rem;
+		margin-bottom: 24px; //1.5rem
 		line-height: 1.2;
 		
 
@@ -267,8 +267,8 @@
 
 	.community_subtitle  {
 		color: #ffffff;
-		font-size: 26px; //1.625rem;
-		margin-bottom: 24px; ////1.5rem;
+		font-size: 26px; //1.625rem
+		margin-bottom: 24px; //1.5rem
 		
 
 	}
@@ -309,28 +309,28 @@
 				display: block;
 				position: relative;
 				color: #ffffff;
-				border: 1px solid rgba($aq-sea-foam,0.2);
-				background-color: rgba($aq-sea-foam,0.05);
+				border: 1px solid rgba($aq-neon-blue,0.2);
+				background-color: rgba($aq-neon-blue,0.05);
 				border-radius: 4px;
 				padding: 25px;
 
 				.quote_name {
-					font-size: 16px; //1rem;
+					font-size: 16px; //1rem
 					font-weight: $weight-semibold;
 				}
 
 				.quote_twitter_handle {
 					opacity: 0.6;
-					font-size: 13px; //0.8125rem;
+					font-size: 13px; //0.8125rem
 				}
 
 				.quote_company {
 					opacity: 0.6;
-					font-size: 13px; //0.8125rem;
+					font-size: 13px; //0.8125rem
 				}
 
 				.quote_text {
-					font-size: 16px; //1rem;
+					font-size: 16px; //1rem
 					font-weight: $weight-normal;
 					line-height: 1.3;
 				}
@@ -397,10 +397,10 @@
 	@media screen and (max-width: $tablet), print { //tablet
 
 		.community_title {
-			font-size: 32px; //2rem;
+			font-size: 32px; //2rem
 		}
 		.community_subtitle {
-			font-size: 18px; //1.125rem;
+			font-size: 18px; //1.125rem
 		}
 
 	} //until

docs/assets/css/_trivy_partners.scss

@@ -2,10 +2,99 @@
 .trivy_v1_homepage_wrap.partners_wrap {
 	position: relative;
 	z-index: 3;
+	background-color: $aq-trivy-dark;
+	color: #ffffff;
+	padding-bottom: 80px; //5rem
+
+	.generic_title {
+		color: #ffffff;
+	}
+
+
+	.section_title_wrap {
+		position: relative;
+		padding-bottom: $gap;
+		padding-top: $gap/2;
+		text-align: center;
+		z-index: 1;
+
+		.section_title, .section_subtitle {
+			position: relative;
+			z-index: 2;
+		}
+
+		.section_title_icon {
+			position: relative;
+			z-index: 2;
+			text-align: center;
+			
+			img {
+				display: block;
+				animation: float 3s ease-out infinite;
+				margin: 0px auto;
+			}
+			
+			&::after {
+				content: "";
+				position: relative;
+				margin: 30px auto 10px auto;
+				background-color: rgba(#ffffff,0.1);
+				width: 90px;
+				display: block;
+				height: 15px;
+				border-radius: 50%;
+				animation: shrink 3s ease-out infinite;
+				// transform-origin: center center;
+			}
+		}
+
+		@keyframes float {
+			50% {
+				transform: translate(0, 10px);
+			}
+		}
+
+
+		@keyframes shrink {
+		0% {
+			width: 80px;
+		}
+		50% {
+			width: 100px;
+		}
+		100% {
+			width: 80px;
+		}
+		}
+
+
+		.section_title_icon + .section_title {
+			margin-top: 0px;
+		}
+
+
+
+
+		&::before {
+			content: "";
+			position: absolute;
+			left: 20%;
+			width: 60%;
+			padding: 30% 0;
+			transform: translate(0, -70%) rotate(-45deg);
+			background: radial-gradient(circle at left bottom, rgba($aq-neon-blue, 0.5) 10%, rgba($aq-royal-blue, 0.4) 20%, rgba($aq-trivy-dark, 0) 60%);
+			filter: blur(40px);
+			z-index: 1;
+			pointer-events: none;
+
+		} //before
+
+
+	} //section_title_wrap
 
 	.partners_hero_wrap {
 		background-color: $aq-trivy-dark;
-		background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
+		background-image: radial-gradient(60vw at 50%, #031145 10%, $aq-trivy-dark 100%);
 		min-height: 500px;
 		position: relative;
 		z-index: 10;
@@ -63,8 +152,7 @@
 
 		
 		.hero-body {
-			padding: 80px 0px;
-			// border: 1px solid red;
+			// padding: 80px 0px;
 
 			.header_title_wrap.with_columns {
 
@@ -72,7 +160,6 @@
 				flex-direction: row;
 
 				@media screen and (max-width: $desktop) {
-
 					flex-direction: column;
 				}
 
@@ -83,17 +170,37 @@
 					position: relative;
 					z-index: 3;
 
-					&.partners_hero_stage_image {
+
+
+					.page_title {
+						font-size: 64px; //4rem
+						margin-bottom: 0px;
+					}
+
+					&.partners_hero_titles {
+						display: flex;
 						align-self: center;
-						align-content: center;
+						justify-content: center;
+						flex-direction: column;
+					}
+
+					&.partners_hero_stage_image {
+						display: flex;
+						align-self: center;
+						justify-content: center;
 						img {
 							max-width: 100%;
+							height: auto;
 						}
 					}
 
 
 					@media screen and (max-width: $widescreen), print {
 						width: 70%;
+
+						.page_title {
+							font-size: 48px; //3rem
+						}
 					} //until widescreen
 
 					@media screen and (max-width: $tablet), print { //769
@@ -101,11 +208,11 @@
 						width: 100%;
 
 						.page_title {
-							font-size: 32px; //2rem;
+							font-size: 32px; //2rem
 						}//page_title
 			
 						.page_subtitle {
-							font-size: 18px; //1.125rem;
+							font-size: 18px; //1.125rem
 						}//page_subtitle
 			
 					} //until tablet
@@ -116,7 +223,7 @@
 			} //header_title_wrap
 
 			@media screen and (min-width: $tablet), print { //769
-				padding: 48px 24px; //3rem 1.5rem;
+				padding: 24px;
 			}
 		}
 
@@ -126,7 +233,7 @@
 } //trivy_v1_homepage_wrap partners_wrap
 
 
-
+/* logos */
 .partners_logos_wrap {
 	background-color: $aq-trivy-dark;
 	padding: 50px 0px;
@@ -141,7 +248,7 @@
 		flex-direction: row;
 		justify-content: center;
 		align-items: center;
-		gap: 4rem;
+		gap: 64px; //4rem
 		flex-wrap: wrap;
 
 		.logo_item {
@@ -163,7 +270,7 @@
 
 		@media screen and (max-width: $tablet) {
 
-			gap: 2rem;
+			gap: 32px; //2rem
 
 			.logo_item {
 				img {
@@ -174,4 +281,211 @@
 		}
 
 	} //partners_logos
-} //partners_logos_wrap
+} //partners_logos_wrap
+
+
+
+/* benefits */
+.partners_benefits_wrap {
+	position: relative;
+	z-index: 10;
+	padding: $gap;
+
+	.benefit_items {
+		display: flex;
+		flex-direction: row;
+		gap: $gap;
+		padding: 12px; //.75rem
+		position: relative;
+		z-index: 5;
+
+		@media screen and (max-width: $desktop) {
+			flex-direction: column;
+		}
+
+		.benefit_item {
+			flex: 1;
+
+			.benefit_icon {
+				text-align: center;
+				
+				img {
+					max-width: 150px;
+					margin-left: auto;
+					margin-right: auto;
+					height: auto;
+				}
+			}
+			
+			.benefit_title {
+				text-align: center;
+				font-size: 32px; //2rem
+			}
+
+
+			.benefit_content {
+				font-size: 18px; //1.125rem
+				line-height: 1.3;
+				margin: 12px; //.75rem
+				text-align: center;
+			}
+		} //benefit_item
+	} //benefit_items
+} //partners_benefits_wrap
+
+
+
+/* plans */
+.partners_plans_wrap {
+	position: relative;
+	z-index: 10;
+	padding: $gap;
+
+
+	.plan_items {
+
+		display: flex;
+		flex-direction: column;
+		gap: $gap;
+		padding: 12px; //.75rem
+		position: relative;
+		z-index: 5;
+
+		.plan_item {
+			// border: 1px solid orange;
+			padding-left: 60px;
+			
+			
+			.glass_content {
+				
+				display: flex;
+				flex-direction: row;
+				align-items: center;
+				gap: $gap;
+				margin: 0 12px; //.75rem
+				min-height: 180px;
+
+				.plan_titles_wrap {
+	
+					width: 80%;
+	
+					.plan_title {
+						font-size: 32px; //2rem
+						margin: 12px 0px;
+					}
+		
+					.plan_subtitle {
+						font-size: 26px; //1.625rem
+						margin: 12px 0px;
+					}
+				} //plan_titles_wrap
+
+				.plan_content {
+					font-size: 20px; //1.25rem
+					line-height: 1.3;
+					margin: 12px; //.75rem
+					width: 100%;
+				}
+
+
+
+				
+				@media screen and (max-width: $desktop) {
+					flex-direction: column;
+					gap: 0px;
+
+					.plan_titles_wrap {
+						width: 100%;
+					}
+
+				} //desktop
+
+
+			} //glass_content
+
+
+		} //plan_item
+
+	} //plan_items
+
+
+
+	.plan_level {
+		position: absolute;
+		top: 10%;
+		left: 24px;
+		height: 80%;
+		width: 20px;
+		background-color: $aq-royal-blue;
+		border-radius: 10px;
+		pointer-events: none;
+		overflow: hidden;
+
+		&.level_1 {background-color: $aq-starfish-yellow;}
+		&.level_2 {background-color: $aq-coral-red;}
+		&.level_3 {background-color: $aq-legacy-blue;}
+
+		&::after {
+			content: '';
+			position: absolute;
+			top: -150%;
+			left: -150%;
+			width: 400%;
+			height: 400%;
+			background: linear-gradient(
+				-45deg,
+				transparent 40%,
+				rgba(255, 255, 255, 0.05) 47%,
+				rgba(255, 255, 255, 0.2) 50%,
+				rgba(255, 255, 255, 0.05) 53%,
+				transparent 60%
+			);
+			transform: rotate(-45deg);
+			animation: shimmer 1.2s ease-out infinite;
+			animation-delay: 2s;
+			opacity: 0;
+		}
+
+		@keyframes shimmer {
+			0% {
+				transform: translateX(-120%) rotate(-45deg);
+				opacity: 0;
+			}
+			20% {
+				opacity: 1;
+			}
+			80% {
+				opacity: 1;
+			}
+			100% {
+				transform: translateX(120%) rotate(-45deg);
+				opacity: 0;
+			}
+		}
+	} //plan_level
+
+} //partners_plans_wrap
+
+
+.partners_contact_wrap {
+
+	.partners_contact_title {
+		text-align: center;
+	}
+
+	.contact_form_wrap {
+		position: relative;
+		z-index: 5;
+		max-width: 60%;
+		margin: 0 auto;
+
+		.hubspot_form_wrap {
+
+		} //hubspot_form_wrap
+
+		@media screen and (max-width: $desktop) {
+			max-width: 90%;
+		}
+
+	} //contact_form_wrap
+} //partners_contact_wrap

docs/assets/css/trivy_v1_styles.scss

@@ -6,9 +6,11 @@ $aq-legacy-blue: #08b1d5;
 $aq-coral-red: #ff445f;
 $aq-starfish-yellow: #ffc900;
 $aq-dark-abyss: #07242d;
+$aq-blue-abyss: #031730;
 $aq-deep-sea-blue: #183278;
 $aq-ocean-ash: #405a75;
-$aq-sea-foam: #00ffe4;
+// $aq-sea-foam: #00ffe4;
+$aq-neon-blue: #50f0ff;
 
 $aq-neo-background: #ebf3fa;
 $aq-neo-background-hover: #f0f8ff;
@@ -65,19 +67,50 @@ body {
 
 
 .generic_title {
-	font-size: 1.75rem;
+	font-size: 28px; //1.75rem
 	font-weight: $weight-bold;
-	margin: 0.75rem 1.25rem 0.75rem 0.75rem;
+	margin: 12px; //0.75rem
 	color: $aq-royal-blue;
 }
 
 .generic_subtitle {
-	font-size: 1.125rem;
+	font-size: 18px; //1.125rem
 	opacity: 0.8;
-	margin: 0.75rem;
+	margin: 12px; //0.75rem
 }
 
 
+	.section_title {
+		color: #ffffff; //$aq-neon-blue;
+		font-size: 48px; //3rem
+		font-weight: $weight-bold;
+		margin-bottom: 24px; //1.5rem
+		line-height: 1.2;
+
+		&.is_smaller {
+			font-size: 40px; //2.5rem
+		}
+	}
+
+	.section_subtitle  {
+		color: #ffffff;
+		font-size: 26px; //1.625rem
+		margin-bottom: 24px; //1.5rem
+	}
+
+
+	@media screen and (max-width: $tablet) {
+
+		.section_title, .section_title.is_smaller {
+			font-size: 32px; //2rem
+		}
+		.section_subtitle {
+			font-size: 18px; //1.125rem
+		}
+
+	} //until
+
+
 .button {
 
 	background-color: #ebf3fa;
@@ -99,20 +132,20 @@ body {
 	font-weight: 700;
 	
 	&.is-seafoam {
-		background-color: $aq-sea-foam;
-		border-color: $aq-sea-foam;
-		color: $aq-dark-abyss;
+		background-color: $aq-neon-blue;
+		border-color: $aq-neon-blue;
+		color: $aq-blue-abyss;
 
 
 		&.is-outlined {
 			background-color: rgba(0,0,0,0);
-			border-color: $aq-sea-foam;
-			color: $aq-sea-foam;
+			border-color: $aq-neon-blue;
+			color: $aq-neon-blue;
 			border-width: 2px;
 
 			&:hover {
-				background-color: $aq-sea-foam;
-				color: $aq-dark-abyss;
+				background-color: $aq-neon-blue;
+				color: $aq-blue-abyss;
 			}
 		} //is-outlines
 		
@@ -132,17 +165,17 @@ body {
 
 	&.solidseafoamarrowbutton {
 		
-		background-color: $aq-sea-foam;
+		background-color: $aq-neon-blue;
 		font-weight: 700;
-		border: 2px solid $aq-sea-foam;
-		font-size: 22px; //1.375rem; //1.125rem;
+		border: 2px solid $aq-neon-blue;
+		font-size: 22px; //1.375rem
 		padding: 16px 27px;
-		color: $aq-dark-abyss;
+		color: $aq-blue-abyss;
 
 
 		&:after {
 				content: "";
-				border: solid $aq-dark-abyss;
+				border: solid $aq-blue-abyss;
 				border-width: 0 2px 2px 0;
 				display: inline-block;
 				padding: 4px;
@@ -161,6 +194,8 @@ body {
 
 
 @import "_slick_slider";
+@import "_glass_v2";
+@import "_hubspot_form";
 
 @import "_trivy_homepage";
 @import "_trivy_partners";

docs/assets/images/partners_hero_stage_full.svg

@@ -1,136 +0,0 @@
-<svg width="955" height="552" viewBox="0 0 955 552" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_105_3404)">
-<path style="mix-blend-mode:screen" d="M477.5 550.515C739.041 550.515 951.062 493.881 951.062 424.02C951.062 354.159 739.041 297.525 477.5 297.525C215.959 297.525 3.93848 354.159 3.93848 424.02C3.93848 493.881 215.959 550.515 477.5 550.515Z" fill="url(#paint0_radial_105_3404)"/>
-<path d="M477.429 517.872C662.885 517.872 813.227 471.96 813.227 415.324C813.227 358.688 662.885 312.776 477.429 312.776C291.972 312.776 141.63 358.688 141.63 415.324C141.63 471.96 291.972 517.872 477.429 517.872Z" fill="url(#paint1_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M477.499 483.397C408.305 483.397 346.09 475.886 297.949 462.558C257.175 451.269 232.037 437.294 221.353 422.418C212.469 410.048 214.366 398.034 224.335 386.952C232.921 377.408 247.227 368.914 265.452 361.526C281.004 355.221 298.91 349.929 318.43 345.55C335.215 341.785 353.006 338.733 371.507 336.329C388.652 334.101 406.148 332.463 423.91 331.372C441.601 330.285 459.458 329.75 477.499 329.75C495.541 329.75 513.398 330.285 531.089 331.372C548.851 332.463 566.347 334.101 583.492 336.329C601.993 338.733 619.784 341.785 636.569 345.55C656.089 349.929 673.995 355.221 689.547 361.526C707.771 368.914 722.078 377.408 730.664 386.952C740.633 398.034 742.53 410.048 733.646 422.418C722.962 437.294 697.824 451.269 657.05 462.558C608.908 475.886 546.694 483.397 477.499 483.397ZM477.499 332.335C409.79 332.335 332.638 342.537 291.568 361.526C217.996 395.542 266.477 452.503 477.499 452.503C688.522 452.503 737.002 395.542 663.431 361.526C622.361 342.537 545.209 332.335 477.499 332.335Z" fill="url(#paint2_linear_105_3404)"/>
-<path d="M477.499 483.397C408.305 483.397 346.09 475.886 297.949 462.558C257.175 451.269 232.037 437.294 221.353 422.418C212.469 410.048 214.366 398.034 224.335 386.952C232.921 377.408 247.227 368.914 265.452 361.526C281.004 355.221 298.91 349.929 318.43 345.55C335.215 341.785 353.006 338.733 371.507 336.329C388.652 334.101 406.148 332.463 423.91 331.372C441.601 330.285 459.458 329.75 477.499 329.75C495.541 329.75 513.398 330.285 531.089 331.372C548.851 332.463 566.347 334.101 583.492 336.329C601.993 338.733 619.784 341.785 636.569 345.55C656.089 349.929 673.995 355.221 689.547 361.526C707.771 368.914 722.078 377.408 730.664 386.952C740.633 398.034 742.53 410.048 733.646 422.418C722.962 437.294 697.824 451.269 657.05 462.558C608.908 475.886 546.694 483.397 477.499 483.397ZM477.499 332.335C409.79 332.335 332.638 342.537 291.568 361.526C217.996 395.542 266.477 452.503 477.499 452.503C688.522 452.503 737.002 395.542 663.431 361.526C622.361 342.537 545.209 332.335 477.499 332.335Z" fill="url(#paint3_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M259.918 195.625V396.907C259.918 421.741 335.038 450.272 479.289 450.272C623.54 450.272 694.755 421.741 694.755 396.907V195.625H259.918Z" fill="url(#paint4_radial_105_3404)" style="mix-blend-mode:screen"/>
-</g>
-<rect x="270" width="127.4" height="127.4" rx="63.7" fill="url(#paint5_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M308.683 38.6782V88.7221H358.717V38.6782H308.683ZM333.897 71.9874H331.365V60.4175C331.365 59.6592 331.191 59.0418 330.844 58.5655C330.496 58.0677 329.945 57.8189 329.186 57.8189C328.47 57.8189 327.886 58.0888 327.431 58.6311C326.996 59.1521 326.78 59.9644 326.78 61.0677V71.9874H324.245V60.2883C324.245 59.5724 324.05 58.988 323.661 58.5325C323.271 58.056 322.75 57.8166 322.1 57.8166C321.321 57.8166 320.713 58.0982 320.281 58.6617C319.87 59.2249 319.663 59.962 319.663 60.8704V71.985H317.128V55.8661H319.663V57.6218H320.053C320.335 56.8636 320.746 56.3119 321.288 55.9646C321.83 55.596 322.468 55.4128 323.205 55.4128C323.985 55.4128 324.626 55.6194 325.123 56.0302C325.642 56.4411 326.001 56.9715 326.196 57.6218H326.585C327.323 56.1476 328.492 55.4128 330.095 55.4128C331.308 55.4128 332.24 55.8026 332.89 56.5818C333.562 57.3401 333.897 58.3378 333.897 59.5724V71.9874ZM350.271 64.8814H338.523V62.5192H350.271V64.8814Z" fill="white"/>
-<rect x="582" y="53" width="127.4" height="127.4" rx="63.7" fill="url(#paint6_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M657.129 101.741C648.057 101.741 640.676 109.178 640.676 118.319V131.66H650.723V118.319C650.723 114.76 653.597 111.864 657.129 111.864H664.322V101.741H657.129Z" fill="white"/>
-<path d="M627.078 109.722V119.845H634.27C637.803 119.845 640.677 122.741 640.677 126.3V131.659H650.724V126.3C650.724 117.159 643.343 109.722 634.27 109.722L627.078 109.722Z" fill="white"/>
-<rect x="413" y="142" width="127.4" height="127.4" rx="63.7" fill="url(#paint7_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M474.372 205.716C474.372 215.983 479.546 223.174 482.084 226.069C482.931 227.035 482.713 227.493 481.429 227.384C469.882 226.407 460.826 217.079 460.826 205.716C460.826 194.134 470.236 184.665 482.103 184.001C482.562 183.975 482.807 184.557 482.491 184.89C480.169 187.338 474.372 194.563 474.372 205.716Z" fill="white"/>
-<path d="M492.574 205.7C492.574 213.349 490.099 219.549 487.604 219.549C485.108 219.549 482.634 213.349 482.634 205.7C482.634 198.052 485.108 191.852 487.604 191.852C490.099 191.852 492.574 198.052 492.574 205.7Z" fill="white"/>
-<defs>
-<radialGradient id="paint0_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(477.5 424.02) scale(473.592 126.487)">
-<stop offset="0.21561" stop-opacity="0"/>
-<stop offset="0.35857" stop-color="#000001" stop-opacity="0.01719"/>
-<stop offset="0.41007" stop-color="#000008" stop-opacity="0.07948"/>
-<stop offset="0.44677" stop-color="#000014" stop-opacity="0.18793"/>
-<stop offset="0.47644" stop-color="#000025" stop-opacity="0.34281"/>
-<stop offset="0.50185" stop-color="#00003B" stop-opacity="0.54446"/>
-<stop offset="0.52396" stop-color="#000055" stop-opacity="0.78851"/>
-<stop offset="0.53903" stop-color="#00006D"/>
-<stop offset="0.61684" stop-color="#00004F" stop-opacity="0.73138"/>
-<stop offset="0.72594" stop-color="#00002D" stop-opacity="0.41483"/>
-<stop offset="0.82925" stop-color="#000014" stop-opacity="0.18628"/>
-<stop offset="0.92338" stop-color="#000005" stop-opacity="0.048"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<radialGradient id="paint1_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(476.404 415.324) scale(334.454 101.214)">
-<stop offset="0.37547" stop-opacity="0"/>
-<stop offset="0.52923" stop-color="#000001" stop-opacity="0.01"/>
-<stop offset="0.58463" stop-color="#000308" stop-opacity="0.03399"/>
-<stop offset="0.62411" stop-color="#000914" stop-opacity="0.08036"/>
-<stop offset="0.65606" stop-color="#001025" stop-opacity="0.14667"/>
-<stop offset="0.6834" stop-color="#001A3B" stop-opacity="0.23299"/>
-<stop offset="0.70763" stop-color="#002656" stop-opacity="0.33967"/>
-<stop offset="0.72955" stop-color="#003577" stop-opacity="0.46688"/>
-<stop offset="0.74969" stop-color="#00469C" stop-opacity="0.61488"/>
-<stop offset="0.76843" stop-color="#0059C7" stop-opacity="0.78417"/>
-<stop offset="0.78506" stop-color="#006DF5" stop-opacity="0.96381"/>
-<stop offset="0.7881" stop-color="#0072FF"/>
-<stop offset="0.79431" stop-color="#0067E7" stop-opacity="0.90832"/>
-<stop offset="0.80858" stop-color="#0052B7" stop-opacity="0.71982"/>
-<stop offset="0.82404" stop-color="#003E8B" stop-opacity="0.54822"/>
-<stop offset="0.84034" stop-color="#002D66" stop-opacity="0.40029"/>
-<stop offset="0.8577" stop-color="#001F46" stop-opacity="0.27587"/>
-<stop offset="0.87644" stop-color="#00132C" stop-opacity="0.17473"/>
-<stop offset="0.89707" stop-color="#000B18" stop-opacity="0.09676"/>
-<stop offset="0.92064" stop-color="#00040A" stop-opacity="0.04174"/>
-<stop offset="0.94961" stop-color="#000102" stop-opacity="0.01"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<linearGradient id="paint2_linear_105_3404" x1="215.656" y1="406.574" x2="739.343" y2="406.574" gradientUnits="userSpaceOnUse">
-<stop stop-color="#0F0F4D" stop-opacity="0"/>
-<stop offset="0.06993" stop-color="#09092F" stop-opacity="0.38183"/>
-<stop offset="0.5"/>
-<stop offset="0.93423" stop-color="#141437" stop-opacity="0.3394"/>
-<stop offset="1" stop-color="#1F1F54" stop-opacity="0"/>
-</linearGradient>
-<radialGradient id="paint3_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(479.469 413.466) scale(288.083 84.978)">
-<stop offset="0.34944" stop-color="#0000FF"/>
-<stop offset="0.38473" stop-color="#0000DF" stop-opacity="0.87819"/>
-<stop offset="0.45062" stop-color="#0000AC" stop-opacity="0.67456"/>
-<stop offset="0.51936" stop-color="#00007D" stop-opacity="0.49409"/>
-<stop offset="0.58969" stop-color="#000057" stop-opacity="0.3418"/>
-<stop offset="0.66193" stop-color="#000037" stop-opacity="0.21771"/>
-<stop offset="0.73665" stop-color="#00001F" stop-opacity="0.12169"/>
-<stop offset="0.81499" stop-color="#00000D" stop-opacity="0.05347"/>
-<stop offset="0.89922" stop-color="#000003" stop-opacity="0.01299"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<radialGradient id="paint4_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(476.238 239.456) scale(407.82 212.251)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<radialGradient id="paint5_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(333.378 21.9285) scale(119.484 106.189)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<radialGradient id="paint6_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(645.378 74.9285) scale(119.484 106.189)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<radialGradient id="paint7_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(476.378 163.928) scale(119.484 106.189)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<clipPath id="clip0_105_3404">
-<rect width="955" height="356.375" fill="white" transform="translate(0 195.625)"/>
-</clipPath>
-</defs>
-</svg>

docs/commercial/compare.md

@@ -1,7 +1,7 @@
 # Aqua Security is the home of Trivy
 
 Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
-If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
 In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product.
 If you'd like to learn more or request a demo, [click here to contact us](./contact.md).
 
@@ -66,7 +66,7 @@ If you'd like to learn more or request a demo, [click here to contact us](./cont
 
 | Feature | Trivy OSS | Aqua |
 | --- | --- | --- |
-| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
+| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/check/builtin/) | In addition, Build Pipeline configuration scanning |
 | Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
 | Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
 | Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |

docs/community/contribute/pr.md

@@ -54,6 +54,21 @@ Your PR must pass all the integration tests. You can test it as below.
 $ mage test:integration
 ```
 
+### Protocol Buffers
+If you update protobuf files (`.proto`), you need to regenerate the Go code:
+
+```shell
+$ mage protoc:generate
+```
+
+You can also format and lint protobuf files:
+
+```shell
+$ mage protoc:fmt     # Format protobuf files
+$ mage protoc:lint    # Lint protobuf files
+$ mage protoc:breaking # Check for breaking changes against main branch
+```
+
 ### Documentation
 If you update CLI flags, you need to generate the CLI references.
 The test will fail if they are not up-to-date.

docs/docs/advanced/modules.md

@@ -47,8 +47,8 @@ Trivy adheres to the XDG specification, so the location depends on whether XDG_D
 Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
 The preference order is as follows:
 
-- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
-- $HOME/.trivy/plugins
+- XDG_DATA_HOME if set and .trivy/modules exists within the XDG_DATA_HOME dir
+- $HOME/.trivy/modules
 
 For example, to download the WebAssembly module, you can execute the following command:
 
@@ -137,6 +137,10 @@ $ go mod init github.com/aquasecurity/trivy-module-wordpress
 ```go
 package main
 
+import (
+    "github.com/aquasecurity/trivy/pkg/module/wasm"
+)
+
 const (
     version = 1
     name = "wordpress-module"
@@ -145,6 +149,10 @@ const (
 // main is required for Go to compile the Wasm module
 func main() {}  
 
+func init() {
+	wasm.RegisterModule(WordpressModule{})
+}
+
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }

docs/docs/advanced/telemetry-flags.md

@@ -1,19 +1,41 @@
 ```
+--clear-cache
 --debug
+--dependency-tree
 --detection-priority
+--distro
+--exit-code
+--exit-on-eol
 --format
 --ignore-status
+--ignore-unfixed
+--image-config-scanners
+--include-deprecated-checks
 --include-dev-deps
+--include-non-failures
 --insecure
+--license-full
 --list-all-pkgs
 --misconfig-scanners
+--offline-scan
+--parallel
+--password-stdin
 --pkg-relationships
 --pkg-types
 --quiet
+--redis-tls
+--removed-pkgs
 --report
 --scanners
 --severity
 --show-suppressed
+--skip-check-update
+--skip-version-check
+--skip-vex-repo-update
+--slow
+--tf-exclude-downloaded-modules
 --timeout
+--trace-http
+--trace-rego
 --vuln-severity-source
 ```

docs/docs/configuration/reporting.md

@@ -118,6 +118,11 @@ Nuances of table contents:
     - `-` means that the scanner didn't scan this target.
     - `0` means that the scanner scanned this target, but found no security issues.
 
+!!! Note
+    For the secret/license scanner, the Trivy report contains only findings.
+    Therefore, we can’t say for sure whether Trivy scanned at least one file or simply didn’t find any findings.
+    That’s why, for these scanners, the summary table uses “-” if no findings are found.
+
 <details>
 <summary>Report Summary</summary>
 
@@ -612,19 +617,15 @@ For more details, please check [here](../plugin/user-guide.md#output-mode-suppor
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
 
 ```shell
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 $ trivy convert --format cyclonedx --output result.cdx result.json
 ```
 
-!!! note
-    Please note that if you want to convert to a format that requires a list of packages,
-    such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
-
 [Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
 
 ```shell
 # Output all severities in JSON
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 
 # Output only critical issues in table format
 $ trivy convert --format table --severity CRITICAL result.json

docs/docs/coverage/language/python.md

@@ -145,7 +145,7 @@ Trivy parses the manifest files of installed packages in container image scannin
 See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.
 
 ### Egg
-Trivy looks for `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
+Trivy looks for `*.egg-info`, `*.egg-info/METADATA`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
 
 ### Wheel
 Trivy looks for `.dist-info/METADATA` to identify Python packages.

docs/docs/coverage/os/alma.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/alpine.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through `apk`.

docs/docs/coverage/os/amazon.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/azure.md

@@ -28,6 +28,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.

docs/docs/coverage/os/bottlerocket.md

@@ -9,6 +9,12 @@ Trivy supports the following scanners for OS packages.
 
 Please see [here](index.md#supported-os) for supported versions.
 
+The table below outlines the features offered by Trivy.
+
+|               Feature                | Supported |
+|:------------------------------------:|:---------:|
+|        End of life awareness         |     -     |
+
 ## SBOM
 Trivy detects packages that are listed in the [software inventory].
 

docs/docs/coverage/os/centos.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |        Unfixed vulnerabilities        |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Same as [RHEL](rhel.md#sbom).

docs/docs/coverage/os/chainguard.md

@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |    Detect unfixed vulnerabilities     |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |
 
 ## SBOM
 Same as [Alpine Linux](alpine.md#sbom).

docs/docs/coverage/os/coreos.md

@@ -0,0 +1,17 @@
+# CoreOS
+This page describes the deprecated `CoreOS Container Linux` (EOL) and its successor, [Fedora CoreOS][fedora-coreos].
+
+Trivy supports the following scanners for OS packages on these systems.
+
+|    Scanner    | Supported |
+|:-------------:|:---------:|
+|     SBOM      |     ✓     |
+| Vulnerability |     -     |
+|    License    |     -     |
+
+Please see [here](index.md#supported-os) for supported versions.
+
+## SBOM
+Trivy detects packages that are listed in the RPM database.
+
+[fedora-coreos]: https://fedoraproject.org/coreos/

docs/docs/coverage/os/debian.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |        Unfixed vulnerabilities        |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `apt` and `dpkg`.

docs/docs/coverage/os/echo.md

@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Unfixed vulnerabilities           |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |
 
 ## SBOM
 Same as [Debian](debian.md#sbom).

docs/docs/coverage/os/google-distroless.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :----------------------------------: | :-------: |
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |
 
 ## SBOM
 Trivy detects packages pre-installed in distroless images.

docs/docs/coverage/os/index.md

@@ -9,42 +9,44 @@ Trivy supports operating systems for
 
 ## Supported OS
 
-| OS                                    | Supported Versions                  | Package Managers |
-|---------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.22, edge         | apk              |
-| [Wolfi Linux](wolfi.md)               | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)           | (n/a)                               | apk              |
-| [MinimOS](minimos.md)                 | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)   | 6, 7, 8, 9                          | dnf/yum/rpm      |
-| [Red Hat Enterprise Linux](rhel.md)   | 10 (SBOM only)                      | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]               | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                  | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)               | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)             | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
-| [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
-| [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
-| [SUSE Linux Enterprise](suse.md)      | 11, 12, 15                          | zypper/rpm       |
-| [SUSE Linux Enterprise Micro](suse.md)| 5, 6                                | zypper/rpm       |
-| [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Echo](echo.md)                       | (n/a)                               | apt/dpkg         |
-| [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |
-| [Bottlerocket](bottlerocket.md)       | 1.7.0 and upper                     | bottlerocket     |
-| [OSs with installed Conda](../others/conda.md)  | -                                   | conda            |
+| OS                                             | Supported Versions                  | Package Managers |
+|------------------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)                      | 2.2 - 2.7, 3.0 - 3.22, edge         | apk              |
+| [Wolfi Linux](wolfi.md)                        | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)                    | (n/a)                               | apk              |
+| [MinimOS](minimos.md)                          | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)            | 6, 7, 8, 9                          | dnf/yum/rpm      |
+| [Red Hat Enterprise Linux](rhel.md)            | 10 (SBOM only)                      | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]                        | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                           | 8, 9, 10                            | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)                        | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)                      | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [Azure Linux (CBL-Mariner)](azure.md)          | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
+| [Amazon Linux](amazon.md)                      | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)                       | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)                 | (n/a)                               | zypper/rpm       |
+| [SUSE Linux Enterprise](suse.md)               | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise Micro](suse.md)         | 5, 6                                | zypper/rpm       |
+| [Photon OS](photon.md)                         | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [CoreOS](coreos.md)[^3]                        | All versions (SBOM only)            | rpm              |
+| [Echo](echo.md)                                | (n/a)                               | apt/dpkg         |
+| [Debian GNU/Linux](debian.md)                  | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                            | All versions supported by Canonical | apt/dpkg         |
+| [Bottlerocket](bottlerocket.md)                | 1.7.0 and upper                     | bottlerocket     |
+| [OSs with installed Conda](../others/conda.md) | -                                   | conda            |
 
 ## Supported container images
 
-| Container image                               | Supported Versions                  | Package Managers |
-|-----------------------------------------------|-------------------------------------|------------------|
-| [Google Distroless](google-distroless.md)[^2] | Any                                 | apt/dpkg         |
-| [Bitnami](../others/bitnami.md)                         | Any                                 | -                |
+| Container image                               | Supported Versions | Package Managers |
+|-----------------------------------------------|--------------------|------------------|
+| [Google Distroless](google-distroless.md)[^2] | Any                | apt/dpkg         |
+| [Bitnami](../others/bitnami.md)               | Any                | -                |
 
 Each page gives more details.
 
 [^1]: CentOS Stream is not supported 
 [^2]: https://github.com/GoogleContainerTools/distroless
+[^3]: Fedora CoreOS and the deprecated CoreOS Container Linux
 
 
 [sbom]: ../../supply-chain/sbom.md

docs/docs/coverage/os/minimos.md

@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |
 
 ## SBOM
 Same as [Alpine Linux](alpine.md#sbom).

docs/docs/coverage/os/oracle.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |        Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/photon.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `tdnf` and `yum`.

docs/docs/coverage/os/rhel.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :----------------------------------: | :-------: |
 |       Unfixed vulnerabilities        |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/rocky.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/suse.md

@@ -22,6 +22,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/ubuntu.md

@@ -15,6 +15,7 @@ The following table provides an outline of the features Trivy offers.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Same as [Debian](debian.md#sbom).

docs/docs/coverage/os/wolfi.md

@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |
 
 ## SBOM
 Same as [Alpine Linux](alpine.md#sbom).

docs/docs/coverage/others/index.md

@@ -16,6 +16,7 @@ Trivy supports them for
 | [Conda](conda.md)              | `<conda-root>/envs/<env>/conda-meta/<package>.json` |     ✅     |     ✅      |       -        |       -        |
 |                                | `environment.yml`                                   |     -     |     -      |       ✅        |       ✅        |
 | [Root.io images](rootio.md)    | -                                                   |     ✅     |     ✅      |       -        |       -        |
+| [Seal Security](seal.md)       | -                                                   |     ✅     |     ✅      |       -        |       -        |
 | [RPM Archives](rpm.md)         | `*.rpm`                                             |   ✅[^5]   |   ✅[^5]    |     ✅[^5]      |     ✅[^5]      |
 
 [sbom]: ../../supply-chain/sbom.md

docs/docs/coverage/others/rootio.md

@@ -13,6 +13,9 @@ Root.io patches are detected when Trivy finds packages with specific version suf
 When Root.io patches are detected, Trivy automatically switches to Root.io scanning mode for vulnerability detection.
 Even when the original OS distributor (Debian, Ubuntu, Alpine) has not provided a patch for a vulnerability, Trivy will display Root.io patches if they are available.
 
+!!! note
+    For vulnerabilities, Trivy uses the severity level from the original OS vendor (if the vendor has specified a severity).
+
 For detailed information about supported scanners, features, and functionality, please refer to the documentation for the underlying OS:
 
 - [Debian](../os/debian.md)

docs/docs/coverage/others/seal.md

@@ -0,0 +1,27 @@
+# Seal Security
+
+!!! warning "EXPERIMENTAL"
+    Scanning results may be inaccurate.
+
+While it is not an OS, this page describes the details of the [Seal Security]( https://sealsecurity.io/) vulnerability feed.
+Seal provides security advisories and patched versions for multiple Linux distributions, including [Debian](../os/debian.md), [Ubuntu](../os/ubuntu.md), [Alpine](../os/alpine.md), [Red Hat Enterprise Linux](../os/rhel.md), [CentOS](../os/centos.md), [Oracle Linux](../os/oracle.md), and [Azure Linux (CBL‑Mariner)](../os/azure.md).
+
+Seal advisories are used when Trivy finds packages that indicate Seal-provided components:
+
+- Packages whose name or source name starts with `seal-` (for example, `seal-wget`, `seal-zlib`).
+
+When such Seal packages are detected, Trivy automatically enables Seal scanning for those packages while continuing to use the base OS scanner for the rest.
+
+!!! note
+    For vulnerabilities, Trivy prefers severity from the base OS vendor when available.
+
+For details on supported scanners, features, and behavior for each base OS, refer to their respective pages:
+
+- [Debian](../os/debian.md)
+- [Ubuntu](../os/ubuntu.md)
+- [Alpine](../os/alpine.md)
+- [Red Hat Enterprise Linux](../os/rhel.md)
+- [CentOS](../os/centos.md)
+- [Oracle Linux](../os/oracle.md)
+- [Azure Linux (CBL‑Mariner)](../os/azure.md)
+

docs/docs/references/configuration/cli/trivy_config.md

@@ -76,7 +76,7 @@ trivy config [flags] DIR
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
 ```
 

docs/docs/references/configuration/cli/trivy_convert.md

@@ -10,7 +10,7 @@ trivy convert [flags] RESULT_JSON
 
 ```
   # report conversion
-  $ trivy image --format json --output result.json --list-all-pkgs debian:11
+  $ trivy image --format json --output result.json debian:11
   $ trivy convert --format cyclonedx --output result.cdx result.json
 
 ```
@@ -37,7 +37,7 @@ trivy convert [flags] RESULT_JSON
   -h, --help                       help for convert
       --ignore-policy string       specify the Rego file path to evaluate each vulnerability
       --ignorefile string          specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability (default true)
   -o, --output string              output file name
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (allowed values: all,summary) (default "all")

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -81,7 +81,7 @@ trivy filesystem [flags] PATH
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
@@ -135,7 +135,7 @@ trivy filesystem [flags] PATH
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
       --vuln-severity-source strings      order of data sources for selecting vulnerability severity level

docs/docs/references/configuration/cli/trivy_image.md

@@ -99,7 +99,7 @@ trivy image [flags] IMAGE_NAME
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --max-image-size string             [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
@@ -156,7 +156,7 @@ trivy image [flags] IMAGE_NAME
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
       --vuln-severity-source strings      order of data sources for selecting vulnerability severity level

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -91,7 +91,7 @@ trivy kubernetes [flags] [CONTEXT]
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --kubeconfig string                 specify the kubeconfig file path to use
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --no-progress                       suppress progress bar
       --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
@@ -144,7 +144,7 @@ trivy kubernetes [flags] [CONTEXT]
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
       --vuln-severity-source strings      order of data sources for selecting vulnerability severity level

docs/docs/references/configuration/cli/trivy_repository.md

@@ -80,7 +80,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
@@ -134,7 +134,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
       --vuln-severity-source strings      order of data sources for selecting vulnerability severity level

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -83,7 +83,7 @@ trivy rootfs [flags] ROOTDIR
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
@@ -136,7 +136,7 @@ trivy rootfs [flags] ROOTDIR
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
       --vuln-severity-source strings      order of data sources for selecting vulnerability severity level

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -64,7 +64,7 @@ trivy sbom [flags] SBOM_PATH
       --ignored-licenses strings       specify a list of license to ignore
       --ignorefile string              specify .trivyignore file (default ".trivyignore")
       --java-db-repository strings     OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
-      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability (default true)
       --no-progress                    suppress progress bar
       --offline-scan                   do not issue API requests to identify dependencies
   -o, --output string                  output file name

docs/docs/references/configuration/cli/trivy_vm.md

@@ -75,7 +75,7 @@ trivy vm [flags] VM_IMAGE
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes, available with '--scanners misconfig'
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

docs/docs/references/configuration/config-file.md

@@ -504,7 +504,7 @@ rego:
   # Same as '--skip-check-update'
   skip-check-update: false
 
-  # Same as '--trace'
+  # Same as '--trace-rego'
   trace: false
 
 ```
@@ -530,7 +530,7 @@ ignore-policy: ""
 ignorefile: ".trivyignore"
 
 # Same as '--list-all-pkgs'
-list-all-pkgs: false
+list-all-pkgs: true
 
 # Same as '--output'
 output: ""

docs/docs/references/troubleshooting.md

@@ -78,6 +78,16 @@ Common mistakes include the following, depending on where you are pulling images
 $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
 ```
 
+Alternatively, you can specify the location of your certificate using `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables.
+
+```
+$ SSL_CERT_FILE=/path/to/cert trivy image [YOUR_IMAGE]
+```
+
+```
+$ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE]
+```
+
 ### GitHub Rate limiting
 Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md).
 
@@ -115,14 +125,57 @@ $ trivy image --download-java-db-only
 $ trivy image [YOUR_JAVA_IMAGE]
 ```
 
-### Running in parallel takes same time as series run
-When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
-This is because of a limitation of boltdb.
-> Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
+### Database and cache lock errors
 
-Reference : [boltdb: Opening a database][boltdb].
+!!! error
+    ```
+    cache may be in use by another process
+    ```
 
-[boltdb]: https://github.com/boltdb/bolt#opening-a-database
+!!! error
+    ```
+    vulnerability database may be in use by another process
+    ```
+
+By default, Trivy uses BoltDB for its vulnerability database and cache storage. BoltDB creates file locks to prevent data corruption, which means only one process can access the same database file at a time.
+
+As stated in the BoltDB documentation:
+
+> Please note that Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
+
+Reference: [BoltDB README](https://github.com/boltdb/bolt#opening-a-database)
+
+These errors occur when:
+
+- Multiple Trivy processes try to use the same cache directory simultaneously
+- A previous Trivy process did not shut down cleanly
+- Trivy server is running and holding locks on the database and cache
+
+#### Important Note
+
+Running multiple Trivy processes on the same machine is **not recommended**. Using the same cache directory for multiple processes does not improve performance and can cause unexpected errors due to BoltDB's locking mechanism.
+
+#### Solutions
+
+**Solution 1: Terminate conflicting processes** (Recommended)
+
+Check for running Trivy processes and terminate them:
+
+```bash
+$ ps aux | grep trivy
+$ kill [process_id]
+```
+
+**Solution 2: Use different cache directories** (If multiple processes are absolutely necessary)
+
+If you must run multiple Trivy processes on the same machine, specify different cache directories for each process:
+
+```bash
+$ trivy image --cache-dir /tmp/trivy-cache-1 debian:11 &
+$ trivy image --cache-dir /tmp/trivy-cache-2 debian:12 &
+```
+
+Note that each cache directory will download its own copy of the vulnerability database and other scan assets, which will increase network traffic and storage usage.
 
 ### Multiple Trivy servers
 
@@ -267,6 +320,25 @@ $ brew install aquasecurity/trivy/trivy
 ```
 
 
+## Debugging
+### HTTP Request/Response Tracing
+
+For debugging network issues, connection problems, or authentication failures, you can enable HTTP request/response tracing using the `--trace-http` flag.
+
+!!! danger "Security Warning"
+    While Trivy attempts to redact known sensitive information such as authentication headers and common secrets, the `--trace-http` flag may still expose sensitive data in HTTP requests and responses.
+    
+    **Never use this flag in production environments or CI/CD pipelines.**
+    This flag is automatically disabled in CI environments for security.
+
+```bash
+# Enable HTTP tracing for debugging registry issues
+$ trivy image --trace-http registry.example.com/my-image:latest
+
+# HTTP tracing with other debugging options
+$ trivy image --trace-http --debug --insecure my-image:tag
+```
+
 ## Others
 ### Unknown error
 

docs/docs/scanner/license.md

@@ -364,6 +364,23 @@ license:
 !!! note
     `regex` is only used for text licenses and can't be used to configure license IDs.
 
+### Enabling a Subset of Package Types
+
+It's possible to only enable certain package types if you prefer.
+You can do so by passing the `--pkg-types` option.
+This flag takes a comma-separated list of package types.
+
+Available values:
+
+- os
+    - Scan OS packages managed by the OS package manager (e.g. `dpkg`, `yum`, `apk`).
+- library
+    - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).
+
+```bash
+$ trivy image --pkg-types os ruby:2.4.0
+```
+
 [^1]: See the list of supported language files [here](../coverage/language/index.md).
 [^2]: Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check [coverage][coverage] for more information.
 

docs/docs/scanner/misconfiguration/config/config.md

@@ -132,10 +132,17 @@ It is also possible to specify multiple input schemas with `--config-file-schema
 
 ### Filtering resources by inline comments
 
-Trivy supports ignoring misconfigured resources by inline comments for Terraform, CloudFormation and Helm configuration files only.
+Trivy supports ignoring misconfigured resources by inline comments for Terraform, CloudFormation, Helm and Dockerfile configuration files only.
 
 In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
 
+
+!!!note
+    Inline ignore rules only work for checks associated with an existing resource.
+    Checks triggered by the absence of a resource (e.g., **AVD-DS-0002** when a Dockerfile lacks a `USER` instruction) cannot be ignored inline.  
+    Use a [.trivyignore.yaml](../../../configuration/filtering.md#trivyignoreyaml) file to ignore such checks.
+
+
 The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from the metadata is not case-sensitive, so you can specify, for example, `AVD-AWS-0089` or `avd-aws-0089`.
 
 For example, to ignore a misconfiguration ID `AVD-GCP-0051` in a Terraform HCL file:

docs/docs/scanner/misconfiguration/custom/data.md

@@ -1,10 +1,10 @@
 # Custom Data
 
-Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the `--data` flag. 
+Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the `--config-data` flag. 
 Trivy recursively searches the specified data paths for JSON (`*.json`) and YAML (`*.yaml`) files.
 
 For example, consider an allowed list of resources that can be created. 
-Instead of hardcoding this information inside your policy, you can maintain the list in a separate file.
+Instead of hardcoding this information inside your check, you can maintain the list in a separate file.
 
 Example data file:
 
@@ -29,5 +29,26 @@ ports := services.ports
 Example loading the data file:
 
 ```bash
-trivy config --config-check ./checks --data ./data --namespaces user ./configs
+trivy config --config-check ./checks --config-data ./data --namespaces user ./configs
 ```
+
+## Customizing default checks data
+
+Some checks allow you to customize the default data values. To do this, simply pass a data file via `--config-data` (see the section above).
+
+Table of supported data for customizing and their paths:
+
+| Check ID                                                                                                                                                     | Data path                    | Description                                                  |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|--------------------------------------------------------------|
+| [KSV0125](https://github.com/aquasecurity/trivy-checks/blob/db2e49de5ff5fd5c8e5cd702b7891f9d9e971a65/checks/kubernetes/uses_untrusted_registry.rego#L76-L78) | `ksv0125.trusted_registries` | List of trusted container registries                         |
+| [DS031](https://github.com/aquasecurity/trivy-checks/blob/db2e49de5ff5fd5c8e5cd702b7891f9d9e971a65/checks/docker/leaked_secrets.rego#L135)                   | `ds031.included_envs`        | List of allowed environment variables (merged with defaults) |
+
+
+Example of overriding trusted registries for `KSV0125`:
+
+```yaml
+ksv0125:
+  trusted_registries:
+    - "my-registry.example.com"
+    - "registry.internal.local"
+```

docs/docs/scanner/misconfiguration/custom/debug.md

@@ -1,13 +1,13 @@
 # Debugging checks
 When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
-For this purpose you can use the `--trace` flag.
+For this purpose you can use the `--trace-rego` flag.
 This will output a large trace from Open Policy Agent like the following:
 
 !!! tip
     Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.
 
 ```shell
-$ trivy config --trace configs/
+$ trivy config --trace-rego configs/
 2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1
 
 Dockerfile (dockerfile)

docs/docs/scanner/vulnerability.md

@@ -38,6 +38,7 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
 | OpenSUSE/SLES             | [CVRF][suse]                                                 |
 | Photon OS                 | [Photon Security Advisory][photon]                           |
 | Root.io                   | [Root.io Patch Feed][rootio]                                 |
+| Seal Security             | [Seal Security vulnerability feed][seal]                     |
 
 #### Data Source Selection
 Trivy **only** consumes security advisories from the sources listed in the above table.
@@ -148,28 +149,17 @@ If you have software that is not managed by a package manager, Trivy can still d
 - [Rust Binaries with embedded information](../coverage/language/rust.md#binaries)
 - [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets)
 
-## Kubernetes
-
-Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
-
-### Data Sources
-
-| Vendor     | Source                                      |
-|------------|---------------------------------------------|
-| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
-
-[^1]: Some manual triage and correction has been made.
-
-## Databases
-The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
-For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
-
 ## Detection Behavior
 Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
 This approach is particularly relevant in two key areas:
 
-- Handling Software Installed via OS Packages
-- Handling Packages with Unspecified Versions
+- [Handling Software Installed via OS Packages](#handling-software-installed-via-os-packages)
+- [Handling Packages with Unspecified Versions](#handling-packages-with-unspecified-versions)
+
+Trivy can also detect only specific packages:
+
+- [Subset of Package Types](#enabling-a-subset-of-package-types)
+- [Specific package Relationship](#filtering-by-package-relationships)
 
 ### Handling Software Installed via OS Packages
 For files installed by OS package managers, such as `apt`, Trivy exclusively uses advisories from the OS vendor.
@@ -212,9 +202,29 @@ To detect potential vulnerabilities even with unspecified versions, use [--detec
 This option makes Trivy use the minimum version in the specified range for vulnerability detection.
 While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
 
-## Configuration
-This section describes vulnerability-specific configuration.
-Other common options are documented [here](../configuration/index.md).
+## Package Detection
+Vulnerability detection is based on package detection.
+This section describes the specifics of package detection, which also affect SBOM generation.
+
+### Detection Priority
+
+Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in package/vulnerability detection.
+This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
+
+```bash
+$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
+```
+
+- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
+- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
+  It provides broader coverage but may increase the noise in the results.
+
+The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
+
+Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
+
+- `precise`: Review thoroughly, considering potential missed vulnerabilities.
+- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
 
 ### Enabling a Subset of Package Types
 
@@ -284,11 +294,10 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 </details>
 
 !!! info
-    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+    This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
 
 ### Filtering by Package Relationships
 
-
 Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
 This is achieved through the `--pkg-relationships` flag.
 This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
@@ -305,7 +314,7 @@ The available relationships may vary depending on the ecosystem.
 To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
 
 ```
-$ trivy repo -f json --list-all-pkgs /path/to/project
+$ trivy repo -f json /path/to/project
 ```
 
 To scan only the root package and its direct dependencies, you can use the flag as follows:
@@ -317,30 +326,30 @@ $ trivy repo --pkg-relationships root,direct /path/to/project
 By default, all relationships are included in the scan.
 
 !!! info
-    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+    This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
 
 !!! warning
     As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
 
-### Detection Priority
+## Kubernetes
 
-Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in vulnerability detection.
-This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
+Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
 
-```bash
-$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
-```
+### Data Sources
 
-- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
-- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
-  It provides broader coverage but may increase the noise in the results.
+| Vendor     | Source                                      |
+|------------|---------------------------------------------|
+| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
 
-The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
+[^1]: Some manual triage and correction has been made.
 
-Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
+## Databases
+The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
+For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
 
-- `precise`: Review thoroughly, considering potential missed vulnerabilities.
-- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
+## Configuration
+This section describes vulnerability-specific configuration.
+Other common options are documented [here](../configuration/index.md).
 
 ### Overriding OS version
 By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
@@ -396,6 +405,7 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
 [azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
 [rootio]: https://api.root.io/external/patch_feed
+[seal]: http://vulnfeed.sealsecurity.io/v1/osv/renamed/vulnerabilities.zip
 
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -425,4 +435,4 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 [RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 
 [ghsa]: https://github.com/advisories
 [requests]: https://pypi.org/project/requests/
-[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
+[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall

docs/docs/supply-chain/sbom.md

@@ -185,6 +185,8 @@ Trivy supports the following packages.
 - [OS packages][os_packages]
 - [Language-specific packages][language_packages]
 
+Trivy has a specific logic for package detection.
+See the [package detection](../scanner/vulnerability.md#package-detection) section for more information.
 
 ### Formats
 #### CycloneDX

docs/docs/target/repository.md

@@ -109,6 +109,26 @@ $ trivy repo --scanners license (REPO_PATH | REPO_URL)
 Trivy can generate SBOM for code repositories.
 See [here](../supply-chain/sbom.md) for the detail.
 
+## Git Metadata
+When scanning git repositories (both local and remote), Trivy automatically extracts and includes git metadata in the scan results.
+This metadata provides context about the scanned repository.
+
+The metadata includes information such as:
+
+- Repository URL
+- Branch name
+- Tags
+- Commit details (hash, message, commiter)
+- Author information
+
+This feature works automatically for any git repository.
+When using JSON format output, the git metadata will be included in the `Metadata` field.
+For detailed information about the available fields, please refer to the JSON output of your scan results.
+
+```bash
+$ trivy repo --format json <repo-name>
+```
+
 ## Scan Cache
 When scanning git repositories, it stores analysis results in the cache, using the latest commit hash as the key.
 Note that the cache is not used when the repository is dirty, otherwise Trivy will miss the files that are not committed.

docs/ecosystem/cicd.md

@@ -43,11 +43,11 @@ The Dagger module for Trivy provides functions for scanning container images fro
 
 
 ## Semaphore (Community)
-[Semaphore](https://semaphoreci.com/) is a CI/CD service.
+[Semaphore](https://semaphore.io/) is a CI/CD service.
 
 You can use Trivy in Semaphore for scanning code, containers, infrastructure, and Kubernetes in Semaphore workflow.
 
-👉 Get it at: <https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy>
+👉 Get it at: <https://docs.semaphore.io/using-semaphore/recipes/trivy>
 
 ## CircleCI (Community)
 [CircleCI](https://circleci.com/) is a CI/CD service.

docs/overrides/partners.html

@@ -18,16 +18,14 @@
 			<div class="hero-body">
 				<div class="clearboth container">
 					<div class="header_title_wrap with_columns">
-						<div class="header_title_content_wrap">
-							<h1 class="title page_title is-spaced fadeInUp">
-								Trivy Partners Program
-							</h1>
+						<div class="header_title_content_wrap partners_hero_titles">
+							<h1 class="title page_title fadeInUp">Trivy Partner Connect</h1>
 							<h2 class="subtitle page_subtitle fadeInUp animationDelay_1">
-								Align with the world's most trusted open-source scanner. This premium program gives you priority support, co-branding rights, and access to millions of users who rely on Trivy to secure their cloud-native environments. Don't just integrate; Lead.
+								Partner with the world’s most trusted open-source security scanner through this premium program, which gives you priority support, co&#8209;branding rights, and access to millions of users who rely on Trivy to secure their cloud native environments.
 							</h2>
 						</div><!-- header_title_content_wrap -->	
 						
-						<div class="header_title_content_wrap partners_hero_stage_image"><img src="{{ base_url }}/assets/images/partners_hero_stage_full.svg" alt="" loading="lazy"></div>
+						<div class="header_title_content_wrap partners_hero_stage_image"><img src="{{ base_url }}/assets/images/partners_hero_stage_03.png" alt="" loading="lazy"></div>
 						
 					</div><!-- header_title_wrap -->					
 					
@@ -50,7 +48,7 @@
     <!-- logos starts -->
 	<div class="partners_logos_wrap">
 
-		<h3 class="title generic_title partners_logos_title">Join the Trivy Partners Community</h3>
+		<h3 class="title generic_title partners_logos_title">Join the Trivy Partner Connect Community</h3>
 		<div class="partners_logos">
 			<div class="logo_item"><a href="https://minimus.io" target="_blank"><img src="{{ base_url }}/assets/images/partner_logo_minimus.svg" width="100" height="100" alt="Minimus Logo" loading="lazy"></a></div>
 			<div class="logo_item"><a href="https://root.io" target="_blank"><img src="{{ base_url }}/assets/images/partner_logo_root.svg" width="100" height="100" alt="Root Logo" loading="lazy"></a></div>
@@ -59,6 +57,157 @@
 	</div><!-- partners_logos_wrap -->
 	<!-- logos ends -->
 
+	
+	
+	<div class="partners_benefits_wrap">
+		<div class="clearboth container">
+	
+			<div class="section_title_wrap">
+				<div class="section_title_icon"><img src="{{ base_url }}/assets/images/section_icon_12.png" width="100" height="100" alt="" loading="lazy"></div>
+				<h3 class="title section_title partners_benefits_title">Why Partner with Trivy</h3>
+			</div><!-- section_title_wrap -->
+
+			<div class="benefit_items">
+	
+				<div class="benefit_item glass_v2">
+					
+					    <div class="glass_content">
+							<div class="benefit_icon"><img src="{{ base_url }}/assets/images/partners_icon_01.png" alt="" loading="lazy"></div>
+							<h3 class="title generic_title benefit_title"><span style="display:block;">Boost</span> Credibility</h3>
+							<div class="benefit_content">Show your commitment to security by partnering with the open-source scanner trusted by millions. Gain co-branding rights and be seen as a “secure by design” leader.</div>
+						</div><!-- glass_content -->
+						<div class="glow_topright"></div>
+						<div class="glow_bottomleft"></div>
+				</div>
+		
+				<div class="benefit_item glass_v2">
+
+						<div class="glass_content">
+
+							<div class="benefit_icon"><img src="{{ base_url }}/assets/images/partners_icon_02.png" alt="" loading="lazy"></div>
+							<h3 class="title generic_title benefit_title"><span style="display:block;">Accelerate</span> Growth</h3>
+							<div class="benefit_content">Tap into Trivy’s massive user base, leverage joint marketing opportunities, and unlock new revenue streams by embedding proven security into your offerings.</div>
+
+						</div><!-- glass_content -->
+						<div class="glow_topright"></div>
+						<div class="glow_bottomleft"></div>
+
+				</div>
+		
+				<div class="benefit_item glass_v2">
+						<div class="glass_content">
+
+							<div class="benefit_icon"><img src="{{ base_url }}/assets/images/partners_icon_03.png" alt="" loading="lazy"></div>
+							<h3 class="title generic_title benefit_title"><span style="display:block;">Access Expert</span> Support & Insights</h3>
+							<div class="benefit_content">Get priority technical assistance, exclusive roadmap access, and data-driven insights to enhance your product and stay ahead of emerging threats.</div>
+
+						</div><!-- glass_content -->
+						<div class="glow_topright"></div>
+						<div class="glow_bottomleft"></div>
+
+				</div>
+	
+			</div><!-- benefit_items -->
+	
+		</div><!-- container -->
+
+	</div><!-- partners_benefits_wrap -->
+	
+	
+	<div class="partners_plans_wrap">
+	
+		<div class="clearboth container">
+
+			<div class="section_title_wrap">
+				<div class="section_title_icon"><img src="{{ base_url }}/assets/images/section_icon_12.png" width="100" height="100" alt="" loading="lazy"></div>
+				<h3 class="title section_title partners_plans_title">Connect with Trivy, Your Way</h3>
+				<div class="subtitle section_subtitle">From integration to influence</div>
+			</div><!-- section_title_wrap -->
+
+			<div class="plan_items">
+	
+				<div class="plan_item glass_v2">
+					<div class="glass_content">
+						<div class="plan_titles_wrap">
+							<h3 class="title generic_title plan_title">Authorized Partner</h3>
+							<div class="subtitle generic_subtitle plan_subtitle">Start strong with Trivy.</div>
+						</div>
+						<div class="plan_content">Gain foundational benefits including Trivy trademark usage and public directory listing. Ideal for partners embedding and reselling Trivy who want to build credibility and visibility.</div>
+					 </div>
+    				<div class="glow_topright"></div>
+    				<div class="glow_bottomleft"></div>
+					<div class="plan_level level_1"></div>
+				</div><!-- plan_item -->
+	
+				<div class="plan_item glass_v2">
+					<div class="glass_content">
+						<div class="plan_titles_wrap">
+							<h3 class="title generic_title plan_title">Core Partner</h3>
+							<div class="subtitle generic_subtitle plan_subtitle">Go deeper with technical access and&nbsp;co&#8209;marketing.</div>
+						</div>
+						<div class="plan_content">Includes all Authorized benefits, plus priority support, exclusive access to Trivy maintainers, and opportunities for joint marketing such as blogs, webinars, and events.</div>
+					 </div>
+    				<div class="glow_topright"></div>
+    				<div class="glow_bottomleft"></div>
+					<div class="plan_level level_2"></div>
+				</div><!-- plan_item -->
+	
+				<div class="plan_item glass_v2">
+					<div class="glass_content">
+						<div class="plan_titles_wrap">
+							<h3 class="title generic_title plan_title">Advisor Partner</h3>
+							<div class="subtitle generic_subtitle plan_subtitle">Strategic partnership with visibility and&nbsp;influence.</div>
+						</div>
+						<div class="plan_content">Get all Core benefits, plus shared product insights, feature requests prioritization, and a named account manager. Advisor Partners help shape Trivy’s roadmap and the future of container security.</div>
+					 </div>
+    				<div class="glow_topright"></div>
+    				<div class="glow_bottomleft"></div>
+					<div class="plan_level level_3"></div>
+				</div><!-- plan_item -->
+	
+			</div><!-- plan_items -->
+	
+		</div><!-- container -->
+	
+	</div><!-- partners_plans_wrap -->
+
+
+
+	<div class="partners_contact_wrap">
+	
+		<div class="clearboth container">
+
+			
+			<div class="section_title_wrap">
+				<div class="section_title_icon"><img src="{{ base_url }}/assets/images/section_icon_12.png" width="100" height="100" alt="" loading="lazy"></div>
+				<h3 class="title section_title is_smaller partners_plans_title"><span style="display:block;">Contact us to learn more</span> about the paid partnerships</h3>
+			</div><!-- section_title_wrap -->
+
+			<div class="glass_v2 contact_form_wrap"><!-- light_glass  -->
+				<div class="glass_content">
+
+					<div class="hubspot_form_wrap">
+						<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
+						<script>
+						hbspt.forms.create({
+							portalId: "1665891",
+							formId: "572500eb-a595-487c-88a7-c8d933745192",
+							region: "na1"
+						});
+						</script>
+					</div><!-- hubspot_form_wrap -->
+
+				</div><!-- glass_content -->
+				<div class="glow_topright"></div>
+				<div class="glow_bottomleft"></div>
+			</div><!-- contact_form_wrap -->
+
+	
+		</div><!-- container -->
+	
+	</div><!-- partners_contact_wrap -->
+
+
 </div><!-- trivy_v1_homepage_wrap.partners_wrap -->
 
 {% endblock %}

docs/tutorials/misconfiguration/terraform.md

@@ -94,7 +94,7 @@ We have lots of examples in the [documentation](https://trivy.dev/latest/docs/sc
 
 ## Secret and vulnerability scans
 
-The `trivy config` command does not perform secrete and vulnerability checks out of the box. However, you can specify as part of your `trivy fs` scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags: 
+The `trivy config` command does not perform secret and vulnerability checks out of the box. However, you can specify as part of your `trivy fs` scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags: 
 
 ```
 trivy fs --scanners secret,misconfig ./
@@ -111,4 +111,4 @@ Note that you need to be able to create a terraform init and plan without any er
 ## Using Trivy in your CI/CD pipeline 
 Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://trivy.dev/latest/tutorials/integrations/](https://trivy.dev/latest/tutorials/integrations/) 
 
- 
+ 

e2e/README.md

@@ -0,0 +1,70 @@
+# End-to-End (E2E) Tests
+
+## Testing Philosophy
+
+The E2E tests in this directory are designed to test Trivy's functionality in realistic environments with **external dependencies and network connectivity**. These tests complement unit tests and integration tests by focusing on scenarios that require real external resources.
+
+### What E2E Tests Should Cover
+
+E2E tests should focus on functionality that involves:
+- **External network connections** (downloading container images, vulnerability databases)
+- **External service dependencies** (Docker daemon, registry access, proxy servers)
+- **Real-world scenarios** that cannot be easily mocked or simulated
+- **Cross-component integration** involving external systems
+
+### What E2E Tests Should NOT Cover
+
+E2E tests should **avoid** detailed assertions and comprehensive validation:
+- **Detailed JSON output validation** - this should be covered by integration tests
+- **Comprehensive vulnerability detection** - this should be covered by unit tests
+- **Complex result comparison** - basic functionality verification is sufficient
+- **Edge cases and error conditions** - these should be covered by unit tests
+
+### Testing Approach
+
+- **Minimal assertions**: Focus on basic functionality rather than detailed output validation
+- **External dependencies**: Use real registries, databases, and services where practical
+- **Environment isolation**: Each test should use isolated cache and working directories
+- **Golden files**: Use -update flag for maintainable output comparison
+- **Conditional execution**: Tests should validate required dependencies during setup
+
+### Dependencies
+
+- **Docker**: Required for local image scanning tests
+- **Internet access**: Required for downloading images and databases
+
+### Test Execution
+
+The E2E tests build and execute trivy in isolated temporary directories. When you run `mage test:e2e`, it automatically:
+1. Builds trivy in a test-specific temporary directory (via `t.TempDir()`)
+2. Adds the temporary directory to the PATH for test execution
+3. Runs the E2E tests using the isolated binary
+
+This approach ensures:
+- No pollution of the global environment
+- Each test run uses a freshly built binary
+- Test isolation between different test runs
+- Clean test environment without side effects
+
+### Running Tests
+
+```bash
+# Run all E2E tests
+mage test:e2e
+
+# Run specific test
+go test -v -tags=e2e ./e2e/ -run TestE2E/image_scan
+
+# Update golden files when output changes
+go test -v -tags=e2e ./e2e/ -update
+```
+
+### Adding New Tests
+
+When adding new E2E tests:
+1. Focus on external dependencies and real-world scenarios
+2. Use minimal assertions - verify functionality, not detailed output
+3. Use golden files with -update flag for output comparison
+4. Validate required dependencies in test setup
+5. Use fixed/pinned versions for reproducible results
+6. Include clear test documentation explaining the scenario being tested

e2e/e2e_test.go

@@ -0,0 +1,94 @@
+//go:build e2e
+
+package e2e
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/rogpeppe/go-internal/testscript"
+)
+
+var update = flag.Bool("update", false, "update golden files")
+
+func TestE2E(t *testing.T) {
+	testscript.Run(t, testscript.Params{
+		Dir: "testdata",
+		Setup: func(env *testscript.Env) error {
+			return setupTestEnvironment(t, env)
+		},
+		UpdateScripts: *update,
+	})
+}
+
+func buildTrivy(t *testing.T) string {
+	t.Helper()
+
+	tmp := t.TempDir() // Test-specific directory
+	exe := filepath.Join(tmp, "trivy")
+	if runtime.GOOS == "windows" {
+		exe += ".exe"
+	}
+
+	cmd := exec.Command("go", "build",
+		"-o", exe,
+		"../cmd/trivy",
+	)
+	// Prevent environment pollution
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
+
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Trivy build failed: %v\n%s", err, out)
+	}
+	return exe
+}
+
+func setupTestEnvironment(t *testing.T, env *testscript.Env) error {
+	// Validate Docker availability - fail if not available
+	if err := validateDockerAvailability(); err != nil {
+		return fmt.Errorf("Docker validation failed: %v", err)
+	}
+
+	// Build Trivy once and cache it
+	trivyExe := buildTrivy(t)
+
+	// Add directory containing trivy to PATH
+	env.Setenv("PATH", filepath.Dir(trivyExe)+string(os.PathListSeparator)+env.Getenv("PATH"))
+
+	// Set environment variables for test scripts
+	env.Setenv("TRIVY_DB_DIGEST", "sha256:b4d3718a89a78d4a6b02250953e92fcd87776de4774e64e818c1d0e01c928025")
+	// Disable VEX notice in test environment
+	env.Setenv("TRIVY_DISABLE_VEX_NOTICE", "true")
+	
+	// Define test image
+	testImage := "alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b"
+	env.Setenv("TEST_IMAGE", testImage)
+
+	// Pre-pull the test image to Docker daemon
+	t.Logf("Pre-pulling test image: %s", testImage)
+	cmd := exec.Command("docker", "pull", testImage)
+	if output, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("failed to pull test image: %v\nOutput: %s", err, output)
+	}
+
+	// Pass through DOCKER_HOST if set
+	if dockerHost := os.Getenv("DOCKER_HOST"); dockerHost != "" {
+		env.Setenv("DOCKER_HOST", dockerHost)
+	}
+
+	return nil
+}
+
+func validateDockerAvailability() error {
+	cmd := exec.Command("docker", "version")
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("Docker is not available or not running: %v", err)
+	}
+	return nil
+}