release: v0.58.1 [release/v0.58] (#8120)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>

.circleci/config.yml

@@ -1,50 +0,0 @@
-defaults: &defaults
-  docker :
-    - image: knqyf263/ci-trivy:latest
-  environment:
-    CGO_ENABLED: "0"
-
-jobs:
-  test:
-    <<: *defaults
-    steps:
-      - checkout
-      - run:
-          name: Test
-          command: go test ./...
-  release:
-    <<: *defaults
-    steps:
-      - checkout
-      - run:
-          name: Release
-          command: goreleaser --rm-dist
-      - run:
-          name: Clone trivy repository
-          command: git clone git@github.com:knqyf263/trivy-repo.git
-      - run:
-          name: Setup git settings
-          command: |
-            git config --global user.email "knqyf263@gmail.com"
-            git config --global user.name "Teppei Fukuda"
-      - run:
-          name: Create rpm repository
-          command: ci/deploy-rpm.sh
-      - run:
-          name: Import GPG key
-          command: echo -e "$GPG_KEY" | gpg --import
-      - run:
-          name: Create deb repository
-          command: ci/deploy-deb.sh
-            
-workflows:
-  version: 2
-  release:
-    jobs:  
-      - test
-      - release:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /.*/

.clang-format

@@ -0,0 +1,5 @@
+---
+Language: Proto
+BasedOnStyle: Google
+AlignConsecutiveAssignments: true
+AlignConsecutiveDeclarations: true

.dockerignore

@@ -1 +1,6 @@
+.git
+.github
+.cache
+.circleci
+integration
 imgs

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf 

.github/CODEOWNERS

@@ -0,0 +1,22 @@
+# Global
+*   @knqyf263
+
+# SBOM/Vulnerability scanning
+pkg/dependency/  @knqyf263 @DmitriyLewen
+pkg/fanal/       @knqyf263 @DmitriyLewen
+pkg/sbom/        @knqyf263 @DmitriyLewen
+pkg/scanner/     @knqyf263 @DmitriyLewen
+
+# Misconfiguration scanning
+docs/docs/scanner/misconfiguration/  @simar7 @nikpivkin
+docs/docs/target/aws.md              @simar7 @nikpivkin
+pkg/fanal/analyzer/config/           @simar7 @nikpivkin
+pkg/cloud/                           @simar7 @nikpivkin
+pkg/iac/                             @simar7 @nikpivkin
+
+# Helm chart
+helm/trivy/ @afdesk
+
+# Kubernetes scanning
+pkg/k8s/                         @afdesk
+docs/docs/target/kubernetes.md   @afdesk

.github/DISCUSSION_TEMPLATE/adopters.yml

@@ -0,0 +1,47 @@
+title: "<company name>"
+labels: ["adopters"]
+body:
+  - type: textarea
+    id: info
+    attributes:
+      label: "[Optional] How do you use Trivy?"
+    validations:
+      required: false
+  - type: textarea
+    id: info
+    attributes:
+      label: "[Optional] Can you provide us with a quote on your favourite part of Trivy? This may be used on the trivy.dev website, posted on Twitter (@AquaTrivy) or similar marketing material."
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: "[Optional] Which targets are you scanning with Trivy?"
+      options:
+        - label: "Container Image"
+        - label: "Filesystem"
+        - label: "Git Repository"
+        - label: "Virtual Machine Image"
+        - label: "Kubernetes"
+        - label: "AWS"
+        - label: "SBOM"
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: "[Optional] What kind of issues are scanning with Trivy?"
+      options:
+        - label: "Software Bill of Materials (SBOM)"
+        - label: "Known vulnerabilities (CVEs)"
+        - label: "IaC issues and misconfigurations"
+        - label: "Sensitive information and secrets"
+        - label: "Software licenses"
+  - type: markdown
+    attributes:
+      value: |
+        ## Get in touch
+        We are always looking for 
+        * User feedback
+        * Collaboration with other companies and organisations
+        * Or just to have a chat with you about trivy. 
+        If any of this interests you or your marketing team, please reach out at: oss@aquasec.com
+        We would love to hear from you!

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -0,0 +1,124 @@
+labels: ["kind/bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        #### Note
+        Feel free to raise a bug report if something doesn't work as expected.
+        Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
+        If you see any false positives or false negatives, please file a ticket [here](https://github.com/aquasecurity/trivy/discussions/new?category=false-detection).
+        
+        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
+        
+        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+  - type: textarea
+    attributes:
+      label: Description
+      description: Briefly describe the problem you are having in a few paragraphs.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Desired Behavior
+      description: What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Actual Behavior
+      description: What happened instead?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Reproduction Steps
+      description: How do you trigger this bug? Please walk us through it step by step.
+      value: |
+        1.
+        2.
+        3.
+        ...
+      render: bash
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Target
+      description: Which target are you scanning? It is equal to which subcommand you are using.
+      options:
+        - Container Image
+        - Filesystem
+        - Git Repository
+        - Virtual Machine Image
+        - Kubernetes
+        - AWS
+        - SBOM
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Scanner
+      description: Which scanner are you using?
+      options:
+        - Vulnerability
+        - Misconfiguration
+        - Secret
+        - License
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Output Format
+      description: Which output format are you using?
+      options:
+        - Table
+        - JSON
+        - Template
+        - SARIF
+        - CycloneDX
+        - SPDX
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Mode
+      description: Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
+      options:
+        - Standalone
+        - Client/Server
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Debug Output
+      description: Output of run with `--debug`
+      placeholder: "$ trivy <target> <subject> --debug"
+      render: bash
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Operating System
+      description: On what operating system are you running Trivy?
+      placeholder: "e.g. macOS Big Sur"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Version
+      description: Output of `trivy --version`
+      placeholder: "$ trivy --version"
+      render: bash
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Checklist
+      description: Have you tried the following?
+      options:
+        - label: Run `trivy clean --all`
+        - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
+  - type: markdown
+    attributes:
+      value: |
+        We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).

.github/DISCUSSION_TEMPLATE/documentation.yml

@@ -0,0 +1,28 @@
+labels: ["kind/documentation"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        #### Note
+        Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
+        Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
+        
+        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+  - type: textarea
+    attributes:
+      label: Description
+      description: Briefly describe the what has been unclear in the existing documentation
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Link
+      description: Please provide a link to the current documentation or where you thought to find the information you were looking for
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Suggestions
+      description: What would you like to have added or changed in the documentation?
+    validations:
+      required: true

.github/DISCUSSION_TEMPLATE/false-detection.yml

@@ -0,0 +1,96 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        #### Note
+        Feel free to raise a bug report if something doesn't work as expected.
+        Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
+        
+        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
+        
+        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+  - type: input
+    attributes:
+      label: IDs
+      description: List the IDs of vulnerabilities, misconfigurations, secrets, or licenses that are either not detected or mistakenly detected.
+      placeholder: "e.g. CVE-2021-44228, CVE-2022-22965"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Description
+      description: Describe the false detection.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Reproduction Steps
+      description: How do you trigger this bug? Please walk us through it step by step.
+      value: |
+        1.
+        2.
+        3.
+        ...
+      render: bash
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Target
+      description: Which target are you scanning? It is equal to which subcommand you are using.
+      options:
+        - Container Image
+        - Filesystem
+        - Git Repository
+        - Virtual Machine Image
+        - Kubernetes
+        - AWS
+        - SBOM
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Scanner
+      description: Which scanner are you using?
+      options:
+        - Vulnerability
+        - Misconfiguration
+        - Secret
+        - License
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Target OS
+      description: What operating system are you scanning? Fill in this field if the scanning target is an operating system.
+      placeholder: "Example: Ubuntu 22.04"
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Debug Output
+      description: Output of run with `--debug`
+      placeholder: "$ trivy <target> <subject> --debug"
+      render: bash
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Version
+      description: Output of `trivy --version`
+      placeholder: "$ trivy --version"
+      render: bash
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Checklist
+      options:
+        - label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
+        - label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
+    validations:
+      required: true
+  - type: markdown
+    attributes:
+      value: |
+        We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).

.github/DISCUSSION_TEMPLATE/ideas.yml

@@ -0,0 +1,47 @@
+labels: ["kind/feature"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        #### Note
+        Feel free to share your idea.
+        Please ensure that you're not creating a duplicate ticket by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
+        
+        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
+        
+        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+  - type: textarea
+    attributes:
+      label: Description
+      description: Describe your idea.
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Target
+      description: Which target is your idea related to?
+      options:
+        - Container Image
+        - Filesystem
+        - Git Repository
+        - Virtual Machine Image
+        - Kubernetes
+        - AWS
+        - SBOM
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Scanner
+      description: Which scanner is your idea related to?
+      options:
+        - Vulnerability
+        - Misconfiguration
+        - Secret
+        - License
+    validations:
+      required: false
+  - type: markdown
+    attributes:
+      value: |
+        We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).

.github/DISCUSSION_TEMPLATE/q-a.yml

@@ -0,0 +1,84 @@
+labels: ["triage/support"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        #### Note
+        If you have any troubles/questions, feel free to ask.
+        Please ensure that you're not asking a duplicate question by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
+        
+        **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
+        
+        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+  - type: textarea
+    attributes:
+      label: Question
+      description: What kind of problem are you facing? Or, what questions do you have?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Target
+      description: Which target are you scanning? It is equal to which subcommand you are using.
+      options:
+        - Container Image
+        - Filesystem
+        - Git Repository
+        - Virtual Machine Image
+        - Kubernetes
+        - AWS
+        - SBOM
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Scanner
+      description: Which scanner are you using?
+      options:
+        - Vulnerability
+        - Misconfiguration
+        - Secret
+        - License
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Output Format
+      description: Which output format are you using?
+      options:
+        - Table
+        - JSON
+        - Template
+        - SARIF
+        - CycloneDX
+        - SPDX
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: Mode
+      description: Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
+      options:
+        - Standalone
+        - Client/Server
+    validations:
+      required: false
+  - type: input
+    attributes:
+      label: Operating System
+      description: What operating system are you using?
+      placeholder: "Example: macOS Big Sur"
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Version
+      description: Output of `trivy --version`
+      placeholder: "$ trivy --version"
+      render: bash
+    validations:
+      required: false
+  - type: markdown
+    attributes:
+      value: |
+        We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,17 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Report a false detection
+    url: https://github.com/aquasecurity/trivy/discussions/new?category=false-detection
+    about: Report false positives/negatives
+  - name: Report a bug
+    url: https://github.com/aquasecurity/trivy/discussions/new?category=bugs
+    about: Report bugs
+  - name: Enhance documentation
+    url: https://github.com/aquasecurity/trivy/discussions/new?category=documentation
+    about: Make suggestions to the documentation
+  - name: Request a feature enhancement
+    url: https://github.com/aquasecurity/trivy/discussions/new?category=ideas
+    about: Share ideas for new features
+  - name: Ask the community for help
+    url: https://github.com/aquasecurity/trivy/discussions/new?category=q-a
+    about: Ask questions and discuss with other community members

.github/actions/trivy-triage/Makefile

@@ -0,0 +1,3 @@
+.PHONEY: test
+test: helpers.js helpers.test.js
+	node --test helpers.test.js

.github/actions/trivy-triage/action.yaml

@@ -0,0 +1,29 @@
+name: 'trivy-discussion-triage'
+description: 'automatic triage of Trivy discussions'
+inputs:
+  discussion_num:
+    description: 'Discussion number to triage'
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: Conditionally label discussions based on category and content
+      env:
+        GH_TOKEN: ${{ github.token }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const {detectDiscussionLabels, fetchDiscussion, labelDiscussion } = require('${{ github.action_path }}/helpers.js');
+          const config = require('${{ github.action_path }}/config.json');
+          discussionNum = parseInt(${{ inputs.discussion_num }});
+          let discussion;
+          if (discussionNum > 0) {
+              discussion = (await fetchDiscussion(github, context.repo.owner, context.repo.repo, discussionNum)).repository.discussion;
+          } else {
+              discussion = context.payload.discussion;
+          }
+          const labels = detectDiscussionLabels(discussion, config.discussionLabels);
+          if (labels.length > 0) {
+              console.log(`Adding labels ${labels} to discussion ${discussion.node_id}`);
+              labelDiscussion(github, discussion.node_id, labels);
+          }

.github/actions/trivy-triage/config.json

@@ -0,0 +1,14 @@
+{
+    "discussionLabels": {
+        "Container Image":"LA_kwDOCsUTCM75TTQU",
+        "Filesystem":"LA_kwDOCsUTCM75TTQX",
+        "Git Repository":"LA_kwDOCsUTCM75TTQk",
+        "Virtual Machine Image":"LA_kwDOCsUTCM8AAAABMpz1bw",
+        "Kubernetes":"LA_kwDOCsUTCM75TTQv",
+        "AWS":"LA_kwDOCsUTCM8AAAABMpz1aA",
+        "Vulnerability":"LA_kwDOCsUTCM75TTPa",
+        "Misconfiguration":"LA_kwDOCsUTCM75TTP8",
+        "License":"LA_kwDOCsUTCM77ztRR",
+        "Secret":"LA_kwDOCsUTCM75TTQL"
+    }
+}

.github/actions/trivy-triage/helpers.js

@@ -0,0 +1,70 @@
+module.exports = {
+    detectDiscussionLabels: (discussion, configDiscussionLabels) => {
+        res = [];
+        const discussionId = discussion.id;
+        const category = discussion.category.name;
+        const body = discussion.body;
+        if (category !== "Ideas") {
+            console.log(`skipping discussion with category ${category} and body ${body}`);
+            return [];
+        }
+        const scannerPattern = /### Scanner\n\n(.+)/;
+        const scannerFound = body.match(scannerPattern);
+        if (scannerFound && scannerFound.length > 1) {
+            res.push(configDiscussionLabels[scannerFound[1]]);
+        }
+        const targetPattern = /### Target\n\n(.+)/;
+        const targetFound = body.match(targetPattern);
+        if (targetFound && targetFound.length > 1) {
+            res.push(configDiscussionLabels[targetFound[1]]);
+        }
+        return res;
+    },
+    fetchDiscussion: async (github, owner, repo, discussionNum) => {
+        const query = `query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
+            repository(name: $repo, owner: $owner) {
+                discussion(number: $discussion_num) {
+                    number,
+                    id,
+                    body,
+                    category {
+                        id,
+                        name
+                    },
+                    labels(first: 100) {
+                        edges {
+                            node {
+                                id,
+                                name
+                            }
+                        }
+                    }
+                }
+            }
+        }`;
+        const vars = {
+            owner: owner,
+            repo: repo,
+            discussion_num: discussionNum
+        };
+        return github.graphql(query, vars);
+    },
+    labelDiscussion: async (github, discussionId, labelIds) => {
+        const query = `mutation AddLabels($labelId: ID!, $labelableId:ID!) {
+            addLabelsToLabelable(
+                input: {labelIds: [$labelId], labelableId: $labelableId}
+            ) {
+                clientMutationId
+            }
+        }`;
+        // TODO: add all labels in one call
+        labelIds.forEach((labelId) => {
+            const vars = {
+                labelId: labelId,
+                labelableId: discussionId
+            };
+            github.graphql(query, vars);
+        });
+    }
+};
+

.github/actions/trivy-triage/helpers.test.js

@@ -0,0 +1,87 @@
+const assert = require('node:assert/strict');
+const { describe, it } = require('node:test');
+const {detectDiscussionLabels} = require('./helpers.js');
+
+const configDiscussionLabels = {
+  "Container Image":"ContainerImageLabel",
+  "Filesystem":"FilesystemLabel",
+  "Vulnerability":"VulnerabilityLabel",
+  "Misconfiguration":"MisconfigurationLabel",
+};
+
+describe('trivy-triage', async function() {
+  describe('detectDiscussionLabels', async function() {
+    it('detect scanner label', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('VulnerabilityLabel'));
+    });
+    it('detect target label', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect label when it is first', async function() {
+      const discussion = {
+        body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect label when it is last', async function() {
+      const discussion = {
+        body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect scanner and target labels', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+      assert(labels.includes('VulnerabilityLabel'));
+    });
+    it('not detect other labels', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(!labels.includes('FilesystemLabel'));
+      assert(!labels.includes('MisconfigurationLabel'));
+    });
+    it('process only relevant categories', async function() {
+      const discussion = {
+        body: 'hello world', 
+        category: {
+          name: 'Announcements'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.length === 0);
+    });
+  });
+});

.github/actions/trivy-triage/testutils/discussion-payload-sample.json

@@ -0,0 +1,65 @@
+{
+    "active_lock_reason": null,
+    "answer_chosen_at": null,
+    "answer_chosen_by": null,
+    "answer_html_url": null,
+    "author_association": "OWNER",
+    "body": "### Description\n\nlfdjs lfkdj dflsakjfd ';djk \r\nfadfd \r\nasdlkf \r\na;df \r\ndfsal;kfd ;akjl\n\n### Target\n\nContainer Image\n\n### Scanner\n\nMisconfiguration",
+    "category": {
+      "created_at": "2023-07-02T10:14:46.000+03:00",
+      "description": "Share ideas for new features",
+      "emoji": ":bulb:",
+      "id": 39743708,
+      "is_answerable": false,
+      "name": "Ideas",
+      "node_id": "DIC_kwDOE0GiPM4CXnDc",
+      "repository_id": 323068476,
+      "slug": "ideas",
+      "updated_at": "2023-07-02T10:14:46.000+03:00"
+    },
+    "comments": 0,
+    "created_at": "2023-09-11T08:40:11Z",
+    "html_url": "https://github.com/itaysk/testactions/discussions/9",
+    "id": 5614504,
+    "locked": false,
+    "node_id": "D_kwDOE0GiPM4AVauo",
+    "number": 9,
+    "reactions": {
+      "+1": 0,
+      "-1": 0,
+      "confused": 0,
+      "eyes": 0,
+      "heart": 0,
+      "hooray": 0,
+      "laugh": 0,
+      "rocket": 0,
+      "total_count": 0,
+      "url": "https://api.github.com/repos/itaysk/testactions/discussions/9/reactions"
+    },
+    "repository_url": "https://api.github.com/repos/itaysk/testactions",
+    "state": "open",
+    "state_reason": null,
+    "timeline_url": "https://api.github.com/repos/itaysk/testactions/discussions/9/timeline",
+    "title": "Title title",
+    "updated_at": "2023-09-11T08:40:11Z",
+    "user": {
+      "avatar_url": "https://avatars.githubusercontent.com/u/1161307?v=4",
+      "events_url": "https://api.github.com/users/itaysk/events{/privacy}",
+      "followers_url": "https://api.github.com/users/itaysk/followers",
+      "following_url": "https://api.github.com/users/itaysk/following{/other_user}",
+      "gists_url": "https://api.github.com/users/itaysk/gists{/gist_id}",
+      "gravatar_id": "",
+      "html_url": "https://github.com/itaysk",
+      "id": 1161307,
+      "login": "itaysk",
+      "node_id": "MDQ6VXNlcjExNjEzMDc=",
+      "organizations_url": "https://api.github.com/users/itaysk/orgs",
+      "received_events_url": "https://api.github.com/users/itaysk/received_events",
+      "repos_url": "https://api.github.com/users/itaysk/repos",
+      "site_admin": false,
+      "starred_url": "https://api.github.com/users/itaysk/starred{/owner}{/repo}",
+      "subscriptions_url": "https://api.github.com/users/itaysk/subscriptions",
+      "type": "User",
+      "url": "https://api.github.com/users/itaysk"
+    }
+}

.github/actions/trivy-triage/testutils/fetchDiscussion.sh

@@ -0,0 +1,29 @@
+#! /bin/bash
+# fetch discussion by discussion number
+# requires authenticated gh cli, assumes repo but current git repository
+# args:
+#   $1: discussion number, e.g 123, required
+
+discussion_num="$1"
+gh api graphql -F discussion_num="$discussion_num" -F repo="{repo}" -F owner="{owner}" -f query='
+    query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
+    repository(name: $repo, owner: $owner) {
+        discussion(number: $discussion_num) {
+        number,
+        id,
+        body,
+        category {
+            id,
+            name
+        },
+        labels(first: 100) {
+            edges {
+            node {
+                id,
+                name
+            }
+            }
+        }
+        }
+    }
+    }'

.github/actions/trivy-triage/testutils/fetchLabels.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+# fetch labels and their IDs
+# requires authenticated gh cli, assumes repo but current git repository
+
+gh api graphql -F repo="{repo}" -F owner="{owner}" -f query='
+    query GetLabelIds($owner: String!, $repo: String!) {
+    repository(name: $repo, owner: $owner) {
+        id
+        labels(first: 100) {
+        nodes {
+            id
+            name
+        }
+        }
+    }
+    }'

.github/actions/trivy-triage/testutils/labelDiscussion.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+# add a label to a discussion
+# requires authenticated gh cli, assumes repo but current git repository
+# args:
+#   $1: discussion ID (not number!), e.g DIC_kwDOE0GiPM4CXnDc, required
+#   $2: label ID, e.g. MDU6TGFiZWwzNjIzNjY0MjQ=, required
+discussion_id="$1"
+label_id="$2"
+gh api graphql -F labelableId="$discussion_id" -F labelId="$label_id" -F repo="{repo}" -F owner="{owner}" -f query='
+        mutation AddLabels($labelId: ID!, $labelableId:ID!) {
+            addLabelsToLabelable(
+                input: {labelIds: [$labelId], labelableId: $labelableId}
+            ) {
+                clientMutationId
+            }
+        }'

.github/dependabot.yml

@@ -0,0 +1,41 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+    groups:
+      docker:
+        patterns:
+          - "*"
+  - package-ecosystem: gomod
+    open-pull-requests-limit: 10
+    directory: /
+    schedule:
+      interval: weekly
+    ignore:
+      - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
+    groups:
+      aws:
+        patterns:
+          - "github.com/aws/*"
+      docker:
+        patterns:
+          - "github.com/docker/*"
+          - "github.com/moby/*"
+      testcontainers:
+        patterns:
+          - "github.com/testcontainers/*"
+      common:
+        exclude-patterns:
+          - "github.com/aquasecurity/trivy-*"
+        patterns:
+          - "*"

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Description
+
+## Related issues
+- Close #XXX
+
+## Related PRs
+- [ ] #XXX
+- [ ] #YYY
+
+Remove this section if you don't have related PRs.
+
+## Checklist
+- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
+- [ ] I've added tests that prove my fix is effective or that my feature works.
+- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
+- [ ] I've added usage information (if the PR introduces new options)
+- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

.github/workflows/auto-close-issue.yaml

@@ -0,0 +1,46 @@
+name: Auto-close issues
+
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  close_issue:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Close issue if user does not have write or admin permissions
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Get the issue creator's username
+            const issueCreator = context.payload.issue.user.login;
+            
+            // Check the user's permissions for the repository
+            const repoPermissions = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: issueCreator
+            });
+            
+            const permission = repoPermissions.data.permission;
+            
+            // If the user does not have write or admin permissions, leave a comment and close the issue
+            if (permission !== 'write' && permission !== 'admin') {
+              const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.issue.number,
+                body: commentBody
+              });
+            
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.issue.number,
+                state: 'closed',
+                state_reason: 'not_planned'
+              });
+            
+              console.log(`Issue #${context.payload.issue.number} closed because ${issueCreator} does not have sufficient permissions.`);
+            }

.github/workflows/auto-update-labels.yaml

@@ -0,0 +1,33 @@
+name: Auto-update labels
+on:
+  push:
+    paths:
+      - 'misc/triage/labels.yaml'
+    branches:
+      - main
+env:
+  GO_VERSION: '1.22'
+jobs:
+  deploy:
+    name: Auto-update labels
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          # cf. https://github.com/aquasecurity/trivy/pull/6711
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Install aqua tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: update labels
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: mage label

.github/workflows/backport.yaml

@@ -0,0 +1,58 @@
+name: Automatic Backporting
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  check_permission:
+    name: Check comment author permissions
+    runs-on: ubuntu-latest
+    outputs:
+      is_maintainer: ${{ steps.check_permission.outputs.is_maintainer }}
+    steps:
+      - name: Check permission
+        id: check_permission
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+          if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
+           echo "is_maintainer=true" >> $GITHUB_OUTPUT
+          else
+           echo "is_maintainer=false" >> $GITHUB_OUTPUT
+          fi
+  
+
+  backport:
+    name: Backport PR
+    needs: check_permission # run this job after checking permissions
+    if: |
+      needs.check_permission.outputs.is_maintainer == 'true' &&      
+      github.event.issue.pull_request &&
+      github.event.issue.pull_request.merged_at != null &&
+      startsWith(github.event.comment.body, '@aqua-bot backport release/')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract branch name
+        run: |
+          BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Run backport script
+        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/bypass-cla.yaml

@@ -0,0 +1,12 @@
+# This workflow is used to bypass the required status checks in merge queue.
+# cf. https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks
+name: CLA
+on:
+  merge_group:
+
+jobs:
+  cla:
+    name: license/cla
+    runs-on: ubuntu-latest
+    steps:
+      - run: 'echo "No test required"'

.github/workflows/bypass-test.yaml

@@ -0,0 +1,35 @@
+# This workflow is used to bypass the required status checks.
+# cf. https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks
+name: Test
+on:
+  push:
+    paths:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
+      - '.release-please-manifest.json'
+      - 'helm/trivy/Chart.yaml'
+  pull_request:
+    paths:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
+      - '.release-please-manifest.json'
+      - 'helm/trivy/Chart.yaml'
+jobs:
+  test:
+    name: Test
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+      - run: 'echo "No test required"'
+
+  integration:
+    name: Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - run: 'echo "No test required"'

.github/workflows/cache-test-images.yaml

@@ -0,0 +1,88 @@
+name: Cache test images
+on:
+  schedule:
+    - cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
+  workflow_dispatch:
+
+jobs:
+  test-images:
+    name: Cache test images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        if: github.ref_name == 'main'
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      ## We need to work with test image cache only for main branch
+      - name: Restore and save test images cache
+        if: github.ref_name == 'main'
+        uses: actions/cache@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-images-
+
+      - name: Download test images
+        if: github.ref_name == 'main'
+        run: mage test:fixtureContainerImages
+
+  test-vm-images:
+    name: Cache test VM images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        if: github.ref_name == 'main'
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      ## We need to work with test VM image cache only for main branch
+      - name: Restore and save test VM images cache
+        if: github.ref_name == 'main'
+        uses: actions/cache@v4
+        with:
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-vm-images-
+
+      - name: Download test VM images
+        if: github.ref_name == 'main'
+        run: mage test:fixtureVMImages

.github/workflows/canary.yaml

@@ -0,0 +1,60 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --clean --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v4.0.2
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error

.github/workflows/mkdocs-dev.yaml

@@ -0,0 +1,34 @@
+name: Deploy the dev documentation
+on:
+  push:
+    paths:
+      - 'docs/**'
+      - mkdocs.yml
+    branches:
+      - main
+jobs:
+  deploy:
+    name: Deploy the dev documentation
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip setuptools wheel
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
+          pip install -r docs/build/requirements.txt
+        env:
+          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
+      - name: Configure the git user
+        run: |
+          git config user.name "knqyf263"
+          git config user.email "knqyf263@gmail.com"
+      - name: Deploy the dev documents
+        run: mike deploy --push dev

.github/workflows/mkdocs-latest.yaml

@@ -0,0 +1,42 @@
+name: Deploy the latest documentation
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to be deployed
+        required: true
+  push:
+    tags:
+      - "v*"
+jobs:
+  deploy:
+    name: Deploy the latest documentation
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip setuptools wheel
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
+          pip install -r docs/build/requirements.txt
+        env:
+          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
+      - name: Configure the git user
+        run: |
+          git config user.name "knqyf263"
+          git config user.email "knqyf263@gmail.com"
+      - name: Deploy the latest documents from new tag push
+        if: ${{ github.event.inputs.version == '' }}
+        run: |
+          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
+          mike deploy --push --update-aliases ${VERSION%.*} latest
+      - name: Deploy the latest documents from manual trigger
+        if: ${{ github.event.inputs.version != '' }}
+        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

.github/workflows/publish-chart.yaml

@@ -0,0 +1,123 @@
+
+name: Publish Helm chart
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - closed
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
+  push:
+    tags:
+      - "v*"
+env:
+  HELM_REP: helm-charts
+  GH_OWNER: aquasecurity
+  CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
+jobs:
+  # `test-chart` job starts if a PR with Helm Chart is created, merged etc.
+  test-chart:
+    if: github.event_name != 'push'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        with:
+          version: v3.14.4
+      - name: Set up python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+          check-latest: true
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  # `update-chart-version` job starts if a new tag is pushed
+  update-chart-version:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+          aqua_opts: ""
+
+      - name: Create a PR with Trivy version
+        run: mage helm:updateVersion
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+  # `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
+  publish-chart:
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+    needs:
+      - test-chart
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+      - name: Install chart-releaser
+        run: |
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
+      - name: Package helm chart
+        run: |
+          ./cr package ${{ env.CHART_DIR }}
+      - name: Upload helm chart
+        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
+        continue-on-error: true
+        run: |
+          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
+      - name: Index helm chart
+        run: |
+          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
+      - name: Push index file
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
+        env:
+          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
+        with:
+          source_file: 'index.yaml'
+          destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'
+          destination_folder: '.'
+          destination_branch: 'gh-pages'
+          user_email: aqua-bot@users.noreply.github.com
+          user_name: 'aqua-bot'

.github/workflows/release-please.yaml

@@ -0,0 +1,109 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/v*'
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: 'Release version without the "v" prefix (e.g., 0.51.0)'
+        type: string
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    if: ${{ !startsWith(github.event.head_commit.message, 'release:') && !github.event.inputs.version }}
+    steps:
+      - name: Release Please
+        id: release
+        uses: googleapis/release-please-action@v4
+        with:
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+          target-branch: ${{ github.ref_name }}
+
+  manual-release-please:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.inputs.version }}
+    steps:
+      - name: Install Release Please CLI
+        run: npm install release-please -g
+
+      - name: Release Please
+        run: |
+          release-please release-pr --repo-url=${{ github.server_url }}/${{ github.repository }} \
+            --token=${{ secrets.ORG_REPO_TOKEN }} \
+            --release-as=${{ github.event.inputs.version }} \
+            --target-branch=${{ github.ref_name }}
+
+  release-tag:
+    runs-on: ubuntu-latest
+    if: ${{ startsWith(github.event.head_commit.message, 'release:') }}
+    steps:
+      # Since skip-github-release is specified, the outputs of googleapis/release-please-action cannot be used.
+      # Therefore, we need to parse the version ourselves.
+      - name: Extract version and PR number from commit message
+        id: extract_info
+        shell: bash
+        run: |
+          echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+
+      - name: Tag release
+        if: ${{ steps.extract_info.outputs.version }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
+          script: |
+            await github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `refs/tags/v${{ steps.extract_info.outputs.version }}`,
+              sha: context.sha
+            });
+
+      # When v0.50.0 is released, a release branch "release/v0.50" is created.
+      - name: Create release branch for patch versions
+        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
+          script: |
+            const releaseBranch = '${{ steps.extract_info.outputs.release_branch }}';
+            await github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `refs/heads/${releaseBranch}`,
+              sha: context.sha
+            });
+      
+
+      # Add release branch to rulesets to enable merge queue
+      - name: Add release branch to rulesets
+        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        shell: bash
+        run: |
+          RULESET_ID=$(gh api /repos/${{ github.repository }}/rulesets --jq '.[] | select(.name=="release") | .id')
+          gh api /repos/${{ github.repository }}/rulesets/$RULESET_ID | jq '{conditions}' | jq '.conditions.ref_name.include += ["refs/heads/${{ steps.extract_info.outputs.release_branch }}"]' | gh api --method put --input - /repos/${{ github.repository }}/rulesets/$RULESET_ID
+
+      # Since skip-github-release is specified, googleapis/release-please-action doesn't delete the label from PR.
+      # This label prevents the subsequent PRs from being created. Therefore, we need to delete it ourselves.
+      # cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
+      - name: Remove the label from PR
+        if: ${{ steps.extract_info.outputs.pr_number }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const prNumber = parseInt('${{ steps.extract_info.outputs.pr_number }}', 10);
+            github.rest.issues.removeLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              name: 'autorelease: pending'
+            });

.github/workflows/release.yaml

@@ -0,0 +1,57 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    name: Release
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--clean --timeout 90m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v4.0.2
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install rpm reprepro createrepo-c distro-info
+
+      - name: Checkout trivy-repo
+        uses: actions/checkout@v4.1.6
+        with:
+          repository: ${{ github.repository_owner }}/trivy-repo
+          path: trivy-repo
+          fetch-depth: 0
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+
+      - name: Setup git settings
+        run: |
+          git config --global user.email "knqyf263@gmail.com"
+          git config --global user.name "Teppei Fukuda"
+
+      - name: Create rpm repository
+        run: ci/deploy-rpm.sh
+
+      - name: Import GPG key
+        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
+      - name: Create deb repository
+        run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -0,0 +1,129 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GH_USER: "aqua-bot"
+  GO_VERSION: '1.22'
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest-m
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: "save gpg key"
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" > gpg.key
+
+      # Create tmp dir for GoReleaser
+      - name: "create tmp dir"
+        run: |
+          mkdir tmp    
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2.1.0
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_FILE: "gpg.key"
+          TMPDIR: "tmp"
+
+      - name: "remove gpg key"
+        run: |
+          rm gpg.key
+
+      # Push images to registries (only for canary build)
+      # The custom Dockerfile.canary is necessary
+      # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v4.0.2
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/roadmap.yaml

@@ -0,0 +1,79 @@
+name: Add issues to the roadmap project
+
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  add-issue-to-roadmap-project:
+    name: Add issue to the roadmap project
+    runs-on: ubuntu-latest
+    steps:
+      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/backlog
+          label-operator: AND
+        id: add-backlog-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-backlog-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Backlog
+
+      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-longterm
+          label-operator: AND
+        id: add-longterm-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-longterm-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (long-term)
+
+      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-soon
+          label-operator: AND
+        id: add-soon-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-soon-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (soon)
+
+      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/critical-urgent
+          label-operator: AND
+        id: add-urgent-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-urgent-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Urgent

.github/workflows/scan.yaml

@@ -0,0 +1,23 @@
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Scan Go vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4.1.6
+
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.6
+        with:
+          assignee: knqyf263
+          severity: CRITICAL
+          skip-dirs: integration,examples,pkg
+          label: kind/security
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -0,0 +1,107 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+            release
+
+          scopes: |
+            vuln
+            misconf
+            secret
+            license
+
+            image
+            fs
+            repo
+            sbom
+            server
+            k8s
+            aws
+            vm
+            plugin
+
+            alpine
+            wolfi
+            chainguard
+            redhat
+            alma
+            rocky
+            mariner
+            oracle
+            debian
+            ubuntu
+            amazon
+            suse
+            photon
+            distroless
+            windows
+
+            ruby
+            php
+            python
+            nodejs
+            rust
+            dotnet
+            java
+            go
+            c
+            c\+\+
+            elixir
+            dart
+            swift
+            bitnami
+            conda
+            julia
+
+            os
+            lang
+
+            kubernetes
+            dockerfile
+            terraform
+            cloudformation
+
+            docker
+            podman
+            containerd
+            oci
+
+            cli
+            flag
+
+            cyclonedx
+            spdx
+            purl
+            vex
+
+            helm
+            report
+            db
+            parser
+            deps

.github/workflows/stale-issues.yaml

@@ -0,0 +1,19 @@
+name: "Stale PR's"
+on:
+  schedule:
+    - cron: '0 0 * * *'
+jobs:
+  stale:
+    timeout-minutes: 1
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v9
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'
+        exempt-pr-labels: 'lifecycle/active'
+        stale-pr-label: 'lifecycle/stale'
+        days-before-stale: 60
+        days-before-issue-stale: '-1'
+        days-before-close: 20
+        days-before-issue-close: '-1'

.github/workflows/test-docs.yaml

@@ -0,0 +1,29 @@
+name: Test docs
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+jobs:
+  build-documents:
+    name: Documentation Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4.1.6
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+    - uses: actions/setup-python@v5
+      with:
+        python-version: 3.x
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip setuptools wheel
+        pip install -r docs/build/requirements.txt
+    - name: Configure the git user
+      run: |
+        git config user.name "knqyf263"
+        git config user.email "knqyf263@gmail.com"
+    - name: Deploy the dev documents
+      run: mike deploy test

.github/workflows/test.yaml

@@ -0,0 +1,242 @@
+name: Test
+on:
+  pull_request:
+      paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
+      - '.release-please-manifest.json' ## don't run tests for release-please PRs
+      - 'helm/trivy/Chart.yaml'
+  merge_group:
+  workflow_dispatch:
+
+env:
+  GO_VERSION: '1.22'
+jobs:
+  test:
+    name: Test
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
+            exit 1
+          fi
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      - name: Lint
+        id: lint
+        uses: golangci/golangci-lint-action@v6.1.1
+        with:
+          version: v1.61
+          args: --verbose --out-format=line-number
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      - name: Check if linter failed
+        run: |
+          echo "Linter failed, running 'mage lint:fix' might help to correct some errors"
+          exit 1
+        if: ${{ failure() && steps.lint.conclusion == 'failure' }}
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+          aqua_opts: ""
+
+      - name: Check if CLI references are up-to-date
+        run: |
+          mage docs:generate
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'mage docs:generate' and push it"
+            exit 1
+          fi
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      - name: Run unit tests
+        run: mage test:unit
+
+  integration:
+    name: Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test images from cache
+        uses: actions/cache/restore@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-images-
+
+      - name: Run integration tests
+        run: mage test:integration
+
+  k8s-integration:
+    name: K8s Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Run k8s integration tests
+        run: mage test:k8s
+
+  module-test:
+    name: Module Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test images from cache
+        uses: actions/cache/restore@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-images-
+
+      - name: Run module integration tests
+        shell: bash
+        run: |
+          mage test:module
+
+  vm-test:
+    name: VM Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test VM images from cache
+        uses: actions/cache/restore@v4
+        with:
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-vm-images-
+
+      - name: Run vm integration tests
+        run: |
+          mage test:vm
+
+  build-test:
+    name: Build Test
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4.1.6
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GO_VERSION }}
+        cache: false
+
+    - name: Determine GoReleaser ID
+      id: goreleaser_id
+      shell: bash
+      run: |
+        if [ "${{ matrix.operating-system }}" == "windows-latest" ]; then
+          echo "id=--id build-windows" >> $GITHUB_OUTPUT
+        elif [ "${{ matrix.operating-system }}" == "macos-latest" ]; then
+          echo "id=--id build-macos --id build-bsd" >> $GITHUB_OUTPUT
+        else
+          echo "id=--id build-linux" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@v6
+      with:
+        version: v2.1.0
+        args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

.github/workflows/triage.yaml

@@ -0,0 +1,16 @@
+name: Triage Discussion
+on:
+  discussion:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      discussion_num:
+        required: true
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/trivy-triage
+        with:
+          discussion_num: ${{ github.event.inputs.discussion_num }}

.gitignore

@@ -4,6 +4,10 @@
 *.dll
 *.so
 *.dylib
+/trivy
+
+## chart release
+.cr-release-packages
 
 # Test binary, build with `go test -c`
 *.test
@@ -12,3 +16,29 @@
 *.out
 
 .idea
+.vscode
+
+# Directory Cache Files
+.DS_Store
+thumbs.db
+
+# test fixtures
+coverage.txt
+integration/testdata/fixtures/images
+integration/testdata/fixtures/vm-images
+
+# SBOMs generated during CI
+/bom.json
+
+# goreleaser output
+dist
+
+# WebAssembly
+*.wasm
+
+# Signing
+gpg.key
+cmd/trivy/trivy
+
+# RPM
+*.rpm

.golangci.yaml

@@ -0,0 +1,144 @@
+linters-settings:
+  depguard:
+    rules:
+      main:
+        list-mode: lax
+        deny:
+          # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
+          - pkg: "golang.org/x/exp/slices"
+            desc: "Use 'slices' instead"
+          - pkg: "golang.org/x/exp/maps"
+            desc: "Use 'maps' or 'github.com/samber/lo' instead"
+  dupl:
+    threshold: 100
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/aquasecurity/)
+      - blank
+      - dot
+  goconst:
+    min-len: 3
+    min-occurrences: 3
+  gocritic:
+    disabled-checks:
+      - appendAssign
+      - unnamedResult
+      - whyNoLint
+      - indexAlloc
+      - octalLiteral
+      - hugeParam
+      - rangeValCopy
+      - regexpSimplify
+      - sloppyReassign
+      - commentedOutCode
+    enabled-tags:
+      - diagnostic
+      - style
+      - performance
+      - experimental
+      - opinionated
+    settings:
+      ruleguard:
+        failOn: all
+        rules: '${configDir}/misc/lint/rules.go'
+  gocyclo:
+    min-complexity: 20
+  gofmt:
+    simplify: false
+    rewrite-rules:
+      - pattern: 'interface{}'
+        replacement: 'any'
+  gomodguard:
+    blocked:
+      modules:
+        - github.com/hashicorp/go-version:
+            recommendations:
+              - github.com/aquasecurity/go-version
+            reason: "`aquasecurity/go-version` is designed for our use-cases"
+        - github.com/Masterminds/semver:
+            recommendations:
+              - github.com/aquasecurity/go-version
+            reason: "`aquasecurity/go-version` is designed for our use-cases"
+  gosec:
+    excludes:
+      - G101
+      - G114
+      - G115
+      - G204
+      - G304
+      - G402
+  govet:
+    check-shadowing: false
+  misspell:
+    locale: US
+    ignore-words:
+      - behaviour
+      - licence
+      - optimise
+      - simmilar
+  revive:
+    ignore-generated-header: true
+  testifylint:
+    enable-all: true
+linters:
+  disable-all: true
+  enable:
+    - bodyclose
+    - depguard
+    - gci
+    - goconst
+    - gocritic
+    - gocyclo
+    - gofmt
+    - gomodguard
+    - gosec
+    - govet
+    - ineffassign
+    - misspell
+    - revive
+    - tenv
+    - testifylint
+    - typecheck
+    - unconvert
+    - unused
+    - usestdlibvars
+
+run:
+  go: '1.22'
+  timeout: 30m
+
+issues:
+  exclude-files:
+    - "mock_*.go$"
+    - "examples/*"
+  exclude-dirs:
+    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
+  exclude-rules:
+    - path: ".*_test.go$"
+      linters:
+        - goconst
+        - gosec
+        - unused
+    - path: ".*_test.go$"
+      linters:
+        - govet
+      text: "copylocks:"
+    - path: ".*_test.go$"
+      linters:
+        - gocritic
+      text: "commentFormatting:"
+    - path: ".*_test.go$"
+      linters:
+        - gocritic
+      text: "exitAfterDefer:"
+    - path: ".*_test.go$"
+      linters:
+        - gocritic
+      text: "importShadow:"
+  exclude-use-default: false
+  max-same-issues: 0

.release-please-manifest.json

@@ -0,0 +1 @@
+{".":"0.58.1"}

.vex/oci.openvex.json

@@ -0,0 +1,244 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-8e30ed756ae8e4196af93bf43edf68360f396a98c0268787453a3443b26e7d6c",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-10T12:17:44.60495+04:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42363"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42364"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42365"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42366"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-4741"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-5535"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-6119"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    }
+  ]
+}

.vex/trivy.openvex.json

@@ -0,0 +1,545 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "aquasecurity/trivy:613fd55abbc2857b5ca28b07a26f3cd4c8b0ddc4c8a97c57497a2d4c4880d7fc",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-09T11:38:00.115697+04:00",
+  "version": 1,
+  "tooling": "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2575",
+        "name": "GO-2024-2575",
+        "description": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3",
+        "aliases": [
+          "CVE-2024-26147",
+          "GHSA-r53h-jv2g-vpx6"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/helm.sh/helm/v3",
+              "identifiers": {
+                "purl": "pkg:golang/helm.sh/helm/v3"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1765",
+        "name": "GO-2023-1765",
+        "description": "Leaked shared secret and weak blinding in github.com/cloudflare/circl",
+        "aliases": [
+          "CVE-2023-1732",
+          "GHSA-2q89-485c-9j2x"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2512",
+        "name": "GO-2024-2512",
+        "description": "Classic builder cache poisoning in github.com/docker/docker",
+        "aliases": [
+          "CVE-2024-24557",
+          "GHSA-xw73-rw38-6vjc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/docker/docker"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2453",
+        "name": "GO-2024-2453",
+        "description": "Timing side channel in github.com/cloudflare/circl",
+        "aliases": [
+          "GHSA-9763-4f94-gfch"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2048",
+        "name": "GO-2023-2048",
+        "description": "Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin",
+        "aliases": [
+          "GHSA-6xv5-86q9-7xr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cyphar/filepath-securejoin",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cyphar/filepath-securejoin"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2497",
+        "name": "GO-2024-2497",
+        "description": "Privilege escalation in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23653",
+          "GHSA-wr6v-9f75-vh2g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2102",
+        "name": "GO-2023-2102",
+        "description": "HTTP/2 rapid reset can cause excessive work in net/http",
+        "aliases": [
+          "CVE-2023-39325",
+          "GHSA-4374-p667-p6c8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2493",
+        "name": "GO-2024-2493",
+        "description": "Host system file access in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23651",
+          "GHSA-m3r6-h7wv-7xxv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2491",
+        "name": "GO-2024-2491",
+        "description": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
+        "aliases": [
+          "CVE-2024-21626",
+          "GHSA-xr7r-f8xq-vfvv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/opencontainers/runc",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/opencontainers/runc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2494",
+        "name": "GO-2024-2494",
+        "description": "Host system modification in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23652",
+          "GHSA-4v98-7qmw-rqr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2412",
+        "name": "GO-2023-2412",
+        "description": "RAPL accessibility in github.com/containerd/containerd",
+        "aliases": [
+          "GHSA-7ww5-4wqc-m92c"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/containerd/containerd",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/containerd/containerd"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1988",
+        "name": "GO-2023-1988",
+        "description": "Improper rendering of text nodes in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2023-3978",
+          "GHSA-2wrh-6pvc-2jm9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2492",
+        "name": "GO-2024-2492",
+        "description": "Panic in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23650",
+          "GHSA-9p26-698r-w4hx"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2022-0646",
+        "name": "GO-2022-0646",
+        "description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
+        "aliases": [
+          "CVE-2020-8911",
+          "CVE-2020-8912",
+          "GHSA-7f33-f4f5-xwgw",
+          "GHSA-f5pg-7wfw-84q9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/aws/aws-sdk-go",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/aws/aws-sdk-go"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2153",
+        "name": "GO-2023-2153",
+        "description": "Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc",
+        "aliases": [
+          "GHSA-m425-mq94-257g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/google.golang.org/grpc",
+              "identifiers": {
+                "purl": "pkg:golang/google.golang.org/grpc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3105",
+        "name": "GO-2024-3105",
+        "description": "Stack exhaustion in all Parse functions in go/parser",
+        "aliases": [
+          "CVE-2024-34155"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3106",
+        "name": "GO-2024-3106",
+        "description": "Stack exhaustion in Decoder.Decode in encoding/gob",
+        "aliases": [
+          "CVE-2024-34156"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3107",
+        "name": "GO-2024-3107",
+        "description": "Stack exhaustion in Parse in go/build/constraint",
+        "aliases": [
+          "CVE-2024-34158"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    }
+  ]
+}

CHANGELOG.md

@@ -0,0 +1,356 @@
+# Changelog
+
+## [0.58.1](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.58.1) (2024-12-24)
+
+
+### Bug Fixes
+
+* handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] ([#8121](https://github.com/aquasecurity/trivy/issues/8121)) ([9a56e7c](https://github.com/aquasecurity/trivy/commit/9a56e7cd6964ffd4187a8e44a36d49b54587db56))
+* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] ([#8119](https://github.com/aquasecurity/trivy/issues/8119)) ([4278a09](https://github.com/aquasecurity/trivy/commit/4278a09f59590ee16494e0a1ad31fb374f2e243f))
+* **oracle:** add architectures support for advisories [backport: release/v0.58] ([#8125](https://github.com/aquasecurity/trivy/issues/8125)) ([89b341f](https://github.com/aquasecurity/trivy/commit/89b341f0c6dc7f24239f9a9e4809524ec289a864))
+* **python:** skip dev group's deps for poetry [backport: release/v0.58] ([#8158](https://github.com/aquasecurity/trivy/issues/8158)) ([8b93081](https://github.com/aquasecurity/trivy/commit/8b930816bc527166ced5d57754ad7fccb1cef832))
+* **redhat:** correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] ([#8135](https://github.com/aquasecurity/trivy/issues/8135)) ([33818e1](https://github.com/aquasecurity/trivy/commit/33818e121f989fd12c15aa65affd2d01b867db61))
+* **sbom:** attach nested packages to Application [backport: release/v0.58] ([#8168](https://github.com/aquasecurity/trivy/issues/8168)) ([03160e4](https://github.com/aquasecurity/trivy/commit/03160e4fd1b0a6aef8c4f3d96529e68fed7e70ee))
+* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] ([#8124](https://github.com/aquasecurity/trivy/issues/8124)) ([f842fe1](https://github.com/aquasecurity/trivy/commit/f842fe1675b434e72a8194628525c42fd3e155af))
+* **sbom:** use root package for `unknown` dependencies (if exists) [backport: release/v0.58] ([#8156](https://github.com/aquasecurity/trivy/issues/8156)) ([18cd1a5](https://github.com/aquasecurity/trivy/commit/18cd1a59cbb32d87371fe8ab24497f06855e0c80))
+
+## [0.58.0](https://github.com/aquasecurity/trivy/compare/v0.57.0...v0.58.0) (2024-12-02)
+
+
+### Features
+
+* add `workspaceRelationship` ([#7889](https://github.com/aquasecurity/trivy/issues/7889)) ([d622ca2](https://github.com/aquasecurity/trivy/commit/d622ca2b1fe40a0eb588478ba9e15d3bd8471a78))
+* add cvss v4 score and vector in scan response ([#7968](https://github.com/aquasecurity/trivy/issues/7968)) ([e0f2054](https://github.com/aquasecurity/trivy/commit/e0f2054f9d12dce87e8a0226350f6317f7167195))
+* **go:** construct dependencies in the parser ([#7973](https://github.com/aquasecurity/trivy/issues/7973)) ([bcdc0bb](https://github.com/aquasecurity/trivy/commit/bcdc0bbf1f63777ff79d3ecadb8d4f916f376b7d))
+* **go:** construct dependencies of `go.mod` main module in the parser ([#7977](https://github.com/aquasecurity/trivy/issues/7977)) ([5448ba2](https://github.com/aquasecurity/trivy/commit/5448ba2a5c1ee36cbcf74ee1c2e83409092c5715))
+* **k8s:** add default commands for unknown platform ([#7863](https://github.com/aquasecurity/trivy/issues/7863)) ([b1c7f55](https://github.com/aquasecurity/trivy/commit/b1c7f5516fc39c6cbb76cbeae5c8677ccc9ce5dd))
+* **misconf:** log causes of HCL file parsing errors ([#7634](https://github.com/aquasecurity/trivy/issues/7634)) ([e9a899a](https://github.com/aquasecurity/trivy/commit/e9a899a3cfe41a622202808a0241b7f40b54d338))
+* **oracle:** add `flavors` support ([#7858](https://github.com/aquasecurity/trivy/issues/7858)) ([b9b383e](https://github.com/aquasecurity/trivy/commit/b9b383eb2714e88357af75900c856db2900b83ec))
+* **secret:** Add built-in secrets rules for Private Packagist ([#7826](https://github.com/aquasecurity/trivy/issues/7826)) ([132d9df](https://github.com/aquasecurity/trivy/commit/132d9dfa19a8835c94f332c6939ab7f64641ee5f))
+* **suse:** Align SUSE/OpenSUSE OS Identifiers ([#7965](https://github.com/aquasecurity/trivy/issues/7965)) ([45d3b40](https://github.com/aquasecurity/trivy/commit/45d3b40044202dec91384847ce2b50a7271f5977))
+* Update registry fallbacks ([#7679](https://github.com/aquasecurity/trivy/issues/7679)) ([5ba9a83](https://github.com/aquasecurity/trivy/commit/5ba9a83a447c4f9e577ae6235c315df71f50b452))
+
+
+### Bug Fixes
+
+* **alpine:** add `UID` for removed packages ([#7887](https://github.com/aquasecurity/trivy/issues/7887)) ([07915da](https://github.com/aquasecurity/trivy/commit/07915da4816d4d9ec8a6c5e4cba17be2a0f4ad65))
+* **aws:** change CPU and Memory type of ContainerDefinition to a string ([#7995](https://github.com/aquasecurity/trivy/issues/7995)) ([aeeba70](https://github.com/aquasecurity/trivy/commit/aeeba70d15c11443d9fe7c26f90fc7d9dcc7f92c))
+* **cli:** Handle empty ignore files more gracefully ([#7962](https://github.com/aquasecurity/trivy/issues/7962)) ([4cfb2a9](https://github.com/aquasecurity/trivy/commit/4cfb2a97b27923182ab45c178544542ec65981d4))
+* **debian:** infinite loop ([#7928](https://github.com/aquasecurity/trivy/issues/7928)) ([d982e6a](https://github.com/aquasecurity/trivy/commit/d982e6ab89967629f71ec09100cdc61e30a27c63))
+* **fs:** add missing defered Cleanup() call to post analyzer fs ([#7882](https://github.com/aquasecurity/trivy/issues/7882)) ([ab32297](https://github.com/aquasecurity/trivy/commit/ab32297e0a8220a427fa330025f8625281e02275))
+* Improve version comparisons when build identifiers are present ([#7873](https://github.com/aquasecurity/trivy/issues/7873)) ([eda4d76](https://github.com/aquasecurity/trivy/commit/eda4d7660d8908705bc08a6edc55d8144d02806a))
+* **k8s:** check all results for vulnerabilities ([#7946](https://github.com/aquasecurity/trivy/issues/7946)) ([797b36f](https://github.com/aquasecurity/trivy/commit/797b36fbad90b8e7f04e16e2cf08d6bdc0255ac7))
+* **misconf:** do not erase variable type for child modules ([#7941](https://github.com/aquasecurity/trivy/issues/7941)) ([de3b7ea](https://github.com/aquasecurity/trivy/commit/de3b7ea24c282bce22ce9cacb49a43d8d90e2bde))
+* **misconf:** handle null properties in CloudFormation templates ([#7813](https://github.com/aquasecurity/trivy/issues/7813)) ([99b2db3](https://github.com/aquasecurity/trivy/commit/99b2db3978562689cef956a71281abb84ff0ce47))
+* **misconf:** load full Terraform module ([#7925](https://github.com/aquasecurity/trivy/issues/7925)) ([fbc42a0](https://github.com/aquasecurity/trivy/commit/fbc42a04ea24e2246f81491434a965846d55ed69))
+* **misconf:** properly resolve local Terraform cache ([#7983](https://github.com/aquasecurity/trivy/issues/7983)) ([fe3a897](https://github.com/aquasecurity/trivy/commit/fe3a8971b6697d896c1ec30b5326a10c20349d14))
+* **misconf:** Update trivy-checks default repo to `mirror.gcr.io` ([#7953](https://github.com/aquasecurity/trivy/issues/7953)) ([9988147](https://github.com/aquasecurity/trivy/commit/9988147b8b0e463464fe494122bfcc66ccdf04e0))
+* **misconf:** wrap AWS EnvVar to iac types ([#7407](https://github.com/aquasecurity/trivy/issues/7407)) ([54130dc](https://github.com/aquasecurity/trivy/commit/54130dcc1d775506d34b83a558952176fc549914))
+* **redhat:** don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files ([#7912](https://github.com/aquasecurity/trivy/issues/7912)) ([38775a5](https://github.com/aquasecurity/trivy/commit/38775a5ed985eefe2b410e72407c454cdad3d075))
+* **report:** handle `git@github.com` schema for misconfigs in `sarif` report ([#7898](https://github.com/aquasecurity/trivy/issues/7898)) ([19aea4b](https://github.com/aquasecurity/trivy/commit/19aea4b01f3ce5a3cd05d5a1091da5b0b3ba4af6))
+* **sbom:** Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details ([#7871](https://github.com/aquasecurity/trivy/issues/7871)) ([461a68a](https://github.com/aquasecurity/trivy/commit/461a68afd60b77dd67e91047b3b4d558fa5bd2ec))
+* **terraform:** set null value as fallback for missing variables ([#7669](https://github.com/aquasecurity/trivy/issues/7669)) ([611558e](https://github.com/aquasecurity/trivy/commit/611558e4ce61818330118684274534f26b1fda99))
+
+## [0.57.0](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.57.0) (2024-10-31)
+
+
+### ⚠ BREAKING CHANGES
+
+* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444))
+
+### Features
+
+* add end of life date for Ubuntu 24.10 ([#7787](https://github.com/aquasecurity/trivy/issues/7787)) ([ad3c09e](https://github.com/aquasecurity/trivy/commit/ad3c09e006e134f3c5b879ffc34ce9895a8c860f))
+* **cli:** add `trivy auth` ([#7664](https://github.com/aquasecurity/trivy/issues/7664)) ([27117f8](https://github.com/aquasecurity/trivy/commit/27117f81d52483c3ceec56fe56ac298e242fbc9a))
+* **cli:** error out when ignore file cannot be found ([#7624](https://github.com/aquasecurity/trivy/issues/7624)) ([cb0b3a9](https://github.com/aquasecurity/trivy/commit/cb0b3a9279b31810ecd686a385e5140e567ce86f))
+* **cli:** rename `trivy auth` to `trivy registry` ([#7727](https://github.com/aquasecurity/trivy/issues/7727)) ([633a7ab](https://github.com/aquasecurity/trivy/commit/633a7abeea4287899392a24f2705f96dfeb7e312))
+* **cyclonedx:** add file checksums to `CycloneDX` reports ([#7507](https://github.com/aquasecurity/trivy/issues/7507)) ([c225883](https://github.com/aquasecurity/trivy/commit/c225883649f58128a99fa2c1cef327d0e57940be))
+* **db:** append errors ([#7843](https://github.com/aquasecurity/trivy/issues/7843)) ([5e78b6c](https://github.com/aquasecurity/trivy/commit/5e78b6c12fb5740c12dedeea3d335d48ec2f752b))
+* **misconf:** export unresolvable field of IaC types to Rego ([#7765](https://github.com/aquasecurity/trivy/issues/7765)) ([9514148](https://github.com/aquasecurity/trivy/commit/9514148767865baddd73a49245385574927f7a74))
+* **misconf:** public network support for Azure Storage Account ([#7601](https://github.com/aquasecurity/trivy/issues/7601)) ([ad91412](https://github.com/aquasecurity/trivy/commit/ad914123c4d203af1e1da6b7e2d3e49d9d3831d8))
+* **misconf:** Show misconfig ID in output ([#7762](https://github.com/aquasecurity/trivy/issues/7762)) ([f75c0d1](https://github.com/aquasecurity/trivy/commit/f75c0d1f0069d4856cb4826d6049f32c5b9409d9))
+* **misconf:** ssl_mode support for GCP SQL DB instance ([#7564](https://github.com/aquasecurity/trivy/issues/7564)) ([2eaa17e](https://github.com/aquasecurity/trivy/commit/2eaa17e0717940b27a79050e2efd9213b71178c9))
+* **parser:** ignore white space in pom.xml files ([#7747](https://github.com/aquasecurity/trivy/issues/7747)) ([a7baa93](https://github.com/aquasecurity/trivy/commit/a7baa93b00b8636aa097e64cdb8eed97dbd68511))
+* **report:** update gitlab template to populate operating_system value ([#7735](https://github.com/aquasecurity/trivy/issues/7735)) ([c0d79fa](https://github.com/aquasecurity/trivy/commit/c0d79fa09e645f3a3dbff878e393b8631fb17b64))
+
+
+### Bug Fixes
+
+* **cli:** `clean --all` deletes only relevant dirs ([#7704](https://github.com/aquasecurity/trivy/issues/7704)) ([672e886](https://github.com/aquasecurity/trivy/commit/672e886aed152ae0f09a16941706746f3053ca94))
+* **cli:** add config name to skip-policy-update alias ([#7820](https://github.com/aquasecurity/trivy/issues/7820)) ([b661d68](https://github.com/aquasecurity/trivy/commit/b661d680ff0372c8e4beea0db13bf69d6a2203a8))
+* **db:** fix javadb downloading error handling ([#7642](https://github.com/aquasecurity/trivy/issues/7642)) ([2c87f0c](https://github.com/aquasecurity/trivy/commit/2c87f0cb794acd77446a273582ba1a45b9f18980))
+* enable usestdlibvars linter ([#7770](https://github.com/aquasecurity/trivy/issues/7770)) ([57e24aa](https://github.com/aquasecurity/trivy/commit/57e24aa85382f749df7f673e241caaf3fcbb45cb))
+* **go:** Do not trim v prefix from versions in Go Mod Analyzer ([#7733](https://github.com/aquasecurity/trivy/issues/7733)) ([e872ec0](https://github.com/aquasecurity/trivy/commit/e872ec006c0745a5a142728af0096c6d6bb9ddf3))
+* **helm:** properly handle multiple archived dependencies ([#7782](https://github.com/aquasecurity/trivy/issues/7782)) ([6fab88d](https://github.com/aquasecurity/trivy/commit/6fab88dd56c257ef2cc63b617c2a5decb1c4cf98))
+* **java:** correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents ([#7541](https://github.com/aquasecurity/trivy/issues/7541)) ([778df82](https://github.com/aquasecurity/trivy/commit/778df828eaad9827cb833c6285058a33aa2b83ca))
+* **k8s:** skip resources without misconfigs ([#7797](https://github.com/aquasecurity/trivy/issues/7797)) ([7882776](https://github.com/aquasecurity/trivy/commit/78827768a612ab305bf9c55409ce76d6774302a5))
+* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444)) ([c434775](https://github.com/aquasecurity/trivy/commit/c4347759234dcb5f372b07f92fb4230ef391d710))
+* **k8s:** support kubernetes v1.31 ([#7810](https://github.com/aquasecurity/trivy/issues/7810)) ([7a4f4d8](https://github.com/aquasecurity/trivy/commit/7a4f4d8b12996687f3095a2042cdf2f5985332c9))
+* **license:** fix license normalization for Universal Permissive License ([#7766](https://github.com/aquasecurity/trivy/issues/7766)) ([f6acdf7](https://github.com/aquasecurity/trivy/commit/f6acdf713991f8ffdbe765178fcb8a9cde433cba))
+* **misconf:** change default ACL of digitalocean_spaces_bucket to private ([#7577](https://github.com/aquasecurity/trivy/issues/7577)) ([9da84f5](https://github.com/aquasecurity/trivy/commit/9da84f54fadbe6ad0d73983952e945ed63b666f3))
+* **misconf:** check if property is not nil before conversion ([#7578](https://github.com/aquasecurity/trivy/issues/7578)) ([c8c14d3](https://github.com/aquasecurity/trivy/commit/c8c14d36245623019f29d258f813d2325f7490f7))
+* **misconf:** fix for Azure Storage Account network acls adaptation ([#7602](https://github.com/aquasecurity/trivy/issues/7602)) ([35fd018](https://github.com/aquasecurity/trivy/commit/35fd018ae7ad86823f114f0ac2f1376726aee444))
+* **misconf:** properly expand dynamic blocks ([#7612](https://github.com/aquasecurity/trivy/issues/7612)) ([8d5dbc9](https://github.com/aquasecurity/trivy/commit/8d5dbc9fec3569b22ed81a03c40eaf732768718b))
+* **redhat:** include arch in PURL qualifiers ([#7654](https://github.com/aquasecurity/trivy/issues/7654)) ([a585e95](https://github.com/aquasecurity/trivy/commit/a585e95f3398631d9ad10505c5ff642fde21aef7))
+* **repo:** `git clone` output to Stderr ([#7561](https://github.com/aquasecurity/trivy/issues/7561)) ([fdf203c](https://github.com/aquasecurity/trivy/commit/fdf203cd209aeb40f454bd12d121a54d6ed7a542))
+* **report:** Fix invalid URI in SARIF report ([#7645](https://github.com/aquasecurity/trivy/issues/7645)) ([015bb88](https://github.com/aquasecurity/trivy/commit/015bb885ac414b91201fa9791eead395d878149c))
+* **sbom:** add options for DBs in private registries ([#7660](https://github.com/aquasecurity/trivy/issues/7660)) ([1f2e91b](https://github.com/aquasecurity/trivy/commit/1f2e91b02b3606dd11963002a8cfac7962f3478f))
+* **sbom:** use `Annotation` instead of `AttributionTexts` for `SPDX` formats ([#7811](https://github.com/aquasecurity/trivy/issues/7811)) ([f2bb9c6](https://github.com/aquasecurity/trivy/commit/f2bb9c6227743dd61f44eb591d4b15192fe110c6))
+
+## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-10-03)
+
+
+### Features
+
+* **java:** add empty versions if `pom.xml` dependency versions can't be detected ([#7520](https://github.com/aquasecurity/trivy/issues/7520)) ([b836232](https://github.com/aquasecurity/trivy/commit/b8362321adb2af220830c5de31c29978423d47da))
+* **license:** improve license normalization ([#7131](https://github.com/aquasecurity/trivy/issues/7131)) ([6472e3c](https://github.com/aquasecurity/trivy/commit/6472e3c9da2a8e7ba41598a45c80df8f18e57d4c))
+* **misconf:** add ability to disable checks by ID ([#7536](https://github.com/aquasecurity/trivy/issues/7536)) ([ef0a27d](https://github.com/aquasecurity/trivy/commit/ef0a27d515ff80762bf1959d44a8bde017ae06ec))
+* **misconf:** Register checks only when needed ([#7435](https://github.com/aquasecurity/trivy/issues/7435)) ([f768d3a](https://github.com/aquasecurity/trivy/commit/f768d3a767a99a86b0372f19d9f49a2de35dbe59))
+* **misconf:** Support `--skip-*` for all included modules  ([#7579](https://github.com/aquasecurity/trivy/issues/7579)) ([c0e8da3](https://github.com/aquasecurity/trivy/commit/c0e8da3828e9d3a0b30d1f6568037db8dc827765))
+* **secret:** enhance secret scanning for python binary files ([#7223](https://github.com/aquasecurity/trivy/issues/7223)) ([60725f8](https://github.com/aquasecurity/trivy/commit/60725f879ba014c5c57583db6afc290b78facae8))
+* support multiple DB repositories for vulnerability and Java DB ([#7605](https://github.com/aquasecurity/trivy/issues/7605)) ([3562529](https://github.com/aquasecurity/trivy/commit/3562529ddfb26d301311ed450c192e17011353df))
+* support RPM archives ([#7628](https://github.com/aquasecurity/trivy/issues/7628)) ([69bf7e0](https://github.com/aquasecurity/trivy/commit/69bf7e00ea5ab483692db830fdded26a31f03183))
+* **suse:** added SUSE Linux Enterprise Micro support ([#7294](https://github.com/aquasecurity/trivy/issues/7294)) ([efdb68d](https://github.com/aquasecurity/trivy/commit/efdb68d3b9ddf9dfaf45ea5855b31c43a4366bab))
+
+
+### Bug Fixes
+
+* allow access to '..' in mapfs ([#7575](https://github.com/aquasecurity/trivy/issues/7575)) ([a8fbe46](https://github.com/aquasecurity/trivy/commit/a8fbe46119adbd89f827a75c75b9e97d392f1842))
+* **db:** check `DownloadedAt` for `trivy-java-db` ([#7592](https://github.com/aquasecurity/trivy/issues/7592)) ([13ef3e7](https://github.com/aquasecurity/trivy/commit/13ef3e7d62ba2bcb3a04d7b44f79b1299674b480))
+* **java:** use `dependencyManagement` from root/child pom's for dependencies from parents ([#7497](https://github.com/aquasecurity/trivy/issues/7497)) ([5442949](https://github.com/aquasecurity/trivy/commit/54429497e7d6a87eac236771d4efb8a5a7faaac5))
+* **license:** stop spliting a long license text ([#7336](https://github.com/aquasecurity/trivy/issues/7336)) ([4926da7](https://github.com/aquasecurity/trivy/commit/4926da79de901fba73819d71845ec0355b68ae0f))
+* **misconf:** Disable deprecated checks by default ([#7632](https://github.com/aquasecurity/trivy/issues/7632)) ([82e2adc](https://github.com/aquasecurity/trivy/commit/82e2adc6f8e68d0cc0021031170c2adb60d213ba))
+* **misconf:** disable DS016 check for image history analyzer ([#7540](https://github.com/aquasecurity/trivy/issues/7540)) ([de40df9](https://github.com/aquasecurity/trivy/commit/de40df9408d6d856a3ad384ec9f086edce3aa382))
+* **misconf:** escape all special sequences ([#7558](https://github.com/aquasecurity/trivy/issues/7558)) ([ea0cf03](https://github.com/aquasecurity/trivy/commit/ea0cf0379aff0348fde87356dab37947800fc1b6))
+* **misconf:** Fix logging typo ([#7473](https://github.com/aquasecurity/trivy/issues/7473)) ([56db43c](https://github.com/aquasecurity/trivy/commit/56db43c24f4f6be92891be85faaf9492cad516ac))
+* **misconf:** Fixed scope for China Cloud ([#7560](https://github.com/aquasecurity/trivy/issues/7560)) ([37d549e](https://github.com/aquasecurity/trivy/commit/37d549e5b86a1c5dce6710fbfd2310aec9abe949))
+* **misconf:** not to warn about missing selectors of libraries ([#7638](https://github.com/aquasecurity/trivy/issues/7638)) ([fcaea74](https://github.com/aquasecurity/trivy/commit/fcaea740808d5784c120e5c5d65f5f94e1d931d4))
+* **oracle:** Update EOL date for Oracle 7 ([#7480](https://github.com/aquasecurity/trivy/issues/7480)) ([dd0a64a](https://github.com/aquasecurity/trivy/commit/dd0a64a1cf0cd76e6f81e3ff55fa6ccb95ce3c3d))
+* **report:** change a receiver of MarshalJSON ([#7483](https://github.com/aquasecurity/trivy/issues/7483)) ([927c6e0](https://github.com/aquasecurity/trivy/commit/927c6e0c9d4d4a3f1be00f0f661c1d18325d9440))
+* **report:** fix error with unmarshal of `ExperimentalModifiedFindings` ([#7463](https://github.com/aquasecurity/trivy/issues/7463)) ([7ff9aff](https://github.com/aquasecurity/trivy/commit/7ff9aff2739b2eee4a98175b98914795e4077060))
+* **sbom:** export bom-ref when converting a package to a component ([#7340](https://github.com/aquasecurity/trivy/issues/7340)) ([5dd94eb](https://github.com/aquasecurity/trivy/commit/5dd94ebc1ffe3f1df511dee6381f92a5daefadf2))
+* **sbom:** parse type `framework` as `library` when unmarshalling `CycloneDX` files ([#7527](https://github.com/aquasecurity/trivy/issues/7527)) ([aeb7039](https://github.com/aquasecurity/trivy/commit/aeb7039d7ce090e243d29f0bf16c9e4e24252a01))
+* **secret:** change grafana token regex to find them without unquoted ([#7627](https://github.com/aquasecurity/trivy/issues/7627)) ([3e1fa21](https://github.com/aquasecurity/trivy/commit/3e1fa2100074e840bacdd65947425b08750b7d9a))
+
+
+### Performance Improvements
+
+* **misconf:** use port ranges instead of enumeration ([#7549](https://github.com/aquasecurity/trivy/issues/7549)) ([1f9fc13](https://github.com/aquasecurity/trivy/commit/1f9fc13da4a1e7c76c978e4f8e119bfd61a0480e))
+
+
+### Reverts
+
+* **java:** stop supporting of `test` scope for `pom.xml` files ([#7488](https://github.com/aquasecurity/trivy/issues/7488)) ([b0222fe](https://github.com/aquasecurity/trivy/commit/b0222feeb586ec59904bb321fda8f3f22496d07b))
+
+## [0.55.0](https://github.com/aquasecurity/trivy/compare/v0.54.0...v0.55.0) (2024-09-03)
+
+
+### ⚠ BREAKING CHANGES
+
+* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266))
+
+### Features
+
+* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266)) ([7024572](https://github.com/aquasecurity/trivy/commit/70245721372720027b7089bd61c693df48add865))
+* **go:** use `toolchain` as `stdlib` version for `go.mod` files ([#7163](https://github.com/aquasecurity/trivy/issues/7163)) ([2d80769](https://github.com/aquasecurity/trivy/commit/2d80769c34b118851640411fff9dac0b3e353e82))
+* **java:** add `test` scope support for `pom.xml` files ([#7414](https://github.com/aquasecurity/trivy/issues/7414)) ([2d97700](https://github.com/aquasecurity/trivy/commit/2d97700d10665142d2f66d7910202bec82116209))
+* **misconf:** Add support for using spec from on-disk bundle ([#7179](https://github.com/aquasecurity/trivy/issues/7179)) ([be86126](https://github.com/aquasecurity/trivy/commit/be861265cafc89787fda09c59b2ef175e3d04204))
+* **misconf:** ignore duplicate checks ([#7317](https://github.com/aquasecurity/trivy/issues/7317)) ([9ef05fc](https://github.com/aquasecurity/trivy/commit/9ef05fc6b171a264516a025b0b0bcbbc8cff10bc))
+* **misconf:** iterator argument support for dynamic blocks ([#7236](https://github.com/aquasecurity/trivy/issues/7236)) ([fe92072](https://github.com/aquasecurity/trivy/commit/fe9207255a4f7f984ec1447f8a9219ae60e560c4))
+* **misconf:** port and protocol support for EC2 networks ([#7146](https://github.com/aquasecurity/trivy/issues/7146)) ([98e136e](https://github.com/aquasecurity/trivy/commit/98e136eb7baa2b66f4233d96875c1490144e1594))
+* **misconf:** scanning support for YAML and JSON ([#7311](https://github.com/aquasecurity/trivy/issues/7311)) ([efdbd8f](https://github.com/aquasecurity/trivy/commit/efdbd8f19ab0ab0c3b48293d43e51c81b7b03b89))
+* **misconf:** support for ignore by nested attributes ([#7205](https://github.com/aquasecurity/trivy/issues/7205)) ([44e4686](https://github.com/aquasecurity/trivy/commit/44e468603d44b077cc4606327fb3e7d7ca435e05))
+* **misconf:** support for policy and bucket grants ([#7284](https://github.com/aquasecurity/trivy/issues/7284)) ([a817fae](https://github.com/aquasecurity/trivy/commit/a817fae85b7272b391b737ec86673a7cab722bae))
+* **misconf:** variable support for Terraform Plan ([#7228](https://github.com/aquasecurity/trivy/issues/7228)) ([db2c955](https://github.com/aquasecurity/trivy/commit/db2c95598da098ca610825089eb4ab63b789b215))
+* **python:** use minimum version for pip packages ([#7348](https://github.com/aquasecurity/trivy/issues/7348)) ([e9b43f8](https://github.com/aquasecurity/trivy/commit/e9b43f81e67789b067352fcb6aa55bc9478bc518))
+* **report:** export modified findings in JSON ([#7383](https://github.com/aquasecurity/trivy/issues/7383)) ([7aea79d](https://github.com/aquasecurity/trivy/commit/7aea79dd93cfb61453766dbbb2e3fc0fbd317852))
+* **sbom:** set User-Agent header on requests to Rekor ([#7396](https://github.com/aquasecurity/trivy/issues/7396)) ([af1d257](https://github.com/aquasecurity/trivy/commit/af1d257730422d238871beb674767f8f83c5d06a))
+* **server:** add internal `--path-prefix` flag for client/server mode ([#7321](https://github.com/aquasecurity/trivy/issues/7321)) ([24a4563](https://github.com/aquasecurity/trivy/commit/24a45636867b893ff54c5ce07197f3b5c6db1d9b))
+* **server:** Make Trivy Server Multiplexer Exported ([#7389](https://github.com/aquasecurity/trivy/issues/7389)) ([4c6e8ca](https://github.com/aquasecurity/trivy/commit/4c6e8ca9cc9591799907cc73075f2d740e303b8f))
+* **vm:** Support direct filesystem ([#7058](https://github.com/aquasecurity/trivy/issues/7058)) ([45b3f34](https://github.com/aquasecurity/trivy/commit/45b3f344042bcd90ca63ab696b69bff0e9ab4e36))
+* **vm:** support the Ext2/Ext3 filesystems ([#6983](https://github.com/aquasecurity/trivy/issues/6983)) ([35c60f0](https://github.com/aquasecurity/trivy/commit/35c60f030fa48de8d8e57958e5ba379814126831))
+* **vuln:** Add `--detection-priority` flag for accuracy tuning ([#7288](https://github.com/aquasecurity/trivy/issues/7288)) ([fd8348d](https://github.com/aquasecurity/trivy/commit/fd8348d610f20c6c33da81cd7b0e7d5504ce26be))
+
+
+### Bug Fixes
+
+* **aws:** handle ECR repositories in different regions ([#6217](https://github.com/aquasecurity/trivy/issues/6217)) ([feaef96](https://github.com/aquasecurity/trivy/commit/feaef9699df5d8ca399770e701a59d7c0ff979a3))
+* **flag:** incorrect behavior for deprected flag `--clear-cache` ([#7281](https://github.com/aquasecurity/trivy/issues/7281)) ([2a0e529](https://github.com/aquasecurity/trivy/commit/2a0e529c36057b572119815af59c28e4790034ca))
+* **helm:** explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element ([#7362](https://github.com/aquasecurity/trivy/issues/7362)) ([da4ebfa](https://github.com/aquasecurity/trivy/commit/da4ebfa1a741f3f8b0b43289b4028afe763f7d43))
+* **java:** Return error when trying to find a remote pom to avoid segfault ([#7275](https://github.com/aquasecurity/trivy/issues/7275)) ([49d5270](https://github.com/aquasecurity/trivy/commit/49d5270163e305f88fedcf50412973736e69dc69))
+* **license:** add license handling to JUnit template ([#7409](https://github.com/aquasecurity/trivy/issues/7409)) ([f80183c](https://github.com/aquasecurity/trivy/commit/f80183c1139b21bb95bc64e216358f4a76001a65))
+* logger initialization before flags parsing ([#7372](https://github.com/aquasecurity/trivy/issues/7372)) ([c929290](https://github.com/aquasecurity/trivy/commit/c929290c3c0e4e91337264d69e75ccb60522bc65))
+* **misconf:** change default TLS values for the Azure storage account ([#7345](https://github.com/aquasecurity/trivy/issues/7345)) ([aadb090](https://github.com/aquasecurity/trivy/commit/aadb09078843250c66087f46db9a2aa48094a118))
+* **misconf:** do not filter Terraform plan JSON by name ([#7406](https://github.com/aquasecurity/trivy/issues/7406)) ([9d7264a](https://github.com/aquasecurity/trivy/commit/9d7264af8e85bcc0dba600b8366d0470d455251c))
+* **misconf:** do not recreate filesystem map ([#7416](https://github.com/aquasecurity/trivy/issues/7416)) ([3a5d091](https://github.com/aquasecurity/trivy/commit/3a5d091759564496992a83fb2015a21c84a22213))
+* **misconf:** do not register Rego libs in checks registry ([#7420](https://github.com/aquasecurity/trivy/issues/7420)) ([a5aa63e](https://github.com/aquasecurity/trivy/commit/a5aa63eff7e229744090f9ad300c1bec3259397e))
+* **misconf:** do not set default value for default_cache_behavior ([#7234](https://github.com/aquasecurity/trivy/issues/7234)) ([f0ed5e4](https://github.com/aquasecurity/trivy/commit/f0ed5e4ced7e60af35c88d5d084aa4b7237f4973))
+* **misconf:** fix infer type for null value ([#7424](https://github.com/aquasecurity/trivy/issues/7424)) ([0cac3ac](https://github.com/aquasecurity/trivy/commit/0cac3ac7075017628a21a7990941df04cbc16dbe))
+* **misconf:** init frameworks before updating them ([#7376](https://github.com/aquasecurity/trivy/issues/7376)) ([b65b32d](https://github.com/aquasecurity/trivy/commit/b65b32ddfa6fc62ac81ad9fa580e1f5a327864f5))
+* **misconf:** load only submodule if it is specified in source ([#7112](https://github.com/aquasecurity/trivy/issues/7112)) ([a4180bd](https://github.com/aquasecurity/trivy/commit/a4180bddd43d86e479edf0afe0c362021d071482))
+* **misconf:** support deprecating for Go checks ([#7377](https://github.com/aquasecurity/trivy/issues/7377)) ([2a6c7ab](https://github.com/aquasecurity/trivy/commit/2a6c7ab3b338ce4a8f99d6ac3508c2531dcbe812))
+* **misconf:** use module to log when metadata retrieval fails ([#7405](https://github.com/aquasecurity/trivy/issues/7405)) ([0799770](https://github.com/aquasecurity/trivy/commit/0799770b8827a8276ad0d6d9ac7e0381c286757c))
+* **misconf:** wrap Azure PortRange in iac types ([#7357](https://github.com/aquasecurity/trivy/issues/7357)) ([c5c62d5](https://github.com/aquasecurity/trivy/commit/c5c62d5ff05420321f9cdbfb93e2591e0866a342))
+* **nodejs:** check all `importers` to detect dev deps from pnpm-lock.yaml file ([#7387](https://github.com/aquasecurity/trivy/issues/7387)) ([fd9ed3a](https://github.com/aquasecurity/trivy/commit/fd9ed3a330bc66e229bcbdc262dc296a3bf01f54))
+* **plugin:** do not call GitHub content API for releases and tags ([#7274](https://github.com/aquasecurity/trivy/issues/7274)) ([b3ee6da](https://github.com/aquasecurity/trivy/commit/b3ee6dac269bd7847674f3ce985a5ff7f8f0ba38))
+* **report:** escape `Message` field in `asff.tpl` template ([#7401](https://github.com/aquasecurity/trivy/issues/7401)) ([dd9733e](https://github.com/aquasecurity/trivy/commit/dd9733e950d3127aa2ac90c45ec7e2b88a2b47ca))
+* safely check if the directory exists ([#7353](https://github.com/aquasecurity/trivy/issues/7353)) ([05a8297](https://github.com/aquasecurity/trivy/commit/05a829715f99cd90b122c64cd2f40157854e467b))
+* **sbom:** use `NOASSERTION` for licenses fields in SPDX formats ([#7403](https://github.com/aquasecurity/trivy/issues/7403)) ([c96dcdd](https://github.com/aquasecurity/trivy/commit/c96dcdd440a14cdd1b01ac473b2c15e4698e387b))
+* **secret:** use `.eyJ` keyword for JWT secret ([#7410](https://github.com/aquasecurity/trivy/issues/7410)) ([bf64003](https://github.com/aquasecurity/trivy/commit/bf64003ac8b209f34b88f228918a96d4f9dac5e0))
+* **secret:** use only line with secret for long secret lines ([#7412](https://github.com/aquasecurity/trivy/issues/7412)) ([391448a](https://github.com/aquasecurity/trivy/commit/391448aba9fcb0a4138225e5ab305e4e6707c603))
+* **terraform:** add aws_region name to presets ([#7184](https://github.com/aquasecurity/trivy/issues/7184)) ([bb2e26a](https://github.com/aquasecurity/trivy/commit/bb2e26a0ab707b718f6a890cbc87e2492298b6e5))
+
+
+### Performance Improvements
+
+* **misconf:** do not convert contents of a YAML file to string ([#7292](https://github.com/aquasecurity/trivy/issues/7292)) ([85dadf5](https://github.com/aquasecurity/trivy/commit/85dadf56265647c000191561db10b08a4948c140))
+* **misconf:** optimize work with context ([#6968](https://github.com/aquasecurity/trivy/issues/6968)) ([2b6d8d9](https://github.com/aquasecurity/trivy/commit/2b6d8d9227fb6ecc9386a14333964c23c0370a52))
+* **misconf:** use json.Valid to check validity of JSON ([#7308](https://github.com/aquasecurity/trivy/issues/7308)) ([c766831](https://github.com/aquasecurity/trivy/commit/c766831069e188226efafeec184e41498685ed85))
+
+## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
+
+
+### Features
+
+* add `log.FilePath()` function for logger ([#7080](https://github.com/aquasecurity/trivy/issues/7080)) ([1f5f348](https://github.com/aquasecurity/trivy/commit/1f5f34895823fae81bf521fc939bee743a50e304))
+* add openSUSE tumbleweed detection and scanning ([#6965](https://github.com/aquasecurity/trivy/issues/6965)) ([17b5dbf](https://github.com/aquasecurity/trivy/commit/17b5dbfa12180414b87859c6c46bfe6cc5ecf7ba))
+* **cli:** rename `--vuln-type` flag to `--pkg-types` flag ([#7104](https://github.com/aquasecurity/trivy/issues/7104)) ([7cbdb0a](https://github.com/aquasecurity/trivy/commit/7cbdb0a0b5dff33e506e1c1f3119951fa241b432))
+* **mariner:** Add support for Azure Linux ([#7186](https://github.com/aquasecurity/trivy/issues/7186)) ([5cbc452](https://github.com/aquasecurity/trivy/commit/5cbc452a09822d1bf300ead88f0d613d4cf0349a))
+* **misconf:** enabled China configuration for ACRs ([#7156](https://github.com/aquasecurity/trivy/issues/7156)) ([d1ec89d](https://github.com/aquasecurity/trivy/commit/d1ec89d1db4b039f0e31076ccd1ca969fb15628e))
+* **nodejs:** add license parser to pnpm analyser ([#7036](https://github.com/aquasecurity/trivy/issues/7036)) ([03ac93d](https://github.com/aquasecurity/trivy/commit/03ac93dc208f1b40896f3fa11fa1d45293176dca))
+* **sbom:** add image labels into `SPDX` and `CycloneDX` reports ([#7257](https://github.com/aquasecurity/trivy/issues/7257)) ([4a2f492](https://github.com/aquasecurity/trivy/commit/4a2f492c6e685ff577fb96a7006cd0c43755baf4))
+* **sbom:** add vulnerability support for SPDX formats ([#7213](https://github.com/aquasecurity/trivy/issues/7213)) ([efb1f69](https://github.com/aquasecurity/trivy/commit/efb1f6938321eec3529ef4fea6608261f6771ae0))
+* share build-in rules ([#7207](https://github.com/aquasecurity/trivy/issues/7207)) ([bff317c](https://github.com/aquasecurity/trivy/commit/bff317c77bf4a5f615a80d9875d129213bd52f6d))
+* **vex:** retrieve VEX attestations from OCI registries ([#7249](https://github.com/aquasecurity/trivy/issues/7249)) ([c2fd2e0](https://github.com/aquasecurity/trivy/commit/c2fd2e0d89567a0ccd996dda8790f3c3305ea6f7))
+* **vex:** VEX Repository support ([#7206](https://github.com/aquasecurity/trivy/issues/7206)) ([88ba460](https://github.com/aquasecurity/trivy/commit/88ba46047c93e6046292523ae701de774dfdc4dc))
+* **vuln:** add `--pkg-relationships` ([#7237](https://github.com/aquasecurity/trivy/issues/7237)) ([5c37361](https://github.com/aquasecurity/trivy/commit/5c37361600d922db27dd594b2a80c010a19b3a6e))
+
+
+### Bug Fixes
+
+* Add dependencyManagement exclusions to the child exclusions ([#6969](https://github.com/aquasecurity/trivy/issues/6969)) ([dc68a66](https://github.com/aquasecurity/trivy/commit/dc68a662a701980d6529f61a65006f1e4728a3e5))
+* add missing platform and type to spec ([#7149](https://github.com/aquasecurity/trivy/issues/7149)) ([c8a7abd](https://github.com/aquasecurity/trivy/commit/c8a7abd3b508975fcf10c254d13d1a2cd42da657))
+* **cli:** error on missing config file ([#7154](https://github.com/aquasecurity/trivy/issues/7154)) ([7fa5e7d](https://github.com/aquasecurity/trivy/commit/7fa5e7d0ab67f20d434b2922725988695e32e6af))
+* close file when failed to open gzip ([#7164](https://github.com/aquasecurity/trivy/issues/7164)) ([2a577a7](https://github.com/aquasecurity/trivy/commit/2a577a7bae37e5731dceaea8740683573b6b70a5))
+* **dotnet:** don't include non-runtime libraries into report for `*.deps.json` files ([#7039](https://github.com/aquasecurity/trivy/issues/7039)) ([5bc662b](https://github.com/aquasecurity/trivy/commit/5bc662be9a8f072599f90abfd3b400c8ab055ed6))
+* **dotnet:** show `nuget package dir not found` log only when checking `nuget` packages ([#7194](https://github.com/aquasecurity/trivy/issues/7194)) ([d76feba](https://github.com/aquasecurity/trivy/commit/d76febaee107c645e864da0f4d74a8f6ae4ad232))
+* ignore nodes when listing permission is not allowed ([#7107](https://github.com/aquasecurity/trivy/issues/7107)) ([25f8143](https://github.com/aquasecurity/trivy/commit/25f8143f120965c636c5ea8386398b211b082398))
+* **java:** avoid panic if deps from `pom` in `it` dir are not found ([#7245](https://github.com/aquasecurity/trivy/issues/7245)) ([4e54a7e](https://github.com/aquasecurity/trivy/commit/4e54a7e84c33c1be80c52c6db78c634bc3911715))
+* **java:** use `go-mvn-version` to remove `Package` duplicates ([#7088](https://github.com/aquasecurity/trivy/issues/7088)) ([a7a304d](https://github.com/aquasecurity/trivy/commit/a7a304d53e1ce230f881c28c4f35885774cf3b9a))
+* **misconf:** do not evaluate TF when a load error occurs ([#7109](https://github.com/aquasecurity/trivy/issues/7109)) ([f27c236](https://github.com/aquasecurity/trivy/commit/f27c236d6e155cb366aeef619b6ea96d20fb93da))
+* **nodejs:** detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` ([#7110](https://github.com/aquasecurity/trivy/issues/7110)) ([54bb8bd](https://github.com/aquasecurity/trivy/commit/54bb8bdfb934d114b5570005853bf4bc0d40c609))
+* **report:** hide empty table when all secrets/license/misconfigs are ignored ([#7171](https://github.com/aquasecurity/trivy/issues/7171)) ([c3036de](https://github.com/aquasecurity/trivy/commit/c3036de6d7719323d306a9666ccc8d928d936f9a))
+* **secret:** skip regular strings contain secret patterns ([#7182](https://github.com/aquasecurity/trivy/issues/7182)) ([174b1e3](https://github.com/aquasecurity/trivy/commit/174b1e3515a6394cf8d523216d6267c1aefb820a))
+* **secret:** trim excessively long lines ([#7192](https://github.com/aquasecurity/trivy/issues/7192)) ([92b13be](https://github.com/aquasecurity/trivy/commit/92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5))
+* **secret:** update length of `hugging-face-access-token` ([#7216](https://github.com/aquasecurity/trivy/issues/7216)) ([8c87194](https://github.com/aquasecurity/trivy/commit/8c87194f0a6b194bc5d340c8a65bd99a3132d973))
+* **server:** pass license categories to options ([#7203](https://github.com/aquasecurity/trivy/issues/7203)) ([9d52018](https://github.com/aquasecurity/trivy/commit/9d5201808da89607ae43570bdf1f335b482a6b79))
+
+
+### Performance Improvements
+
+* **debian:** use `bytes.Index` in `emptyLineSplit` to cut allocation ([#7065](https://github.com/aquasecurity/trivy/issues/7065)) ([acbec05](https://github.com/aquasecurity/trivy/commit/acbec053c985388a26d899e73b4b7f5a6d1fa210))
+
+## [0.53.0](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.53.0) (2024-07-01)
+
+
+### ⚠ BREAKING CHANGES
+
+* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861))
+* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993))
+* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995))
+
+### Features
+
+* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993)) ([8d0ae1f](https://github.com/aquasecurity/trivy/commit/8d0ae1f5de72d92a043dcd6b7c164d30e51b6047))
+* Add local ImageID to SARIF metadata ([#6522](https://github.com/aquasecurity/trivy/issues/6522)) ([f144e91](https://github.com/aquasecurity/trivy/commit/f144e912d34234f00b5a13b7a11a0019fa978b27))
+* add memory cache backend ([#7048](https://github.com/aquasecurity/trivy/issues/7048)) ([55ccd06](https://github.com/aquasecurity/trivy/commit/55ccd06df43f6ff28685f46d215ccb70f55916d2))
+* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995)) ([979e118](https://github.com/aquasecurity/trivy/commit/979e118a9e0ca8943bef9143f492d7eb1fd4d863))
+* **conda:** add licenses support for `environment.yml` files ([#6953](https://github.com/aquasecurity/trivy/issues/6953)) ([654217a](https://github.com/aquasecurity/trivy/commit/654217a65485ca0a07771ea61071977894eb4920))
+* **dart:** use first version of constraint for dependencies using SDK version ([#6239](https://github.com/aquasecurity/trivy/issues/6239)) ([042d6b0](https://github.com/aquasecurity/trivy/commit/042d6b08c283105c258a3dda98983b345a5305c3))
+* **image:** Set User-Agent header for Trivy container registry requests ([#6868](https://github.com/aquasecurity/trivy/issues/6868)) ([9b31697](https://github.com/aquasecurity/trivy/commit/9b31697274c8743d6e5a8f7a1a05daf60cd15910))
+* **java:** add support for `maven-metadata.xml` files for remote snapshot repositories. ([#6950](https://github.com/aquasecurity/trivy/issues/6950)) ([1f8fca1](https://github.com/aquasecurity/trivy/commit/1f8fca1fc77b989bb4e3ba820b297464dbdd825f))
+* **java:** add support for sbt projects using sbt-dependency-lock ([#6882](https://github.com/aquasecurity/trivy/issues/6882)) ([f18d035](https://github.com/aquasecurity/trivy/commit/f18d035ae13b281c96aa4ed69ca32e507d336e66))
+* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861)) ([8d618e4](https://github.com/aquasecurity/trivy/commit/8d618e48a2f1b60c2e4c49cdd9deb8eb45c972b0))
+* **misconf:** add metadata to Cloud schema ([#6831](https://github.com/aquasecurity/trivy/issues/6831)) ([02d5404](https://github.com/aquasecurity/trivy/commit/02d540478d495416b50d7e8b187ff9f5bba41f45))
+* **misconf:** add support for AWS::EC2::SecurityGroupIngress/Egress ([#6755](https://github.com/aquasecurity/trivy/issues/6755)) ([55fa610](https://github.com/aquasecurity/trivy/commit/55fa6109cd0463fd3221aae41ca7b1d8c44ad430))
+* **misconf:** API Gateway V1 support for CloudFormation ([#6874](https://github.com/aquasecurity/trivy/issues/6874)) ([8491469](https://github.com/aquasecurity/trivy/commit/8491469f0b35bd9df706a433669f5b62239d4ef3))
+* **misconf:** support of selectors for all providers for Rego ([#6905](https://github.com/aquasecurity/trivy/issues/6905)) ([bc3741a](https://github.com/aquasecurity/trivy/commit/bc3741ae2c68cdd00fc0aef7e51985568b2eb78a))
+* **php:** add installed.json file support ([#4865](https://github.com/aquasecurity/trivy/issues/4865)) ([edc556b](https://github.com/aquasecurity/trivy/commit/edc556b85e3554c31e19b1ece189effb9ba2be12))
+* **plugin:** add support for nested archives ([#6845](https://github.com/aquasecurity/trivy/issues/6845)) ([622c67b](https://github.com/aquasecurity/trivy/commit/622c67b7647f94d0a0ca3acf711d8f847cdd8d98))
+* **sbom:** migrate to `CycloneDX v1.6` ([#6903](https://github.com/aquasecurity/trivy/issues/6903)) ([09e50ce](https://github.com/aquasecurity/trivy/commit/09e50ce6a82073ba62f1732d5aa0cd2701578693))
+
+
+### Bug Fixes
+
+* **c:** don't skip conan files from `file-patterns` and scan `.conan2` cache dir ([#6949](https://github.com/aquasecurity/trivy/issues/6949)) ([38b35dd](https://github.com/aquasecurity/trivy/commit/38b35dd3c804027e7a6e6a9d3c87b7ac333896c5))
+* **cli:** show info message only when --scanners is available ([#7032](https://github.com/aquasecurity/trivy/issues/7032)) ([e9fc3e3](https://github.com/aquasecurity/trivy/commit/e9fc3e3397564512038ddeca2adce0efcb3f93c5))
+* **cyclonedx:** trim non-URL info for `advisory.url` ([#6952](https://github.com/aquasecurity/trivy/issues/6952)) ([417212e](https://github.com/aquasecurity/trivy/commit/417212e0930aa52a27ebdc1b9370d2943ce0f8fa))
+* **debian:** take installed files from the origin layer ([#6849](https://github.com/aquasecurity/trivy/issues/6849)) ([089b953](https://github.com/aquasecurity/trivy/commit/089b953462260f01c40bdf588b2568ae0ef658bc))
+* **image:** parse `image.inspect.Created` field only for non-empty values ([#6948](https://github.com/aquasecurity/trivy/issues/6948)) ([0af5730](https://github.com/aquasecurity/trivy/commit/0af5730cbe56686417389c2fad643c1bdbb33999))
+* **license:** return license separation using separators  `,`, `or`, etc. ([#6916](https://github.com/aquasecurity/trivy/issues/6916)) ([52f7aa5](https://github.com/aquasecurity/trivy/commit/52f7aa54b520a90a19736703f8ea63cc20fab104))
+* **misconf:** fix caching of modules in subdirectories ([#6814](https://github.com/aquasecurity/trivy/issues/6814)) ([0bcfedb](https://github.com/aquasecurity/trivy/commit/0bcfedbcaa9bbe30ee5ecade5b98e9ce3cc54c9b))
+* **misconf:** fix parsing of engine links and frameworks ([#6937](https://github.com/aquasecurity/trivy/issues/6937)) ([ec68c9a](https://github.com/aquasecurity/trivy/commit/ec68c9ab4580d057720179173d58734402c92af4))
+* **misconf:** handle source prefix to ignore ([#6945](https://github.com/aquasecurity/trivy/issues/6945)) ([c3192f0](https://github.com/aquasecurity/trivy/commit/c3192f061d7e84eaf38df8df7c879dc00b4ca137))
+* **misconf:** parsing numbers without fraction as int ([#6834](https://github.com/aquasecurity/trivy/issues/6834)) ([8141a13](https://github.com/aquasecurity/trivy/commit/8141a137ba50b553a9da877d95c7ccb491d041c6))
+* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken ([#6858](https://github.com/aquasecurity/trivy/issues/6858)) ([cf5aa33](https://github.com/aquasecurity/trivy/commit/cf5aa336e660e4c98481ebf8d15dd4e54c38581e))
+* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([7d083bc](https://github.com/aquasecurity/trivy/commit/7d083bc890eccc3bf32765c6d7e922cab2e2ef94))
+* **plugin:** respect `--insecure` ([#7022](https://github.com/aquasecurity/trivy/issues/7022)) ([3d02a31](https://github.com/aquasecurity/trivy/commit/3d02a31b44924f9e2495aae087f7ca9de3314db4))
+* **purl:** add missed os types ([#6955](https://github.com/aquasecurity/trivy/issues/6955)) ([2d85a00](https://github.com/aquasecurity/trivy/commit/2d85a003b22298d1101f84559f7c6b470f2b3909))
+* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase ([#6852](https://github.com/aquasecurity/trivy/issues/6852)) ([faa9d92](https://github.com/aquasecurity/trivy/commit/faa9d92cfeb8d924deda2dac583b6c97099c08d9))
+* **sbom:** don't overwrite `srcEpoch` when decoding SBOM files ([#6866](https://github.com/aquasecurity/trivy/issues/6866)) ([04af59c](https://github.com/aquasecurity/trivy/commit/04af59c2906bcfc7f7970b4e8f45a90f04313170))
+* **sbom:** fix panic when scanning SBOM file without root component into SBOM format ([#7051](https://github.com/aquasecurity/trivy/issues/7051)) ([3d4ae8b](https://github.com/aquasecurity/trivy/commit/3d4ae8b5be94cd9b00badeece8d86c2258b2cd90))
+* **sbom:** take pkg name from `purl` for maven pkgs ([#7008](https://github.com/aquasecurity/trivy/issues/7008)) ([a76e328](https://github.com/aquasecurity/trivy/commit/a76e3286c413de3dec55394fb41dd627dfee37ae))
+* **sbom:** use `purl` for `bitnami` pkg names ([#6982](https://github.com/aquasecurity/trivy/issues/6982)) ([7eabb92](https://github.com/aquasecurity/trivy/commit/7eabb92ec2e617300433445718be07ac74956454))
+* **sbom:** use package UIDs for uniqueness ([#7042](https://github.com/aquasecurity/trivy/issues/7042)) ([14d71ba](https://github.com/aquasecurity/trivy/commit/14d71ba63c39e51dd4179ba2d6002b46e1816e90))
+* **secret:** `Asymmetric Private Key` shouldn't start with space ([#6867](https://github.com/aquasecurity/trivy/issues/6867)) ([bb26445](https://github.com/aquasecurity/trivy/commit/bb26445e3df198df77930329f532ac5ab7a67af2))
+* **suse:** Add SLES 15.6 and Leap 15.6 ([#6964](https://github.com/aquasecurity/trivy/issues/6964)) ([5ee4e9d](https://github.com/aquasecurity/trivy/commit/5ee4e9d30ea814f60fd5705361cabf2e83a47a78))
+* use embedded when command path not found ([#7037](https://github.com/aquasecurity/trivy/issues/7037)) ([137c916](https://github.com/aquasecurity/trivy/commit/137c9164238ffd989a0c5ed24f23a55bbf341f6e))
+
+## [0.52.0](https://github.com/aquasecurity/trivy/compare/v0.51.1...v0.52.0) (2024-06-03)
+
+
+### Features
+
+* Add Julia language analyzer support ([#5635](https://github.com/aquasecurity/trivy/issues/5635)) ([fecafb1](https://github.com/aquasecurity/trivy/commit/fecafb1fc5bb129c7485342a0775f0dd8bedd28e))
+* add support for plugin index ([#6674](https://github.com/aquasecurity/trivy/issues/6674)) ([26faf8f](https://github.com/aquasecurity/trivy/commit/26faf8f3f04b1c5f9f81c03ffc6b2008732207e2))
+* **misconf:** Add support for deprecating a check ([#6664](https://github.com/aquasecurity/trivy/issues/6664)) ([88702cf](https://github.com/aquasecurity/trivy/commit/88702cfd5918b093defc5b5580f7cbf16f5f2417))
+* **misconf:** add Terraform 'removed' block to schema ([#6640](https://github.com/aquasecurity/trivy/issues/6640)) ([b7a0a13](https://github.com/aquasecurity/trivy/commit/b7a0a131a03ed49c08d3b0d481bc9284934fd6e1))
+* **misconf:** register builtin Rego funcs from trivy-checks ([#6616](https://github.com/aquasecurity/trivy/issues/6616)) ([7c22ee3](https://github.com/aquasecurity/trivy/commit/7c22ee3df5ee51beb90e44428a99541b3d19ab98))
+* **misconf:** resolve tf module from OpenTofu compatible registry ([#6743](https://github.com/aquasecurity/trivy/issues/6743)) ([ac74520](https://github.com/aquasecurity/trivy/commit/ac7452009bf7ca0fa8ee1de8807c792eabad405a))
+* **misconf:** support for VPC resources for inbound/outbound rules ([#6779](https://github.com/aquasecurity/trivy/issues/6779)) ([349caf9](https://github.com/aquasecurity/trivy/commit/349caf96bc3dd81551d488044f1adfdb947f39fb))
+* **misconf:** support symlinks inside of Helm archives ([#6621](https://github.com/aquasecurity/trivy/issues/6621)) ([4eae37c](https://github.com/aquasecurity/trivy/commit/4eae37c52b035b3576361c12f70d3d9517d0a73c))
+* **nodejs:** add v9 pnpm lock file support ([#6617](https://github.com/aquasecurity/trivy/issues/6617)) ([1e08648](https://github.com/aquasecurity/trivy/commit/1e0864842e32a709941d4b4e8f521602bcee684d))
+* **plugin:** specify plugin version ([#6683](https://github.com/aquasecurity/trivy/issues/6683)) ([d6dc567](https://github.com/aquasecurity/trivy/commit/d6dc56732babbc9d7f788c280a768d8648aa093d))
+* **python:** add license support for `requirement.txt` files ([#6782](https://github.com/aquasecurity/trivy/issues/6782)) ([29615be](https://github.com/aquasecurity/trivy/commit/29615be85e8bfeaf5a0cd51829b1898c55fa4274))
+* **python:** add line number support for `requirement.txt` files ([#6729](https://github.com/aquasecurity/trivy/issues/6729)) ([2bc54ad](https://github.com/aquasecurity/trivy/commit/2bc54ad2752aba5de4380cb92c13b09c0abefd73))
+* **report:** Include licenses and secrets filtered by rego to ModifiedFindings ([#6483](https://github.com/aquasecurity/trivy/issues/6483)) ([fa3cf99](https://github.com/aquasecurity/trivy/commit/fa3cf993eace4be793f85907b42365269c597b91))
+* **vex:** improve relationship support in CSAF VEX ([#6735](https://github.com/aquasecurity/trivy/issues/6735)) ([a447f6b](https://github.com/aquasecurity/trivy/commit/a447f6ba94b6f8b14177dc5e4369a788e2020d90))
+* **vex:** support non-root components for products in OpenVEX ([#6728](https://github.com/aquasecurity/trivy/issues/6728)) ([9515695](https://github.com/aquasecurity/trivy/commit/9515695d45e9b5c20890e27e21e3ab45bfd4ce5f))
+
+
+### Bug Fixes
+
+* clean up golangci lint configuration ([#6797](https://github.com/aquasecurity/trivy/issues/6797)) ([62de6f3](https://github.com/aquasecurity/trivy/commit/62de6f3feba6e4c56ad3922441d5b0f150c3d6b7))
+* **cli:** always output fatal errors to stderr ([#6827](https://github.com/aquasecurity/trivy/issues/6827)) ([c2b9132](https://github.com/aquasecurity/trivy/commit/c2b9132a7e933a68df4cc0eb86aab23719ded1b5))
+* close APKINDEX archive file ([#6672](https://github.com/aquasecurity/trivy/issues/6672)) ([5caf437](https://github.com/aquasecurity/trivy/commit/5caf4377f3a7fcb1f6e1a84c67136ae62d100be3))
+* close settings.xml ([#6768](https://github.com/aquasecurity/trivy/issues/6768)) ([9c3e895](https://github.com/aquasecurity/trivy/commit/9c3e895fcb0852c00ac03ed21338768f76b5273b))
+* close testfile ([#6830](https://github.com/aquasecurity/trivy/issues/6830)) ([aa0c413](https://github.com/aquasecurity/trivy/commit/aa0c413814e8915b38d2285c6a8ba5bc3f0705b4))
+* **conda:** add support `pip` deps for `environment.yml` files ([#6675](https://github.com/aquasecurity/trivy/issues/6675)) ([150a773](https://github.com/aquasecurity/trivy/commit/150a77313e980cd63797a89a03afcbc97b285f38))
+* **go:** add only non-empty root modules for `gobinaries` ([#6710](https://github.com/aquasecurity/trivy/issues/6710)) ([c96f2a5](https://github.com/aquasecurity/trivy/commit/c96f2a5b3de820da37e14594dd537c3b0949ae9c))
+* **go:** include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` ([#6705](https://github.com/aquasecurity/trivy/issues/6705)) ([afb4f9d](https://github.com/aquasecurity/trivy/commit/afb4f9dc4730671ba004e1734fa66422c4c86dad))
+* Golang version parsing from binaries w/GOEXPERIMENT ([#6696](https://github.com/aquasecurity/trivy/issues/6696)) ([696f2ae](https://github.com/aquasecurity/trivy/commit/696f2ae0ecdd4f90303f41249924a09ace70dd78))
+* include packages unless it is not needed ([#6765](https://github.com/aquasecurity/trivy/issues/6765)) ([56dbe1f](https://github.com/aquasecurity/trivy/commit/56dbe1f6768fe67fbc1153b74fde0f83eaa1b281))
+* **misconf:** don't shift ignore rule related to code ([#6708](https://github.com/aquasecurity/trivy/issues/6708)) ([39a746c](https://github.com/aquasecurity/trivy/commit/39a746c77837f873e87b81be40676818030f44c5))
+* **misconf:** skip Rego errors with a nil location ([#6638](https://github.com/aquasecurity/trivy/issues/6638)) ([a2c522d](https://github.com/aquasecurity/trivy/commit/a2c522ddb229f049999c4ce74ef75a0e0f9fdc62))
+* **misconf:** skip Rego errors with a nil location ([#6666](https://github.com/aquasecurity/trivy/issues/6666)) ([a126e10](https://github.com/aquasecurity/trivy/commit/a126e1075a44ef0e40c0dc1e214d1c5955f80242))
+* node-collector high and critical cves ([#6707](https://github.com/aquasecurity/trivy/issues/6707)) ([ff32deb](https://github.com/aquasecurity/trivy/commit/ff32deb7bf9163c06963f557228260b3b8c161ed))
+* **plugin:** initialize logger ([#6836](https://github.com/aquasecurity/trivy/issues/6836)) ([728e77a](https://github.com/aquasecurity/trivy/commit/728e77a7261dc3fcda1e61e79be066c789bbba0c))
+* **python:** add package name and version validation for `requirements.txt` files. ([#6804](https://github.com/aquasecurity/trivy/issues/6804)) ([ea3a124](https://github.com/aquasecurity/trivy/commit/ea3a124fc7162c30c7f1a59bdb28db0b3c8bb86d))
+* **report:** hide empty tables if all vulns has been filtered ([#6352](https://github.com/aquasecurity/trivy/issues/6352)) ([3d388d8](https://github.com/aquasecurity/trivy/commit/3d388d8552ef42d4d54176309a38c1879008527b))
+* **sbom:** fix panic for `convert` mode when scanning json file derived from sbom file ([#6808](https://github.com/aquasecurity/trivy/issues/6808)) ([f92ea09](https://github.com/aquasecurity/trivy/commit/f92ea096856c7c262b05bd4d31c62689ebafac82))
+* use of specified context to obtain cluster name ([#6645](https://github.com/aquasecurity/trivy/issues/6645)) ([39ebed4](https://github.com/aquasecurity/trivy/commit/39ebed45f8c218509d264bd3f3ca548fc33d2b3a))
+
+
+### Performance Improvements
+
+* **misconf:** parse rego input once ([#6615](https://github.com/aquasecurity/trivy/issues/6615)) ([67c6b1d](https://github.com/aquasecurity/trivy/commit/67c6b1d473999003d682bdb42657bbf3a4a69a9c))

CONTRIBUTING.md

@@ -0,0 +1 @@
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

Dockerfile

@@ -1,14 +1,5 @@
-FROM golang:1.12-alpine AS builder
-ADD go.mod go.sum /app/
-WORKDIR /app/
-RUN apk --no-cache add git
-RUN go mod download
-ADD . /app/
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o /trivy cmd/trivy/main.go
-
-FROM alpine:3.9
+FROM alpine:3.20.3
 RUN apk --no-cache add ca-certificates git
-COPY --from=builder /trivy /usr/local/bin/trivy
-RUN chmod +x /usr/local/bin/trivy
-
-CMD ["trivy"]
+COPY trivy /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.canary

@@ -0,0 +1,11 @@
+FROM alpine:3.20.0
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64 
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.protoc

@@ -0,0 +1,20 @@
+FROM --platform=linux/amd64 golang:1.22
+
+# Set environment variable for protoc
+ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
+
+# Install unzip for protoc installation and clean up cache
+RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
+
+# Download and install protoc
+RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
+    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
+    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
+    && rm -f $PROTOC_ZIP
+
+# Install Go tools
+RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
+RUN go install github.com/magefile/mage@v1.15.0
+
+ENV TRIVY_PROTOC_CONTAINER=true

LICENSE

@@ -1,21 +1,201 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-Copyright (c) 2019 Teppei Fukuda
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

NOTICE

@@ -0,0 +1,4 @@
+Trivy
+Copyright 2019-2020 Aqua Security Software Ltd. 
+
+This product includes software developed by Aqua Security (https://aquasec.com).

README.md

@@ -1,255 +1,149 @@
-<img src="imgs/logo.png" width="300">
+<div align="center">
+<img src="docs/imgs/logo.png" width="200">
 
-[![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
-[![CircleCI](https://circleci.com/gh/knqyf263/trivy.svg?style=svg)](https://circleci.com/gh/knqyf263/trivy)
-[![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
-[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
+[![GitHub Release][release-img]][release]
+[![Test][test-img]][test]
+[![Go Report Card][go-report-img]][go-report]
+[![License: Apache-2.0][license-img]][license]
+[![GitHub Downloads][github-downloads-img]][release]
+![Docker Pulls][docker-pulls]
 
-A Simple and Comprehensive Vulnerability Scanner for Containers, Compatible with CI
+[📖 Documentation][docs]
+</div>
 
-# Abstract
-`Trivy` is a simple and comprehensive vulnerability scanner for containers.
-`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, etc.).
-`Trivy` is easy to use. Just install the binary and you're ready to scan. It can be scanned just by specifying a container image name.
+Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
+Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
 
-It is considered to be used in CI. Before pushing to a container registry, you can scan your local container image easily.
-See [here](#continuous-integration-ci) for details.
+Targets (what Trivy can scan):
 
+- Container Image
+- Filesystem
+- Git Repository (remote)
+- Virtual Machine Image
+- Kubernetes
 
-# Features
-- Detect comprehensive vulnerabilities
-  - OS packages (Alpine, Red Hat Enterprise Linux, CentOS, Debian, Ubuntu)
-  - **Application dependencies** (Bundler, Composer, Pipenv, npm, Cargo)
-- Simple
-  - Specify only an image name
-- Easy installation
-  - **No need for prerequirements** such as installation of DB, libraries, etc.
-  - `apt-get install`, `yum install` and `brew install` is possible (See [Installation](#installation))
-- High accuracy
-  - Especially Alpine
-- **Compatible with CI**
-  - See [CI Example](#continuous-integration-ci)
+Scanners (what Trivy can find there):
 
+- OS packages and software dependencies in use (SBOM)
+- Known vulnerabilities (CVEs)
+- IaC issues and misconfigurations
+- Sensitive information and secrets
+- Software licenses
 
-# Installation
+Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
 
-## RHEL/CentOS
+To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
 
-Add repository setting to `/etc/yum.repos.d`.
+## Quick Start
 
-```
-$ sudo vim /etc/yum.repos.d/trivy.repo
-[trivy]
-name=Trivy repository
-baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
-gpgcheck=0
-enabled=1
-$ sudo yum -y update
-$ sudo yum -y install trivy
+### Get Trivy
+
+Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
+
+- `brew install trivy`
+- `docker run aquasec/trivy`
+- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
+- See [Installation] for more
+
+Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
+
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
+- See [Ecosystem] for more
+
+### Canary builds
+There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
+
+Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
+
+### General usage
+
+```bash
+trivy <target> [--scanners <scanner1,scanner2>] <subject>
 ```
 
-or
+Examples:
 
-```
-$ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.3/trivy_0.0.3_Linux-64bit.rpm
+```bash
+trivy image python:3.4-alpine
 ```
 
-## Debian/Ubuntu
+<details>
+<summary>Result</summary>
 
-Replace `[CODE_NAME]` with your code name
+https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov
 
-CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic
+</details>
 
-```
-$ sudo apt-get install apt-transport-https gnupg
-$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list
-$ sudo apt-get update
-$ sudo apt-get install trivy
+```bash
+trivy fs --scanners vuln,secret,misconfig myproject/
 ```
 
-or
+<details>
+<summary>Result</summary>
 
-```
-$ sudo apt-get install rpm
-$ wget https://github.com/knqyf263/trivy/releases/download/v0.0.3/trivy_0.0.3_Linux-64bit.deb
-$ sudo dpkg -i trivy_0.0.3_Linux-64bit.deb
+https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov
+
+</details>
+
+```bash
+trivy k8s --report summary cluster
 ```
 
-## Mac OS X / Homebrew
-You can use homebrew on OS X.
-```
-$ brew tap knqyf263/trivy
-$ brew install knqyf263/trivy/trivy
-```
+<details>
+<summary>Result</summary>
 
-## Binary (Including Windows)
-Go to [the releases page](https://github.com/knqyf263/trivy/releases), find the version you want, and download the zip file. Unpack the zip file, and put the binary to somewhere you want (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
+![k8s summary](docs/imgs/trivy-k8s.png)
 
-## From source
+</details>
 
-```sh
-$ go get -u github.com/knqyf263/trivy
-```
+## FAQ
 
-# Examples
-## Continuous Integration (CI)
-Scan your image built in Travis CI/CircleCI. The test will fail if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0` .
+### How to pronounce the name "Trivy"?
 
-**Note**: The first time take a while (faster by cache after the second time)
-### Travis CI
+`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
 
-```
-$ cat .travis.yml
-services:
-  - docker
+## Want more? Check out Aqua
 
-before_install:
-  - docker build -t trivy-ci-test:latest .
-  - wget https://github.com/knqyf263/trivy/releases/download/v0.0.3/trivy_0.0.3_Linux-64bit.tar.gz
-  - tar zxvf trivy_0.0.3_Linux-64bit.tar.gz
-script:
-  - ./trivy --exit-code 1 --quiet trivy-ci-test:latest
-cache:
-  directories:
-    - $HOME/.cache/trivy
-```
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
+You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
+In addition check out the <https://aquasec.com> website for more information about our products and services.
+If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
 
-example: https://travis-ci.org/knqyf263/trivy-ci-test  
-repository: https://github.com/knqyf263/trivy-ci-test
+## Community
 
-### Circle CI
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+Join our [Slack community][slack] to stay up to date with community efforts.
 
-```
-$ cat .circleci/config.yml
-jobs:
-  build:
-    docker:
-      - image: docker:18.09-git
-    steps:
-      - checkout
-      - setup_remote_docker
-      - restore_cache:
-          key: vulnerability-db
-      - run:
-          name: Build image
-          command: docker build -t trivy-ci-test:latest .
-      - run:
-          name: Install trivy
-          command: |
-            wget https://github.com/knqyf263/trivy/releases/download/v0.0.4/trivy_0.0.4_Linux-64bit.tar.gz
-            tar zxvf trivy_0.0.4_Linux-64bit.tar.gz
-            mv trivy /usr/local/bin
-      - run:
-          name: Scan the local image with trivy
-          command: trivy --exit-code 1 --quiet trivy-ci-test:latest
-      - save_cache:
-          key: vulnerability-db
-          paths:
-            - $HOME/.cache/trivy
-workflows:
-  version: 2
-  release:
-    jobs:
-      - build
-```
+Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
 
-example: https://circleci.com/gh/knqyf263/trivy-ci-test  
-repository: https://github.com/knqyf263/trivy-ci-test
+[test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
+[test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
+[go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
+[go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
+[release]: https://github.com/aquasecurity/trivy/releases
+[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
+[github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
+[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
+[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
+[homepage]: https://trivy.dev
+[docs]: https://aquasecurity.github.io/trivy
+[pronunciation]: #how-to-pronounce-the-name-trivy
+[slack]: https://slack.aquasec.com
+[code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
 
-# Usage
+[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
+[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
 
-```
-NAME:
-  trivy - A simple and comprehensive vulnerability scanner for containers
-USAGE:
-  trivy [options] image_name
-VERSION:
-  0.0.3
-OPTIONS:
-  --format value, -f value    format (table, json) (default: "table")
-  --input value, -i value     input file path instead of image name
-  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  --output value, -o value    output file name
-  --exit-code value           Exit code when vulnerabilities were found (default: 0)
-  --skip-update               skip db update
-  --clean, -c                 clean all cache
-  --quiet, -q                 suppress progress bar
-  --ignore-unfixed            display only fixed vulnerabilities
-  --refresh                   refresh DB (usually used after version update of trivy
-  --debug, -d                 debug mode
-  --help, -h                  show help
-  --version, -v               print the version
-```
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[rego]: https://www.openpolicyagent.org/docs/latest/#rego
+[sigstore]: https://www.sigstore.dev/
 
-# Q&A
-## Homebrew
-### Error: Your macOS keychain GitHub credentials do not have sufficient scope!
-
-```
-$ brew tap knqyf263/trivy
-Error: Your macOS keychain GitHub credentials do not have sufficient scope!
-Scopes they need: none
-Scopes they have:
-Create a personal access token:
-  https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
-echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc
-```
-
-Try:
-```
-$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase
-```
-
-### Error: knqyf263/trivy/trivy 64 already installed
-
-```
-$ brew upgrade
-...
-Error: knqyf263/trivy/trivy 64 already installed
-```
-
-Try:
-
-```
-$ brew unlink trivy && brew uninstall trivy
-($ rm -rf /usr/local/Cellar/trivy/64)
-$ brew install knqyf263/trivy/trivy
-```
-
-## Others
-### Detected version update of trivy. Please try again with --refresh option
-Try again with `--refresh` option
-
-```
-$ trivy --refresh alpine:3.9
-```
-
-### Unknown error
-Try again with `--clean` option
-
-```
-$ trivy --clean
-```
-
-# Contribute
-
-1. fork a repository: github.com/knqyf263/trivy to github.com/you/repo
-2. get original code: `go get github.com/knqyf263/trivy`
-3. work on original code
-4. add remote to your repo: git remote add myfork https://github.com/you/repo.git
-5. push your changes: git push myfork
-6. create a new Pull Request
-
-- see [GitHub and Go: forking, pull requests, and go-getting](http://blog.campoy.cat/2014/03/github-and-go-forking-pull-requests-and.html)
-
-----
-
-# Credits
-Special thanks to [Tomoya Amachi](https://github.com/tomoyamachi)
-
-# License
-MIT
-
-# Author
-Teppei Fukuda (knqyf263)
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions

SECURITY.md

@@ -0,0 +1,10 @@
+# Security Policy
+
+## Supported Versions
+
+This is an open source project that is provided as-is without warrenty or liability.  
+As such no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.
+
+## Reporting a Vulnerability
+
+Please use the "Private vulnerability reporting" feature in the GitHub repository (under the "Security" tab). 

aqua.yaml

@@ -0,0 +1,10 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+registries:
+- type: standard
+  ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+- name: tinygo-org/tinygo@v0.31.1
+- name: WebAssembly/binaryen@version_112
+- name: magefile/mage@v1.14.0

brand/Trivy-OSS-Logo-Color-Horizontal-RGB.svg

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#031730;}
+	.st1{fill:#08B1D5;}
+	.st2{fill:#1904DA;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<g>
+			<g>
+				<g>
+					<path class="st0" d="M1437.8,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1391.75,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1419.1,216.4,1406.84,204.13,1391.75,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<g>
+					<path class="st0" d="M1746.82,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1700.77,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1728.12,216.4,1715.85,204.13,1700.77,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<path class="st0" d="M1597.76,277.55c-25.4,0-46.07-20.66-46.07-46.07v-43.22h18.71v43.22c0,15.09,12.28,27.36,27.36,27.36
+					s27.36-12.28,27.36-27.36v-43.22h18.71v43.22C1643.83,256.88,1623.16,277.55,1597.76,277.55z"/>
+			</g>
+			<g>
+				<path class="st0" d="M1494.75,185.43c-25.39,0-46.05,20.66-46.05,46.05c0,25.39,20.66,46.05,46.05,46.05l18.7-18.7h-18.7
+					c-15.08,0-27.35-12.27-27.35-27.35c0-15.08,12.27-27.35,27.35-27.35s27.35,12.27,27.35,27.35v90h18.7v-90
+					C1540.8,206.09,1520.14,185.43,1494.75,185.43z"/>
+			</g>
+		</g>
+	</g>
+	<g>
+		<g>
+			<path class="st0" d="M968.09,578.05v45.38c-30.92,0-58.76-11.12-80.72-29.55c-27.59-23.17-45.14-57.93-45.14-96.78V269.82h45.14
+				v103.14h80.72v45.68h-80.72v79.6C887.98,542.42,923.77,578.05,968.09,578.05z"/>
+			<path class="st0" d="M1128.93,372.97v45.08c-42.79,0.09-77.63,34.03-79.2,76.45v128.94h-45.21V372.96h45.21v28.59
+				C1071.24,383.73,1098.84,373.01,1128.93,372.97z"/>
+			<path class="st0" d="M1157.94,347.93v-39.5h45.14v39.5H1157.94z M1157.94,623.44V372.96h45.14v250.48H1157.94z"/>
+			<path class="st0" d="M1479.86,372.96l-125.14,250.48l-125.3-250.48h51.3l73.99,147.93l73.84-147.93H1479.86z"/>
+			<path class="st0" d="M1750.5,372.96c0,0,0,273.85,0,291.97c0,69.91-57.37,125.75-125.32,125.69
+				c-31.84,0.03-61.33-12.05-83.7-32.11l32.45-32.45c13.85,11.74,31.73,18.85,51.25,18.82c43.98,0,79.58-35.97,79.58-79.95v-69.99
+				c-21.82,18.06-49.68,28.52-79.58,28.49c-68.1,0.06-125.44-54.9-125.44-125.35c0-1.49,0-125.13,0-125.13h45.73
+				c0,0,0.02,121.79,0.02,125.13c0,43.8,35.68,80,79.69,79.96c43.98,0,79.58-35.97,79.58-79.96V372.96H1750.5z"/>
+		</g>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M463.95,358.89c0.04,0,0.08,0,0.12,0c6.43,0.01,11.75-4.93,11.75-11.36V134.47l-11.99-6.7l-11.94,6.67
+					v213.1c0,6.43,5.32,11.38,11.75,11.35C463.73,358.89,463.84,358.89,463.95,358.89z"/>
+				<path class="st2" d="M392.02,455.6L194.35,588.27v15.11l11.26,6.17L405.34,475.5c5.13-3.44,6.41-10.31,3.09-15.52
+					c-0.14-0.22-0.28-0.44-0.42-0.67C404.58,453.78,397.42,451.98,392.02,455.6z"/>
+				<path class="st3" d="M522.51,475.6l199.56,133.93l11.23-6.15v-15.14L535.83,455.71c-5.4-3.62-12.56-1.83-16,3.69
+					c-0.13,0.21-0.26,0.42-0.4,0.63C516.09,465.26,517.36,472.15,522.51,475.6z"/>
+				<path class="st0" d="M757.23,277.9V264.2l-12.26-6.85l-0.91-0.48L475.5,106.89l-11.68-6.51l-11.63,6.51L183.58,256.88
+					l-0.91,0.48l-12.25,6.85v13.69l-0.91,0.53l0.91,0.48v13.64v325.01l12.45,6.8l261.62,143.33l3.3,1.82l16.08,8.81l16.04-8.81
+					l3.3-1.82l261.62-143.33l12.4-6.8V292.55v-13.6l0.96-0.53L757.23,277.9z M476.11,744.33V502.51c0-6.59-5.39-11.98-11.98-11.97
+					l-0.18,0l-0.12,0c-6.59-0.01-11.98,5.38-11.98,11.97v241.81L205.61,609.55l-11.26-6.17v-15.11V290.06l196.06,107.42
+					c5.66,3.1,12.84,1.02,15.97-4.63l0.14-0.25c3.16-5.71,1.06-12.96-4.67-16.1L208.33,270.47l243.55-136.03l11.94-6.67l11.99,6.7
+					l243.5,136.01L525.64,376.58c-5.7,3.12-7.48,10.25-4.32,15.92c0.05,0.1,0.11,0.19,0.16,0.29c3.1,5.62,10.02,7.85,15.65,4.77
+					l196.16-107.5v298.19v15.14l-11.23,6.15L476.11,744.33z"/>
+			</g>
+			<circle class="st4" cx="463.95" cy="424.72" r="34.73"/>
+		</g>
+		<path class="st1" d="M649.35,258.97L461.77,153.83c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l187.58,105.15c5.77,3.23,7.82,10.53,4.59,16.29v0C662.41,260.15,655.12,262.2,649.35,258.97z"/>
+		<path class="st1" d="M567.15,267.09l-105.38-59.07c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l105.38,59.07c5.77,3.23,7.82,10.53,4.59,16.29l0,0C580.21,268.26,572.92,270.32,567.15,267.09z"/>
+		<path class="st1" d="M601.67,286.44L601.67,286.44c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l0,0
+			c5.77,3.23,7.82,10.53,4.59,16.29v0C614.73,287.61,607.44,289.67,601.67,286.44z"/>
+		<path class="st1" d="M497.04,283.82l-35-19.62c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l35,19.62
+			c5.77,3.23,7.82,10.53,4.59,16.29l0,0C510.1,284.99,502.8,287.05,497.04,283.82z"/>
+		<path class="st1" d="M549.85,316.05l-20.26-11.36c-5.77-3.23-7.82-10.53-4.59-16.29h0c3.23-5.77,10.53-7.82,16.29-4.59
+			l20.26,11.36c5.77,3.23,7.82,10.53,4.59,16.29v0C562.91,317.23,555.61,319.28,549.85,316.05z"/>
+	</g>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB.svg

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:#50F0FF;}
+	.st2{fill:#0744DD;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<path class="st0" d="M1421.86,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
+			c25.9,0,46.97,21.07,46.97,46.97V281.92z M1374.89,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
+			C1402.79,219.57,1390.28,207.05,1374.89,207.05z"/>
+		<path class="st0" d="M1737.06,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
+			c25.9,0,46.97,21.07,46.97,46.97V281.92z M1690.09,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
+			C1717.98,219.57,1705.47,207.05,1690.09,207.05z"/>
+		<path class="st0" d="M1585.02,281.94c-25.91,0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0,15.39,12.52,27.91,27.91,27.91
+			c15.39,0,27.91-12.52,27.91-27.91v-44.08h19.09v44.08C1632.01,260.86,1610.92,281.94,1585.02,281.94z"/>
+		<path class="st0" d="M1479.94,187.98c-25.9,0-46.97,21.07-46.97,46.97c0,25.9,21.07,46.97,46.97,46.97l19.07-19.07h-19.07
+			c-15.38,0-27.9-12.52-27.9-27.9c0-15.38,12.52-27.9,27.9-27.9c15.38,0,27.9,12.52,27.9,27.9v91.8h19.07v-91.8
+			C1526.91,209.05,1505.84,187.98,1479.94,187.98z"/>
+	</g>
+	<g>
+		<path class="st0" d="M942.76,588.45v46.29c-31.53,0-59.94-11.34-82.34-30.14c-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04
+			v105.2h82.34v46.59h-82.34v81.19C861.05,552.1,897.55,588.45,942.76,588.45z"/>
+		<path class="st0" d="M1106.82,379.26v45.98c-43.65,0.1-79.18,34.71-80.78,77.98v131.52h-46.12V379.26h46.12v29.16
+			C1047.97,390.24,1076.12,379.3,1106.82,379.26z"/>
+		<path class="st0" d="M1136.4,353.72v-40.29h46.05v40.29H1136.4z M1136.4,634.74V379.26h46.05v255.48H1136.4z"/>
+		<path class="st0" d="M1464.76,379.26l-127.64,255.48l-127.8-255.48h52.33l75.47,150.88l75.31-150.88H1464.76z"/>
+		<path class="st0" d="M1740.81,379.26c0,0,0,279.32,0,297.8c0,71.31-58.52,128.26-127.83,128.2
+			c-32.47,0.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13,11.97,32.36,19.22,52.28,19.2c44.86,0,81.17-36.69,81.17-81.55v-71.39
+			c-22.26,18.42-50.67,29.09-81.17,29.06c-69.46,0.06-127.95-56-127.95-127.85c0-1.51,0-127.64,0-127.64h46.64
+			c0,0,0.02,124.23,0.02,127.64c0,44.67,36.39,81.6,81.28,81.55c44.86,0,81.17-36.69,81.17-81.55V379.26H1740.81z"/>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M428.54,364.9c0.04,0,0.08,0,0.12,0c6.56,0.01,11.98-5.03,11.98-11.58V135.99l-12.23-6.83l-12.18,6.8
+					v217.36c0,6.56,5.43,11.61,11.98,11.58C428.32,364.9,428.43,364.9,428.54,364.9z"/>
+				<path class="st2" d="M355.18,463.55L153.55,598.87v15.41l11.49,6.29l203.73-136.73c5.23-3.51,6.53-10.52,3.15-15.84
+					c-0.14-0.23-0.29-0.45-0.43-0.68C367.99,461.7,360.68,459.86,355.18,463.55z"/>
+				<path class="st3" d="M488.27,483.95l203.55,136.61l11.45-6.28v-15.44L501.86,463.66c-5.51-3.7-12.82-1.87-16.32,3.76
+					c-0.13,0.21-0.27,0.43-0.4,0.64C481.73,473.4,483.02,480.43,488.27,483.95z"/>
+				<path class="st0" d="M727.69,282.29v-13.96l-12.5-6.98l-0.93-0.49L440.33,107.87l-11.92-6.64l-11.87,6.64L142.56,260.86
+					l-0.93,0.49l-12.5,6.98v13.96l-0.93,0.54l0.93,0.49v13.92v331.5l12.69,6.94l266.85,146.2l3.37,1.85l16.41,8.98l16.36-8.98
+					l3.37-1.85l266.85-146.2l12.65-6.94v-331.5v-13.87l0.98-0.54L727.69,282.29z M440.95,758.05V511.4c0-6.72-5.5-12.22-12.22-12.21
+					l-0.19,0l-0.13,0c-6.72-0.01-12.22,5.49-12.22,12.21v246.64L165.04,620.57l-11.49-6.29v-15.41V294.7l199.98,109.56
+					c5.77,3.16,13.1,1.04,16.28-4.72l0.14-0.26c3.22-5.83,1.08-13.22-4.76-16.42L167.81,274.72l248.42-138.75l12.18-6.8l12.23,6.83
+					l248.37,138.73L491.47,382.95c-5.81,3.18-7.63,10.45-4.41,16.24c0.05,0.1,0.11,0.2,0.16,0.29c3.16,5.73,10.22,8.01,15.96,4.86
+					L703.27,294.7v304.15v15.44l-11.45,6.28L440.95,758.05z"/>
+			</g>
+			<circle class="st4" cx="428.54" cy="432.05" r="35.42"/>
+		</g>
+		<path class="st1" d="M617.65,262.99L426.32,155.74c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
+			l191.33,107.25c5.88,3.3,7.98,10.74,4.68,16.62l0,0C630.97,264.19,623.53,266.29,617.65,262.99z"/>
+		<path class="st1" d="M533.81,271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
+			l107.48,60.25c5.88,3.3,7.98,10.74,4.68,16.62v0C547.13,272.47,539.69,274.56,533.81,271.27z"/>
+		<path class="st1" d="M569.02,291L569.02,291c-5.88-3.3-7.98-10.74-4.68-16.62l0,0c3.3-5.88,10.74-7.98,16.62-4.68v0
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C582.34,292.2,574.9,294.3,569.02,291z"/>
+		<path class="st1" d="M462.29,288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l35.7,20.01
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C475.61,289.53,468.17,291.63,462.29,288.33z"/>
+		<path class="st1" d="M516.16,321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l20.67,11.58
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C529.48,322.41,522.04,324.51,516.16,321.21z"/>
+	</g>
+</g>
+</svg>

brand/readme.md

@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>

ci/Dockerfile

@@ -1,20 +0,0 @@
-FROM bepsays/ci-goreleaser:1.12-2
-
-RUN apt-get -y update \
-    && apt-get -y install vim rpm reprepro createrepo \
-    && wget https://dl.bintray.com/homebrew/mirror/berkeley-db-18.1.32.tar.gz \
-
-    # Berkeley DB
-    && tar zxvf berkeley-db-18.1.32.tar.gz \
-    && cd db-18.1.32/build_unix \
-
-    # Linux
-    && ../dist/configure --prefix=/usr/local --host=x86_64-linux \
-    && make \
-    && make install \
-
-    # Darwin
-    && make clean \
-    && ../dist/configure --prefix=/usr/local --host=x86_64-apple-darwin15 \
-    && make \
-    && make install

ci/deploy-deb.sh

@@ -1,17 +1,24 @@
 #!/bin/bash
 
-RELEASES=(wheezy jessie stretch buster trusty xenial bionic)
+DEBIAN_RELEASES=$(debian-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 
 cd trivy-repo/deb
 
-for release in ${RELEASES[@]}; do
-  echo "Adding deb package to $release"
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+  echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
-  reprepro includedeb $release ../../dist/*Linux-64bit.deb
+  reprepro -A arm64 remove $release trivy
+done
+
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+  echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-64bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .
 git commit -m "Update deb packages"
-git push origin master
+git push origin main

ci/deploy-rpm.sh

@@ -1,20 +1,51 @@
-#!/bin/sh
+#!/bin/bash
 
-RPM_EL6=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el6/' -e 's/-64bit/.x86_64/')
-RPM_EL7=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el7/' -e 's/-64bit/.x86_64/')
+TRIVY_VERSION=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -nre 's/^[^0-9]*(([0-9]+\.)*[0-9]+).*/\1/p')
+
+function create_common_rpm_repo () {
+        rpm_path=$1
+
+        ARCHES=("x86_64" "aarch64")
+        for arch in ${ARCHES[@]}; do
+                prefix=$arch
+                if [ "$arch" == "x86_64" ]; then
+                        prefix="64bit"
+                elif [ "$arch" == "aarch64" ]; then
+                        prefix="ARM64"
+                fi
+
+                mkdir -p $rpm_path/$arch
+                cp ../dist/*${prefix}.rpm ${rpm_path}/$arch/
+                createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
+                rm ${rpm_path}/$arch/*${prefix}.rpm
+        done
+}
+
+function create_rpm_repo () {
+        version=$1
+        rpm_path=rpm/releases/${version}/x86_64
+
+        mkdir -p $rpm_path
+        cp ../dist/*64bit.rpm ${rpm_path}/
+
+        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+
+        rm ${rpm_path}/*64bit.rpm
+}
+
+echo "Create RPM releases for Trivy v$TRIVY_VERSION"
 
 cd trivy-repo
-mkdir -p rpm/releases/6/x86_64
-mkdir -p rpm/releases/7/x86_64
 
-cd rpm
-cp ../../dist/*64bit.rpm releases/6/x86_64/${RPM_EL6}
-cp ../../dist/*64bit.rpm releases/7/x86_64/${RPM_EL7}
+echo "Processing common repository for RHEL/CentOS..."
+create_common_rpm_repo rpm/releases
 
-createrepo --update releases/6/x86_64/
-createrepo --update releases/7/x86_64/
+VERSIONS=(5 6 7 8 9)
+for version in ${VERSIONS[@]}; do
+        echo "Processing RHEL/CentOS $version..."
+        create_rpm_repo $version
+done
 
 git add .
-git commit -m "Update rpm packages"
-git push origin master
-
+git commit -m "Update rpm packages for Trivy v$TRIVY_VERSION"
+git push origin main

cmd/trivy/main.go

@@ -1,105 +1,43 @@
 package main
 
 import (
-	l "log"
+	"context"
+	"errors"
 	"os"
-	"strings"
 
-	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+	"golang.org/x/xerrors"
 
-	"github.com/urfave/cli"
+	"github.com/aquasecurity/trivy/pkg/commands"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
+	"github.com/aquasecurity/trivy/pkg/types"
 
-	"github.com/knqyf263/trivy/pkg"
-	"github.com/knqyf263/trivy/pkg/log"
-)
-
-var (
-	version = "dev"
+	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
 
 func main() {
-	cli.AppHelpTemplate = `NAME:
-  {{.Name}}{{if .Usage}} - {{.Usage}}{{end}}
-USAGE:
-  {{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}}
-VERSION:
-  {{.Version}}{{end}}{{end}}{{if .Description}}
-DESCRIPTION:
-  {{.Description}}{{end}}{{if len .Authors}}
-AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}:
-  {{range $index, $author := .Authors}}{{if $index}}
-  {{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}}
-OPTIONS:
-  {{range $index, $option := .VisibleFlags}}{{if $index}}
-  {{end}}{{$option}}{{end}}{{end}}
-`
-	app := cli.NewApp()
-	app.Name = "trivy"
-	app.Version = version
-	app.ArgsUsage = "image_name"
-
-	app.Usage = "A simple and comprehensive vulnerability scanner for containers"
-
-	app.Flags = []cli.Flag{
-		cli.StringFlag{
-			Name:  "format, f",
-			Value: "table",
-			Usage: "format (table, json)",
-		},
-		cli.StringFlag{
-			Name:  "input, i",
-			Value: "",
-			Usage: "input file path instead of image name",
-		},
-		cli.StringFlag{
-			Name:  "severity, s",
-			Value: strings.Join(vulnerability.SeverityNames, ","),
-			Usage: "severities of vulnerabilities to be displayed (comma separated)",
-		},
-		cli.StringFlag{
-			Name:  "output, o",
-			Usage: "output file name",
-		},
-		cli.IntFlag{
-			Name:  "exit-code",
-			Usage: "Exit code when vulnerabilities were found",
-			Value: 0,
-		},
-		cli.BoolFlag{
-			Name:  "skip-update",
-			Usage: "skip db update",
-		},
-		cli.BoolFlag{
-			Name:  "clean, c",
-			Usage: "clean all cache",
-		},
-		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "suppress progress bar",
-		},
-		cli.BoolFlag{
-			Name:  "ignore-unfixed",
-			Usage: "display only fixed vulnerabilities",
-		},
-		cli.BoolFlag{
-			Name:  "refresh",
-			Usage: "refresh DB (usually used after version update of trivy)",
-		},
-		cli.BoolFlag{
-			Name:  "debug, d",
-			Usage: "debug mode",
-		},
-	}
-
-	app.Action = func(c *cli.Context) error {
-		return pkg.Run(c)
-	}
-
-	err := app.Run(os.Args)
-	if err != nil {
-		if log.Logger != nil {
-			log.Logger.Fatal(err)
+	if err := run(); err != nil {
+		var exitError *types.ExitError
+		if errors.As(err, &exitError) {
+			os.Exit(exitError.Code)
 		}
-		l.Fatal(err)
+		log.Fatal("Fatal error", log.Err(err))
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		log.InitLogger(false, false)
+		if err := plugin.Run(context.Background(), runAsPlugin, plugin.Options{Args: os.Args[1:]}); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp()
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}

contrib/Trivy.gitlab-ci.yml

@@ -0,0 +1,29 @@
+Trivy_container_scanning:
+  stage: test
+  image:
+    name: alpine:3.11
+  variables:
+    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
+    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+    # for details
+    GIT_STRATEGY: none
+    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
+  allow_failure: true
+  before_script:
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
+    - apk add --no-cache curl docker-cli
+    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
+    - curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
+    - trivy registry login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  script:
+    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches

contrib/asff.tpl

@@ -0,0 +1,161 @@
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- $image := .Target -}}
+    {{- if gt (len $image) 127 -}}
+        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
+    {{- end}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 512 -}}
+        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            {{ if not (empty .PrimaryURL) -}}
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            {{ end -}}
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $image }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Misconfigurations -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+            {{- $description := .Description -}}
+            {{- if gt (len $description ) 512 -}}
+                {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+            {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .ID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .ID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ escapeString .Title }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "{{ .Resolution }}",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Message": "{{ escapeString .Message }}",
+                            "Filename": "{{ $target }}",
+                            "StartLine": "{{ .CauseMetadata.StartLine }}",
+                            "EndLine": "{{ .CauseMetadata.EndLine }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Secrets -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Sensitive Data Identifications" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Filename": "{{ $target }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+      {{- end }}
+    ]
+}

contrib/gitlab-codequality.tpl

@@ -0,0 +1,103 @@
+{{- /* Template based on https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types */ -}}
+[
+  {{- $t_first := true }}
+  {{- range . }}
+  {{- $target := .Target }}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .CauseMetadata.StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+  {{- end }}
+]

contrib/gitlab.tpl

@@ -0,0 +1,112 @@
+{{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
+{
+  "version": "15.0.7",
+  "scan": {
+    "analyzer": {
+      "id": "trivy",
+      "name": "Trivy",
+      "vendor": {
+        "name": "Aqua Security"
+      },
+      "version": "{{ appVersion }}"
+    },
+    "end_time": "{{ now | date "2006-01-02T15:04:05" }}",
+    "scanner": {
+      "id": "trivy",
+      "name": "Trivy",
+      "url": "https://github.com/aquasecurity/trivy/",
+      "vendor": {
+        "name": "Aqua Security"
+      },
+      "version": "{{ appVersion }}"
+    },
+    "start_time": "{{ now | date "2006-01-02T15:04:05" }}",
+    "status": "success",
+    "type": "container_scanning"
+  },
+  {{- $image := "Unknown" -}}
+  {{- $os := "Unknown" -}}
+  {{- range . }}
+    {{- if eq .Class "os-pkgs" -}}
+      {{- $target := .Target }}
+        {{- $image = $target | regexFind "[^\\s]+" }}
+        {{- $os = $target | splitList "(" | last | trimSuffix ")" }}
+    {{- end }}
+  {{- end }}
+  "vulnerabilities": [
+  {{- $t_first := true }}
+  {{- range . }}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "id": "{{ .VulnerabilityID }}",
+      "name": {{ .Title | printf "%q" }},
+      "description": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "UNKNOWN" -}}
+                    "Unknown"
+                  {{- else if eq .Severity "LOW" -}}
+                    "Low"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "Medium"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "High"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "Critical"
+                  {{-  else -}}
+                    "{{ .Severity }}"
+                  {{- end }},
+      "solution": {{ if .FixedVersion -}}
+                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
+                  {{- else -}}
+                    "No solution provided"
+                  {{- end }},
+      "location": {
+        "dependency": {
+          "package": {
+            "name": "{{ .PkgName }}"
+          },
+          "version": "{{ .InstalledVersion }}"
+        },
+        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
+        "operating_system": "{{ $os }}",
+        "image": "{{ $image }}"
+      },
+      "identifiers": [
+        {
+	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
+          "type": "cve",
+          "name": "{{ .VulnerabilityID }}",
+          "value": "{{ .VulnerabilityID }}"
+          {{- /* cf. https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/dist/container-scanning-report-format.json#L157-179 */}}
+          {{- if .PrimaryURL | regexMatch "^(https?|ftp)://.+" -}},
+          "url": "{{ .PrimaryURL }}"
+          {{- end }}
+        }
+      ],
+      "links": [
+        {{- $l_first := true -}}
+        {{- range .References -}}
+        {{- if $l_first -}}
+          {{- $l_first = false }}
+        {{- else -}}
+          ,
+        {{- end -}}
+        {{- if . | regexMatch "^(https?|ftp)://.+" -}}
+        {
+          "url": "{{ . }}"
+        }
+        {{- else -}}
+          {{- $l_first = true }}
+        {{- end -}}
+        {{- end }}
+      ]
+    }
+    {{- end -}}
+  {{- end }}
+  ],
+  "remediations": []
+}

contrib/html.tpl

@@ -0,0 +1,148 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+{{- if . }}
+    <style>
+      * {
+        font-family: Arial, Helvetica, sans-serif;
+      }
+      h1 {
+        text-align: center;
+      }
+      .group-header th {
+        font-size: 200%;
+      }
+      .sub-header th {
+        font-size: 150%;
+      }
+      table, th, td {
+        border: 1px solid black;
+        border-collapse: collapse;
+        white-space: nowrap;
+        padding: .3em;
+      }
+      table {
+        margin: 0 auto;
+      }
+      .severity {
+        text-align: center;
+        font-weight: bold;
+        color: #fafafa;
+      }
+      .severity-LOW .severity { background-color: #5fbb31; }
+      .severity-MEDIUM .severity { background-color: #e9c600; }
+      .severity-HIGH .severity { background-color: #ff8800; }
+      .severity-CRITICAL .severity { background-color: #e40000; }
+      .severity-UNKNOWN .severity { background-color: #747474; }
+      .severity-LOW { background-color: #5fbb3160; }
+      .severity-MEDIUM { background-color: #e9c60060; }
+      .severity-HIGH { background-color: #ff880060; }
+      .severity-CRITICAL { background-color: #e4000060; }
+      .severity-UNKNOWN { background-color: #74747460; }
+      table tr td:first-of-type {
+        font-weight: bold;
+      }
+      .links a,
+      .links[data-more-links=on] a {
+        display: block;
+      }
+      .links[data-more-links=off] a:nth-of-type(1n+5) {
+        display: none;
+      }
+      a.toggle-more-links { cursor: pointer; }
+    </style>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
+    <script>
+      window.onload = function() {
+        document.querySelectorAll('td.links').forEach(function(linkCell) {
+          var links = [].concat.apply([], linkCell.querySelectorAll('a'));
+          [].sort.apply(links, function(a, b) {
+            return a.href > b.href ? 1 : -1;
+          });
+          links.forEach(function(link, idx) {
+            if (links.length > 3 && 3 === idx) {
+              var toggleLink = document.createElement('a');
+              toggleLink.innerText = "Toggle more links";
+              toggleLink.href = "#toggleMore";
+              toggleLink.setAttribute("class", "toggle-more-links");
+              linkCell.appendChild(toggleLink);
+            }
+            linkCell.appendChild(link);
+          });
+        });
+        document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
+          toggleLink.onclick = function() {
+            var expanded = toggleLink.parentElement.getAttribute("data-more-links");
+            toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
+            return false;
+          };
+        });
+      };
+    </script>
+  </head>
+  <body>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
+    <table>
+    {{- range . }}
+      <tr class="group-header"><th colspan="6">{{ .Type | toString | escapeXML }}</th></tr>
+      {{- if (eq (len .Vulnerabilities) 0) }}
+      <tr><th colspan="6">No Vulnerabilities found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Package</th>
+        <th>Vulnerability ID</th>
+        <th>Severity</th>
+        <th>Installed Version</th>
+        <th>Fixed Version</th>
+        <th>Links</th>
+      </tr>
+        {{- range .Vulnerabilities }}
+      <tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
+        <td class="pkg-name">{{ escapeXML .PkgName }}</td>
+        <td>{{ escapeXML .VulnerabilityID }}</td>
+        <td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
+        <td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
+        <td>{{ escapeXML .FixedVersion }}</td>
+        <td class="links" data-more-links="off">
+          {{- range .Vulnerability.References }}
+          <a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
+          {{- end }}
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    </table>
+{{- else }}
+  </head>
+  <body>
+    <h1>Trivy Returned Empty Report</h1>
+{{- end }}
+  </body>
+</html>

contrib/install.sh

@@ -0,0 +1,422 @@
+#!/bin/sh
+set -e
+# Code generated by godownloader on 2020-01-14T10:03:29Z. DO NOT EDIT.
+#
+
+usage() {
+  this=$1
+  cat <<EOF
+$this: download go binaries for aquasecurity/trivy
+
+Usage: $this [-b] bindir [-d] [tag]
+  -b sets bindir or installation directory, Defaults to ./bin
+  -d turns on debug logging
+   [tag] is a tag from
+   https://github.com/aquasecurity/trivy/releases
+   If tag is missing, then the latest will be used.
+
+ Generated by godownloader
+  https://github.com/goreleaser/godownloader
+
+EOF
+  exit 2
+}
+
+parse_args() {
+  #BINDIR is ./bin unless set be ENV
+  # over-ridden by flag below
+
+  BINDIR=${BINDIR:-./bin}
+  while getopts "b:dh?x" arg; do
+    case "$arg" in
+      b) BINDIR="$OPTARG" ;;
+      d) log_set_priority 10 ;;
+      h | \?) usage "$0" ;;
+      x) set -x ;;
+    esac
+  done
+  shift $((OPTIND - 1))
+  TAG=$1
+}
+# this function wraps all the destructive operations
+# if a curl|bash cuts off the end of the script due to
+# network, either nothing will happen or will syntax error
+# out preventing half-done work
+execute() {
+  tmpdir=$(mktemp -d)
+  log_debug "downloading files into ${tmpdir}"
+  http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
+  http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
+  hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
+  srcdir="${tmpdir}"
+  (cd "${tmpdir}" && untar "${TARBALL}")
+  test ! -d "${BINDIR}" && install -d "${BINDIR}"
+  for binexe in $BINARIES; do
+    if [ "$OS" = "windows" ]; then
+      binexe="${binexe}.exe"
+    fi
+    install "${srcdir}/${binexe}" "${BINDIR}/"
+    log_info "installed ${BINDIR}/${binexe}"
+  done
+  rm -rf "${tmpdir}"
+}
+get_binaries() {
+  case "$PLATFORM" in
+    darwin/386) BINARIES="trivy" ;;
+    darwin/amd64) BINARIES="trivy" ;;
+    darwin/arm64) BINARIES="trivy" ;;
+    darwin/armv7) BINARIES="trivy" ;;
+    freebsd/386) BINARIES="trivy" ;;
+    freebsd/amd64) BINARIES="trivy" ;;
+    freebsd/arm64) BINARIES="trivy" ;;
+    freebsd/armv7) BINARIES="trivy" ;;
+    linux/386) BINARIES="trivy" ;;
+    linux/amd64) BINARIES="trivy" ;;
+    linux/ppc64le) BINARIES="trivy" ;;
+    linux/arm64) BINARIES="trivy" ;;
+    linux/armv7) BINARIES="trivy" ;;
+    linux/s390x) BINARIES="trivy" ;;
+    openbsd/386) BINARIES="trivy" ;;
+    openbsd/amd64) BINARIES="trivy" ;;
+    openbsd/arm64) BINARIES="trivy" ;;
+    openbsd/armv7) BINARIES="trivy" ;;
+    windows/amd64) BINARIES="trivy" ;;
+    *)
+      log_crit "platform $PLATFORM is not supported.  Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
+      exit 1
+      ;;
+  esac
+}
+tag_to_version() {
+  if [ -z "${TAG}" ]; then
+    log_info "checking GitHub for latest tag"
+  else
+    log_info "checking GitHub for tag '${TAG}'"
+  fi
+  REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
+  if test -z "$REALTAG"; then
+    log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
+    exit 1
+  fi
+  # if version starts with 'v', remove it
+  TAG="$REALTAG"
+  VERSION=${TAG#v}
+}
+adjust_format() {
+  # change format (tar.gz or zip) based on OS
+  case ${OS} in
+    windows) FORMAT=zip ;;
+  esac
+  true
+}
+adjust_os() {
+  # adjust archive name based on OS
+  case ${OS} in
+    386) OS=32bit ;;
+    amd64) OS=64bit ;;
+    arm) OS=ARM ;;
+    arm64) OS=ARM64 ;;
+    ppc64le) OS=Linux ;;
+    s390x) OS=Linux ;;
+    darwin) OS=macOS ;;
+    dragonfly) OS=DragonFlyBSD ;;
+    freebsd) OS=FreeBSD ;;
+    linux) OS=Linux ;;
+    netbsd) OS=NetBSD ;;
+    openbsd) OS=OpenBSD ;;
+  esac
+  true
+}
+adjust_arch() {
+  # adjust archive name based on ARCH
+  case ${ARCH} in
+    386) ARCH=32bit ;;
+    amd64) ARCH=64bit ;;
+    arm) ARCH=ARM ;;
+    armv7) ARCH=ARM ;;
+    arm64) ARCH=ARM64 ;;
+    ppc64le) ARCH=PPC64LE ;;
+    s390x) ARCH=s390x ;;
+    darwin) ARCH=macOS ;;
+    dragonfly) ARCH=DragonFlyBSD ;;
+    freebsd) ARCH=FreeBSD ;;
+    linux) ARCH=Linux ;;
+    netbsd) ARCH=NetBSD ;;
+    openbsd) ARCH=OpenBSD ;;
+  esac
+  true
+}
+
+cat /dev/null <<EOF
+------------------------------------------------------------------------
+https://github.com/client9/shlib - portable posix shell functions
+Public domain - http://unlicense.org
+https://github.com/client9/shlib/blob/master/LICENSE.md
+but credit (and pull requests) appreciated.
+------------------------------------------------------------------------
+EOF
+is_command() {
+  command -v "$1" >/dev/null
+}
+echoerr() {
+  echo "$@" 1>&2
+}
+log_prefix() {
+  echo "$0"
+}
+_logp=6
+log_set_priority() {
+  _logp="$1"
+}
+log_priority() {
+  if test -z "$1"; then
+    echo "$_logp"
+    return
+  fi
+  [ "$1" -le "$_logp" ]
+}
+log_tag() {
+  case $1 in
+    0) echo "emerg" ;;
+    1) echo "alert" ;;
+    2) echo "crit" ;;
+    3) echo "err" ;;
+    4) echo "warning" ;;
+    5) echo "notice" ;;
+    6) echo "info" ;;
+    7) echo "debug" ;;
+    *) echo "$1" ;;
+  esac
+}
+log_debug() {
+  log_priority 7 || return 0
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
+}
+log_info() {
+  log_priority 6 || return 0
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
+}
+log_err() {
+  log_priority 3 || return 0
+  echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
+}
+log_crit() {
+  log_priority 2 || return 0
+  echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
+}
+uname_os() {
+  os=$(uname -s | tr '[:upper:]' '[:lower:]')
+  case "$os" in
+    cygwin_nt*) os="windows" ;;
+    mingw*) os="windows" ;;
+    msys_nt*) os="windows" ;;
+  esac
+  echo "$os"
+}
+uname_arch() {
+  arch=$(uname -m)
+  case $arch in
+    x86_64) arch="amd64" ;;
+    x86) arch="386" ;;
+    i686) arch="386" ;;
+    i386) arch="386" ;;
+    ppc64le) arch="ppc64le" ;;
+    aarch64) arch="arm64" ;;
+    armv5*) arch="armv5" ;;
+    armv6*) arch="armv6" ;;
+    armv7*) arch="armv7" ;;
+    s390*) arch="s390x" ;;
+  esac
+  echo ${arch}
+}
+uname_os_check() {
+  os=$(uname_os)
+  case "$os" in
+    darwin) return 0 ;;
+    dragonfly) return 0 ;;
+    freebsd) return 0 ;;
+    linux) return 0 ;;
+    android) return 0 ;;
+    nacl) return 0 ;;
+    netbsd) return 0 ;;
+    openbsd) return 0 ;;
+    plan9) return 0 ;;
+    solaris) return 0 ;;
+    windows) return 0 ;;
+  esac
+  log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
+  return 1
+}
+uname_arch_check() {
+  arch=$(uname_arch)
+  case "$arch" in
+    386) return 0 ;;
+    amd64) return 0 ;;
+    arm64) return 0 ;;
+    armv5) return 0 ;;
+    armv6) return 0 ;;
+    armv7) return 0 ;;
+    ppc64) return 0 ;;
+    ppc64le) return 0 ;;
+    mips) return 0 ;;
+    mipsle) return 0 ;;
+    mips64) return 0 ;;
+    mips64le) return 0 ;;
+    s390x) return 0 ;;
+    amd64p32) return 0 ;;
+  esac
+  log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value.  Please file bug report at https://github.com/client9/shlib"
+  return 1
+}
+untar() {
+  tarball=$1
+  case "${tarball}" in
+    *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
+    *.tar) tar --no-same-owner -xf "${tarball}" ;;
+    *.zip) unzip "${tarball}" ;;
+    *)
+      log_err "untar unknown archive format for ${tarball}"
+      return 1
+      ;;
+  esac
+}
+http_download_curl() {
+  local_file=$1
+  source_url=$2
+  header=$3
+  if [ -z "$header" ]; then
+    code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
+  else
+    code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
+  fi
+  if [ "$code" != "200" ]; then
+    log_debug "http_download_curl received HTTP status $code"
+    return 1
+  fi
+  return 0
+}
+http_download_wget() {
+  local_file=$1
+  source_url=$2
+  header=$3
+  if [ -z "$header" ]; then
+    wget -q -O "$local_file" "$source_url"
+  else
+    wget -q --header "$header" -O "$local_file" "$source_url"
+  fi
+}
+http_download() {
+  log_debug "http_download $2"
+  if is_command curl; then
+    http_download_curl "$@"
+    return
+  elif is_command wget; then
+    http_download_wget "$@"
+    return
+  fi
+  log_crit "http_download unable to find wget or curl"
+  return 1
+}
+http_copy() {
+  tmp=$(mktemp)
+  http_download "${tmp}" "$1" "$2" || return 1
+  body=$(cat "$tmp")
+  rm -f "${tmp}"
+  echo "$body"
+}
+github_release() {
+  owner_repo=$1
+  version=$2
+  test -z "$version" && version="latest"
+  giturl="https://github.com/${owner_repo}/releases/${version}"
+  json=$(http_copy "$giturl" "Accept:application/json")
+  test -z "$json" && return 1
+  version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
+  test -z "$version" && return 1
+  echo "$version"
+}
+hash_sha256() {
+  TARGET=${1:-/dev/stdin}
+  if is_command gsha256sum; then
+    hash=$(gsha256sum "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command sha256sum; then
+    hash=$(sha256sum "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command shasum; then
+    hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command openssl; then
+    hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f a
+  else
+    log_crit "hash_sha256 unable to find command to compute sha-256 hash"
+    return 1
+  fi
+}
+hash_sha256_verify() {
+  TARGET=$1
+  checksums=$2
+  if [ -z "$checksums" ]; then
+    log_err "hash_sha256_verify checksum file not specified in arg2"
+    return 1
+  fi
+  BASENAME=${TARGET##*/}
+  want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
+  if [ -z "$want" ]; then
+    log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
+    return 1
+  fi
+  got=$(hash_sha256 "$TARGET")
+  if [ "$want" != "$got" ]; then
+    log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
+    return 1
+  fi
+}
+cat /dev/null <<EOF
+------------------------------------------------------------------------
+End of functions from https://github.com/client9/shlib
+------------------------------------------------------------------------
+EOF
+
+PROJECT_NAME="trivy"
+OWNER=aquasecurity
+REPO="trivy"
+BINARY=trivy
+FORMAT=tar.gz
+OS=$(uname_os)
+ARCH=$(uname_arch)
+PREFIX="$OWNER/$REPO"
+
+# use in logging routines
+log_prefix() {
+	echo "$PREFIX"
+}
+PLATFORM="${OS}/${ARCH}"
+GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
+
+uname_os_check "$OS"
+uname_arch_check "$ARCH"
+
+parse_args "$@"
+
+get_binaries
+
+tag_to_version
+
+adjust_format
+
+adjust_os
+
+adjust_arch
+
+log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
+
+NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH}
+TARBALL=${NAME}.${FORMAT}
+TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
+CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
+CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
+
+
+execute

contrib/junit.tpl

@@ -0,0 +1,48 @@
+<?xml version="1.0" ?>
+<testsuites name="trivy">
+{{- range . -}}
+{{- $failures := len .Vulnerabilities }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Vulnerabilities }}
+        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
+
+{{- if .MisconfSummary }}
+    <testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{  .Target }}" errors="0" time="">
+{{- else }}
+    <testsuite tests="0" failures="0" name="{{  .Target }}" errors="0" skipped="0" time="">
+{{- end }}
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+        {{- if (eq .Status "FAIL") }}
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        {{- end }}
+        </testcase>
+    {{- end }}
+    </testsuite>
+
+{{- if .Licenses }}
+    {{- $licenses := len .Licenses }}
+    <testsuite tests="{{ $licenses }}" failures="{{ $licenses }}" name="{{ .Target }}" time="0">{{ range .Licenses }}
+        <testcase classname="{{ .PkgName }}" name="[{{ .Severity }}] {{ .Name }}">
+            <failure/>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+
+{{- end }}
+</testsuites>

docs/assets/css/trivy_v1_homepage.scss

@@ -0,0 +1,693 @@
+/* trivy homepage */
+
+//aqua brand colors
+$aq-royal-blue: #1904da;
+$aq-legacy-blue: #08b1d5;
+$aq-coral-red: #ff445f;
+$aq-starfish-yellow: #ffc900;
+$aq-dark-abyss: #07242d;
+$aq-deep-sea-blue: #183278;
+$aq-ocean-ash: #405a75;
+$aq-sea-foam: #00ffe4;
+
+$aq-neo-background: #ebf3fa;
+$aq-neo-background-hover: #f0f8ff;
+
+
+$aq-royal-blue-dark: #1503ba;
+
+$aq-trivy-dark: #0a0b23;
+
+
+$weight-normal: 400;
+$weight-semibold: 600;
+$weight-bold: 700;
+
+
+
+$gap: 32px;
+// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
+$tablet: 769px;
+
+// 960px container + 4rem
+$desktop: 960px + 2 * $gap;
+
+// 1152px container + 4rem
+$widescreen: 1152px + 2 * $gap;
+$widescreen-enabled: true;
+
+// 1344px container + 4rem
+$fullhd: 1344px + 2 * $gap;
+$fullhd-enabled: true;
+
+
+
+body {
+
+	font-family: "Inter", sans-serif;
+}
+
+.trivy_v1_homepage_wrap {
+	position: relative;
+ 	z-index: 3;
+
+	* {
+		transition: all 0.2s ease !important;
+	}
+
+	.container {
+		width: 100%;
+		margin: 0 auto;
+		max-width: 1440px;
+
+		@media screen and (max-width: $tablet), print { //769
+			padding: 0 24px;
+			max-width: $tablet; //769
+		} //until tablet
+	}
+
+	.button {
+	
+		background-color: #ebf3fa;
+		border: 1px solid #dbdbdb;
+		border-width: 1px;
+		color: #363636;
+		cursor: pointer;
+		justify-content: center;
+		padding-bottom: calc(.5em - 1px);
+		padding-left: 1em;
+		padding-right: 1em;
+		padding-top: calc(.5em - 1px);
+		text-align: center;
+		white-space: nowrap;
+		border-radius: 4px;
+		transition: all .2s ease;
+		font-size: 16px;
+		display: inline-block;
+		font-weight: 700;
+		
+		&.is-seafoam {
+			background-color: $aq-sea-foam;
+			border-color: $aq-sea-foam;
+			color: $aq-dark-abyss;
+
+
+			&.is-outlined {
+				background-color: rgba(0,0,0,0);
+				border-color: $aq-sea-foam;
+				color: $aq-sea-foam;
+				border-width: 2px;
+
+				&:hover {
+					background-color: $aq-sea-foam;
+					color: $aq-dark-abyss;
+				}
+			} //is-outlines
+			
+		} //is-seafoam
+
+		&.large_btn {
+			font-size: 22px;
+			padding: 16px 27px;
+			margin-right: 12px;
+
+			@media screen and (max-width: $tablet), print {
+				font-size: 18px;
+			} //until tablet
+		}
+		
+
+
+		&.solidseafoamarrowbutton {
+			
+			background-color: $aq-sea-foam;
+			font-weight: 700;
+			border: 2px solid $aq-sea-foam;
+			font-size: 22px; //1.375rem; //1.125rem;
+			padding: 16px 27px;
+			color: $aq-dark-abyss;
+
+
+			&:after {
+					content: "";
+					border: solid $aq-dark-abyss;
+					border-width: 0 2px 2px 0;
+					display: inline-block;
+					padding: 4px;
+					transform: rotate(-45deg);
+					margin-left: 30px;
+					vertical-align: middle;
+					transition: all .2s;
+			}
+		} //solidseafoamarrowbutton
+
+	} //button
+
+	.margin-bottom-20 {
+		margin-bottom: 20px;
+	}
+
+	.hero_wrap {
+		background-color: $aq-trivy-dark;
+		background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
+		min-height: 1050px;
+		position: relative;
+		z-index: 10;
+
+
+
+		
+
+
+		.homepage_background_image_wrap {
+			position: absolute;
+			left: 0px;
+			top: 0px;
+			width: 100%;
+			height: 100%;
+			z-index: 1;
+			pointer-events: none;
+
+
+			.stars_wrap {
+				position: absolute;
+				left: 0px;
+				top: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 1;
+				overflow: hidden;
+				
+				.stars_bg {
+					position: absolute;
+					width: 400vw;
+					height: 400vh;
+					top: 50%;
+					left: 50%;
+					margin-top: -200vh;
+					margin-left: -200vw;
+					animation: stars_ani 240s linear infinite;
+					background-size: 240px;
+					backface-visibility: visible;
+					background-image:url(../images/homepage_hero_stars_02.svg);
+					background-repeat: repeat;
+					
+				}
+
+
+				@keyframes stars_ani {
+					0% { transform: rotate(0deg); }
+					100% { transform: rotate(360deg); }
+				}
+
+			} //stars_wrap
+
+			.terrain_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 680px;
+				background-image:url(../images/homepage_hero_terrain_08.svg);
+				background-repeat: no-repeat;
+				background-position: center top;
+				background-size: cover;
+				z-index: 2;
+			} // terrain_wrap
+
+
+			.beams_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 3;
+				overflow: hidden;
+
+				.beam {
+					position: absolute;
+					right: 200px;
+					top: 270px;
+					width: 3px;
+					height: 350%;
+					background: rgba(#3eabff,0.6);
+					box-shadow: 0px 0px 55px 0px rgba(#3eabff,1);
+					transform-origin: 0 0;
+					animation: beam_ani 10s infinite;
+					
+					&.num2 {animation: beam_ani 11s infinite;}
+					&.num3 {animation: beam_ani 12s infinite;}
+					&.num4 {animation: beam_ani 13s infinite;}
+				} //beam
+							
+				@keyframes beam_ani {
+					0% { transform: rotate(75deg); }
+					50% { transform: rotate(-15deg); }
+					100% { transform: rotate(75deg); }
+				}
+
+				.sphere {
+					z-index:999;
+					position: absolute;
+					top: 60px;
+					right: 50px;
+					width: 280px;
+					height: 280px;
+					background-image:url(../images/homepage_hero_orb_03.png);
+					background-position: center center;
+					background-repeat: no-repeat;
+				}
+
+			} //beams_wrap
+
+
+			.person_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 595px;
+				background-image:url(../images/homepage_v1_hero_person_01.png);
+				background-repeat: no-repeat;
+				background-position: center bottom;
+				z-index: 4;
+
+			} // person_wrap				
+			
+
+
+		} //hero_background_image_wrap
+	}
+
+
+
+	.hero {
+
+		
+		.hero-body {
+			padding: 80px 0px;
+			// border: 1px solid red;
+
+			.header_title_wrap {
+				.header_title_content_wrap {
+
+					width: 50%;
+					position: relative;
+					z-index: 3;
+
+					.page_title {
+						color: #ffffff;
+						font-weight: $weight-bold;
+						font-size: 48px; //3rem;
+						line-height: 1.3;
+					}//page_title
+			
+					.page_subtitle {
+						color: #ffffff;
+						font-weight: $weight-normal;
+						font-size: 24px; //1.5rem;
+						line-height: 1.3;
+						margin-bottom: 30px;
+					} //page_subtitle
+
+
+					@media screen and (max-width: $widescreen), print {
+						width: 70%;
+					} //until widescreen
+
+					@media screen and (max-width: $tablet), print { //769
+
+						width: 100%;
+
+						.page_title {
+							font-size: 32px; //2rem;
+						}//page_title
+			
+						.page_subtitle {
+							font-size: 18px; //1.125rem;
+						}//page_subtitle
+			
+					} //until tablet
+
+
+				} //header_title_content_wrap
+
+			} //header_title_wrap
+
+			@media screen and (min-width: $tablet), print { //769
+				padding: 48px 24px; //3rem 1.5rem;
+			}
+		}
+
+	} //hero
+
+
+
+
+
+	// } //page-trivy_homepage
+
+
+
+
+	/* homepage_community */
+	.homepage_community_wrap {
+	position: relative;
+	background-color: $aq-trivy-dark;
+	color: #ffffff;
+	z-index: 5;
+	padding-top: 60px;
+	padding-bottom: 20px;
+
+
+	.container.wide_container {
+		max-width: 1640px;
+		padding-left: 20px;
+		padding-right: 20px;
+		display: flex;
+		flex-direction: row;
+		flex-wrap: wrap;
+	}
+
+
+	.community_titles_column {
+		width: 33.3333%;
+		padding-right: 32px;
+
+		@media screen and (max-width: $desktop), print {
+			width: 41.6666666667%;
+		} //until desktop
+
+		@media screen and (max-width: $tablet), print {
+			width: 100%;
+		} //until tablet
+	}
+
+	.community_slider_column {
+		width: 66.6666%;
+
+		@media screen and (max-width: $desktop), print {
+			width: 58.3333333333%;
+		} //until desktop
+
+		@media screen and (max-width: $tablet), print {
+			width: 100%;
+		} //until tablet
+	}
+
+
+	.community_title {
+		color: $aq-sea-foam;
+		font-size: 60px; //3.75rem;
+		font-weight: $weight-bold;
+		margin-bottom: 24px; ////1.5rem;
+		line-height: 1.2;
+		
+
+	}
+
+	.community_subtitle  {
+		color: #ffffff;
+		font-size: 26px; //1.625rem;
+		margin-bottom: 24px; ////1.5rem;
+		
+
+	}
+
+	.community_cta_wrap {
+
+		.button {
+			font-weight: $weight-bold;
+			margin-right: 10px;
+		}
+		
+	}
+
+	.community_quotes_wrap {
+		position: relative;
+		
+
+		.community_quotes {
+			column-count: 3;
+			column-gap: 20px;
+
+			@media screen and (max-width: $widescreen), print { //1216
+				column-count: 2;
+			}
+
+			@media screen and (max-width: $tablet), print { //769
+				column-count: 1;
+			}
+
+			.quote_item_wrap {
+				display: inline-block;
+				margin: 0px 0px 20px 0px;
+				width: 100%;
+			}
+
+			.quote_item {
+
+				display: block;
+				position: relative;
+				color: #ffffff;
+				border: 1px solid rgba($aq-sea-foam,0.2);
+				background-color: rgba($aq-sea-foam,0.05);
+				border-radius: 4px;
+				padding: 25px;
+
+				.quote_name {
+					font-size: 16px; //1rem;
+					font-weight: $weight-semibold;
+				}
+
+				.quote_twitter_handle {
+					opacity: 0.6;
+					font-size: 13px; //0.8125rem;
+				}
+
+				.quote_company {
+					opacity: 0.6;
+					font-size: 13px; //0.8125rem;
+				}
+
+				.quote_text {
+					font-size: 16px; //1rem;
+					font-weight: $weight-normal;
+					line-height: 1.3;
+				}
+
+				.quote_avatar {
+					display: block;
+					position: absolute;
+					top: 25px;
+					left: 25px;
+					width: 40px;
+					height: 40px;
+					border-radius: 50%;
+					background-repeat: no-repeat;
+					background-position: center center;
+					background-size: cover;
+
+				}
+
+				&.is_tweet {
+
+					.quote_text {
+						padding-top: 10px;
+					}
+					
+
+					&.has_avatar {
+						.quote_name,
+						.quote_twitter_handle {
+							padding-left: 50px;
+						}
+					} //has_avatar
+
+				} //&is_tweet
+
+				&.is_quote {
+
+					.quote_text {
+						position: relative;
+						padding-top: 40px;
+						padding-bottom: 10px;
+
+						&:before {
+							content: "";
+							display: block;
+							position: absolute;
+							top: -10px;
+							left: 0px;
+							width: 56px;
+							height: 42px;
+							background-image: url(../images/community_quote.png);
+							background-position: center center;
+							background-repeat: no-repeat;
+						}
+					} //quote_text
+					
+				} //&is_quote
+
+			} //quote_item
+
+		}
+
+	} //community_quotes_wrap
+
+	@media screen and (max-width: $tablet), print { //tablet
+
+		.community_title {
+			font-size: 32px; //2rem;
+		}
+		.community_subtitle {
+			font-size: 18px; //1.125rem;
+		}
+
+	} //until
+
+
+	} //homepage_community_wrap
+
+} //trivy_homepage_wrap
+
+
+
+
+
+/* Slider */
+.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
+.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
+.slick-list:focus{outline:none;}
+.slick-list.dragging{cursor:hand;}
+.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
+.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
+.slick-track:before,.slick-track:after{display:table;content:'';}
+.slick-track:after{clear:both;}
+.slick-loading .slick-track{visibility:hidden;}
+.slick-slide{display:none;float:left;height:100%;min-height:1px;}
+.slick-slide:focus{outline:none;}
+.slick-slide img{display:block;}
+.slick-slide.slick-loading img{display:none;}
+.slick-slide.dragging img{pointer-events:none;}
+.slick-initialized .slick-slide{display:block;}
+.slick-loading .slick-slide{visibility:hidden;}
+.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
+.slick-arrow.slick-hidden{display:none;}
+
+.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
+.slick-arrow:focus, .slick-arrow:active {outline:none;}
+.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
+.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
+.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
+
+
+
+/* dots */
+.slick-dotted.slick-slider
+{
+	margin-bottom: 0px;
+}
+
+
+.slick-dots
+{
+	//position: absolute;
+	//bottom: -25px;
+	position: relative;
+	display: block;
+
+	width: 100%;
+	padding: 0;
+	margin: 0;
+
+	list-style: none;
+
+	text-align: center;
+}
+
+
+.slick-dots li {
+	position: relative;
+	display: inline-block;
+	width: 24px;
+	height: 24px;
+	margin: 0px 4px;
+	padding: 0;
+	cursor: pointer;
+}
+
+.slick-dots li button
+{
+	font-size: 0;
+	line-height: 0;
+
+	display: block;
+
+	width: 24px;
+	height: 24px;
+	padding: 0px;
+
+	cursor: pointer;
+
+	color: transparent;
+	border: 0;
+	outline: none;
+	background: transparent;
+
+	&:before {
+
+		position: relative;
+		top: 0px;
+		left: 0px;
+		width: 20px;
+		height: 20px;
+		content: "";
+		background-color: transparent;
+		border: 2px solid $aq-sea-foam;
+		border-radius: 50%;
+		display: block;
+		opacity: 0.7;
+	}
+
+	&:after {
+
+		position: absolute;
+		top: 7px;
+		left: 5px;
+		width: 10px;
+		height: 10px;
+		content: "";
+		background-color: $aq-sea-foam;
+		//border: 1px solid #666;
+		border-radius: 50%;
+		//box-shadow: inset 1px 1px 1px #888;
+		display: block;
+		opacity: 0;
+		transition: 0.2s ease-out;
+
+	}
+
+
+	
+
+}
+.slick-dots li button:hover,
+.slick-dots li button:focus
+{
+	outline: none;
+	&:after {
+		opacity: 1;
+	}
+}
+
+.slick-dots li.slick-active button:after {
+		opacity: 1;
+}
+
+
+
+

docs/assets/images/homepage_hero_stars_02.svg

@@ -0,0 +1 @@
+<svg version="1.1" id="Layer_2" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 240 240" enable-background="new 0 0 240 240" xml:space="preserve"><rect x="106" y="90" fill="#00ffe4" width="2" height="2"/><rect x="74" y="63" fill="#00ffe4" width="1" height="1"/><rect x="23" y="66" fill="#00ffe4" width="1" height="1"/><rect x="50" y="110" fill="#00ffe4" width="1" height="1"/><rect x="63" y="128" fill="#00ffe4" width="1" height="1"/><rect x="45" y="149" fill="#00ffe4" width="1" height="1"/><rect x="92" y="151" fill="#00ffe4" width="1" height="1"/><rect x="58" y="8" fill="#00ffe4" width="1" height="1"/><rect x="147" y="33" fill="#00ffe4" width="2" height="2"/><rect x="91" y="43" fill="#00ffe4" width="1" height="1"/><rect x="169" y="29" fill="#ffffff" width="1" height="1"/><rect x="182" y="19" fill="#00ffe4" width="1" height="1"/><rect x="161" y="59" fill="#00ffe4" width="1" height="1"/><rect x="138" y="95" fill="#00ffe4" width="1" height="1"/><rect x="199" y="71" fill="#ffffff" width="3" height="3"/><rect x="213" y="153" fill="#00ffe4" width="2" height="2"/><rect x="128" y="163" fill="#ffffff" width="1" height="1"/><rect x="205" y="174" fill="#00ffe4" width="1" height="1"/><rect x="152" y="200" fill="#00ffe4" width="1" height="1"/><rect x="52" y="211" fill="#00ffe4" width="2" height="2"/><rect y="191" fill="#00ffe4" width="1" height="1"/><rect x="110" y="184" fill="#00ffe4" width="1" height="1"/></svg>

docs/assets/images/trivy_logo_horizontal_white.svg

@@ -0,0 +1 @@
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891" xml:space="preserve"><style>.st0{fill:#fff}.st1{fill:#50f0ff}</style><path class="st0" d="M1421.86 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c0-15.38-12.51-27.9-27.9-27.9zM1737.06 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c-.01-15.38-12.52-27.9-27.9-27.9zM1585.02 281.94c-25.91 0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0 15.39 12.52 27.91 27.91 27.91s27.91-12.52 27.91-27.91v-44.08h19.09v44.08c-.01 25.91-21.1 46.99-47 46.99zM1479.94 187.98c-25.9 0-46.97 21.07-46.97 46.97s21.07 46.97 46.97 46.97l19.07-19.07h-19.07c-15.38 0-27.9-12.52-27.9-27.9 0-15.38 12.52-27.9 27.9-27.9 15.38 0 27.9 12.52 27.9 27.9v91.8h19.07v-91.8c0-25.9-21.07-46.97-46.97-46.97zM942.76 588.45v46.29c-31.53 0-59.94-11.34-82.34-30.14-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04v105.2h82.34v46.59h-82.34v81.19c.63 45.06 37.13 81.41 82.34 81.41zM1106.82 379.26v45.98c-43.65.1-79.18 34.71-80.78 77.98v131.52h-46.12V379.26h46.12v29.16c21.93-18.18 50.08-29.12 80.78-29.16zM1136.4 353.72v-40.29h46.05v40.29h-46.05zm0 281.02V379.26h46.05v255.48h-46.05zM1464.76 379.26l-127.64 255.48-127.8-255.48h52.33l75.47 150.88 75.31-150.88h52.33zM1740.81 379.26v297.8c0 71.31-58.52 128.26-127.83 128.2-32.47.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13 11.97 32.36 19.22 52.28 19.2 44.86 0 81.17-36.69 81.17-81.55v-71.39c-22.26 18.42-50.67 29.09-81.17 29.06-69.46.06-127.95-56-127.95-127.85V379.24h46.64l.02 127.64c0 44.67 36.39 81.6 81.28 81.55 44.86 0 81.17-36.69 81.17-81.55V379.26h46.66z"/><path class="st1" d="M428.54 364.9h.12c6.56.01 11.98-5.03 11.98-11.58V135.99l-12.23-6.83-12.18 6.8v217.36c0 6.56 5.43 11.61 11.98 11.58h.33z"/><path d="M355.18 463.55 153.55 598.87v15.41l11.49 6.29 203.73-136.73c5.23-3.51 6.53-10.52 3.15-15.84-.14-.23-.29-.45-.43-.68-3.5-5.62-10.81-7.46-16.31-3.77z" style="fill:#0744dd"/><path d="m488.27 483.95 203.55 136.61 11.45-6.28v-15.44L501.86 463.66c-5.51-3.7-12.82-1.87-16.32 3.76-.13.21-.27.43-.4.64-3.41 5.34-2.12 12.37 3.13 15.89z" style="fill:#ffc900"/><path class="st0" d="M727.69 282.29v-13.96l-12.5-6.98-.93-.49-273.93-152.99-11.92-6.64-11.87 6.64-273.98 152.99-.93.49-12.5 6.98v13.96l-.93.54.93.49v345.42l12.69 6.94 266.85 146.2 3.37 1.85 16.41 8.98 16.36-8.98 3.37-1.85 266.85-146.2 12.65-6.94V283.37l.98-.54-.97-.54zM440.95 758.05V511.4c0-6.72-5.5-12.22-12.22-12.21h-.32c-6.72-.01-12.22 5.49-12.22 12.21v246.64L165.04 620.57l-11.49-6.29V294.7l199.98 109.56c5.77 3.16 13.1 1.04 16.28-4.72l.14-.26c3.22-5.83 1.08-13.22-4.76-16.42L167.81 274.72l248.42-138.75 12.18-6.8 12.23 6.83 248.37 138.73-197.54 108.22c-5.81 3.18-7.63 10.45-4.41 16.24.05.1.11.2.16.29 3.16 5.73 10.22 8.01 15.96 4.86L703.27 294.7v319.59l-11.45 6.28-250.87 137.48z"/><circle cx="428.54" cy="432.05" r="35.42" style="fill:#ff0036"/><path class="st1" d="M617.65 262.99 426.32 155.74c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l191.33 107.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM533.81 271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l107.48 60.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.97-16.62 4.68zM569.02 291c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68 5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM462.29 288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l35.7 20.01c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM516.16 321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l20.67 11.58c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68z"/></svg>

docs/build/Dockerfile

@@ -0,0 +1,6 @@
+FROM squidfunk/mkdocs-material:9.5.44
+
+# https://squidfunk.github.io/mkdocs-material/getting-started/?h=macros#with-docker-material-for-mkdocs
+
+COPY requirements.txt .
+RUN pip install -r requirements.txt

docs/build/requirements.in

@@ -0,0 +1,3 @@
+mkdocs-material==9.5.44
+mkdocs-macros-plugin
+mike

docs/build/requirements.txt

@@ -0,0 +1,114 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --output-file=docs/build/requirements.txt docs/build/requirements.in
+#
+babel==2.16.0
+    # via mkdocs-material
+certifi==2024.8.30
+    # via requests
+charset-normalizer==3.4.0
+    # via requests
+click==8.1.7
+    # via mkdocs
+colorama==0.4.6
+    # via mkdocs-material
+ghp-import==2.1.0
+    # via mkdocs
+hjson==3.1.0
+    # via
+    #   mkdocs-macros-plugin
+    #   super-collections
+idna==3.10
+    # via requests
+importlib-metadata==8.5.0
+    # via mike
+importlib-resources==6.4.5
+    # via mike
+jinja2==3.1.4
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-macros-plugin
+    #   mkdocs-material
+markdown==3.7
+    # via
+    #   mkdocs
+    #   mkdocs-material
+    #   pymdown-extensions
+markupsafe==3.0.2
+    # via
+    #   jinja2
+    #   mkdocs
+mergedeep==1.3.4
+    # via
+    #   mkdocs
+    #   mkdocs-get-deps
+mike==2.1.3
+    # via -r docs/build/requirements.in
+mkdocs==1.6.1
+    # via
+    #   mike
+    #   mkdocs-macros-plugin
+    #   mkdocs-material
+mkdocs-get-deps==0.2.0
+    # via mkdocs
+mkdocs-macros-plugin==1.3.7
+    # via -r docs/build/requirements.in
+mkdocs-material==9.5.44
+    # via -r docs/build/requirements.in
+mkdocs-material-extensions==1.3.1
+    # via mkdocs-material
+packaging==24.2
+    # via
+    #   mkdocs
+    #   mkdocs-macros-plugin
+paginate==0.5.7
+    # via mkdocs-material
+pathspec==0.12.1
+    # via
+    #   mkdocs
+    #   mkdocs-macros-plugin
+platformdirs==4.3.6
+    # via mkdocs-get-deps
+pygments==2.18.0
+    # via mkdocs-material
+pymdown-extensions==10.12
+    # via mkdocs-material
+pyparsing==3.2.0
+    # via mike
+python-dateutil==2.9.0.post0
+    # via
+    #   ghp-import
+    #   mkdocs-macros-plugin
+pyyaml==6.0.2
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-get-deps
+    #   mkdocs-macros-plugin
+    #   pymdown-extensions
+    #   pyyaml-env-tag
+pyyaml-env-tag==0.1
+    # via
+    #   mike
+    #   mkdocs
+regex==2024.11.6
+    # via mkdocs-material
+requests==2.32.3
+    # via mkdocs-material
+six==1.16.0
+    # via python-dateutil
+super-collections==0.5.3
+    # via mkdocs-macros-plugin
+termcolor==2.5.0
+    # via mkdocs-macros-plugin
+urllib3==2.2.3
+    # via requests
+verspec==0.1.0
+    # via mike
+watchdog==6.0.0
+    # via mkdocs
+zipp==3.21.0
+    # via importlib-metadata

docs/community/contribute/checks/overview.md

@@ -0,0 +1,130 @@
+# Contribute Rego Checks
+
+The following guide provides an overview of contributing checks to the default checks in Trivy. 
+
+All of the checks in Trivy can be found in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository on GitHub. Before you begin writing a check, ensure:
+
+1. The check does not already exist as part of the default checks in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository.
+2. The pull requests in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/pulls) repository to see  whether someone else is already contributing the check that you wanted to add. 
+3. The [issues in Trivy](https://github.com/aquasecurity/trivy/issues) to see whether any specific checks are missing in Trivy that you can contribute.
+
+If anything is unclear, please [start a discussion](https://github.com/aquasecurity/trivy/discussions/new) and we will do our best to help.
+
+## Check structure
+
+Checks are written in Rego and follow a particular structure in Trivy. Below is an example check for AWS:
+
+```rego
+# METADATA
+# title: "RDS IAM Database Authentication Disabled"
+# description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access"
+# scope: package
+# schemas:
+# - input: schema["aws"]
+# related_resources:
+# - https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
+# custom:
+#   id: AVD-AWS-0176
+#   avd_id: AVD-AWS-0176
+#   provider: aws
+#   service: rds
+#   severity: MEDIUM
+#   short_code: enable-iam-auth
+#   recommended_action: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication."
+#   input:
+#     selector:
+#     - type: cloud
+#       subtypes:
+#         - service: rds
+#           provider: aws
+
+package builtin.aws.rds.aws0176
+
+deny[res] {
+	instance := input.aws.rds.instances[_]
+	instance.engine.value == ["postgres", "mysql"][_]
+	not instance.iamauthenabled.value
+	res := result.new("Instance does not have IAM Authentication enabled", instance.iamauthenabled)
+}
+```
+
+## Verify the provider and service exists
+
+Every check for a cloud service references a cloud provider. The list of providers are found in the [Trivy](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) repository. 
+
+Before writing a new check for a cloud provider, you need to verify if the cloud provider or resource type that your check targets is supported by Trivy. If it's not, you'll need to add support for it. Additionally, if the provider that you want to target exists, you need to check whether the service your policy will target is supported. As a reference you can take a look at the AWS provider [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go).
+
+???+ note
+    New Kubernetes and Dockerfile checks do not require any additional provider definitions. You can find an example of a Dockerfile check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/docker/add_instead_of_copy.rego) and a Kubernetes check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/kubernetes/general/CPU_not_limited.rego).
+
+
+### Add Support for a New Service in an existing Provider
+
+[Please reference the documentation on adding Support for a New Service](./service-support.md).
+
+This guide also showcases how to add new properties for an existing Service.
+
+## Create a new .rego file
+
+The following directory in the trivy-checks repository contains all of our custom checks. Depending on what type of check you want to create, you will need to nest a new `.rego` file in either of the [subdirectories](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
+
+* cloud: All checks related to cloud providers and their services
+* docker: Docker specific checks
+* kubernetes: Kubernetes specific checks
+
+## Check Package name
+
+Have a look at the existing package names in the [built in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks). 
+
+The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `builtin.aws.rds.aws0176`.
+
+## Generating an ID
+
+Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID. 
+
+Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule. 
+
+## Check Schemas
+
+Rego Checks for Trivy can utilise Schemas to map the input to specific objects. The schemas available are listed [here.](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas). 
+
+More information on using the builtin schemas is provided in the [main documentation.](../../../docs/scanner/misconfiguration/custom/schema.md)
+
+## Check Metadata
+
+The metadata is the top section that starts with `# METADATA`, and has to be placed on top of the check. You can copy and paste from another check as a starting point. This format is effectively _yaml_ within a Rego comment, and is [defined as part of Rego itself](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata).
+
+For detailed information on each component of the Check Metadata, please refer to the [main documentation.](../../../docs/scanner/misconfiguration/custom/index.md)
+
+Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
+
+
+## Writing Rego Rules
+
+Rules are defined using _OPA Rego_. You can find a number of examples in the `checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). The [OPA documentation](https://www.openpolicyagent.org/docs/latest/policy-language/) is a great place to start learning Rego. You can also check out the [Rego Playground](https://play.openpolicyagent.org/) to experiment with Rego, and [join the OPA Slack](https://slack.openpolicyagent.org/).
+
+
+```rego
+deny[res] {
+	instance := input.aws.rds.instances[_]
+	instance.engine.value == ["postgres", "mysql"][_]
+	not instance.iamauthenabled.value
+	res := result.new("Instance does not have IAM Authentication enabled", instance.iamauthenabled)
+}
+```
+
+The rule should return a result, which can be created using `result.new`. This function does not need to be imported, it is defined internally and provided at runtime. The first argument is the message to display and the second argument is the resource that the issue was detected on.
+
+It is possible to pass any rego variable that references a field of the input document.
+
+## Generate docs
+
+Finally, you'll want to generate documentation for your newly added rule. Please run `make docs` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) directory to generate the documentation for your new policy and submit a PR for us to take a look at.
+
+## Adding Tests
+
+All Rego checks need to have tests. There are many examples of these in the `checks` directory for each check ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). More information on how to write tests for Rego checks is provided in the [custom misconfiguration](../../../docs/scanner/misconfiguration/custom/testing.md) section of the docs.
+
+## Example PR
+
+You can see a full example PR for a new rule being added here: [https://github.com/aquasecurity/defsec/pull/1000](https://github.com/aquasecurity/defsec/pull/1000).

docs/community/contribute/checks/service-support.md

@@ -0,0 +1,69 @@
+# Add Service Support
+
+A service refers to a service by a cloud provider. This section details how to add a new service to an existing provider. All contributions need to be made to the [trivy repository](https://github.com/aquasecurity/trivy/).
+
+## Prerequisites
+
+Before you begin, verify that the [provider](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) does not already have the service that you plan to add.
+
+## Adding a new service to an existing provider
+
+Adding a new service involves two steps. The service will need a data structure to store information about the required resources that will be scanned. Additionally, the service will require one or more adapters to convert the scan targetes as input(s) into the aforementioned data structure.
+
+### Create a new file in the provider directory
+
+In this example, we are adding the CodeBuild service to the AWS provider.
+
+First, create a new directory and file for your new service under the provider directory: e.g. [aws/codebuild/codebuild.go](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/codebuild/codebuild.go)
+
+The CodeBuild service will require a structure `struct` to hold the information on the input that is scanned. The input is the CodeBuild resource that a user configured and wants to scan for misconfiguration.
+
+```
+type CodeBuild struct {
+	Projects []Project
+}
+```
+
+The CodeBuild service manages `Project` resources. The `Project` struct has been added to hold information about each Project resources; `Project` Resources in turn manage `ArtifactSettings`:
+
+```
+type Project struct {
+	Metadata                  iacTypes.Metadata
+	ArtifactSettings          ArtifactSettings
+	SecondaryArtifactSettings []ArtifactSettings
+}
+
+type ArtifactSettings struct {
+	Metadata          iacTypes.Metadata
+	EncryptionEnabled iacTypes.BoolValue
+}
+```
+
+The `iacTypes.Metadata` struct is embedded in all of the Trivy types and provides a common set of metadata for all resources. This includes the file and line number where the resource was defined and the name of the resource.
+
+A resource in this example `Project` can have a name and can optionally be encrypted. Instead of using raw string and bool types respectively, we use the trivy types `iacTypes.Metadata` and `iacTypes.BoolValue`. These types wrap the raw values and provide additional metadata about the value. For instance, whether it was set by the user and the file and line number where the resource was defined. 
+
+Have a look at the other providers and services in the [`iac/providers`](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) directory in Trivy.
+
+Next you'll need to add a reference to your new service struct in the [provider struct](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go) at `pkg/iac/providers/aws/aws.go`:
+
+```
+type AWS struct {
+	...
+	CodeBuild      codebuild.CodeBuild
+    ...
+}
+```
+
+### Update Adapters
+
+Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
+
+Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)
+
+
+## Create a new Schema for your provider
+
+Once the new service has been added to the provider, you need to create the schema for the service as part of the provider schema. 
+
+This process has been automated with mage commands. In the Trivy root directory run `mage schema:generate` to generate the schema for your new service and `mage schema:verify`.

docs/community/contribute/discussion.md

@@ -0,0 +1,49 @@
+# Discussions
+Thank you for taking interest in contributing to Trivy!
+
+Trivy uses [GitHub Discussion](https://github.com/aquasecurity/trivy/discussions) for bug reports, feature requests, and questions.
+If maintainers decide to accept a new feature or confirm that it is a bug, they will close the discussion and create a [GitHub Issue](https://github.com/aquasecurity/trivy/issues) associated with that discussion.
+
+- Feel free to open discussions for any reason. When you open a new discussion, you'll have to select a discussion category as described below.
+- Please spend a small amount of time giving due diligence to the issue/discussion tracker. Your discussion might be a duplicate. If it is, please add your comment to the existing issue/discussion.
+- Remember that users might search for your issue/discussion in the future, so please give it a meaningful title to help others.
+- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
+
+There are 4 categories:
+
+- 💡 [Ideas](https://github.com/aquasecurity/trivy/discussions/categories/ideas)
+    - Share ideas for new features
+- 🔎 [False Detection](https://github.com/aquasecurity/trivy/discussions/categories/false-detection)
+    - Report false positives/negatives
+- 🐛 [Bugs](https://github.com/aquasecurity/trivy/discussions/categories/bugs)
+    - Report something that is not working as expected
+- 🙏 [Q&A](https://github.com/aquasecurity/trivy/discussions/categories/q-a)
+    - Ask the community for help
+
+!!! note
+    If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
+
+## False detection
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
+Sometime these databases contain mistakes.
+
+If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
+
+1. Run Trivy with `-f json` that shows data sources.
+2. According to the shown data source, make sure that the security advisory in the data source is correct.
+
+If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
+
+### GitHub Advisory Database
+Visit [here](https://github.com/advisories) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
+
+### GitLab Advisory Database
+Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues)
+
+### Red Hat CVE Database
+Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
+

docs/community/contribute/issue.md

@@ -0,0 +1,7 @@
+# Issues
+Thank you for taking interest in contributing to Trivy!
+
+Trivy uses [GitHub Discussion](./discussion.md) for bug reports, feature requests, and questions.
+
+!!! warning
+    Issues created by non-maintainers will be immediately closed.

docs/community/contribute/pr.md

@@ -0,0 +1,227 @@
+Thank you for taking interest in contributing to Trivy!
+
+1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
+1. Your PR is more likely to be accepted if it focuses on just one change.
+1. There's no need to add or tag reviewers.
+1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+1. Please include a comment with the results before and after your change.
+1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+## Development
+Install the necessary tools for development by following their respective installation instructions.
+
+- [Go](https://go.dev/doc/install)
+- [Mage](https://magefile.org/)
+
+### Build
+After making changes to the Go source code, build the project with the following command:
+
+```shell
+$ mage build
+$ ./trivy -h
+```
+
+### Lint
+You must pass the linter checks:
+
+```shell
+$ mage lint:run
+```
+
+Additionally, you need to have run `go mod tidy`, so execute the following command as well:
+
+```shell
+$ mage tidy
+```
+
+To autofix linters use the following command:
+```shell
+$ mage lint:fix
+```
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ mage test:unit
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ mage test:integration
+```
+
+### Documentation
+If you update CLI flags, you need to generate the CLI references.
+The test will fail if they are not up-to-date.
+
+```shell
+$ mage docs:generate
+```
+
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ mage docs:serve
+```
+
+## Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+
+- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+- **docs** for changes to the documentation.
+- **style** for formatting changes, missing semicolons, etc.
+- **refactor** for refactoring production code, e.g. renaming a variable.
+- **test** for adding missing tests, refactoring tests; no production code change.
+- **build** for updating build configuration, development tools or other changes irrelevant to the user.
+- **chore** for updates that do not apply to the above, such as dependency updates.
+- **ci** for changes to CI configuration files and scripts
+- **revert** for revert to a previous commit
+
+**Allowed `<scope>` values:**
+
+checks:
+
+- vuln
+- misconf
+- secret
+- license
+
+mode:
+
+- image
+- fs
+- repo
+- sbom
+- k8s
+- server
+- aws
+- vm
+- plugin
+
+os:
+
+- alpine
+- redhat
+- alma
+- rocky
+- azure
+- oracle
+- debian
+- ubuntu
+- amazon
+- suse
+- photon
+- distroless
+
+language:
+
+- ruby
+- php
+- python
+- nodejs
+- rust
+- dotnet
+- java
+- go
+- elixir
+- dart
+- julia
+
+vuln:
+
+- os
+- lang
+
+config:
+
+- kubernetes
+- dockerfile
+- terraform
+- cloudformation
+
+container
+
+- docker
+- podman
+- containerd
+- oci
+
+cli:
+
+- cli
+- flag
+
+SBOM:
+
+- cyclonedx
+- spdx
+- purl
+
+others:
+
+- helm
+- report
+- db
+- parser
+- deps
+
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+**Breaking changes**
+
+A PR, introducing a breaking API change, needs to append a `!` after the type/scope.
+
+### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+feat(vuln)!: delete the existing CLI flag
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+## Commits
+
+
+## Understand where your pull request belongs
+
+Trivy is composed of several repositories that work together:
+
+- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
+- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
+- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

docs/community/maintainer/backporting.md

@@ -0,0 +1,59 @@
+# Backporting Process
+
+This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
+
+## When to Create Patch Releases
+
+In general, small changes should not be backported and should be included in the next minor release.
+However, patch releases should be made in the following cases:
+
+* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
+* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
+
+In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
+At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
+
+## Versioning
+
+Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
+When creating a patch release, the PATCH part of the version number is incremented.
+For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
+
+## Backporting Procedure
+
+1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
+1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
+1. Once the PR with the fixes is merged, comment `@aqua-bot backport <release-branch>` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
+1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
+1. Once the tests pass, merge the automatically created PR into the release branch.
+1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
+
+!!! note
+    Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
+    If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
+
+### Example
+To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
+
+```mermaid
+gitGraph:
+  commit id:"Feature 1"
+  commit id:"v0.50.0 release" tag:"v0.50.0"
+
+  branch "release/v0.50"
+  
+  checkout main
+  commit id:"Bugfix 1"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 1"
+
+  checkout main
+  commit id:"Feature 2"
+  commit id:"Bugfix 2"
+  commit id:"Feature 3"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 2"
+  commit id:"v0.50.1 release" tag:"v0.50.1"
+```

docs/community/maintainer/help-wanted.md

@@ -0,0 +1,78 @@
+# Overview
+
+We use two labels [help wanted](#help-wanted) and [good first
+issue](#good-first-issue) to identify issues that have been specially groomed
+for new contributors. The `good first issue` label is a subset of `help wanted`
+label, indicating that members have committed to providing extra assistance for
+new contributors. All `good first issue` items also have the `help wanted`
+label.
+
+## Help Wanted
+
+Items marked with the `help wanted` label need to ensure that they are:
+
+- **Low Barrier to Entry**
+
+  It should be tractable for new contributors. Documentation on how that type of
+  change should be made should already exist.
+
+- **Clear Task**
+
+  The task is agreed upon and does not require further discussions in the
+  community. Call out if that area of code is untested and requires new
+  fixtures.
+
+  API / CLI behavior is decided and included in the OP issue, for example: "The
+  new command syntax is `trivy --format yaml IMAGE_NAME`"_ with
+  expected validations called out.
+
+- **Goldilocks priority**
+
+  Not too high that a core contributor should do it, but not too low that it
+  isn't useful enough for a core contributor to spend time to review it, answer
+  questions, help get it into a release, etc.
+
+- **Up-To-Date**
+
+  Often these issues become obsolete and have already been done, are no longer
+  desired, no longer make sense, have changed priority or difficulty , etc.
+
+
+## Good First Issue
+
+Items marked with the `good first issue` label are intended for _first-time
+contributors_. It indicates that members will keep an eye out for these pull
+requests and shepherd it through our processes.
+
+These items need to ensure that they follow the guidelines for `help wanted`
+labels (above) in addition to meeting the following criteria:
+
+- **No Barrier to Entry**
+
+  The task is something that a new contributor can tackle without advanced
+  setup, or domain knowledge.
+
+- **Solution Explained**
+
+  The recommended solution is clearly described in the issue.
+
+- **Provides Context**
+
+  If background knowledge is required, this should be explicitly mentioned and a
+  list of suggested readings included.
+
+- **Gives Examples**
+
+  Link to examples of similar implementations so new contributors have a
+  reference guide for their changes.
+
+- **Identifies Relevant Code**
+
+  The relevant code and tests to be changed should be linked in the issue.
+
+- **Ready to Test**
+
+  There should be existing tests that can be modified, or existing test cases
+  fit to be copied. If the area of code doesn't have tests, before labeling the
+  issue, add a test fixture. This prep often makes a great `help wanted` task!
+  

docs/community/maintainer/release-flow.md

@@ -0,0 +1,83 @@
+# Release Flow
+
+## Overview
+Trivy adopts [conventional commit messages][conventional-commits], and [Release Please][release-please] automatically creates a [release PR](https://github.com/googleapis/release-please?tab=readme-ov-file#whats-a-release-pr) based on the messages of the merged commits.
+This release PR is automatically updated every time a new commit is added to the release branch.
+
+If a commit has the prefix `feat:`, a PR is automatically created to increment the minor version, and if a commit has the prefix `fix:`, a PR is created to increment the patch version.
+When the PR is merged, GitHub Actions automatically creates a version tag and the release is performed.
+For detailed behavior, please refer to [the GitHub Actions configuration][workflows].
+
+!!! note
+    Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
+    To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).
+
+## Flow
+The release flow consists of the following main steps:
+
+1. Creating the release PR (automatically or manually)
+1. Drafting the release notes in GitHub Discussions
+1. Merging the release PR
+1. Updating the release notes in GitHub Discussions
+1. Navigating to the release notes in GitHub Releases page
+
+### Automatic Release PR Creation
+When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
+These Release PRs are kept up-to-date as additional work is merged.
+When it's ready to tag a release, simply merge the release PR.
+See the [Release Please documentation][release-please] for more information.
+
+The title of the PR will be in the format `release: v${version} [${branch}]` (e.g., `release: v0.51.0 [main]`).
+The format of the PR title is important for identifying the release commit, so it should not be changed.
+
+The `release/vX.Y` release branches are also subject to automatic release PR creation for patch releases.
+The PR title will be like `release: v0.51.1 [release/v0.51]`.
+
+### Manual Release PR Creation
+If you want to release commits like `chore`, a release PR is not automatically created, so you need to manually trigger the creation of a release PR.
+The [Release Please workflow](https://github.com/aquasecurity/trivy/actions/workflows/release-please.yaml) supports `workflow_dispatch` and can be triggered manually.
+Click "Run workflow" in the top right corner and specify the release branch.
+In Trivy, the following branches are the release branches.
+
+- `main`
+- `release/vX.Y` (e.g. `release/v0.51`)
+
+Specify the release version (without the `v` prefix) and click "Run workflow" to create a release PR for the specified version.
+
+### Drafting the Release Notes
+Next, create release notes for this version.
+Draft a new post in GitHub Discussions, and maintainers edit these release notes (e.g., https://github.com/aquasecurity/trivy/discussions/6605).
+Currently, the creation of this draft is done manually.
+For patch version updates, this step can be skipped since they only involve bug fixes.
+
+### Merging the Release PR
+Once the draft of the release notes is complete, merge the release PR.
+When the PR is merged, a tag is automatically created, and [GoReleaser][goreleaser] releases binaries, container images, etc.
+
+### Updating the Release Notes
+If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
+Copy the draft release notes, adjust the formatting, and finalize the release notes.
+
+### Navigating to the Release Notes
+To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
+
+```
+## ⚡Release highlights and summary⚡
+
+👉 https://github.com/aquasecurity/trivy/discussions/6838
+
+## Changelog
+https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03
+```
+
+Replace URLs with appropriate ones.
+
+Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
+
+
+The release is now complete.
+
+[conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
+[release-please]: https://github.com/googleapis/release-please 
+[goreleaser]: https://goreleaser.com/
+[workflows]: https://github.com/aquasecurity/trivy/tree/main/.github/workflows

docs/community/maintainer/triage.md

@@ -0,0 +1,198 @@
+# Triage
+
+Triage is an important part of maintaining the health of the trivy repo.
+A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
+
+Triage includes:
+
+- Labeling issues
+- Responding to issues
+- Closing issues
+
+# Daily Triage
+Daily triage has two goals:
+
+1. Responsiveness for new issues
+1. Responsiveness when explicitly requested information was provided
+
+It covers:
+
+1. Issues without a `kind/` or `triage/` label
+1. Issues without a `priority/` label
+1. `triage/needs-information` issues which the user has followed up on, and now require a response.
+
+## Categorization
+
+The most important level of categorizing the issue is defining what type it is.
+We typically want at least one of the following labels on every issue, and some issues may fall into multiple categories:
+
+- `triage/support`   - The default for most incoming issues
+- `kind/bug` - When it’s a bug or we aren’t delivering the best user experience
+
+Other possibilities: 
+- `kind/feature`- Identify new feature requests
+- `kind/testing` - Update or fix unit/integration tests
+- `kind/cleanup` - Cleaning up/refactoring the codebase
+- `kind/documentation` - Updates or additions to trivy documentation
+
+If the issue is specific to a driver for OS packages or libraries:
+
+**co/[driver for OS packages]**
+
+  - `co/alpine`
+  - `co/amazon`
+  - `co/debian`
+  - `co/oracle`
+  - `co/photon`
+  - `co/redhat`
+  - `co/suse`
+  - `co/ubuntu`
+
+**co/[driver for libraries of programming languages]** 
+
+  - `co/bundler`
+  - `co/cargo`
+  - `co/composer`
+  - `co/npm`
+  - `co/yarn`
+  - `co/pipenv`
+  - `co/poetry`
+ 
+
+**Help wanted?**
+
+`Good First Issue` - bug has a proposed solution, can be implemented w/o further discussion.
+
+`Help wanted` - if the bug could use help from a contributor
+
+
+## Prioritization
+If the issue is not `triage/support`, it needs a priority label.
+
+`priority/critical-urgent` - someones top priority ASAP, such as security issue, user-visible bug, or build breakage. Rarely used.
+
+`priority/important-soon`: in time for the next two releases. It should be attached to a milestone.
+
+`priority/important-longterm`: 2-4 releases from now
+
+`priority/backlog`: agreed that this would be good to have, but no one is available at the moment. Consider tagging as `help wanted`
+
+`priority/awaiting-more-evidence`: may be useful, but there is not yet enough support.
+
+
+# Weekly Triage
+
+Weekly triage has three goals:
+
+1. Catching up on unresponded issues
+1. Reviewing and closing PR’s
+1. Closing stale issues
+
+
+## Post-Release Triage
+
+Post-release triage occurs after a major release (around every 4-6 weeks).
+It focuses on:
+
+1. Closing bugs that have been resolved by the release
+1. Reprioritizing bugs that have not been resolved by the release
+1. Letting users know if we believe that there is still an issue
+
+This includes reviewing:
+
+1. Every issue that hasn’t been touched in the last 2 days
+1. Re-evaluation of long-term issues
+1. Re-evaluation of short-term issues
+
+
+## Responding to Issues
+
+### Needs More Information
+A sample response to ask for more info:
+
+> I don’t yet have a clear way to replicate this issue. Do you mind adding some additional details. Here is additional information that would be helpful:
+>
+> \*  The exact `trivy` command line used
+>
+> \*  The exact image you want to scan
+>
+> \*  The full output of the `trivy` command, preferably with `--debug` for extra logging.
+>
+>
+> Thank you for sharing your experience!
+
+
+Then: Label with `triage/needs-information`.
+
+### Issue might be resolved
+If you think a release may have resolved an issue, ask the author to see if their issue has been resolved:
+
+> Could you please check to see if trivy <x> addresses this issue? We've made some changes with how this is handled, and improved the trivy logs output to help us debug tricky cases like this.
+
+Then: Label with `triage/needs-information`.
+
+
+## Closing with Care
+
+Issues typically need to be closed for the following reasons:
+
+- The issue has been addressed
+- The issue is a duplicate of an existing issue
+- There has been a lack of information over a long period of time
+
+In any of these situations, we aim to be kind when closing the issue, and offer the author action items should they need to reopen their issue or still require a solution.
+
+Samples responses for these situations include:
+
+### Issue has been addressed
+
+>@author: I believe this issue is now addressed by trivy v1.0.0, as it <reason>. If you still see this issue with trivy v1.0 or higher, please reopen this issue.
+>
+>Thank you for reporting this issue!
+
+Then: Close the issue
+
+### Duplicate Issue
+
+>This issue appears to be a duplicate of #X, do you mind if we move the conversation there?
+>
+>This way we can centralize the content relating to the issue. If you feel that this issue is not in fact a duplicate, please re-open it. If you have additional information to share, please add it to the new issue.
+>
+>Thank you for reporting this!
+
+Then: Label with `triage/duplicate` and close the issue.
+
+### Lack of Information
+If an issue hasn't been active for more than four weeks, and the author has been pinged at least once, then the issue can be closed.
+
+>Hey @author -- hopefully it's OK if I close this - there wasn't enough information to make it actionable, and some time has already passed. If you are able to provide additional details, you may reopen it at any point.
+> 
+>Here is additional information that may be helpful to us:
+>
+>\* Whether the issue occurs with the latest trivy release
+>
+>\* The exact `trivy` command line used
+>
+>\* The exact image you want to scan
+>
+>\* The full output of the `trivy` command, preferably with `--debug` for extra logging.
+>
+>
+>Thank you for sharing your experience!
+
+Then: Close the issue.
+
+## Help Wanted issues
+
+We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22)
+and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
+to identify issues that have been specially groomed for new contributors.
+
+We have specific [guidelines](./help-wanted.md)
+for how to use these labels. If you see an issue that satisfies these
+guidelines, you can add the `help wanted` label and the `good first issue` label.
+Please note that adding the `good first issue` label must also 
+add the `help wanted` label.
+
+If an issue has these labels but does not satisfy the guidelines, please
+ask for more details to be added to the issue or remove the labels.

docs/community/principles.md

@@ -0,0 +1,53 @@
+# Trivy Project Principles
+This document outlines the guiding principles and governance framework for the Trivy project.
+
+## Core Principles
+Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core.
+All new proposals to the project must adhere to the following principles.
+
+### Static Analysis (No Runtime Required)
+Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime.
+This approach enhances security and efficiency by minimizing dependencies.
+
+### External Dependency Free (Single Binary)
+Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes.
+If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
+
+This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions.
+Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
+
+### No Setup Required
+Trivy must be ready to use immediately after installation.
+It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default.
+Such setups should only be necessary for users requiring specific customizations.
+
+Security often isn't a top priority for many organizations and can be easily deferred.
+Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
+
+### Security Focus
+Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images.
+It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
+
+Trivy serves as a tool with opinions on security, used to warn users about potential issues.
+
+### Detecting Unintended States
+Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet.
+The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
+
+## Out of Scope Features
+Aqua Security offers a premium version with several features not available in the open-source Trivy project. 
+While detailed information can be found [here][trivy-aqua], it's beneficial to highlight specific functionalities frequently inquired about:
+
+### Runtime Security
+As mentioned in [the Core Principles](#static-analysis-no-runtime-required), Trivy is a static analysis security scanner, making runtime security outside its scope.
+Runtime security needs are addressed by [Tracee][tracee] or [the commercial version of Aqua Security]().
+
+### Intentional Attacks
+As mentioned in [the Core Principles](#detecting-unintended-states), detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in [the commercial version][aqua].
+
+### User Interface
+Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
+
+[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
+[tracee]: https://github.com/aquasecurity/tracee
+[aqua]: https://www.aquasec.com/

docs/docs/advanced/air-gap.md

@@ -0,0 +1,77 @@
+# Connectivity and Network considerations
+
+Trivy requires internet connectivity in order to function normally. If your organizations blocks or restricts network traffic, that could prevent Trivy from working correctly.
+This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted networks environments, including completely air-gapped environments.
+
+The following table lists all external resources that are required by Trivy:
+
+External Resource | Feature | Details
+--- | --- | ---
+Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
+Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
+Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
+VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
+Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)
+
+!!! note
+    Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.
+
+The rest of this document details each resource's connectivity requirements and network related considerations.
+
+## OCI Databases
+
+Trivy's Vulnerability, Java, and Checks Bundle are packaged as OCI images and stored in public container registries.
+
+### Connectivity requirements
+
+The specific registries and locations are detailed in the [databases document](../configuration/db.md).
+
+Communication with OCI Registries follows the [OCI Distribution](https://github.com/opencontainers/distribution-spec) spec.
+
+The following hosts are known to be used by the default container registries:
+
+Registry | Hosts | Additional info
+--- | --- | ---
+Google Artifact Registry | <ul><li>`mirror.gcr.io`</li><li>`googlecode.l.googleusercontent.com`</li></ul> | [Google's IP addresses](https://support.google.com/a/answer/10026322?hl=en)
+GitHub Container Registry | <ul><li>`ghcr.io`</li><li>`pkg-containers.githubusercontent.com`</li></ul> | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)
+
+### Self-hosting
+
+You can host Trivy's databases in your own container registry. Please refer to [Self-hosting document](./self-hosting.md#oci-databases) for a detailed guide.
+
+## Embedded Checks
+
+Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
+
+## VEX Hub
+
+### Connectivity Requirements
+
+VEX Hub is hosted as at <https://github.com/aquasecurity/vexhub>.
+
+Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests.
+
+The following hosts are known to be used by GitHub's services:
+
+- `api.github.com`
+- `codeload.github.com`
+
+For more information about GitHub connectivity (including specific IP addresses), please refer to [GitHub's connectivity troubleshooting guide](https://docs.github.com/en/get-started/using-github/troubleshooting-connectivity-problems).
+
+### Self-hosting
+
+You can host a copy of VEX Hub on your own internal server. Please refer to the [self-hosting document](./self-hosting.md#vex-hub) for a detailed guide.
+
+## Maven Central / Remote Repositories
+
+Trivy might call out to Maven central or other remote repositories to fetch in order to correctly identify Java packages during a vulnerability scan.
+
+### Connectivity requirements
+
+Trivy might attempt to connect (over HTTPS) to the following URLs:
+
+- `https://repo.maven.apache.org/maven2`
+
+### Offline mode
+
+There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.