BREAKING: use normalized trivy-java-db (#3583)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.circleci/config.yml

@@ -1,65 +0,0 @@
-version: 2.1
-orbs:
-  codecov: codecov/codecov@1.1.0
-
-defaults: &defaults
-  docker :
-    - image: aquasec/trivy-ci:latest
-  environment:
-    CGO_ENABLED: "0"
-
-jobs:
-  unit-test:
-    <<: *defaults
-    steps:
-      - checkout
-      - run:
-          name: Test
-          command: make test
-      - codecov/upload:
-          file: ./coverage.txt
-
-  release:
-    <<: *defaults
-    steps:
-      - checkout
-      - setup_remote_docker:
-          version: 19.03.13
-      - run:
-          name: login to Docker Hub
-          command: echo $DOCKER_PASS | docker login --username $DOCKER_USER --password-stdin
-      - run:
-          name: login to GitHub Container Registry
-          command: echo $GITHUB_TOKEN | docker login ghcr.io -u $GITHUB_USER --password-stdin
-      - run:
-          name: Release
-          command: goreleaser --rm-dist
-      - run:
-          name: Clone trivy repository
-          command: git clone git@github.com:aquasecurity/trivy-repo.git
-      - run:
-          name: Setup git settings
-          command: |
-            git config --global user.email "knqyf263@gmail.com"
-            git config --global user.name "Teppei Fukuda"
-      - run:
-          name: Create rpm repository
-          command: ci/deploy-rpm.sh
-      - run:
-          name: Import GPG key
-          command: echo -e "$GPG_KEY" | gpg --import
-      - run:
-          name: Create deb repository
-          command: ci/deploy-deb.sh
-
-workflows:
-  version: 2
-  release:
-    jobs:
-      - unit-test
-      - release:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /.*/

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf 

.github/CODEOWNERS

@@ -0,0 +1,24 @@
+# Global
+*   @knqyf263
+
+# Docs
+/docs/** @knqyf263 @AnaisUrlichs @itaysk
+/mkdocs.yml @knqyf263 @AnaisUrlichs @itaysk
+/README.md @knqyf263 @AnaisUrlichs @itaysk
+
+# Helm chart
+helm/trivy/ @chen-keinan
+
+# Misconfiguration scanning
+examples/misconf/           @knqyf263
+docs/docs/misconfiguration  @knqyf263
+docs/docs/cloud             @knqyf263
+pkg/fanal/analyzer/config   @knqyf263
+pkg/fanal/handler/misconf   @knqyf263
+pkg/cloud                   @knqyf263
+pkg/flag/aws_flags.go       @knqyf263
+pkg/flag/misconf_flags.go   @knqyf263
+
+# Kubernetes scanning
+pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
+docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263

.github/DISCUSSION_TEMPLATE/show-and-tell.yml

@@ -0,0 +1,53 @@
+title: "<company name> "
+labels: ["adopters"]
+body:
+  - type: textarea
+    id: links
+    attributes:
+      label: "Share Links"
+      description: "If you would like to share a link to your project or company, please paste it below 🌐"
+      value: |
+        ...
+    validations:
+      required: false
+  - type: textarea
+    id: logo
+    attributes:
+      label: "Share Logo"
+      description: "If you have a link to your logo, please provide it in the following text-box 🌐"
+      value: |
+        ...
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Please select all the scan targets that you are using
+      options:
+        - label: Container Images
+        - label: Filesystem
+        - label: Git Repository
+        - label: Virtual Machine Images
+        - label: Kubernetes
+        - label: AWS
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Which scanners are you using on those scan targets?
+      options:
+        - label: OS packages and software dependencies in use (SBOM)
+        - label: Known vulnerabilities (CVEs)
+        - label: IaC issues and misconfigurations
+        - label: Sensitive information and secrets
+        - label: Software licenses
+    validations:
+      required: false
+  - type: textarea
+    id: info
+    attributes:
+      label: "Additional Information"
+      description: "Please tell us more about your use case of Trivy -- anything that you would like to share 🎉"
+      value: |
+        ...
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/WRONG_DETECTION.md

@@ -0,0 +1,33 @@
+---
+name: Wrong Detection
+labels: ["kind/bug"]
+about: If Trivy doesn't detect something, or shows false positive detection
+---
+
+## Checklist
+- [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
+- [ ] I've confirmed that a security advisory in data sources was correct.
+    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
+
+
+## Description
+
+<!--
+Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
+-->
+
+## JSON Output of run with `-debug`:
+
+```
+(paste your output here)
+```
+
+## Output of `trivy -v`:
+
+```
+(paste your output here)
+```
+
+## Additional details (base image name, container registry info...):
+
+

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: gomod
+    open-pull-requests-limit: 10
+    directory: /
+    schedule:
+      interval: monthly

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Description
+
+## Related issues
+- Close #XXX
+
+## Related PRs
+- [ ] #XXX
+- [ ] #YYY
+
+Remove this section if you don't have related PRs.
+
+## Checklist
+- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
+- [ ] I've added tests that prove my fix is effective or that my feature works.
+- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
+- [ ] I've added usage information (if the PR introduces new options)
+- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

.github/workflows/canary.yaml

@@ -0,0 +1,60 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.2.4
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error

.github/workflows/mkdocs-dev.yaml

@@ -0,0 +1,33 @@
+name: Deploy the dev documentation
+on:
+  push:
+    paths:
+      - 'docs/**'
+      - mkdocs.yml
+    branches:
+      - main
+jobs:
+  deploy:
+    name: Deploy the dev documentation
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.x
+      - name: Install dependencies
+        run: |
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install -r docs/build/requirements.txt
+        env:
+          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
+      - name: Configure the git user
+        run: |
+          git config user.name "knqyf263"
+          git config user.email "knqyf263@gmail.com"
+      - name: Deploy the dev documents
+        run: mike deploy --push dev

.github/workflows/mkdocs-latest.yaml

@@ -0,0 +1,41 @@
+name: Deploy the latest documentation
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to be deployed
+        required: true
+  push:
+    tags:
+      - "v*"
+jobs:
+  deploy:
+    name: Deploy the latest documentation
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.x
+      - name: Install dependencies
+        run: |
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install -r docs/build/requirements.txt
+        env:
+          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
+      - name: Configure the git user
+        run: |
+          git config user.name "knqyf263"
+          git config user.email "knqyf263@gmail.com"
+      - name: Deploy the latest documents from new tag push
+        if: ${{ github.event.inputs.version == '' }}
+        run: |
+          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
+          mike deploy --push --update-aliases ${VERSION%.*} latest
+      - name: Deploy the latest documents from manual trigger
+        if: ${{ github.event.inputs.version != '' }}
+        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

.github/workflows/publish-chart.yaml

@@ -0,0 +1,87 @@
+
+name: Publish Helm chart
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
+  push:
+    tags:
+      - "v*"
+env:
+  HELM_REP: helm-charts
+  GH_OWNER: aquasecurity
+  CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
+jobs:
+  test-chart:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        with:
+          version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
+      - name: Install chart-releaser
+        run: |
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
+      - name: Package helm chart
+        run: |
+          ./cr package ${{ env.CHART_DIR }}
+      - name: Upload helm chart
+        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
+        continue-on-error: true
+        run: |
+          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
+      - name: Index helm chart
+        run: |
+          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
+      - name: Push index file
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
+        env:
+          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
+        with:
+          source_file: 'index.yaml'
+          destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'
+          destination_folder: '.'
+          destination_branch: 'gh-pages'
+          user_email: aqua-bot@users.noreply.github.com
+          user_name: 'aqua-bot'

.github/workflows/release.yaml

@@ -0,0 +1,57 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    name: Release
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 90m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.2.4
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install rpm reprepro createrepo-c distro-info
+
+      - name: Checkout trivy-repo
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ github.repository_owner }}/trivy-repo
+          path: trivy-repo
+          fetch-depth: 0
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+
+      - name: Setup git settings
+        run: |
+          git config --global user.email "knqyf263@gmail.com"
+          git config --global user.name "Teppei Fukuda"
+
+      - name: Create rpm repository
+        run: ci/deploy-rpm.sh
+
+      - name: Import GPG key
+        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
+      - name: Create deb repository
+        run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -0,0 +1,108 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v4
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.2.4
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/roadmap.yaml

@@ -0,0 +1,79 @@
+name: Add issues to the roadmap project
+
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  add-issue-to-roadmap-project:
+    name: Add issue to the roadmap project
+    runs-on: ubuntu-latest
+    steps:
+      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/backlog
+          label-operator: AND
+        id: add-backlog-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-backlog-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Backlog
+
+      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-longterm
+          label-operator: AND
+        id: add-longterm-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-longterm-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (long-term)
+
+      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-soon
+          label-operator: AND
+        id: add-soon-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-soon-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (soon)
+
+      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/critical-urgent
+          label-operator: AND
+        id: add-urgent-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-urgent-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Urgent

.github/workflows/scan.yaml

@@ -0,0 +1,23 @@
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Scan Go vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.4
+        with:
+          assignee: knqyf263
+          severity: CRITICAL
+          skip-dirs: integration,examples
+          label: kind/security
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -0,0 +1,99 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+            BREAKING
+
+          scopes: |
+            vuln
+            misconf
+            secret
+            license
+
+            image
+            fs
+            repo
+            sbom
+            server
+            k8s
+            aws
+            vm
+
+            alpine
+            wolfi
+            redhat
+            alma
+            rocky
+            mariner
+            oracle
+            debian
+            ubuntu
+            amazon
+            suse
+            photon
+            distroless
+            windows
+
+            ruby
+            php
+            python
+            nodejs
+            rust
+            dotnet
+            java
+            go
+            c
+            c++
+            elixir
+            dart
+
+            os
+            lang
+
+            kubernetes
+            dockerfile
+            terraform
+            cloudformation
+
+            docker
+            podman
+            containerd
+            oci
+
+            cli
+            flag
+
+            cyclonedx
+            spdx
+            purl
+
+            helm
+            report
+            db
+            deps

.github/workflows/stale-issues.yaml

@@ -0,0 +1,20 @@
+name: "Stale issues"
+on:
+  schedule:
+    - cron: '0 0 * * *'
+jobs:
+  stale:
+    timeout-minutes: 1
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v7
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
+        stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'
+        exempt-issue-labels: 'lifecycle/frozen,lifecycle/active,priority/critical-urgent,priority/important-soon,priority/important-longterm,priority/backlog,priority/awaiting-more-evidence'
+        exempt-pr-labels: 'lifecycle/active'
+        stale-pr-label: 'lifecycle/stale'
+        stale-issue-label: 'lifecycle/stale'
+        days-before-stale: 60
+        days-before-close: 20

.github/workflows/test-docs.yaml

@@ -0,0 +1,28 @@
+name: Test docs
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+jobs:
+  build-documents:
+    name: Documentation Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Install dependencies
+      run: |
+        pip install -r docs/build/requirements.txt
+    - name: Configure the git user
+      run: |
+        git config user.name "knqyf263"
+        git config user.email "knqyf263@gmail.com"
+    - name: Deploy the dev documents
+      run: mike deploy test

.github/workflows/test.yaml

@@ -1,48 +1,123 @@
 name: Test
-on: pull_request
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
+  pull_request:
+      paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
 jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
+  test:
+    name: Test
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v2
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
         with:
-          version: v1.31
+          go-version: oldstable
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
+            exit 1
+          fi
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v3.4.0
+        with:
+          version: v1.49
           args: --deadline=30m
+          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      # Install tools
+      - uses: aquaproj/aqua-installer@v2.0.2
+        with:
+          aqua_version: v1.25.0
+
+      - name: Run unit tests
+        run: make test
 
   integration:
     name: Integration Test
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v1
-      with:
-        go-version: 1.15.x
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
 
-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration
+
+  module-test:
+    name: Module Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      # Install tools
+      - uses: aquaproj/aqua-installer@v2.0.2
+        with:
+          aqua_version: v1.25.0
+
+      - name: Run module integration tests
+        shell: bash
+        run: |
+          make test-module-integration
 
   build-test:
     name: Build Test
     runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v2
+
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@v2
+
+    - name: Show available Docker Buildx platforms
+      run: echo ${{ steps.buildx.outputs.platforms }}
+
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v3
       with:
-        go-version: 1.15.x
+        go-version-file: go.mod
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v1
+      uses: goreleaser/goreleaser-action@v4
       with:
-        version: latest
-        args: release --snapshot --rm-dist --skip-publish
+        version: v1.4.1
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
 

.github/workflows/vm-test.yaml

@@ -0,0 +1,32 @@
+name: VM Test
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+  pull_request:
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+
+jobs:
+  vm-test:
+    name: VM Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - name: Run vm integration tests
+        run: |
+          make test-vm-integration

.gitignore

@@ -4,6 +4,10 @@
 *.dll
 *.so
 *.dylib
+/trivy
+
+## chart release
+.cr-release-packages
 
 # Test binary, build with `go test -c`
 *.test
@@ -12,6 +16,7 @@
 *.out
 
 .idea
+.vscode
 
 # Directory Cache Files
 .DS_Store
@@ -19,4 +24,14 @@ thumbs.db
 
 # test fixtures
 coverage.txt
-integration/testdata/fixtures/
+integration/testdata/fixtures/images
+integration/testdata/fixtures/vm-images
+
+# SBOMs generated during CI
+/bom.json
+
+# goreleaser output
+dist
+
+# WebAssembly
+*.wasm

.golangci.yaml

@@ -6,12 +6,10 @@ linters-settings:
     check-shadowing: false
   gofmt:
     simplify: false
-  golint:
-    min-confidence: 0
+  revive:
+    ignore-generated-header: true
   gocyclo:
-    min-complexity: 10
-  maligned:
-    suggest-new: true
+    min-complexity: 20
   dupl:
     threshold: 100
   goconst:
@@ -21,32 +19,36 @@ linters-settings:
     locale: US
   goimports:
     local-prefixes: github.com/aquasecurity
+  gosec:
+    excludes:
+      - G101
+      - G114
+      - G204
+      - G402
 
 linters:
   disable-all: true
   enable:
-    - structcheck
+    - unused
     - ineffassign
     - typecheck
     - govet
-    - errcheck
-    - varcheck
-    - deadcode
-    - golint
+    - revive
     - gosec
     - unconvert
     - goconst
     - gocyclo
     - gofmt
     - goimports
-    - maligned
     - misspell
 
 run:
+  go: 1.19
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"
     - "integration/*"
+    - "examples/*"
 
 issues:
   exclude-rules:
@@ -68,4 +70,4 @@ issues:
   exclude:
     - "should have a package comment, unless it's in another file for this package"
   exclude-use-default: false
-  max-same-issues: 0
+  max-same-issues: 0

CONTRIBUTING.md

@@ -1,28 +1 @@
-Thank you for taking interest in contributing to Trivy !
-
-## Issues
-- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
-- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
-- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
-- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
-
-## Pull Requests
-
-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Your PR is more likely to be accepted if it focuses on just one change.
-1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
-1. Please add the associated Issue in the PR description.
-1. There's no need to add or tag reviewers.
-1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-1. Please include a comment with the results before and after your change.
-1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
-
-## Understand where your pull request belongs
-
-Trivy is composed of several different repositories that work together:
-
-- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
-- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
-- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
-- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.17.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -0,0 +1,10 @@
+FROM alpine:3.17.1
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.protoc

@@ -0,0 +1,12 @@
+FROM golang:1.19
+
+# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
+ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
+RUN apt-get update && apt-get install -y unzip
+RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
+    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
+    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
+    && rm -f $PROTOC_ZIP
+
+RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1

Makefile

@@ -1,18 +1,44 @@
-VERSION := $(shell git describe --tags)
-LDFLAGS=-ldflags "-s -w -X=main.version=$(VERSION)"
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
+LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
 
-GOPATH=$(shell go env GOPATH)
-GOBIN=$(GOPATH)/bin
-GOSRC=$(GOPATH)/src
+GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
+GOBIN := $(GOPATH)/bin
+GOSRC := $(GOPATH)/src
+
+TEST_MODULE_DIR := pkg/module/testdata
+TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
+TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
+
+EXAMPLE_MODULE_DIR := examples/module
+EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
+EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
+
+MKDOCS_IMAGE := aquasec/mkdocs-material:dev
+MKDOCS_PORT := 8000
+
+export CGO_ENABLED := 0 
 
 u := $(if $(update),-u)
 
+# Tools
 $(GOBIN)/wire:
-	GO111MODULE=off go get github.com/google/wire/cmd/wire
+	go install github.com/google/wire/cmd/wire@v0.5.0
+
+$(GOBIN)/crane:
+	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
+
+$(GOBIN)/golangci-lint:
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
+
+$(GOBIN)/labeler:
+	go install github.com/knqyf263/labeler@latest
+
+$(GOBIN)/easyjson:
+	go install github.com/mailru/easyjson/...@v0.7.7
 
 .PHONY: wire
 wire: $(GOBIN)/wire
-	wire gen ./pkg/... ./internal/...
+	wire gen ./pkg/commands/... ./pkg/rpc/...
 
 .PHONY: mock
 mock: $(GOBIN)/mockery
@@ -23,23 +49,48 @@ deps:
 	go get ${u} -d
 	go mod tidy
 
-$(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.21.0
+.PHONY: generate-test-modules
+generate-test-modules: $(TEST_MODULES)
 
+# Compile WASM modules for unit and integration tests
+%.wasm:%.go
+	@if !(type "tinygo" > /dev/null 2>&1); then \
+		echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
+		exit 1; \
+	fi
+	go generate $<
+
+# Run unit tests
 .PHONY: test
-test:
+test: $(TEST_MODULES)
 	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
 
-integration/testdata/fixtures/*.tar.gz:
-	git clone https://github.com/aquasecurity/trivy-test-images.git integration/testdata/fixtures
+integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
+	mkdir -p integration/testdata/fixtures/images/
+	integration/scripts/download-images.sh
 
+# Run integration tests
 .PHONY: test-integration
-test-integration: integration/testdata/fixtures/*.tar.gz
-	go test -v -tags=integration ./integration/...
+test-integration: integration/testdata/fixtures/images/*.tar.gz
+	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
+
+# Run WASM integration tests
+.PHONY: test-module-integration
+test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
+	go test -v -tags=module_integration ./integration/...
+
+# Run VM integration tests
+.PHONY: test-vm-integration
+test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
+	go test -v -tags=vm_integration ./integration/...
+
+integration/testdata/fixtures/vm-images/*.img.gz:
+	integration/scripts/download-vm-images.sh
+
 
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
-	$(GOBIN)/golangci-lint run
+	$(GOBIN)/golangci-lint run --timeout 5m
 
 .PHONY: fmt
 fmt:
@@ -51,7 +102,13 @@ build:
 
 .PHONY: protoc
 protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --go_out=. {} \;
+	docker build -t trivy-protoc - < Dockerfile.protoc
+	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
+
+_protoc:
+	for path in `find ./rpc/ -name "*.proto" -type f`; do \
+		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
+	done
 
 .PHONY: install
 install:
@@ -59,11 +116,20 @@ install:
 
 .PHONY: clean
 clean:
-	rm -rf integration/testdata/fixtures/
-
-$(GOBIN)/labeler:
-	GO111MODULE=off go get github.com/knqyf263/labeler
+	rm -rf integration/testdata/fixtures/images
 
+# Create labels on GitHub
 .PHONY: label
 label: $(GOBIN)/labeler
 	labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5
+
+# Run MkDocs development server to preview the documentation page
+.PHONY: mkdocs-serve
+mkdocs-serve:
+	docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
+	docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
+
+# Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
+.PHONY: easyjson
+easyjson: $(GOBIN)/easyjson
+	easyjson pkg/module/serialize/types.go

aqua.yaml

@@ -0,0 +1,8 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+registries:
+- type: standard
+  ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+- name: tinygo-org/tinygo@v0.26.0

brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg

@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/readme.md

@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>

ci/Dockerfile

@@ -1,10 +0,0 @@
-FROM circleci/golang:1.15-buster
-
-RUN sudo apt-get -y update \
-    && sudo apt-get -y install rpm reprepro createrepo distro-info
-
-ARG GORELEASER_VERSION=0.124.1
-ARG GORELEASER_ARTIFACT=goreleaser_Linux_x86_64.tar.gz
-RUN wget https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/${GORELEASER_ARTIFACT} \
-    && sudo tar -xzf ${GORELEASER_ARTIFACT} -C /usr/bin/ goreleaser \
-    && rm ${GORELEASER_ARTIFACT}

ci/deploy-deb.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 
 cd trivy-repo/deb
 
@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done
 
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-64bit.deb
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .

ci/deploy-rpm.sh

@@ -1,27 +1,29 @@
 #!/bin/bash
 
+TRIVY_VERSION=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -nre 's/^[^0-9]*(([0-9]+\.)*[0-9]+).*/\1/p')
+
 function create_rpm_repo () {
         version=$1
         rpm_path=rpm/releases/${version}/x86_64
 
-        RPM_EL=$(find ../dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e "s/_/-/g" -e "s/-Linux/.el$version/" -e "s/-64bit/.x86_64/")
-        echo $RPM_EL
-
         mkdir -p $rpm_path
-        cp ../dist/*64bit.rpm ${rpm_path}/${RPM_EL}
+        cp ../dist/*64bit.rpm ${rpm_path}/
 
-        createrepo --update $rpm_path
+        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+
+        rm ${rpm_path}/*64bit.rpm
 }
 
+echo "Create RPM releases for Trivy v$TRIVY_VERSION"
+
 cd trivy-repo
 
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
         echo "Processing RHEL/CentOS $version..."
         create_rpm_repo $version
 done
 
 git add .
-git commit -m "Update rpm packages"
+git commit -m "Update rpm packages for Trivy v$TRIVY_VERSION"
 git push origin main
-

cmd/trivy/main.go

@@ -1,12 +1,16 @@
 package main
 
 import (
-	l "log"
+	"context"
 	"os"
 
-	"github.com/aquasecurity/trivy/internal"
+	"golang.org/x/xerrors"
 
+	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
+
+	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
 
 var (
@@ -14,12 +18,26 @@ var (
 )
 
 func main() {
-	app := internal.NewApp(version)
-	err := app.Run(os.Args)
-	if err != nil {
-		if log.Logger != nil {
-			log.Fatal(err)
-		}
-		l.Fatal(err)
+	if err := run(); err != nil {
+		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}

codecov.yml

@@ -1,12 +0,0 @@
-coverage:
-  status:
-    project:
-      default:
-        informational: true
-        target: auto
-        threshold: 100%
-    patch:
-      default:
-        informational: true
-        target: auto
-        threshold: 100%

contrib/Trivy.gitlab-ci.yml

@@ -10,7 +10,7 @@ Trivy_container_scanning:
     IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
   allow_failure: true
   before_script:
-    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
     - apk add --no-cache curl docker-cli
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
     - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}

contrib/asff.tpl

@@ -1,78 +1,161 @@
-[
-{{- $t_first := true -}}
-{{- range . -}}
-{{- $target := .Target -}}
-{{- range .Vulnerabilities -}}
-{{- if $t_first -}}
-  {{- $t_first = false -}}
-{{- else -}}
-  ,
-{{- end -}}
-{{- $trivyProductSev := 0 -}}
-{{- $trivyNormalizedSev := 0 -}}
-{{- if eq .Severity "LOW" -}}
-    {{- $trivyProductSev = 1 -}}
-    {{- $trivyNormalizedSev = 10 -}}
-  {{- else if eq .Severity "MEDIUM" -}}
-    {{- $trivyProductSev = 4 -}}
-    {{- $trivyNormalizedSev = 40 -}}
-  {{- else if eq .Severity "HIGH" -}}
-    {{- $trivyProductSev = 7 -}}
-    {{- $trivyNormalizedSev = 70 -}}
-  {{- else if eq .Severity "CRITICAL" -}}
-    {{- $trivyProductSev = 9 -}}
-    {{- $trivyNormalizedSev = 90 -}}
-{{- end }}
-{{- $description := .Description -}}
-{{- if gt (len $description ) 1021 -}}
-    {{- $description = (slice $description 0 1021) | printf "%v .." -}}
-{{- end}}
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ getCurrentTime }}",
-        "UpdatedAt": "{{ getCurrentTime }}",
-        "Severity": {
-            "Product": {{ $trivyProductSev }},
-            "Normalized": {{ $trivyNormalizedSev }}
-        },
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
-        "Description": {{ escapeString $description | printf "%q" }},
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "{{ .PrimaryURL }}"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "{{ $target }}",
-                "Partition": "aws",
-                "Region": "{{ getEnv "AWS_REGION" }}",
-                "Details": {
-                    "Container": { "ImageName": "{{ $target }}" },
-                    "Other": {
-                        "CVE ID": "{{ .VulnerabilityID }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
-                        "PkgName": "{{ .PkgName }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
-                        "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- $image := .Target -}}
+    {{- if gt (len $image) 127 -}}
+        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
+    {{- end}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 512 -}}
+        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            {{ if not (empty .PrimaryURL) -}}
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            {{ end -}}
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $image }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
                     }
                 }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-   {{- end -}}
-  {{- end }}
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Misconfigurations -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+            {{- $description := .Description -}}
+            {{- if gt (len $description ) 512 -}}
+                {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+            {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .ID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .ID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "{{ .Resolution }}",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Message": "{{ .Message }}",
+                            "Filename": "{{ $target }}",
+                            "StartLine": "{{ .CauseMetadata.StartLine }}",
+                            "EndLine": "{{ .CauseMetadata.EndLine }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Secrets -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Sensitive Data Identifications" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Filename": "{{ $target }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+      {{- end }}
+    ]
+}

contrib/example_policy/advanced.rego

@@ -5,30 +5,42 @@ import data.lib.trivy
 default ignore = false
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 ignore {
 	input.PkgName == "openssl"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }
 
 ignore {
@@ -50,11 +62,11 @@ ignore {
 	input.PkgName == "bash"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
 	input.PkgName == "django"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
 	input.PkgName == "jquery"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS

contrib/example_policy/basic.rego

@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 ignore {
@@ -22,20 +26,29 @@ ignore {
 
 # Ignore a vulnerability which is not remotely exploitable
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.AttackVector != "Network"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.AttackVector != "Network"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.AttackVector != "Network"
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 # Ignore CSRF

contrib/gitlab-codequality.tpl

@@ -0,0 +1,103 @@
+{{- /* Template based on https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types */ -}}
+[
+  {{- $t_first := true }}
+  {{- range . }}
+  {{- $target := .Target }}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .CauseMetadata.StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+  {{- end }}
+]

contrib/gitlab.tpl

@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
   "vulnerabilities": [
   {{- $t_first := true }}
   {{- range . }}
   {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
     {{- range .Vulnerabilities -}}
     {{- if $t_first -}}
       {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                   {{-  else -}}
                     "{{ .Severity }}"
                   {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
       "solution": {{ if .FixedVersion -}}
                     "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                   {{- else -}}
@@ -51,7 +50,7 @@
         },
         {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
         "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
       },
       "identifiers": [
         {
@@ -71,7 +70,7 @@
           ,
         {{- end -}}
         {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
         }
         {{- end }}
       ]

contrib/html.tpl

@@ -52,7 +52,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
     </script>
   </head>
   <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
     <table>
     {{- range . }}
       <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

contrib/install.sh

@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
   log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
   log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
   log_priority 3 || return 0

contrib/junit.tpl

@@ -1,8 +1,8 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
-    <testsuite tests="1" failures="{{ $failures }}" time="" name="{{  .Target }}">
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
     {{- if not (eq .Type "") }}
         <properties>
             <property name="type" value="{{ .Type }}"></property>
@@ -10,9 +10,22 @@
         {{- end -}}
         {{ range .Vulnerabilities }}
         <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
-            <failure message={{escapeXML .Title | printf "%q" }} type="description">{{escapeXML .Description | printf "%q" }}</failure>
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
         </testcase>
     {{- end }}
     </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>

contrib/sarif.tpl

@@ -1,81 +0,0 @@
-{
-  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json",
-  "version": "2.1.0",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "Trivy",
-          "fullName": "Trivy Vulnerability Scanner",
-          "rules": [
-        {{- $t_first := true }}
-        {{- range . }}
-            {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": "[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}",
-              "name": "dockerfile_scan",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
-            {{- end -}}
-         {{- end -}}
-          ]
-        }
-      },
-      "results": [
-    {{- $t_first := true }}
-    {{- range . }}
-        {{- range $index, $vulnerability := .Vulnerabilities -}}
-          {{- if $t_first -}}
-            {{- $t_first = false -}}
-          {{ else -}}
-            ,
-          {{- end }}
-        {
-          "ruleId": "[{{ $vulnerability.Vulnerability.Severity }}] {{ $vulnerability.VulnerabilityID }}",
-          "ruleIndex": {{ $index }},
-          "level": "error",
-          "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "Dockerfile"
-              },
-              "region": {
-                "startLine": 1,
-                "startColumn": 1,
-                "endColumn": 1
-              }
-            }
-          }]
-        }
-        {{- end -}}
-      {{- end -}}
-      ],
-      "columnKind": "utf16CodeUnits"
-    }
-  ]
-}

docs/air-gap.md

@@ -1,55 +0,0 @@
-# Air-gapped environment
-Trivy can be used in air-gapped environments.
-
-## Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-Go to [trivy-db](https://github.com/aquasecurity/trivy-db/releases) and download `trivy-offline.db.tgz` in the latest release.
-If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
-
-```
-$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
-```
-
-
-## Transfer the DB file into the air-gapped environment
-The way of transfer depends on the environment.
-
-```
-$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
-```
-
-## Put the DB file in Trivy's cache directory
-You have to know where to put the DB file. The following command shows the default cache directory.
-
-```
-$ ssh user@host
-$ trivy -h | grep cache
-   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
-```
-
-Put the DB file in the cache directory + `/db`.
-
-```
-$ mkdir -p /home/myuser/.cache/trivy/db
-$ cd /home/myuser/.cache/trivy/db
-$ mv /path/to/trivy-offline.db.tgz .
-```
-
-Then, decompress it.
-`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
-
-```
-$ tar xvf trivy-offline.db.tgz
-x trivy.db
-x metadata.json
-$ rm trivy-offline.db.tgz
-```
-
-In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
-
-## Run Trivy with --skip-update option
-In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
-
-```
-$ trivy image --skip-update alpine:3.12
-```

docs/build/Dockerfile

@@ -0,0 +1,10 @@
+FROM squidfunk/mkdocs-material:8.3.9
+
+## If you want to see exactly the same version as is published to GitHub pages
+## use a private image for insiders, which requires authentication.
+
+# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
+# FROM ghcr.io/squidfunk/mkdocs-material-insiders
+
+COPY requirements.txt .
+RUN pip install -r requirements.txt

docs/build/requirements.txt

@@ -0,0 +1,30 @@
+click==8.1.2
+csscompressor==0.9.5
+ghp-import==2.0.2
+htmlmin==0.1.12
+importlib-metadata==4.11.3
+Jinja2==3.1.1
+jsmin==3.0.1
+Markdown==3.3.6
+MarkupSafe==2.1.1
+mergedeep==1.3.4
+mike==1.1.2
+mkdocs==1.3.0
+mkdocs-macros-plugin==0.7.0
+mkdocs-material==8.3.9
+mkdocs-material-extensions==1.0.3
+mkdocs-minify-plugin==0.5.0
+mkdocs-redirects==1.0.4
+packaging==21.3
+Pygments==2.12.0
+pymdown-extensions==9.5
+pyparsing==3.0.8
+python-dateutil==2.8.2
+PyYAML==6.0
+pyyaml-env-tag==0.1
+six==1.16.0
+termcolor==1.1.0
+verspec==0.1.0
+watchdog==2.1.7
+zipp==3.8.0
+

docs/community/contribute/issue.md

@@ -0,0 +1,31 @@
+Thank you for taking interest in contributing to Trivy!
+
+- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
+- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
+- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
+
+## Wrong detection
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Sometime these databases contain mistakes.
+
+If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
+
+1. Run Trivy with `-f json` that shows data sources.
+2. According to the shown data source, make sure that the security advisory in the data source is correct.
+
+If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
+
+### GitHub Advisory Database
+Visit [here](https://github.com/advisories) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
+ 
+### GitLab Advisory Database
+Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
+ 
+### Red Hat CVE Database
+Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
+

docs/community/contribute/pr.md

@@ -0,0 +1,175 @@
+Thank you for taking interest in contributing to Trivy!
+
+1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
+1. Please add the associated Issue link in the PR description.
+1. Your PR is more likely to be accepted if it focuses on just one change.
+1. There's no need to add or tag reviewers.
+1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+1. Please include a comment with the results before and after your change.
+1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+
+- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+- **docs** for changes to the documentation.
+- **style** for formatting changes, missing semicolons, etc.
+- **refactor** for refactoring production code, e.g. renaming a variable.
+- **test** for adding missing tests, refactoring tests; no production code change.
+- **build** for updating build configuration, development tools or other changes irrelevant to the user.
+- **chore** for updates that do not apply to the above, such as dependency updates.
+- **ci** for changes to CI configuration files and scripts
+- **revert** for revert to a previous commit
+
+**Allowed `<scope>` values:**
+
+checks:
+
+- vuln
+- misconf
+- secret
+- license
+
+mode:
+
+- image
+- fs
+- repo
+- sbom
+- k8s
+- server
+- aws
+- vm
+
+os:
+
+- alpine
+- redhat
+- alma
+- rocky
+- mariner
+- oracle
+- debian
+- ubuntu
+- amazon
+- suse
+- photon
+- distroless
+
+language:
+
+- ruby
+- php
+- python
+- nodejs
+- rust
+- dotnet
+- java
+- go
+- elixir
+- dart
+
+vuln:
+
+- os
+- lang
+
+config:
+
+- kubernetes
+- dockerfile
+- terraform
+- cloudformation
+
+container
+
+- docker
+- podman
+- containerd
+- oci
+
+cli:
+
+- cli
+- flag
+
+SBOM:
+
+- cyclonedx
+- spdx
+- purl
+
+others:
+
+- helm
+- report
+- db
+- deps
+
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```
+
+## Understand where your pull request belongs
+
+Trivy is composed of several repositories that work together:
+
+- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
+- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
+- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

docs/community/maintainer/triage.md

@@ -1,7 +1,10 @@
+# Triage
+
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
 
 Triage includes:
+
 - Labeling issues
 - Responding to issues
 - Closing issues
@@ -185,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 
-We have specific [guidelines](/docs/contrib/help-wanted.md)
+We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 

docs/docs/advanced/air-gap.md

@@ -0,0 +1,142 @@
+# Air-Gapped Environment
+
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
+At first, you need to download the vulnerability database for use in air-gapped environments.
+
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+
+=== "oras >= v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+### Download the Java index database[^1]
+Java users also need to download the Java index database for use in air-gapped environments.
+
+!!! note
+    You container image may contain JAR files even though you don't use Java directly.
+    In that case, you also need to download the Java index database.
+
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
+    tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+=== "oras >= v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+    ```
+
+=== "oras < v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
+    ```
+
+
+### Transfer the DB files into the air-gapped environment
+The way of transfer depends on the environment.
+
+=== "Vulnerability db"
+    ```
+    $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
+    ```
+
+=== "Java index db[^1]"
+    ```
+    $ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
+    ```
+
+### Put the DB files in Trivy's cache directory
+You have to know where to put the DB files. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+=== "Vulnerability db"
+    Put the DB file in the cache directory + `/db`.
+    
+    ```
+    $ mkdir -p /home/myuser/.cache/trivy/db
+    $ cd /home/myuser/.cache/trivy/db
+    $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
+    x trivy.db
+    x metadata.json
+    $ rm /path/to/db.tar.gz
+    ```
+
+=== "Java index db[^1]"
+    Put the DB file in the cache directory + `/java-db`.
+
+    ```
+    $ mkdir -p /home/myuser/.cache/trivy/java-db
+    $ cd /home/myuser/.cache/trivy/java-db
+    $ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
+    x trivy-java.db
+    x metadata.json
+    $ rm /path/to/javadb.tar.gz
+    ```
+
+
+
+In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
+
+### Run Trivy with the specific flags.
+In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
+In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
+
+```
+$ trivy image --skip-update --skip-java-db-update --offline-scan alpine:3.12
+```
+
+## Air-Gapped Environment for misconfigurations
+
+No special measures are required to detect misconfigurations in an air-gapped environment.
+
+### Run Trivy with `--skip-policy-update` option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
+[allowlist]: ../references/troubleshooting.md
+[oras]: https://oras.land/cli/
+
+[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../vulnerability/languages/java.md)

docs/docs/advanced/container/embed-in-dockerfile.md

@@ -0,0 +1,28 @@
+# Embed in Dockerfile
+
+Scan your image as part of the build process by embedding Trivy in the
+Dockerfile. This approach can be used to update Dockerfiles currently using
+Aqua’s [Microscanner][microscanner].
+
+```bash
+$ cat Dockerfile
+FROM alpine:3.7
+
+RUN apk add curl \
+    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
+    && trivy rootfs --exit-code 1 --no-progress /
+
+$ docker build -t vulnerable-image .
+```
+Alternatively you can use Trivy in a multistage build. Thus avoiding the
+insecure `curl | sh`. Also the image is not changed.
+```bash
+[...]
+# Run vulnerability scan on build image
+FROM build AS vulnscan
+COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
+RUN trivy rootfs --exit-code 1 --no-progress /
+[...]
+```
+
+[microscanner]: https://github.com/aquasecurity/microscanner

docs/docs/advanced/container/unpacked-filesystem.md

@@ -0,0 +1,116 @@
+# Unpacked Filesystem
+
+Scan an unpacked container image filesystem.
+
+In this case, Trivy works the same way when scanning containers
+
+```bash
+$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+$ trivy rootfs /tmp/rootfs
+```
+
+<details>
+<summary>Result</summary>
+
+```bash
+2021-03-08T05:22:26.378Z        INFO    Need to update DB
+2021-03-08T05:22:26.380Z        INFO    Downloading DB...
+20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
+2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
+
+/tmp/rootfs (alpine 3.10.2)
+===========================
+Total: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)
+
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| libcrypto1.1 | CVE-2020-1967    | HIGH     | 1.1.1c-r0         | 1.1.1g-r0     | openssl: Segmentation                 |
+|              |                  |          |                   |               | fault in SSL_check_chain              |
+|              |                  |          |                   |               | causes denial of service              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
++              +------------------+          +                   +---------------+---------------------------------------+
+|              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
++              +------------------+----------+                   +---------------+---------------------------------------+
+|              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
+|              |                  |          |                   |               | encryption vulnerability              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
+|              |                  |          |                   |               | disclosure in fork()                  |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
++              +------------------+          +                   +---------------+---------------------------------------+
+|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
+|              |                  |          |                   |               | modular exponentiation on x86_64      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
++              +------------------+          +                   +---------------+---------------------------------------+
+|              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
+|              |                  |          |                   |               | NULL pointer de-reference             |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
++              +------------------+----------+                   +---------------+---------------------------------------+
+|              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
+|              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
+|              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
++--------------+------------------+----------+                   +---------------+---------------------------------------+
+| libssl1.1    | CVE-2020-1967    | HIGH     |                   | 1.1.1g-r0     | openssl: Segmentation                 |
+|              |                  |          |                   |               | fault in SSL_check_chain              |
+|              |                  |          |                   |               | causes denial of service              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
++              +------------------+          +                   +---------------+---------------------------------------+
+|              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
++              +------------------+----------+                   +---------------+---------------------------------------+
+|              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
+|              |                  |          |                   |               | encryption vulnerability              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
+|              |                  |          |                   |               | disclosure in fork()                  |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
++              +------------------+          +                   +---------------+---------------------------------------+
+|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
+|              |                  |          |                   |               | modular exponentiation on x86_64      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
++              +------------------+          +                   +---------------+---------------------------------------+
+|              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
+|              |                  |          |                   |               | NULL pointer de-reference             |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
++              +------------------+----------+                   +---------------+---------------------------------------+
+|              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
+|              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
+|              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| musl         | CVE-2020-28928   | MEDIUM   | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
+|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
+|              |                  |          |                   |               | combinations of destination buffer... |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
++--------------+                  +          +                   +               +                                       +
+| musl-utils   |                  |          |                   |               |                                       |
+|              |                  |          |                   |               |                                       |
+|              |                  |          |                   |               |                                       |
+|              |                  |          |                   |               |                                       |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+```
+
+</details>

docs/docs/advanced/modules.md

@@ -0,0 +1,358 @@
+# Modules
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy provides a module feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
+It changes the behavior during scanning by WebAssembly.
+
+## Overview
+Trivy modules are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language supporting WebAssembly.
+  - It supports only [TinyGo][tinygo] at the moment.
+
+You can write your own detection logic.
+
+- Evaluate complex vulnerability conditions like [Spring4Shell][spring4shell]
+- Detect a shell script communicating with malicious domains
+- Detect malicious python install script (setup.py)
+- Even detect misconfigurations in WordPress setting
+- etc.
+
+Then, you can update the scan result however you want.
+
+- Change a severity
+- Remove a vulnerability
+- Add a new vulnerability
+- etc.
+
+Modules should be distributed in OCI registries like GitHub Container Registry.
+
+!!! warning
+    WebAssembly doesn't allow file access and network access by default.
+    Modules can read required files only, but cannot overwrite them.
+    WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security.
+    You should install and run third-party modules at your own risk even though 
+
+Under the hood Trivy leverages [wazero][wazero] to run WebAssembly modules without CGO.
+
+## Installing a Module
+A module can be installed using the `trivy module install` command.
+This command takes an url. It will download the module and install it in the module cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- $HOME/.trivy/plugins
+
+For example, to download the WebAssembly module, you can execute the following command:
+
+```bash
+$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
+```
+
+## Using Modules
+Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution.
+The modules may inject custom logic into scanning and change the result.
+You can run Trivy as usual and modules are loaded automatically.
+
+You will see the log messages about WASM modules.
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
+2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
+2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
+...
+2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
+2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
+
+Java (jar)
+
+Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
+
+┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
+│                           Library                            │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                           Title                            │
+├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
+│ org.springframework.boot:spring-boot (helloworld.war)        │ CVE-2022-22965      │ LOW      │ 2.6.3             │ 2.5.12, 2.6.6          │ spring-framework: RCE via Data Binding on JDK 9+           │
+│                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22965                 │
+├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
+...(snip)...
+```
+
+In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of conditions.
+
+## Uninstalling Modules
+Specify a module repository with `trivy module uninstall` command.
+
+```bash
+$ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
+```
+
+## Building Modules
+It supports TinyGo only at the moment.
+
+### TinyGo
+Trivy provides Go SDK including three interfaces.
+Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
+
+```go
+type Module interface {
+    Version() int
+    Name() string
+}
+
+type Analyzer interface {
+    RequiredFiles() []string
+    Analyze(filePath string) (*serialize.AnalysisResult, error)
+}
+
+type PostScanner interface {
+    PostScanSpec() serialize.PostScanSpec
+    PostScan(serialize.Results) (serialize.Results, error)
+}
+```
+
+In the following tutorial, it creates a WordPress module that detects a WordPress version and a critical vulnerability accordingly.
+
+!!! tips
+    You can use logging functions such as `Debug` and `Info` for debugging.
+    See [examples](#examples) for the detail.
+
+#### Initialize your module
+Replace the repository name with yours.
+
+```
+$ go mod init github.com/aquasecurity/trivy-module-wordpress
+```
+
+#### Module interface
+`Version()` returns your module version and should be incremented after updates.
+`Name()` returns your module name.
+
+```go
+package main
+
+const (
+    version = 1
+    name = "wordpress-module"
+)
+
+type WordpressModule struct{
+	// Cannot define fields as modules can't keep state.
+}
+
+func (WordpressModule) Version() int {
+    return version
+}
+
+func (WordpressModule) Name() string {
+    return name
+}
+```
+
+!!! info
+    A struct cannot have any fields. Each method invocation is performed in different states.
+
+#### Analyzer interface
+If you implement the `Analyzer` interface, `Analyze` method is called when the file path is matched to file patterns returned by `RequiredFiles()`.
+A file pattern must be a regular expression. The syntax detail is [here][regexp].
+
+`Analyze` takes the matched file path, then the file can be opened by `os.Open()`.
+
+```go
+const typeWPVersion = "wordpress-version"
+
+func (WordpressModule) RequiredFiles() []string {
+    return []string{
+        `wp-includes\/version.php`,
+    }
+}
+
+func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
+    f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
+    if err != nil {
+        return nil, err
+    }
+    defer f.Close()
+
+    var wpVersion string
+    scanner := bufio.NewScanner(f)
+    for scanner.Scan() {
+        line := scanner.Text()
+        if !strings.HasPrefix(line, "$wp_version=") {
+            continue
+        }
+
+        ss := strings.Split(line, "=")
+        if len(ss) != 2 {
+            return nil, fmt.Errorf("invalid wordpress version: %s", line)
+        }
+
+        // NOTE: it is an example; you actually need to handle comments, etc
+        ss[1] = strings.TrimSpace(ss[1])
+        wpVersion = strings.Trim(ss[1], `";`)
+    }
+
+    if err = scanner.Err(); err != nil {
+        return nil, err
+    }
+	
+    return &serialize.AnalysisResult{
+        CustomResources: []serialize.CustomResource{
+            {
+                Type:     typeWPVersion,
+                FilePath: filePath,
+                Data:     wpVersion,
+            },
+        },
+    }, nil
+}
+```
+
+!!! tips
+    Trivy caches analysis results according to the module version.
+    We'd recommend cleaning the cache or changing the module version every time you update `Analyzer`.
+
+
+#### PostScanner interface
+`PostScan` is called after scanning and takes the scan result as an argument from Trivy.
+In post scanning, your module can perform one of three actions:
+
+- Insert
+    - Add a new security finding
+    - e.g. Add a new vulnerability and misconfiguration
+- Update
+    - Update the detected vulnerability and misconfiguration
+    - e.g. Change a severity
+- Delete
+    - Delete the detected vulnerability and misconfiguration
+    - e.g. Remove Spring4Shell because it is not actually affected.
+ 
+`PostScanSpec()` returns which action the module does.
+If it is `Update` or `Delete`, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
+
+`serialize.Results` contains the filtered results matching IDs you specified.
+Also, it includes `CustomResources` with the values your `Analyze` returns, so you can modify the scan result according to the custom resources.
+
+```go
+func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
+    return serialize.PostScanSpec{
+        Action: api.ActionInsert, // Add new vulnerabilities
+    }
+}
+
+func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+    // e.g. results
+    // [
+    //   {
+    //     "Target": "",
+    //     "Class": "custom",
+    //     "CustomResources": [
+    //       {
+    //         "Type": "wordpress-version",
+    //         "FilePath": "/usr/src/wordpress/wp-includes/version.php",
+    //         "Layer": {
+    //           "DiffID": "sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887"
+    //         },
+    //         "Data": "5.7.1"
+    //       }
+    //     ]
+    //   }
+    // ]   
+    var wpVersion int
+    for _, result := range results {
+        if result.Class != types.ClassCustom {
+            continue
+        }
+		
+        for _, c := range result.CustomResources {
+            if c.Type != typeWPVersion {
+                continue
+            }
+            wpVersion = c.Data.(string)
+            wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
+
+            ...snip...
+			
+            if affectedVersion.Check(ver) {
+                vulnerable = true
+            }
+            break
+        }
+    }
+
+    if vulnerable {
+        // Add CVE-2020-36326
+        results = append(results, serialize.Result{
+            Target: wpPath,
+            Class:  types.ClassLangPkg,
+			Type:   "wordpress",
+            Vulnerabilities: []types.DetectedVulnerability {
+                {
+                    VulnerabilityID:  "CVE-2020-36326",
+                    PkgName:          "wordpress",
+                    InstalledVersion: wpVersion,
+                    FixedVersion:     "5.7.2",
+                    Vulnerability: dbTypes.Vulnerability{
+                        Title:    "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
+                        Severity: "CRITICAL",
+                    },
+                },
+            },
+        })
+    }
+    return results, nil
+}
+```
+
+The new vulnerability will be added to the scan results.
+This example shows how the module inserts a new finding.
+If you are interested in `Update`, you can see an example of [Spring4Shell][trivy-module-spring4shell].
+
+In the `Delete` action, `PostScan` needs to return results you want to delete.
+If `PostScan` returns an empty, Trivy will not delete anything.
+
+#### Build
+Follow [the install guide][tinygo-installation] and install TinyGo.
+
+```bash
+$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+```
+
+Put the built binary to the module directory that is under the home directory by default.
+
+```bash
+$ mkdir -p ~/.trivy/modules
+$ cp spring4shell.wasm ~/.trivy/modules
+```
+
+## Distribute Your Module
+You can distribute your own module in OCI registries. Please follow [the oras installation instruction][oras].
+
+```bash
+oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm
+Uploading 3daa3dac086b wordpress.wasm
+Pushed ghcr.io/aquasecurity/trivy-module-wordpress:latest
+Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
+```
+
+## Examples
+- [Spring4Shell][trivy-module-spring4shell]
+- [WordPress][trivy-module-wordpress]
+
+[regexp]: https://github.com/google/re2/wiki/Syntax
+
+[tinygo]: https://tinygo.org/
+[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
+[wazero]: https://github.com/tetratelabs/wazero
+
+[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
+[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
+
+[tinygo-installation]: https://tinygo.org/getting-started/install/
+[oras]: https://oras.land/cli/

docs/docs/advanced/plugins.md

@@ -0,0 +1,173 @@
+# Plugins
+Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivycode base.
+This plugin system was inspired by the plugin system used in [kubectl][kubectl], [Helm][helm], and [Conftest][conftest].
+
+## Overview
+Trivy plugins are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language.
+- They integrate with Trivy, and will show up in Trivy help and subcommands.
+
+!!! warning
+    Trivy plugins available in public are not audited for security.
+    You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
+
+
+## Installing a Plugin
+A plugin can be installed using the `trivy plugin install` command.
+This command takes a url and will download the plugin and install it in the plugin cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- ~/.trivy/plugins
+
+Under the hood Trivy leverages [go-getter][go-getter] to download plugins.
+This means the following protocols are supported for downloading plugins:
+
+- OCI Registries
+- Local Files
+- Git
+- HTTP/HTTPS
+- Mercurial
+- Amazon S3
+- Google Cloud Storage
+
+For example, to download the Kubernetes Trivy plugin you can execute the following command:
+
+```bash
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
+```
+## Using Plugins
+Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
+A plugin will be made in the Trivy CLI based on the plugin name.
+To display all plugins, you can list them by `trivy --help`
+
+```bash
+$ trivy --help
+NAME:
+   trivy - A simple and comprehensive vulnerability scanner for containers
+
+USAGE:
+   trivy [global options] command [command options] target
+
+VERSION:
+   dev
+
+COMMANDS:
+   image, i          scan an image
+   filesystem, fs    scan local filesystem
+   repository, repo  scan remote repository
+   client, c         client mode
+   server, s         server mode
+   plugin, p         manage plugins
+   kubectl           scan kubectl resources
+   help, h           Shows a list of commands or help for one command
+```
+
+As shown above, `kubectl` subcommand exists in the `COMMANDS` section.
+To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
+
+```
+$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL
+```
+
+Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy.
+You can see the detail [here][trivy-plugin-kubectl].
+
+If you want to omit even the subcommand, you can use `TRIVY_RUN_AS_PLUGIN` environment variable.
+
+```bash
+$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json
+```
+
+## Installing and Running Plugins on the fly
+`trivy plugin run` installs a plugin and runs it on the fly.
+If the plugin is already present in the cache, the installation is skipped.
+
+```bash
+trivy plugin run github.com/aquasecurity/trivy-plugin-kubectl pod your-pod -- --exit-code 1
+```
+
+## Uninstalling Plugins
+Specify a plugin name with `trivy plugin uninstall` command.
+
+```bash
+$ trivy plugin uninstall kubectl
+```
+
+## Building Plugins
+Each plugin has a top-level directory, and then a plugin.yaml file.
+
+```bash
+your-plugin/
+  |
+  |- plugin.yaml
+  |- your-plugin.sh
+```
+
+In the example above, the plugin is contained inside of a directory named `your-plugin`.
+It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
+
+The core of a plugin is a simple YAML file named plugin.yaml.
+Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.
+
+```yaml
+name: "kubectl"
+repository: github.com/aquasecurity/trivy-plugin-kubectl
+version: "0.1.0"
+usage: scan kubectl resources
+description: |-
+  A Trivy plugin that scans the images of a kubernetes resource.
+  Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
+platforms:
+  - selector: # optional
+      os: darwin
+      arch: amd64
+    uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
+    bin: ./trivy-kubectl # path to the execution file
+  - selector: # optional
+      os: linux
+      arch: amd64
+    uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
+    bin: ./trivy-kubectl
+```
+
+The `plugin.yaml` field should contain the following information:
+
+- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
+- version: The version of the plugin. (required)
+- usage: A short usage description. (required)
+- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
+- platforms: (required)
+  - selector: The OS/Architecture specific variations of a execution file. (optional)
+    - os: OS information based on GOOS (linux, darwin, etc.) (optional)
+    - arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
+  - uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
+  - bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
+
+The following rules will apply in deciding which platform to select:
+
+- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
+- If `selector` is not present, the platform will be used.
+- If `os` matches and there is no more specific `arch` match, the platform will be used.
+- If no `platform` match is found, Trivy will exit with an error.
+
+After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
+When the plugin is called via Trivy CLI, `bin` command will be executed.
+
+The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
+
+## Example
+https://github.com/aquasecurity/trivy-plugin-kubectl
+
+[kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
+[helm]: https://helm.sh/docs/topics/plugins/
+[conftest]: https://www.conftest.dev/plugins/
+[go-getter]: https://github.com/hashicorp/go-getter
+[trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
+

docs/docs/advanced/private-registries/acr.md

@@ -0,0 +1,27 @@
+# Requirements
+None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
+
+# Privileges
+Service principal must have the `AcrPull` permissions.
+
+## Creation of a service principal
+```bash
+export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
+```
+
+# Usage
+```bash
+# must set TRIVY_USERNAME empty char
+export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
+export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
+export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
+```
+
+# Testing
+You can test credentials in the following manner.
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
+  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
+```

docs/docs/advanced/private-registries/docker-hub.md

@@ -0,0 +1,7 @@
+Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+You don't need to set ENV vars when download from public repository.
+
+```bash
+export TRIVY_USERNAME={DOCKERHUB_USERNAME}
+export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
+```

docs/docs/advanced/private-registries/ecr.md

@@ -0,0 +1,35 @@
+Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
+You can use [AWS CLI's ENV Vars][env-var].
+
+[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+
+### AWS private registry permissions
+
+You may need to grant permissions to allow Trivy to pull images from private ECR.
+
+It depends on how you want to provide AWS Role to trivy.
+
+- [IAM Role Service account](https://github.com/aws/amazon-eks-pod-identity-webhook)
+- [Kube2iam](https://github.com/jtblin/kube2iam) or [Kiam](https://github.com/uswitch/kiam)
+
+#### IAM Role Service account
+
+Add the AWS role in trivy's service account annotations:
+
+```yaml
+trivy:
+
+  serviceAccount:
+    annotations: {}
+      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+```
+
+#### Kube2iam or Kiam
+
+Add the AWS role to pod's annotations:
+
+```yaml
+podAnnotations: {}
+  ## kube2iam/kiam annotation
+  # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+```

docs/docs/advanced/private-registries/gcr.md

@@ -0,0 +1,40 @@
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
+```bash
+# must set TRIVY_USERNAME empty char
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
+```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```

docs/docs/advanced/private-registries/index.md

@@ -0,0 +1,4 @@
+Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
+That's because it's easy to run in a CI process.
+
+All you have to do is install `Trivy` and set ENV vars.

docs/docs/advanced/private-registries/self.md

@@ -0,0 +1,9 @@
+BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+
+```bash
+export TRIVY_USERNAME={USERNAME}
+export TRIVY_PASSWORD={PASSWORD}
+
+# if you want to use 80 port, use NonSSL
+export TRIVY_NON_SSL=true
+```

docs/docs/attestation/rekor.md

@@ -0,0 +1,147 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+!!! note
+    The public instance of the Rekor maintained by the Sigstore team limits the attestation size.
+    If you are using the public instance, please make sure that your SBOM is small enough.
+    To get more detail, please refer to the Rekor project's [documentation](https://github.com/sigstore/rekor#public-instance).
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat

docs/docs/attestation/sbom.md

@@ -0,0 +1,87 @@
+# SBOM attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+## Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
+```
+
+You can also create attestations of other formatted SBOM.
+
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
+
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
+```
+
+## Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
+```
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

docs/docs/attestation/vuln.md

@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md

docs/docs/compliance/compliance.md

@@ -0,0 +1,70 @@
+# Compliance Reports
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
+
+## Usage
+
+Compliance report is currently supported in the following targets (trivy sub-commands):
+
+- `trivy image`
+- `trivy aws`
+- `trivy k8s`
+
+Add the `--compliance` flag to the command line, and set it's value to desired report.
+For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
+
+### Options
+
+The following flags are compatible with `--compliance` flag and allows customizing it's output:
+
+| flag               | effect                                                                               |
+|--------------------|--------------------------------------------------------------------------------------|
+| `--report summary` | shows a summary of the results. for every control shows the number of failed checks. |
+| `--report all`     | shows fully detailed results. for every control shows where it failed and why.       |
+| `--format table`   | shows results in textual table format (good for human readability).                  |
+| `--format json`    | shows results in json format (good for machine readability).                         |
+
+## Built-in compliance
+
+Trivy has a number of built-in compliance reports that you can asses right out of the box.
+to specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
+
+For the list of built-in compliance reports, please see the relevant section:
+
+- [Docker compliance](../target/container_image.md#compliance)
+- [Kubernetes compliance](../target/kubernetes.md#compliance) 
+- [AWS compliance](../target/aws.md#compliance)
+
+## Custom compliance
+
+You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
+
+```yaml
+spec:
+  id: "k8s-myreport" # report unique identifier. this should not container spaces.
+  title: "My custom Kubernetes report" # report title. Any one-line title.
+  description: "Describe your report" # description of the report. Any text.
+  relatedResources :
+    - https://some.url # useful references. URLs only.
+  version: "1.0" # spec version (string)
+  controls:
+    - name: "Non-root containers" # Name for the control (appears in the report as is). Any one-line name.
+      description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.
+      id: "1.0" # control identifier (string)
+      checks:   # list of existing Trivy checks that define the control
+        - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` 
+      severity: "MEDIUM" # Severity for the control (note that checks severity isn't used)
+    - name: "Immutable container file systems"
+      description: 'Check that container root file system is immutable'
+      id: "1.1"
+      checks:
+        - id: AVD-KSV-0014
+      severity: "LOW"
+```
+
+The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
+
+Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).

docs/docs/index.md

@@ -0,0 +1,5 @@
+# Docs
+
+In this section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
+
+👈 Please use the side-navigation on the left in order to browse the different topics.

docs/docs/licenses/scanning.md

@@ -0,0 +1,320 @@
+# License Scanning
+
+Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
+
+License are classified using the [Google License Classification][google-license-classification] -
+
+ - Forbidden
+ - Restricted 
+ - Reciprocal
+ - Notice
+ - Permissive
+ - Unencumbered
+ - Unknown
+
+!!! tip
+    Licenses that Trivy fails to recognize are classified as UNKNOWN.
+    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
+
+By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
+To enable extended license scanning, you can use `--license-full`.
+In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
+
+!!! note
+    The full license scanning is expensive. It takes a while.
+
+Currently, the standard license scanning doesn't support filesystem and repository scanning.
+
+|   License scanning    | Image | Rootfs    | Filesystem | Repository |
+|:---------------------:|:-----:|:---------:|:----------:|:----------:|
+|       Standard        |  ✅   |     ✅    |   -        |      -     |
+| Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
+
+
+License checking classifies the identified licenses and map the classification to severity.
+
+| Classification | Severity |
+|----------------|----------|
+| Forbidden      | CRITICAL |
+| Restricted     | HIGH     |
+| Reciprocal     | MEDIUM   |
+| Notice         | LOW      |
+| Permissive     | LOW      |
+| Unencumbered   | LOW      |
+| Unknown        | UNKNOWN  |
+
+## Quick start
+This section shows how to scan license in container image and filesystem.
+
+### Standard scanning
+Specify an image name with `--scanners license`.
+
+``` shell
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ apk-tools         │         │                │          │
+├───────────────────┤         │                │          │
+│ busybox           │         │                │          │
+├───────────────────┤         │                │          │
+│ musl-utils        │         │                │          │
+├───────────────────┤         │                │          │
+│ scanelf           │         │                │          │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+```
+
+### Full scanning
+Specify `--license-full`
+
+``` shell
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
+
+┌───────────────────┬───────────────────┬────────────────┬──────────┐
+│      Package      │      License      │ Classification │ Severity │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
+├───────────────────┤                   │                │          │
+│ apk-tools         │                   │                │          │
+├───────────────────┼───────────────────┤                │          │
+│ bash              │ GPL-3.0           │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┤                │          │
+│ libaio            │ LGPL-2.1-or-later │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
+└───────────────────┴───────────────────┴────────────────┴──────────┘
+
+Loose File License(s) (license)
+===============================
+Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
+
+┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
+│ Classification │ Severity │   License    │                        File Location                         │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
+│                │          │              │                                                              │
+│                │          │              │                                                              │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
+│                │          │              │ 41a80.js.LICENSE.txt                                         │
+└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Trivy has number of configuration flags for use with license scanning;
+                                 
+### Ignored Licenses
+
+Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
+
+```shell
+$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 2 (HIGH: 2, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+
+```
+
+### Custom Classification
+You can generate the default config by the `--generate-default-config` flag and customize the license classification.
+For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
+
+```shell
+$ trivy image --generate-default-config
+$ vim trivy.yaml
+license:
+  forbidden:
+  - AGPL-3.0
+  
+  restricted:
+  - AGPL-1.0
+  - CC-BY-NC-1.0
+  - CC-BY-NC-2.0
+  - CC-BY-NC-2.5
+  - CC-BY-NC-3.0
+  - CC-BY-NC-4.0
+  - CC-BY-NC-ND-1.0
+  - CC-BY-NC-ND-2.0
+  - CC-BY-NC-ND-2.5
+  - CC-BY-NC-ND-3.0
+  - CC-BY-NC-ND-4.0
+  - CC-BY-NC-SA-1.0
+  - CC-BY-NC-SA-2.0
+  - CC-BY-NC-SA-2.5
+  - CC-BY-NC-SA-3.0
+  - CC-BY-NC-SA-4.0
+  - Commons-Clause
+  - Facebook-2-Clause
+  - Facebook-3-Clause
+  - Facebook-Examples
+  - WTFPL
+  - BCL
+  - CC-BY-ND-1.0
+  - CC-BY-ND-2.0
+  - CC-BY-ND-2.5
+  - CC-BY-ND-3.0
+  - CC-BY-ND-4.0
+  - CC-BY-SA-1.0
+  - CC-BY-SA-2.0
+  - CC-BY-SA-2.5
+  - CC-BY-SA-3.0
+  - CC-BY-SA-4.0
+  - GPL-1.0
+  - GPL-2.0
+  - GPL-2.0-with-autoconf-exception
+  - GPL-2.0-with-bison-exception
+  - GPL-2.0-with-classpath-exception
+  - GPL-2.0-with-font-exception
+  - GPL-2.0-with-GCC-exception
+  - GPL-3.0
+  - GPL-3.0-with-autoconf-exception
+  - GPL-3.0-with-GCC-exception
+  - LGPL-2.0
+  - LGPL-2.1
+  - LGPL-3.0
+  - NPL-1.0
+  - NPL-1.1
+  - OSL-1.0
+  - OSL-1.1
+  - OSL-2.0
+  - OSL-2.1
+  - OSL-3.0
+  - QPL-1.0
+  - Sleepycat
+  
+  reciprocal:
+  - APSL-1.0
+  - APSL-1.1
+  - APSL-1.2
+  - APSL-2.0
+  - CDDL-1.0
+  - CDDL-1.1
+  - CPL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - FreeImage
+  - IPL-1.0
+  - MPL-1.0
+  - MPL-1.1
+  - MPL-2.0
+  - Ruby
+  
+  notice:
+  - AFL-1.1
+  - AFL-1.2
+  - AFL-2.0
+  - AFL-2.1
+  - AFL-3.0
+  - Apache-1.0
+  - Apache-1.1
+  - Apache-2.0
+  - Artistic-1.0-cl8
+  - Artistic-1.0-Perl
+  - Artistic-1.0
+  - Artistic-2.0
+  - BSL-1.0
+  - BSD-2-Clause-FreeBSD
+  - BSD-2-Clause-NetBSD
+  - BSD-2-Clause
+  - BSD-3-Clause-Attribution
+  - BSD-3-Clause-Clear
+  - BSD-3-Clause-LBNL
+  - BSD-3-Clause
+  - BSD-4-Clause
+  - BSD-4-Clause-UC
+  - BSD-Protection
+  - CC-BY-1.0
+  - CC-BY-2.0
+  - CC-BY-2.5
+  - CC-BY-3.0
+  - CC-BY-4.0
+  - FTL
+  - ISC
+  - ImageMagick
+  - Libpng
+  - Lil-1.0
+  - Linux-OpenIB
+  - LPL-1.02
+  - LPL-1.0
+  - MS-PL
+  - MIT
+  - NCSA
+  - OpenSSL
+  - PHP-3.01
+  - PHP-3.0
+  - PIL
+  - Python-2.0
+  - Python-2.0-complete
+  - PostgreSQL
+  - SGI-B-1.0
+  - SGI-B-1.1
+  - SGI-B-2.0
+  - Unicode-DFS-2015
+  - Unicode-DFS-2016
+  - Unicode-TOU
+  - UPL-1.0
+  - W3C-19980720
+  - W3C-20150513
+  - W3C
+  - X11
+  - Xnet
+  - Zend-2.0
+  - zlib-acknowledgement
+  - Zlib
+  - ZPL-1.1
+  - ZPL-2.0
+  - ZPL-2.1
+  
+  unencumbered:
+  - CC0-1.0
+  - Unlicense
+  - 0BSD
+  
+  permissive: []
+```
+
+
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/misconfiguration/custom/combine.md

@@ -0,0 +1,44 @@
+# Combined input
+
+## Overview
+Trivy usually scans each configuration file individually. 
+Sometimes it might be useful to compare values from different configuration files simultaneously.
+
+When `combine` is set to true, all config files under the specified directory are combined into one input data structure.
+
+!!! example
+    ```
+    __rego_input__ := {
+        "combine": false,
+    }
+    ```
+
+In "combine" mode, the `input` document becomes an array, where each element is an object with two fields:
+
+- `"path": "path/to/file"`: the relative file path of the respective file
+- `"contents": ...`: the parsed content of the respective file
+
+Now you can ensure that duplicate values match across the entirety of your configuration files.
+
+## Return value
+In "combine" mode, the `deny` entrypoint must return an object with two keys
+
+`filepath` (required)
+: the relative file path of the file being evaluated
+
+`msg` (required)
+: the message describing an issue
+
+!!! example
+    ```
+    deny[res] {
+        resource := input[i].contents
+        ... some logic ...
+
+    	res := {
+    		"filepath": input[i].path,
+    		"msg": "something bad",
+    	}
+    }
+    ```
+

docs/docs/misconfiguration/custom/data.md

@@ -0,0 +1,35 @@
+# Custom Data
+
+Custom policies may require additional data in order to determine an answer.
+
+For example, an allowed list of resources that can be created. 
+Instead of hardcoding this information inside of your policy, Trivy allows passing paths to data files with the `--data` flag.
+
+Given the following yaml file:
+
+```bash
+$ cd examples/misconf/custom-data
+$ cat data/ports.yaml                                                                                                                                                                      [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]
+services:
+  ports:
+    - "20"
+    - "20/tcp"
+    - "20/udp"
+    - "23"
+    - "23/tcp"
+```
+
+This can be imported into your policy:
+
+```rego
+import data.services
+
+ports := services.ports
+```
+
+Then, you need to pass data paths through `--data` option.
+Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
+
+```bash
+$ trivy conf --policy ./policy --data data --namespaces user ./configs
+```

docs/docs/misconfiguration/custom/debug.md

@@ -0,0 +1,304 @@
+# Debugging policies
+When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
+For this purpose you can use the `--trace` flag.
+This will output a large trace from Open Policy Agent like the following:
+
+!!! tip
+    Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
+
+```shell
+$ trivy conf --trace configs/
+2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1
+
+Dockerfile (dockerfile)
+=======================
+Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
+
+MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+
+See https://avd.aquasec.com/misconfig/ds001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:1
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   1 [ FROM alpine:latest
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+HIGH: Last USER command in Dockerfile should not be 'root'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:3
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   3 [ USER root
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+ID: DS001
+File: Dockerfile
+Namespace: builtin.dockerfile.DS001
+Query: data.builtin.dockerfile.DS001.deny
+Message: Specify a tag in the 'FROM' statement for image 'alpine'
+TRACE  Enter data.builtin.dockerfile.DS001.deny = _
+TRACE  | Eval data.builtin.dockerfile.DS001.deny = _
+TRACE  | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)
+TRACE  | Enter data.builtin.dockerfile.DS001.deny
+TRACE  | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]
+TRACE  | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)
+TRACE  | | Enter data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]
+TRACE  | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)
+TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Eval from = data.lib.docker.from[_]
+TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | Enter data.lib.docker.from
+TRACE  | | | | | Eval instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Exit data.lib.docker.from
+TRACE  | | | | Redo data.lib.docker.from
+TRACE  | | | | | Redo instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Fail instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Fail instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | Eval name = from.Value[0]
+TRACE  | | | | Eval not startswith(name, "$")
+TRACE  | | | | Enter startswith(name, "$")
+TRACE  | | | | | Eval startswith(name, "$")
+TRACE  | | | | | Fail startswith(name, "$")
+TRACE  | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
+TRACE  | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Eval split(name, ":", __local504__)
+TRACE  | | | | | Eval [img, tag] = __local504__
+TRACE  | | | | | Exit data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | Eval [img, tag] = __local505__
+TRACE  | | | | Eval output = {"cmd": from, "img": img, "tag": tag}
+TRACE  | | | | Exit data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | Redo data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Redo output = {"cmd": from, "img": img, "tag": tag}
+TRACE  | | | | Redo [img, tag] = __local505__
+TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
+TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Redo [img, tag] = __local504__
+TRACE  | | | | | Redo split(name, ":", __local504__)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Eval tag = "latest"
+TRACE  | | | | | Eval not contains(img, ":")
+TRACE  | | | | | Enter contains(img, ":")
+TRACE  | | | | | | Eval contains(img, ":")
+TRACE  | | | | | | Exit contains(img, ":")
+TRACE  | | | | | Redo contains(img, ":")
+TRACE  | | | | | | Redo contains(img, ":")
+TRACE  | | | | | Fail not contains(img, ":")
+TRACE  | | | | | Redo tag = "latest"
+TRACE  | | | | Redo name = from.Value[0]
+TRACE  | | | | Redo from = data.lib.docker.from[_]
+TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Eval from = data.lib.docker.from[i]
+TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | Eval name = from.Value[0]
+TRACE  | | | | Eval cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Redo name = from.Value[0]
+TRACE  | | | | Redo from = data.lib.docker.from[i]
+TRACE  | | | Eval __local752__ = output.img
+TRACE  | | | Eval neq(__local752__, "scratch")
+TRACE  | | | Eval __local753__ = output.img
+TRACE  | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.is_alias
+TRACE  | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]
+TRACE  | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)
+TRACE  | | | | | Enter data.builtin.dockerfile.DS001.get_aliases
+TRACE  | | | | | | Eval from_cmd = data.lib.docker.from[_]
+TRACE  | | | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | | | Eval __local749__ = from_cmd.Value
+TRACE  | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
+TRACE  | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)
+TRACE  | | | | | | Enter data.builtin.dockerfile.DS001.get_alias
+TRACE  | | | | | | | Eval __local748__ = values[i]
+TRACE  | | | | | | | Eval lower(__local748__, __local501__)
+TRACE  | | | | | | | Eval "as" = __local501__
+TRACE  | | | | | | | Fail "as" = __local501__
+TRACE  | | | | | | | Redo lower(__local748__, __local501__)
+TRACE  | | | | | | | Redo __local748__ = values[i]
+TRACE  | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
+TRACE  | | | | | | Redo __local749__ = from_cmd.Value
+TRACE  | | | | | | Redo from_cmd = data.lib.docker.from[_]
+TRACE  | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]
+TRACE  | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | Eval output.tag = "latest"
+TRACE  | | | Exit data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | Redo data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | | Redo output.tag = "latest"
+TRACE  | | | Redo __local753__ = output.img
+TRACE  | | | Redo neq(__local752__, "scratch")
+TRACE  | | | Redo __local752__ = output.img
+TRACE  | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]
+TRACE  | | Eval __local754__ = output.img
+TRACE  | | Eval sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
+TRACE  | | Eval msg = __local509__
+TRACE  | | Eval __local755__ = output.cmd
+TRACE  | | Eval data.lib.docker.result(msg, __local755__, __local510__)
+TRACE  | | Index data.lib.docker.result (matched 1 rule)
+TRACE  | | Enter data.lib.docker.result
+TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Exit data.lib.docker.result
+TRACE  | | Eval res = __local510__
+TRACE  | | Exit data.builtin.dockerfile.DS001.deny
+TRACE  | Redo data.builtin.dockerfile.DS001.deny
+TRACE  | | Redo res = __local510__
+TRACE  | | Redo data.lib.docker.result(msg, __local755__, __local510__)
+TRACE  | | Redo data.lib.docker.result
+TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | Redo __local755__ = output.cmd
+TRACE  | | Redo msg = __local509__
+TRACE  | | Redo sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
+TRACE  | | Redo __local754__ = output.img
+TRACE  | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]
+TRACE  | Exit data.builtin.dockerfile.DS001.deny = _
+TRACE  Redo data.builtin.dockerfile.DS001.deny = _
+TRACE  | Redo data.builtin.dockerfile.DS001.deny = _
+TRACE
+
+
+ID: DS002
+File: Dockerfile
+Namespace: builtin.dockerfile.DS002
+Query: data.builtin.dockerfile.DS002.deny
+Message: Last USER command in Dockerfile should not be 'root'
+TRACE  Enter data.builtin.dockerfile.DS002.deny = _
+TRACE  | Eval data.builtin.dockerfile.DS002.deny = _
+TRACE  | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)
+TRACE  | Enter data.builtin.dockerfile.DS002.deny
+TRACE  | | Eval data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)
+TRACE  | | Enter data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user
+TRACE  | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)
+TRACE  | | | Enter data.builtin.dockerfile.DS002.get_user
+TRACE  | | | | Eval user = data.lib.docker.user[_]
+TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
+TRACE  | | | | Enter data.lib.docker.user
+TRACE  | | | | | Eval instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Fail instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Exit data.lib.docker.user
+TRACE  | | | | Redo data.lib.docker.user
+TRACE  | | | | | Redo instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Fail instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | Eval username = user.Value[_]
+TRACE  | | | | Exit data.builtin.dockerfile.DS002.get_user
+TRACE  | | | Redo data.builtin.dockerfile.DS002.get_user
+TRACE  | | | | Redo username = user.Value[_]
+TRACE  | | | | Redo user = data.lib.docker.user[_]
+TRACE  | | | Eval count(__local771__, __local536__)
+TRACE  | | | Eval lt(__local536__, 1)
+TRACE  | | | Fail lt(__local536__, 1)
+TRACE  | | | Redo count(__local771__, __local536__)
+TRACE  | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user
+TRACE  | | Fail data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | Enter data.builtin.dockerfile.DS002.deny
+TRACE  | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
+TRACE  | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)
+TRACE  | | Enter data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | | Eval stage_users = data.lib.docker.stage_user[_]
+TRACE  | | | Index data.lib.docker.stage_user (matched 1 rule)
+TRACE  | | | Enter data.lib.docker.stage_user
+TRACE  | | | | Eval stage = input.stages[stage_name]
+TRACE  | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
+TRACE  | | | | Enter cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | | Eval cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Fail cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Exit cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | Redo cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Fail cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | Exit data.lib.docker.stage_user
+TRACE  | | | Redo data.lib.docker.stage_user
+TRACE  | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
+TRACE  | | | | Redo stage = input.stages[stage_name]
+TRACE  | | | Eval count(stage_users, __local537__)
+TRACE  | | | Eval len = __local537__
+TRACE  | | | Eval minus(len, 1, __local538__)
+TRACE  | | | Eval last = stage_users[__local538__]
+TRACE  | | | Eval user = last.Value[0]
+TRACE  | | | Eval user = "root"
+TRACE  | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | Redo data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | | Redo user = "root"
+TRACE  | | | Redo user = last.Value[0]
+TRACE  | | | Redo last = stage_users[__local538__]
+TRACE  | | | Redo minus(len, 1, __local538__)
+TRACE  | | | Redo len = __local537__
+TRACE  | | | Redo count(stage_users, __local537__)
+TRACE  | | | Redo stage_users = data.lib.docker.stage_user[_]
+TRACE  | | Eval msg = "Last USER command in Dockerfile should not be 'root'"
+TRACE  | | Eval data.lib.docker.result(msg, cmd, __local540__)
+TRACE  | | Index data.lib.docker.result (matched 1 rule)
+TRACE  | | Enter data.lib.docker.result
+TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Exit data.lib.docker.result
+TRACE  | | Eval res = __local540__
+TRACE  | | Exit data.builtin.dockerfile.DS002.deny
+TRACE  | Redo data.builtin.dockerfile.DS002.deny
+TRACE  | | Redo res = __local540__
+TRACE  | | Redo data.lib.docker.result(msg, cmd, __local540__)
+TRACE  | | Redo data.lib.docker.result
+TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | Redo msg = "Last USER command in Dockerfile should not be 'root'"
+TRACE  | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
+TRACE  | Exit data.builtin.dockerfile.DS002.deny = _
+TRACE  Redo data.builtin.dockerfile.DS002.deny = _
+TRACE  | Redo data.builtin.dockerfile.DS002.deny = _
+TRACE
+```

docs/docs/misconfiguration/custom/examples.md

@@ -0,0 +1,296 @@
+# Examples
+
+## Custom Policy
+### Kubernetes
+See [here][k8s].
+
+The custom policy is defined in `user.kubernetes.ID001` package.
+You need to pass the package prefix you want to evaluate through `--namespaces` option.
+In this case, the package prefix should be `user`, `user.kubernetes`, or `user.kubernetes.ID001`.
+
+### Dockerfile
+See [here][dockerfile].
+
+The input will be a dictionary of stages.
+
+#### Single Stage
+
+??? example
+    Dockerfile
+    ```dockerfile
+    FROM foo
+    COPY . /
+    RUN echo hello
+    ```
+
+    Rego Input
+    ```json
+    {
+        "stages": {
+            "foo": [
+                {
+                    "Cmd": "from",
+                    "EndLine": 1,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "FROM foo",
+                    "Stage": 0,
+                    "StartLine": 1,
+                    "SubCmd": "",
+                    "Value": [
+                        "foo"
+                    ]
+                },
+                {
+                    "Cmd": "copy",
+                    "EndLine": 2,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "COPY . /",
+                    "Stage": 0,
+                    "StartLine": 2,
+                    "SubCmd": "",
+                    "Value": [
+                        ".",
+                        "/"
+                    ]
+                },
+                {
+                    "Cmd": "run",
+                    "EndLine": 3,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN echo hello",
+                    "Stage": 0,
+                    "StartLine": 3,
+                    "SubCmd": "",
+                    "Value": [
+                        "echo hello"
+                    ]
+                }
+            ]
+        }
+    }
+    ```
+
+#### Multi Stage
+
+??? example
+    Dockerfile
+    ```dockerfile
+    FROM golang:1.16 AS builder
+    WORKDIR /go/src/github.com/alexellis/href-counter/
+    RUN go get -d -v golang.org/x/net/html
+    COPY app.go .
+    RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+    
+    FROM alpine:latest
+    RUN apk --no-cache add ca-certificates \
+    && apk add --no-cache bash
+    WORKDIR /root/
+    COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+    CMD ["./app"]
+    ```
+
+    Rego Input
+    ```json
+    {
+        "stages": {
+            "alpine:latest": [
+                {
+                    "Cmd": "from",
+                    "EndLine": 7,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "FROM alpine:latest",
+                    "Stage": 1,
+                    "StartLine": 7,
+                    "SubCmd": "",
+                    "Value": [
+                        "alpine:latest"
+                    ]
+                },
+                {
+                    "Cmd": "run",
+                    "EndLine": 9,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash",
+                    "Stage": 1,
+                    "StartLine": 8,
+                    "SubCmd": "",
+                    "Value": [
+                        "apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash"
+                    ]
+                },
+                {
+                    "Cmd": "workdir",
+                    "EndLine": 10,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "WORKDIR /root/",
+                    "Stage": 1,
+                    "StartLine": 10,
+                    "SubCmd": "",
+                    "Value": [
+                        "/root/"
+                    ]
+                },
+                {
+                    "Cmd": "copy",
+                    "EndLine": 11,
+                    "Flags": [
+                        "--from=builder"
+                    ],
+                    "JSON": false,
+                    "Original": "COPY --from=builder /go/src/github.com/alexellis/href-counter/app .",
+                    "Stage": 1,
+                    "StartLine": 11,
+                    "SubCmd": "",
+                    "Value": [
+                        "/go/src/github.com/alexellis/href-counter/app",
+                        "."
+                    ]
+                },
+                {
+                    "Cmd": "cmd",
+                    "EndLine": 12,
+                    "Flags": [],
+                    "JSON": true,
+                    "Original": "CMD [\"./app\"]",
+                    "Stage": 1,
+                    "StartLine": 12,
+                    "SubCmd": "",
+                    "Value": [
+                        "./app"
+                    ]
+                }
+            ],
+            "golang:1.16 AS builder": [
+                {
+                    "Cmd": "from",
+                    "EndLine": 1,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "FROM golang:1.16 AS builder",
+                    "Stage": 0,
+                    "StartLine": 1,
+                    "SubCmd": "",
+                    "Value": [
+                        "golang:1.16",
+                        "AS",
+                        "builder"
+                    ]
+                },
+                {
+                    "Cmd": "workdir",
+                    "EndLine": 2,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "WORKDIR /go/src/github.com/alexellis/href-counter/",
+                    "Stage": 0,
+                    "StartLine": 2,
+                    "SubCmd": "",
+                    "Value": [
+                        "/go/src/github.com/alexellis/href-counter/"
+                    ]
+                    },
+                {
+                    "Cmd": "run",
+                    "EndLine": 3,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN go get -d -v golang.org/x/net/html",
+                    "Stage": 0,
+                    "StartLine": 3,
+                    "SubCmd": "",
+                    "Value": [
+                        "go get -d -v golang.org/x/net/html"
+                    ]
+                },
+                {
+                    "Cmd": "copy",
+                    "EndLine": 4,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "COPY app.go .",
+                    "Stage": 0,
+                    "StartLine": 4,
+                    "SubCmd": "",
+                    "Value": [
+                        "app.go",
+                        "."
+                    ]
+                },
+                {
+                    "Cmd": "run",
+                    "EndLine": 5,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .",
+                    "Stage": 0,
+                    "StartLine": 5,
+                    "SubCmd": "",
+                    "Value": [
+                        "CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app ."
+                    ]
+                }
+            ]
+        }
+    }
+    ```
+
+### Docker Compose
+See [here][compose].
+
+Docker Compose uses YAML format for configurations. You can apply your Rego policies to `docker-compose.yml`.
+
+### HCL
+See [here][hcl].
+
+Trivy parses HCL files and converts into structured data.
+
+!!! warning
+    Terraform HCL files are not supported yet.
+
+### Terraform Plan
+See [here][tfplan].
+
+Use the command [terraform show][terraform-show] to convert the Terraform plan into JSON so that OPA can read the plan.
+
+```bash
+$ terraform init
+$ terraform plan --out tfplan.binary
+$ terraform show -json tfplan.binary > tfplan.json
+```
+
+For more details, see also [OPA document][opa-terraform].
+
+### Serverless Framework
+See [here][serverless].
+
+Server Framework uses YAML format for configurations. You can apply your Rego policies to `serverless.yaml`.
+
+## Custom Data
+See [here][data].
+
+## Combined Input
+See [here][combine].
+
+## Go Testing
+See [here][go-testing].
+
+[k8s]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/kubernetes/
+[dockerfile]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/dockerfile/
+[compose]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/docker-compose/
+[hcl]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/hcl/
+[serverless]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/serverless/
+[tfplan]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/terraform-plan/
+[terraform-show]: https://www.terraform.io/docs/cli/commands/show.html
+[opa-terraform]: https://www.openpolicyagent.org/docs/latest/terraform/
+
+[custom]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy
+[data]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-data
+[combine]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/combine
+[go-testing]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/go-testing
+

docs/docs/misconfiguration/custom/index.md

@@ -0,0 +1,209 @@
+# Custom Policies
+
+## Overview
+You can write custom policies in [Rego][rego].
+Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
+
+``` bash
+trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+```
+
+As for `--namespaces` option, the detail is described as below.
+
+### File formats
+If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
+
+| File format   | File pattern                                              |
+|---------------|-----------------------------------------------------------|
+| JSON          | `*.json`                                                  |
+| YAML          | `*.yaml` and `*.yml`                                      |
+| Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
+| Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
+| Terraform     | `*.tf` and `*.tf.json`                                    |
+
+### Configuration languages
+In the above general file formats, Trivy automatically identifies the following types of configuration files:
+
+- CloudFormation (JSON/YAML)
+- Kubernetes (JSON/YAML)
+- Helm (YAML)
+- Terraform Plan (JSON)
+
+This is useful for filtering inputs, as described below.
+
+## Rego format
+A single package must contain only one policy.
+
+!!!example
+    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
+    package user.kubernetes.ID001
+    
+    deny[res] {
+        input.kind == "Deployment"
+        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
+        res := result.new(msg, input.kind)
+    }
+    ```
+
+In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
+If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
+
+### Policy structure
+
+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
+`package` (required)
+:   - MUST follow the Rego's [specification][package]
+    - MUST be unique per policy
+    - SHOULD include policy id for uniqueness
+    - MAY include the group name such as `kubernetes` for clarity
+        - Group name has no effect on policy evaluation
+
+`deny` (required)
+:   - SHOULD be `deny` or start with `deny_`
+        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
+    - SHOULD return ONE OF:
+        - The result of a call to `result.new(msg, cause)`. The `msg` is a `string` describing the issue occurrence, and the `cause` is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. 
+        - A `string` denoting the detected issue
+            - Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended if `result.new()` is not utilised.
+            - e.g. `{"msg": "deny message", "details": "something"}`
+    
+
+### Package
+A package name must be unique per policy.
+
+!!!example
+    ``` rego
+    package user.kubernetes.ID001
+    ```
+
+By default, only `builtin.*` packages will be evaluated.
+If you define custom packages, you have to specify the package prefix via `--namespaces` option. 
+
+``` bash
+trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+```
+
+In this case, `user.*` will be evaluated.
+Any package prefixes such as `main` and `user` are allowed.
+
+### Metadata
+Metadata helps enrich Trivy's scan results with useful information.
+
+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
+!!!example
+    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
+    ```
+  
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
+
+| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                           |                              | :material-close: | :material-check: |
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
+| url                        | Any characters                           |                              | :material-close: | :material-check: |
+
+
+Some fields are displayed in scan results.
+
+``` bash
+k.yaml (kubernetes)
+───────────────────
+
+Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+LOW: Found deployment 'my-deployment' but deployments are not allowed
+════════════════════════════════════════════════════════════════════════
+Deployments are not allowed because of some reasons.
+────────────────────────────────────────────────────────────────────────
+ k.yaml:1-2
+────────────────────────────────────────────────────────────────────────
+   1 ┌ apiVersion: v1
+   2 └ kind: Deployment
+────────────────────────────────────────────────────────────────────────
+```
+
+### Input
+You can specify input format via the `custom.input` annotation.
+
+!!!example
+    ``` rego
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
+    ```
+
+`combine` (boolean)
+: The details are [here](combine.md).
+
+`selector` (array)
+:   This option filters the input by file format or configuration language. 
+    In the above example, Trivy passes only Kubernetes files to this policy.
+    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
+
+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
+    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
+    When a configuration language is identified, it will overwrite `type`.
+    
+    !!! example
+        `pod.yaml` including Kubernetes Pod will be handled as `kubernetes`, not `yaml`.
+        `type` is overwritten by `kubernetes` from `yaml`.
+
+    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
+
+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)

docs/docs/misconfiguration/custom/testing.md

@@ -0,0 +1,90 @@
+# Testing
+It is highly recommended to write tests for your custom policies.
+
+## Rego testing
+To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. 
+By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
+
+For more details, see [Policy Testing][opa-testing].
+
+!!! example
+    ```
+    package user.dockerfile.ID002
+
+    test_add_denied {
+        r := deny with input as {"stages": {"alpine:3.13": [
+            {"Cmd": "add", "Value": ["/target/resources.tar.gz", "resources.jar"]},
+            {"Cmd": "add", "Value": ["/target/app.jar", "app.jar"]},
+        ]}}
+
+        count(r) == 1
+        r[_] == "Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'"
+    }
+    ```
+
+To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
+
+## Go testing
+[Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
+You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
+This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
+
+In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
+
+!!! tip
+    We recommend writing OPA and Go tests both since they have different roles, like unit tests and integration tests.
+
+The following example stores allowed and denied configuration files in a directory.
+`Successes` contains the result of successes, and `Failures` contains the result of failures.
+
+``` go
+{
+	name:  "disallowed ports",
+	input: "configs/",
+	fields: fields{
+		policyPaths: []string{"policy"},
+		dataPaths:   []string{"data"},
+		namespaces:  []string{"user"},
+	},
+	want: []types.Misconfiguration{
+		{
+			FileType: types.Dockerfile,
+			FilePath: "Dockerfile.allowed",
+			Successes: types.MisconfResults{
+				{
+					Namespace: "user.dockerfile.ID002",
+					PolicyMetadata: types.PolicyMetadata{
+						ID:          "ID002",
+						Type:        "Docker Custom Check",
+						Title:       "Disallowed ports exposed",
+						Severity:    "HIGH",
+					},
+				},
+			},
+		},
+		{
+			FileType: types.Dockerfile,
+			FilePath: "Dockerfile.denied",
+			Failures: types.MisconfResults{
+				{
+					Namespace: "user.dockerfile.ID002",
+					Message:   "Port 23 should not be exposed",
+					PolicyMetadata: types.PolicyMetadata{
+						ID:          "ID002",
+						Type:        "Docker Custom Check",
+						Title:       "Disallowed ports exposed",
+						Severity:    "HIGH",
+					},
+				},
+			},
+		},
+	},
+},
+```
+
+`Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
+
+[opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
+[defsec]: https://github.com/aquasecurity/defsec
+[table]: https://github.com/golang/go/wiki/TableDrivenTests
+[fanal]: https://github.com/aquasecurity/fanal

docs/docs/misconfiguration/options/filter.md

@@ -0,0 +1,60 @@
+# Filter Misconfigurations
+
+## By Severity
+
+Use `--severity` option.
+
+```bash
+trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
+```
+
+<details>
+<summary>Result</summary>
+
+```shell
+2022-05-16T13:50:42.718+0100	INFO	Detected config files: 3
+
+Dockerfile (dockerfile)
+=======================
+Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 1, CRITICAL: 0)
+
+HIGH: Last USER command in Dockerfile should not be 'root'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:3
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   3 [ USER root
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+deployment.yaml (kubernetes)
+============================
+Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
+Failures: 0 (HIGH: 0, CRITICAL: 0)
+
+
+main.tf (terraform)
+===================
+Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 0, CRITICAL: 1)
+
+CRITICAL: Classic resources should not be used.
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
+resources in a VPC instead.
+
+See https://avd.aquasec.com/misconfig/avd-aws-0081
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ main.tf:2-4
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   2 ┌ resource "aws_db_security_group" "sg" {
+   3 │
+   4 └ }
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+</details>

docs/docs/misconfiguration/options/others.md

@@ -0,0 +1,4 @@
+# Others
+
+!!! hint
+    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.

docs/docs/misconfiguration/options/policy.md

@@ -0,0 +1,35 @@
+# Policy
+
+## Pass custom policies
+You can pass directories including your custom policies through `--policy` option.
+This can be repeated for specifying multiple directories.
+
+```bash
+cd examplex/misconf/
+trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
+```
+
+For more details, see [Custom Policies](../custom/index.md).
+
+!!! tip
+    You also need to specify `--namespaces` option.
+
+## Pass custom data
+You can pass directories including your custom data through `--data` option.
+This can be repeated for specifying multiple directories.
+
+```bash
+cd examples/misconf/custom-data
+trivy conf --policy ./policy --data ./data --namespaces user ./configs
+```
+
+For more details, see [Custom Data](../custom/data.md).
+
+## Pass namespaces
+By default, Trivy evaluates policies defined in `builtin.*`.
+If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
+This can be repeated for specifying multiple packages.
+
+``` bash
+trivy conf --policy ./policy --namespaces main --namespaces user ./configs
+```

docs/docs/misconfiguration/options/report.md

@@ -0,0 +1,6 @@
+# Report Formats
+
+See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
+
+!!! caution
+    Misconfiguration scanning doesn't support default templates such as XML for now.

docs/docs/misconfiguration/options/values.md

@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting specific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```

docs/docs/misconfiguration/policy/builtin.md

@@ -0,0 +1,38 @@
+# Built-in Policies
+
+## Policy Sources
+
+Built-in policies are mainly written in [Rego][rego] and Go.
+Those policies are managed under [defsec repository][defsec].
+
+| Config type               | Source               |
+|---------------------------|----------------------|
+| Kubernetes                | [defsec][kubernetes] |
+| Dockerfile, Containerfile | [defsec][docker]     |
+| Terraform                 | [defsec][defsec]     |
+| CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
+| Helm Chart                | [defsec][kubernetes] |      
+| RBAC                      | [defsec][rbac]       |      
+
+For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
+
+Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.
+
+Ansible scanning is coming soon.
+
+## Policy Distribution
+defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
+If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
+
+## Update Interval
+Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[defsec]: https://github.com/aquasecurity/defsec
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
+[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
+[ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec

docs/docs/misconfiguration/policy/exceptions.md

@@ -0,0 +1,98 @@
+# Exceptions
+Exceptions let you specify cases where you allow policy violations.
+Trivy supports two types of exceptions.
+
+!!! info
+    Exceptions can be applied to built-in policies as well as custom policies.
+
+## Namespace-based exceptions
+There are some cases where you need to disable built-in policies partially or fully.
+Namespace-based exceptions lets you rough choose which individual packages to exempt.
+
+To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
+The `exception` rule must be defined under `namespace.exceptions`.
+`data.namespaces` includes all package names.
+
+
+!!! example
+    ``` rego
+    package namespace.exceptions
+
+    import data.namespaces
+        
+    exception[ns] {
+        ns := data.namespaces[_]
+        startswith(ns, "builtin.kubernetes")
+    }
+    ```
+
+This example exempts all built-in policies for Kubernetes.
+
+For more details, see [an example][ns-example].
+
+## Rule-based exceptions
+There are some cases where you need more flexibility and granularity in defining which cases to exempt.
+Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
+
+To use rule-based exceptions, create a Rego rule with the name `exception` that returns the rule name suffixes to exempt, prefixed by `deny_` (for example, returning `foo` will exempt `deny_foo`). 
+The rule can make any other assertion, for example, on the input or data documents. 
+This is useful to specify the exemption for a specific case.
+
+Note that if you specify the empty string, the exception will match all rules named `deny`.
+
+```
+exception[rules] {
+    # Logic
+
+    rules = ["foo","bar"]
+}
+```
+
+The above would provide an exception from `deny_foo` and `deny_bar`.
+
+
+!!! example
+    ```
+    package user.kubernetes.ID100
+
+    __rego_metadata := {
+        "id": "ID100",
+        "title": "Deployment not allowed",
+        "severity": "HIGH",
+        "type": "Kubernetes Custom Check",
+    }
+    
+    deny_deployment[msg] {
+        input.kind == "Deployment"
+    	msg = sprintf("Found deployment '%s' but deployments are not allowed", [name])
+    }
+    
+    exception[rules] {
+        input.kind == "Deployment"
+        input.metadata.name == "allow-deployment"
+        
+        rules := ["deployment"]
+    }
+    ```
+
+If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
+
+!!! example
+    ``` rego
+    package builtin.kubernetes.KSV012
+
+    exception[rules] {
+        input.metadata.name == "can-run-as-root"
+        rules := [""]
+    }
+    ```
+
+This exception is applied to [KSV012][ksv012] in defsec.
+You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
+
+For more details, see [an example][rule-example].
+
+[ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
+[rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
+[ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
+[defsec]: https://github.com/aquasecurity/defsec/

docs/docs/misconfiguration/scanning.md

@@ -0,0 +1,319 @@
+# Misconfiguration Scanning
+Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
+In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].
+
+![misconf](../../imgs/misconf.png)
+
+## Quick start
+
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
+
+``` bash
+$ trivy config [YOUR_IaC_DIRECTORY]
+```
+
+
+!!! example
+    ```
+    $ ls build/
+    Dockerfile
+    $ trivy config ./build
+    2022-05-16T13:29:29.952+0100	INFO	Detected config files: 1
+    
+    Dockerfile (dockerfile)
+    =======================
+    Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
+    Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+    
+    MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
+    ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+    
+    See https://avd.aquasec.com/misconfig/ds001
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    Dockerfile:1
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    1 [ FROM alpine:latest
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    ```
+
+You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
+
+```bash
+$ trivy image --scanners config IMAGE_NAME
+```
+
+```bash
+$ trivy fs --scanners config /path/to/dir
+```
+
+!!! note
+    Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
+
+Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
+You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
+
+
+!!! example
+    ``` bash
+    $ ls myapp/
+    Dockerfile Pipfile.lock
+    $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
+    2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
+    2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
+    2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
+    
+    Pipfile.lock (pipenv)
+    =====================
+    Total: 1 (HIGH: 1, CRITICAL: 0)
+    
+    ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
+    │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
+    ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
+    │ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via │
+    │          │                │          │                   │               │ malicious header                                          │
+    │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                │
+    └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
+    
+    Dockerfile (dockerfile)
+    =======================
+    Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+    Failures: 1 (HIGH: 1, CRITICAL: 0)
+    
+    HIGH: Last USER command in Dockerfile should not be 'root'
+    ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+    
+    See https://avd.aquasec.com/misconfig/ds002
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    Dockerfile:3
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    3 [ USER root
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    ```
+
+In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
+
+## Type detection
+The specified directory can contain mixed types of IaC files.
+Trivy automatically detects config types and applies relevant policies.
+
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
+
+``` bash
+$ ls iac/
+Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
+$ trivy conf --severity HIGH,CRITICAL ./iac
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8
+
+Dockerfile (dockerfile)
+
+Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+deployment.yaml (kubernetes)
+
+Tests: 20 (SUCCESSES: 15, FAILURES: 5, EXCEPTIONS: 0)
+Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
+
+MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
+
+See https://avd.aquasec.com/misconfig/ksv001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:16-19
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  16 ┌       - name: hello-kubernetes
+  17 │         image: hello-kubernetes:1.5
+  18 │         ports:
+  19 └         - containerPort: 8080
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+HIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Mounting docker.sock from the host can give the container full root access to the host.
+
+See https://avd.aquasec.com/misconfig/ksv006
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to true
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
+
+See https://avd.aquasec.com/misconfig/ksv012
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:16-19
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  16 ┌       - name: hello-kubernetes
+  17 │         image: hello-kubernetes:1.5
+  18 │         ports:
+  19 └         - containerPort: 8080
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Deployment 'hello-kubernetes' should not set 'spec.template.volumes.hostPath'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+HostPath volumes must be forbidden.
+
+See https://avd.aquasec.com/misconfig/ksv023
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed values
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
+
+See https://avd.aquasec.com/misconfig/ksv026
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
+
+Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+
+MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to false
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
+
+See https://avd.aquasec.com/misconfig/ksv001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  56 ┌         - name: mysql
+  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
+  58 │           imagePullPolicy: "IfNotPresent"
+  59 │           securityContext:
+  60 │             runAsUser: 1001
+  61 │           env:
+  62 │             - name: BITNAMI_DEBUG
+  63 │               value: "false"
+  64 └             - name: MYSQL_ROOT_PASSWORD
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to true
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
+
+See https://avd.aquasec.com/misconfig/ksv012
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  56 ┌         - name: mysql
+  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
+  58 │           imagePullPolicy: "IfNotPresent"
+  59 │           securityContext:
+  60 │             runAsUser: 1001
+  61 │           env:
+  62 │             - name: BITNAMI_DEBUG
+  63 │               value: "false"
+  64 └             - name: MYSQL_ROOT_PASSWORD
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+```
+
+</details>
+
+You can see the config type next to each file name.
+
+!!! example
+``` bash
+Dockerfile (dockerfile)
+=======================
+Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 1, CRITICAL: 0)
+
+...
+
+deployment.yaml (kubernetes)
+============================
+Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
+Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
+
+...
+
+main.tf (terraform)
+===================
+Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
+Failures: 9 (HIGH: 6, CRITICAL: 1)
+
+...
+
+bucket.yaml (cloudformation)
+============================
+Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
+...
+
+mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
+==========================================================
+Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+```
+
+## Examples
+See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)
+
+[custom]: ./custom/index.md

docs/docs/references/cli/client.md

@@ -0,0 +1,72 @@
+# Client
+
+```bash
+Usage:
+  trivy client [flags] IMAGE_NAME
+
+Aliases:
+  client, c
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/config.md

@@ -0,0 +1,49 @@
+# Config
+
+``` bash
+Scan config files for misconfigurations
+
+Usage:
+  trivy config [flags] DIR
+
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/fs.md

@@ -0,0 +1,87 @@
+# Filesystem
+
+```bash
+Scan local filesystem
+
+Usage:
+  trivy filesystem [flags] PATH
+
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/image.md

@@ -0,0 +1,105 @@
+# Image
+
+```bash
+Scan a container image
+
+Usage:
+  trivy image [flags] IMAGE_NAME
+
+Aliases:
+  image, i
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Image Flags
+      --input string   input file path instead of image name
+      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/index.md

@@ -0,0 +1,50 @@
+Trivy has several sub commands, image, fs, repo, client and server.
+
+``` bash
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+
+Usage:
+  trivy [global flags] command [flags] target
+  trivy [command]
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+
+Available Commands:
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  help        Help about any command
+  image       Scan a container image
+  kubernetes  scan kubernetes cluster
+  module      Manage modules
+  plugin      Manage plugins
+  repository  Scan a remote repository
+  rootfs      Scan rootfs
+  sbom        Scan SBOM for vulnerabilities
+  server      Server mode
+  version     Print the version
+
+Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy [command] --help" for more information about a command.
+```

docs/docs/references/cli/module.md

@@ -0,0 +1,30 @@
+# Module
+
+```bash
+Manage modules
+
+Usage:
+  trivy module [command]
+
+Aliases:
+  module, m
+
+Available Commands:
+  install     Install a module
+  uninstall   Uninstall a module
+
+Flags:
+  -h, --help   help for module
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
+```

docs/docs/references/cli/plugin.md

@@ -0,0 +1,34 @@
+# Plugin
+
+```bash
+Manage plugins
+
+Usage:
+  trivy plugin [command]
+
+Aliases:
+  plugin, p
+
+Available Commands:
+  info        Show information about the specified plugin
+  install     Install a plugin
+  list        List installed plugin
+  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
+  update      Update an existing plugin
+
+Flags:
+  -h, --help   help for plugin
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
+```

docs/docs/references/cli/repo.md

@@ -0,0 +1,89 @@
+# Repository
+
+```bash
+Scan a remote repository
+
+Usage:
+  trivy repository [flags] REPO_URL
+
+Aliases:
+  repository, repo
+
+Examples:
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Repository Flags
+      --branch string   pass the branch name to be scanned
+      --commit string   pass the commit hash to be scanned
+      --tag string      pass the tag name to be scanned
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/rootfs.md

@@ -0,0 +1,96 @@
+# Rootfs
+
+```bash
+Scan rootfs
+
+Usage:
+  trivy rootfs [flags] ROOTDIR
+
+Examples:
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+
+Scan Flags
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --scanners strings          comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--scanners config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```