BREAKING: use normalized trivy-java-db (#3583)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf 

.github/CODEOWNERS

@@ -0,0 +1,24 @@
+# Global
+*   @knqyf263
+
+# Docs
+/docs/** @knqyf263 @AnaisUrlichs @itaysk
+/mkdocs.yml @knqyf263 @AnaisUrlichs @itaysk
+/README.md @knqyf263 @AnaisUrlichs @itaysk
+
+# Helm chart
+helm/trivy/ @chen-keinan
+
+# Misconfiguration scanning
+examples/misconf/           @knqyf263
+docs/docs/misconfiguration  @knqyf263
+docs/docs/cloud             @knqyf263
+pkg/fanal/analyzer/config   @knqyf263
+pkg/fanal/handler/misconf   @knqyf263
+pkg/cloud                   @knqyf263
+pkg/flag/aws_flags.go       @knqyf263
+pkg/flag/misconf_flags.go   @knqyf263
+
+# Kubernetes scanning
+pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
+docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263

.github/DISCUSSION_TEMPLATE/show-and-tell.yml

@@ -0,0 +1,53 @@
+title: "<company name> "
+labels: ["adopters"]
+body:
+  - type: textarea
+    id: links
+    attributes:
+      label: "Share Links"
+      description: "If you would like to share a link to your project or company, please paste it below 🌐"
+      value: |
+        ...
+    validations:
+      required: false
+  - type: textarea
+    id: logo
+    attributes:
+      label: "Share Logo"
+      description: "If you have a link to your logo, please provide it in the following text-box 🌐"
+      value: |
+        ...
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Please select all the scan targets that you are using
+      options:
+        - label: Container Images
+        - label: Filesystem
+        - label: Git Repository
+        - label: Virtual Machine Images
+        - label: Kubernetes
+        - label: AWS
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Which scanners are you using on those scan targets?
+      options:
+        - label: OS packages and software dependencies in use (SBOM)
+        - label: Known vulnerabilities (CVEs)
+        - label: IaC issues and misconfigurations
+        - label: Sensitive information and secrets
+        - label: Software licenses
+    validations:
+      required: false
+  - type: textarea
+    id: info
+    attributes:
+      label: "Additional Information"
+      description: "Please tell us more about your use case of Trivy -- anything that you would like to share 🎉"
+      value: |
+        ...
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/WRONG_DETECTION.md

@@ -0,0 +1,33 @@
+---
+name: Wrong Detection
+labels: ["kind/bug"]
+about: If Trivy doesn't detect something, or shows false positive detection
+---
+
+## Checklist
+- [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
+- [ ] I've confirmed that a security advisory in data sources was correct.
+    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
+
+
+## Description
+
+<!--
+Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
+-->
+
+## JSON Output of run with `-debug`:
+
+```
+(paste your output here)
+```
+
+## Output of `trivy -v`:
+
+```
+(paste your output here)
+```
+
+## Additional details (base image name, container registry info...):
+
+

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: gomod
+    open-pull-requests-limit: 10
+    directory: /
+    schedule:
+      interval: monthly

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Description
+
+## Related issues
+- Close #XXX
+
+## Related PRs
+- [ ] #XXX
+- [ ] #YYY
+
+Remove this section if you don't have related PRs.
+
+## Checklist
+- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
+- [ ] I've added tests that prove my fix is effective or that my feature works.
+- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
+- [ ] I've added usage information (if the PR introduces new options)
+- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

.github/workflows/canary.yaml

@@ -0,0 +1,60 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.2.4
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error

.github/workflows/mkdocs-dev.yaml

@@ -9,21 +9,20 @@ on:
 jobs:
   deploy:
     name: Deploy the dev documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies
         run: |
           pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
-          pip install mkdocs-macros-plugin
+          pip install -r docs/build/requirements.txt
         env:
           GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
       - name: Configure the git user

.github/workflows/mkdocs-latest.yaml

@@ -1,33 +1,41 @@
 name: Deploy the latest documentation
 on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to be deployed
+        required: true
   push:
     tags:
       - "v*"
 jobs:
   deploy:
     name: Deploy the latest documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies
         run: |
           pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
-          pip install mkdocs-macros-plugin
+          pip install -r docs/build/requirements.txt
         env:
           GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
       - name: Configure the git user
         run: |
           git config user.name "knqyf263"
           git config user.email "knqyf263@gmail.com"
-      - name: Deploy the latest documents
+      - name: Deploy the latest documents from new tag push
+        if: ${{ github.event.inputs.version == '' }}
         run: |
           VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
+      - name: Deploy the latest documents from manual trigger
+        if: ${{ github.event.inputs.version != '' }}
+        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

.github/workflows/publish-chart.yaml

@@ -1,47 +1,83 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
-  push:
-    branches: [main]
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
     paths:
       - 'helm/trivy/**'
-  workflow_dispatch:
+  push:
+    tags:
+      - "v*"
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
-  release:
+  test-chart:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
         with:
           version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
       - name: Install chart-releaser
         run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
       - name: Package helm chart
         run: |
           ./cr package ${{ env.CHART_DIR }}
       - name: Upload helm chart
         # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
         continue-on-error: true
-        ## Upload the tar in the Releases repository
         run: |
-          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_GITHUB_TOKEN }} -p .cr-release-packages
+          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
       - name: Index helm chart
         run: |
           ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
       - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.0.4
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
         env:
-          API_TOKEN_GITHUB: ${{ secrets.ORG_GITHUB_TOKEN }}
+          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
         with:
           source_file: 'index.yaml'
           destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'

.github/workflows/release.yaml

@@ -3,80 +3,55 @@ on:
   push:
     tags:
       - "v*"
-env:
-  GO_VERSION: "1.16"
-  GH_USER: "aqua-bot"
+
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 90m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
+    runs-on: ubuntu-22.04
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.2.4
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
       - name: Install dependencies
         run: |
           sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Show available Docker Buildx platforms
-        run: echo ${{ steps.buildx.outputs.platforms }}
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Cache Go modules
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Login to docker.io registry
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ghcr.io registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ env.GH_USER }}
-          password: ${{ secrets.ORG_GITHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Release
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          version: v0.164.0
-          args: release --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.ORG_GITHUB_TOKEN }}
+          sudo apt-get -y install rpm reprepro createrepo-c distro-info
+
       - name: Checkout trivy-repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo
           fetch-depth: 0
-          token: ${{ secrets.ORG_GITHUB_TOKEN }}
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+
       - name: Setup git settings
         run: |
           git config --global user.email "knqyf263@gmail.com"
           git config --global user.name "Teppei Fukuda"
+
       - name: Create rpm repository
         run: ci/deploy-rpm.sh
+
       - name: Import GPG key
         run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
       - name: Create deb repository
         run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -0,0 +1,108 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v4
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.2.4
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/roadmap.yaml

@@ -0,0 +1,79 @@
+name: Add issues to the roadmap project
+
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  add-issue-to-roadmap-project:
+    name: Add issue to the roadmap project
+    runs-on: ubuntu-latest
+    steps:
+      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/backlog
+          label-operator: AND
+        id: add-backlog-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-backlog-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Backlog
+
+      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-longterm
+          label-operator: AND
+        id: add-longterm-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-longterm-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (long-term)
+
+      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-soon
+          label-operator: AND
+        id: add-soon-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-soon-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (soon)
+
+      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/critical-urgent
+          label-operator: AND
+        id: add-urgent-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-urgent-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Urgent

.github/workflows/scan.yaml

@@ -0,0 +1,23 @@
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Scan Go vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.4
+        with:
+          assignee: knqyf263
+          severity: CRITICAL
+          skip-dirs: integration,examples
+          label: kind/security
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -0,0 +1,99 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+            BREAKING
+
+          scopes: |
+            vuln
+            misconf
+            secret
+            license
+
+            image
+            fs
+            repo
+            sbom
+            server
+            k8s
+            aws
+            vm
+
+            alpine
+            wolfi
+            redhat
+            alma
+            rocky
+            mariner
+            oracle
+            debian
+            ubuntu
+            amazon
+            suse
+            photon
+            distroless
+            windows
+
+            ruby
+            php
+            python
+            nodejs
+            rust
+            dotnet
+            java
+            go
+            c
+            c++
+            elixir
+            dart
+
+            os
+            lang
+
+            kubernetes
+            dockerfile
+            terraform
+            cloudformation
+
+            docker
+            podman
+            containerd
+            oci
+
+            cli
+            flag
+
+            cyclonedx
+            spdx
+            purl
+
+            helm
+            report
+            db
+            deps

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v7
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'

.github/workflows/test-docs.yaml

@@ -0,0 +1,28 @@
+name: Test docs
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+jobs:
+  build-documents:
+    name: Documentation Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Install dependencies
+      run: |
+        pip install -r docs/build/requirements.txt
+    - name: Configure the git user
+      run: |
+        git config user.name "knqyf263"
+        git config user.email "knqyf263@gmail.com"
+    - name: Deploy the dev documents
+      run: mike deploy test

.github/workflows/test.yaml

@@ -1,48 +1,95 @@
 name: Test
-on: pull_request
-env:
-  GO_VERSION: "1.16"
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
+  pull_request:
+      paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
 jobs:
   test:
     name: Test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: oldstable
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
+            exit 1
+          fi
+        if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3.4.0
         with:
-          version: v1.31
+          version: v1.49
           args: --deadline=30m
+          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      # Install tools
+      - uses: aquaproj/aqua-installer@v2.0.2
+        with:
+          aqua_version: v1.25.0
 
       - name: Run unit tests
         run: make test
 
-      - name: Upload code coverage
-        uses: codecov/codecov-action@v1
-        with:
-          files: ./coverage.txt
-
   integration:
     name: Integration Test
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
 
-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration
+
+  module-test:
+    name: Module Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      # Install tools
+      - uses: aquaproj/aqua-installer@v2.0.2
+        with:
+          aqua_version: v1.25.0
+
+      - name: Run module integration tests
+        shell: bash
+        run: |
+          make test-module-integration
 
   build-test:
     name: Build Test
@@ -51,49 +98,26 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
+      uses: docker/setup-qemu-action@v2
 
     - name: Set up Docker Buildx
       id: buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2
 
     - name: Show available Docker Buildx platforms
       run: echo ${{ steps.buildx.outputs.platforms }}
 
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
       with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v2
+      uses: goreleaser/goreleaser-action@v4
       with:
-        version: v0.164.0
-        args: release --snapshot --rm-dist --skip-publish
+        version: v1.4.1
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
 
-  build-documents:
-    name: Documentation Test
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v2
-      with:
-        fetch-depth: 0
-        persist-credentials: true
-    - uses: actions/setup-python@v2
-      with:
-        python-version: 3.x
-    - name: Install dependencies
-      run: |
-        pip install mkdocs-material
-        pip install mike
-        pip install mkdocs-macros-plugin
-    - name: Configure the git user
-      run: |
-        git config user.name "knqyf263"
-        git config user.email "knqyf263@gmail.com"
-    - name: Deploy the dev documents
-      run: mike deploy test

.github/workflows/vm-test.yaml

@@ -0,0 +1,32 @@
+name: VM Test
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+  pull_request:
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+
+jobs:
+  vm-test:
+    name: VM Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - name: Run vm integration tests
+        run: |
+          make test-vm-integration

.gitignore

@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-trivy
+/trivy
 
 ## chart release
 .cr-release-packages
@@ -16,6 +16,7 @@ trivy
 *.out
 
 .idea
+.vscode
 
 # Directory Cache Files
 .DS_Store
@@ -23,4 +24,14 @@ thumbs.db
 
 # test fixtures
 coverage.txt
-integration/testdata/fixtures/
+integration/testdata/fixtures/images
+integration/testdata/fixtures/vm-images
+
+# SBOMs generated during CI
+/bom.json
+
+# goreleaser output
+dist
+
+# WebAssembly
+*.wasm

.golangci.yaml

@@ -6,12 +6,10 @@ linters-settings:
     check-shadowing: false
   gofmt:
     simplify: false
-  golint:
-    min-confidence: 0
+  revive:
+    ignore-generated-header: true
   gocyclo:
-    min-complexity: 10
-  maligned:
-    suggest-new: true
+    min-complexity: 20
   dupl:
     threshold: 100
   goconst:
@@ -21,32 +19,36 @@ linters-settings:
     locale: US
   goimports:
     local-prefixes: github.com/aquasecurity
+  gosec:
+    excludes:
+      - G101
+      - G114
+      - G204
+      - G402
 
 linters:
   disable-all: true
   enable:
-    - structcheck
+    - unused
     - ineffassign
     - typecheck
     - govet
-    - errcheck
-    - varcheck
-    - deadcode
-    - golint
+    - revive
     - gosec
     - unconvert
     - goconst
     - gocyclo
     - gofmt
     - goimports
-    - maligned
     - misspell
 
 run:
+  go: 1.19
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"
     - "integration/*"
+    - "examples/*"
 
 issues:
   exclude-rules:
@@ -56,9 +58,6 @@ issues:
     - linters:
         - gosec
       text: "Deferring unsafe method"
-    - linters:
-        - gosec
-      text: "G204: Subprocess launched with variable"
     - linters:
         - errcheck
       text: "Close` is not checked"

CONTRIBUTING.md

@@ -1,28 +1 @@
-Thank you for taking interest in contributing to Trivy !
-
-## Issues
-- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
-- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
-- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
-- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
-
-## Pull Requests
-
-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Your PR is more likely to be accepted if it focuses on just one change.
-1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
-1. Please add the associated Issue in the PR description.
-1. There's no need to add or tag reviewers.
-1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-1. Please include a comment with the results before and after your change.
-1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
-
-## Understand where your pull request belongs
-
-Trivy is composed of several different repositories that work together:
-
-- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
-- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
-- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
-- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.17.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -0,0 +1,10 @@
+FROM alpine:3.17.1
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.protoc

@@ -0,0 +1,12 @@
+FROM golang:1.19
+
+# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
+ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
+RUN apt-get update && apt-get install -y unzip
+RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
+    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
+    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
+    && rm -f $PROTOC_ZIP
+
+RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1

Makefile

@@ -1,21 +1,44 @@
-VERSION := $(shell git describe --tags)
-LDFLAGS=-ldflags "-s -w -X=main.version=$(VERSION)"
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
+LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
 
-GOPATH=$(shell go env GOPATH)
-GOBIN=$(GOPATH)/bin
-GOSRC=$(GOPATH)/src
+GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
+GOBIN := $(GOPATH)/bin
+GOSRC := $(GOPATH)/src
+
+TEST_MODULE_DIR := pkg/module/testdata
+TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
+TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
+
+EXAMPLE_MODULE_DIR := examples/module
+EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
+EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
 
 MKDOCS_IMAGE := aquasec/mkdocs-material:dev
 MKDOCS_PORT := 8000
 
+export CGO_ENABLED := 0 
+
 u := $(if $(update),-u)
 
+# Tools
 $(GOBIN)/wire:
-	GO111MODULE=off go get github.com/google/wire/cmd/wire
+	go install github.com/google/wire/cmd/wire@v0.5.0
+
+$(GOBIN)/crane:
+	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
+
+$(GOBIN)/golangci-lint:
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
+
+$(GOBIN)/labeler:
+	go install github.com/knqyf263/labeler@latest
+
+$(GOBIN)/easyjson:
+	go install github.com/mailru/easyjson/...@v0.7.7
 
 .PHONY: wire
 wire: $(GOBIN)/wire
-	wire gen ./pkg/... ./internal/...
+	wire gen ./pkg/commands/... ./pkg/rpc/...
 
 .PHONY: mock
 mock: $(GOBIN)/mockery
@@ -26,23 +49,48 @@ deps:
 	go get ${u} -d
 	go mod tidy
 
-$(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.21.0
+.PHONY: generate-test-modules
+generate-test-modules: $(TEST_MODULES)
 
+# Compile WASM modules for unit and integration tests
+%.wasm:%.go
+	@if !(type "tinygo" > /dev/null 2>&1); then \
+		echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
+		exit 1; \
+	fi
+	go generate $<
+
+# Run unit tests
 .PHONY: test
-test:
+test: $(TEST_MODULES)
 	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
 
-integration/testdata/fixtures/*.tar.gz:
-	git clone https://github.com/aquasecurity/trivy-test-images.git integration/testdata/fixtures
+integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
+	mkdir -p integration/testdata/fixtures/images/
+	integration/scripts/download-images.sh
 
+# Run integration tests
 .PHONY: test-integration
-test-integration: integration/testdata/fixtures/*.tar.gz
-	go test -v -tags=integration ./integration/...
+test-integration: integration/testdata/fixtures/images/*.tar.gz
+	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
+
+# Run WASM integration tests
+.PHONY: test-module-integration
+test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
+	go test -v -tags=module_integration ./integration/...
+
+# Run VM integration tests
+.PHONY: test-vm-integration
+test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
+	go test -v -tags=vm_integration ./integration/...
+
+integration/testdata/fixtures/vm-images/*.img.gz:
+	integration/scripts/download-vm-images.sh
+
 
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
-	$(GOBIN)/golangci-lint run
+	$(GOBIN)/golangci-lint run --timeout 5m
 
 .PHONY: fmt
 fmt:
@@ -54,7 +102,13 @@ build:
 
 .PHONY: protoc
 protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --go_out=. {} \;
+	docker build -t trivy-protoc - < Dockerfile.protoc
+	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
+
+_protoc:
+	for path in `find ./rpc/ -name "*.proto" -type f`; do \
+		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
+	done
 
 .PHONY: install
 install:
@@ -62,17 +116,20 @@ install:
 
 .PHONY: clean
 clean:
-	rm -rf integration/testdata/fixtures/
-
-$(GOBIN)/labeler:
-	GO111MODULE=off go get github.com/knqyf263/labeler
+	rm -rf integration/testdata/fixtures/images
 
+# Create labels on GitHub
 .PHONY: label
 label: $(GOBIN)/labeler
 	labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5
 
+# Run MkDocs development server to preview the documentation page
 .PHONY: mkdocs-serve
-## Runs MkDocs development server to preview the documentation page
 mkdocs-serve:
 	docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
 	docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
+
+# Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
+.PHONY: easyjson
+easyjson: $(GOBIN)/easyjson
+	easyjson pkg/module/serialize/types.go

README.md

@@ -1,134 +1,130 @@
-<img src="docs/imgs/logo.png" width="150">
-
+<div align="center">
+<img src="docs/imgs/logo.png" width="200">
 
 [![GitHub Release][release-img]][release]
-[![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/trivy)](https://goreportcard.com/report/github.com/aquasecurity/trivy)
-[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)][license]
-[![codecov](https://codecov.io/gh/aquasecurity/trivy/branch/main/graph/badge.svg)](https://codecov.io/gh/aquasecurity/trivy)
-[![GitHub All Releases][github-all-releases-img]][release]
+[![Test][test-img]][test]
+[![Go Report Card][go-report-img]][go-report]
+[![License: Apache-2.0][license-img]][license]
+[![GitHub Downloads][github-downloads-img]][release]
 ![Docker Pulls][docker-pulls]
 
-[release]: https://github.com/aquasecurity/trivy/releases
-[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
-[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
-[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
-[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[📖 Documentation][docs]
+</div>
 
+Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
+Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
 
-A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
+Targets (what Trivy can scan):
 
-# Abstract
-`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.
-A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.
-`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).
-`Trivy` is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.
+- Container Image
+- Filesystem
+- Git Repository (remote)
+- Virtual Machine Image
+- Kubernetes
+- AWS
 
-<img src="docs/imgs/overview.png" width="700">
+Scanners (what Trivy can find there):
 
-Trivy can be run in two different modes:
+- OS packages and software dependencies in use (SBOM)
+- Known vulnerabilities (CVEs)
+- IaC issues and misconfigurations
+- Sensitive information and secrets
+- Software licenses
 
-- [Standalone](https://aquasecurity.github.io/trivy/latest/modes/standalone/)
-- [Client/Server](https://aquasecurity.github.io/trivy/latest/modes/client-server/)
+To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
 
-Trivy can scan three different artifacts:
+## Quick Start
 
-- [Container Images](https://aquasecurity.github.io/trivy/latest/scanning/image/)
-- [Filesystem](https://aquasecurity.github.io/trivy/latest/scanning/filesystem/)
-- [Git Repositories](https://aquasecurity.github.io/trivy/latest/scanning/git-repository/)
+### Get Trivy
 
-<img src="docs/imgs/usage.gif" width="700">
-<img src="docs/imgs/usage1.png" width="600">
-<img src="docs/imgs/usage2.png" width="600">
+Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
 
-It is considered to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [here](https://aquasecurity.github.io/trivy/latest/integrations/) for details.
+- `brew install trivy`
+- `docker run aquasec/trivy`
+- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
+- See [Installation] for more
 
-# Features
+Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
 
-- Detect comprehensive vulnerabilities
-  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-  - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
-- Simple
-  - Specify only an image name or artifact name
-  - See [Quick Start](#quick-start) and [Examples](#examples)
-- Fast
-  - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
-  - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
-- Easy installation
-  - `apt-get install`, `yum install` and `brew install` is possible (See [Installation](#installation))
-  - **No pre-requisites** such as installation of DB, libraries, etc.
-- High accuracy
-  - **Especially Alpine Linux and RHEL/CentOS**
-  - Other OSes are also high
-- DevSecOps
-  - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
-  - See [CI Example](#continuous-integration-ci)
-- Support multiple formats
-  - container image
-    - A local image in Docker Engine which is running as a daemon
-    - A local image in Podman (>=2.0) which is exposing a socket
-    - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
-    - A tar archive stored in the `docker save` / `podman save` formatted file
-    - An image directory compliant with [OCI Image Format](https://github.com/opencontainers/image-spec)
-  - local filesystem
-  - remote git repository
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
+- See [Ecosystem] for more
 
-Please see [LICENSE][license] for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
+### General usage
 
-# Documentation
-The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
-
-# Installation
-See [here](https://aquasecurity.github.io/trivy/latest/installation/)
-
-
-# Quick Start
-
-Simply specify an image name (and a tag).
-
-```
-$ trivy image [YOUR_IMAGE_NAME]
+```bash
+trivy <target> [--scanners <scanner1,scanner2>] <subject>
 ```
 
-For example:
+Examples:
 
-```
-$ trivy image python:3.4-alpine
+```bash
+trivy image python:3.4-alpine
 ```
 
 <details>
 <summary>Result</summary>
 
-```
-2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
-2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
-
-python:3.4-alpine3.9 (alpine 3.9.2)
-===================================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
-|         |                  |          |                   |               | with long nonces               |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-```
+https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov
 
 </details>
 
-# Examples
-See [here](https://aquasecurity.github.io/trivy/latest/examples/filter/)
+```bash
+trivy fs --scanners vuln,secret,config myproject/
+```
 
-# Continuous Integration (CI)
-See [here](https://aquasecurity.github.io/trivy/latest/integrations/)
+<details>
+<summary>Result</summary>
 
-# Vulnerability Detection
-See [here](https://aquasecurity.github.io/trivy/latest/vuln-detection/)
+https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov
 
-# Usage
-See [here](https://aquasecurity.github.io/trivy/latest/usage/)
+</details>
 
-# Author
+```bash
+trivy k8s --report summary cluster
+```
 
-[Teppei Fukuda](https://github.com/knqyf263) (knqyf263)
+<details>
+<summary>Result</summary>
+
+![k8s summary](docs/imgs/trivy-k8s.png)
+
+</details>
+
+## FAQ
+
+### How to pronounce the name "Trivy"?
+
+`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
+
+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
+[test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
+[test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
+[go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
+[go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
+[release]: https://github.com/aquasecurity/trivy/releases
+[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
+[github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
+[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
+[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
+[homepage]: https://trivy.dev
+[docs]: https://aquasecurity.github.io/trivy
+[pronunciation]: #how-to-pronounce-the-name-trivy
+
+[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[rego]: https://www.openpolicyagent.org/docs/latest/#rego
+[sigstore]: https://www.sigstore.dev/
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions

aqua.yaml

@@ -0,0 +1,8 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+registries:
+- type: standard
+  ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+- name: tinygo-org/tinygo@v0.26.0

brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg

@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/readme.md

@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>

ci/deploy-deb.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 
 cd trivy-repo/deb
 
@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done
 
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-64bit.deb
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .

ci/deploy-rpm.sh

@@ -1,27 +1,29 @@
 #!/bin/bash
 
+TRIVY_VERSION=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -nre 's/^[^0-9]*(([0-9]+\.)*[0-9]+).*/\1/p')
+
 function create_rpm_repo () {
         version=$1
         rpm_path=rpm/releases/${version}/x86_64
 
-        RPM_EL=$(find ../dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e "s/_/-/g" -e "s/-Linux/.el$version/" -e "s/-64bit/.x86_64/")
-        echo $RPM_EL
-
         mkdir -p $rpm_path
-        cp ../dist/*64bit.rpm ${rpm_path}/${RPM_EL}
+        cp ../dist/*64bit.rpm ${rpm_path}/
 
-        createrepo --update $rpm_path
+        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+
+        rm ${rpm_path}/*64bit.rpm
 }
 
+echo "Create RPM releases for Trivy v$TRIVY_VERSION"
+
 cd trivy-repo
 
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
         echo "Processing RHEL/CentOS $version..."
         create_rpm_repo $version
 done
 
 git add .
-git commit -m "Update rpm packages"
+git commit -m "Update rpm packages for Trivy v$TRIVY_VERSION"
 git push origin main
-

cmd/trivy/main.go

@@ -1,10 +1,16 @@
 package main
 
 import (
+	"context"
 	"os"
 
+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
+
+	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
 
 var (
@@ -12,9 +18,26 @@ var (
 )
 
 func main() {
-	app := commands.NewApp(version)
-	err := app.Run(os.Args)
-	if err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}

codecov.yml

@@ -1,12 +0,0 @@
-coverage:
-  status:
-    project:
-      default:
-        informational: true
-        target: auto
-        threshold: 100%
-    patch:
-      default:
-        informational: true
-        target: auto
-        threshold: 100%

contrib/Trivy.gitlab-ci.yml

@@ -10,7 +10,7 @@ Trivy_container_scanning:
     IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
   allow_failure: true
   before_script:
-    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
     - apk add --no-cache curl docker-cli
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
     - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}

contrib/asff.tpl

@@ -1,78 +1,161 @@
-[
-{{- $t_first := true -}}
-{{- range . -}}
-{{- $target := .Target -}}
-{{- range .Vulnerabilities -}}
-{{- if $t_first -}}
-  {{- $t_first = false -}}
-{{- else -}}
-  ,
-{{- end -}}
-{{- $trivyProductSev := 0 -}}
-{{- $trivyNormalizedSev := 0 -}}
-{{- if eq .Severity "LOW" -}}
-    {{- $trivyProductSev = 1 -}}
-    {{- $trivyNormalizedSev = 10 -}}
-  {{- else if eq .Severity "MEDIUM" -}}
-    {{- $trivyProductSev = 4 -}}
-    {{- $trivyNormalizedSev = 40 -}}
-  {{- else if eq .Severity "HIGH" -}}
-    {{- $trivyProductSev = 7 -}}
-    {{- $trivyNormalizedSev = 70 -}}
-  {{- else if eq .Severity "CRITICAL" -}}
-    {{- $trivyProductSev = 9 -}}
-    {{- $trivyNormalizedSev = 90 -}}
-{{- end }}
-{{- $description := .Description -}}
-{{- if gt (len $description ) 1021 -}}
-    {{- $description = (slice $description 0 1021) | printf "%v .." -}}
-{{- end}}
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ getCurrentTime }}",
-        "UpdatedAt": "{{ getCurrentTime }}",
-        "Severity": {
-            "Product": {{ $trivyProductSev }},
-            "Normalized": {{ $trivyNormalizedSev }}
-        },
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
-        "Description": {{ escapeString $description | printf "%q" }},
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "{{ .PrimaryURL }}"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "{{ $target }}",
-                "Partition": "aws",
-                "Region": "{{ getEnv "AWS_REGION" }}",
-                "Details": {
-                    "Container": { "ImageName": "{{ $target }}" },
-                    "Other": {
-                        "CVE ID": "{{ .VulnerabilityID }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
-                        "PkgName": "{{ .PkgName }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
-                        "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- $image := .Target -}}
+    {{- if gt (len $image) 127 -}}
+        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
+    {{- end}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 512 -}}
+        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            {{ if not (empty .PrimaryURL) -}}
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            {{ end -}}
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $image }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
                     }
                 }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-   {{- end -}}
-  {{- end }}
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Misconfigurations -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+            {{- $description := .Description -}}
+            {{- if gt (len $description ) 512 -}}
+                {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+            {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .ID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .ID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "{{ .Resolution }}",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Message": "{{ .Message }}",
+                            "Filename": "{{ $target }}",
+                            "StartLine": "{{ .CauseMetadata.StartLine }}",
+                            "EndLine": "{{ .CauseMetadata.EndLine }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Secrets -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Sensitive Data Identifications" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Filename": "{{ $target }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+      {{- end }}
+    ]
+}

contrib/example_policy/advanced.rego

@@ -5,30 +5,42 @@ import data.lib.trivy
 default ignore = false
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 ignore {
 	input.PkgName == "openssl"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }
 
 ignore {
@@ -50,11 +62,11 @@ ignore {
 	input.PkgName == "bash"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
 	input.PkgName == "django"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
 	input.PkgName == "jquery"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS

contrib/example_policy/basic.rego

@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 ignore {
@@ -22,20 +26,29 @@ ignore {
 
 # Ignore a vulnerability which is not remotely exploitable
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.AttackVector != "Network"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.AttackVector != "Network"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.AttackVector != "Network"
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 # Ignore CSRF

contrib/gitlab-codequality.tpl

@@ -0,0 +1,103 @@
+{{- /* Template based on https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types */ -}}
+[
+  {{- $t_first := true }}
+  {{- range . }}
+  {{- $target := .Target }}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .CauseMetadata.StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+  {{- end }}
+]

contrib/gitlab.tpl

@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
   "vulnerabilities": [
   {{- $t_first := true }}
   {{- range . }}
   {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
     {{- range .Vulnerabilities -}}
     {{- if $t_first -}}
       {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                   {{-  else -}}
                     "{{ .Severity }}"
                   {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
       "solution": {{ if .FixedVersion -}}
                     "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                   {{- else -}}
@@ -51,7 +50,7 @@
         },
         {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
         "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
       },
       "identifiers": [
         {
@@ -71,7 +70,7 @@
           ,
         {{- end -}}
         {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
         }
         {{- end }}
       ]

contrib/html.tpl

@@ -52,7 +52,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
     </script>
   </head>
   <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
     <table>
     {{- range . }}
       <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

contrib/install.sh

@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
   log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
   log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
   log_priority 3 || return 0

contrib/junit.tpl

@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
     <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -14,5 +14,18 @@
         </testcase>
     {{- end }}
     </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>

contrib/sarif.tpl

@@ -1,95 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-  "version": "2.1.0",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "Trivy",
-          "informationUri": "https://github.com/aquasecurity/trivy",
-          "fullName": "Trivy Vulnerability Scanner",
-          "version": "0.15.0",
-          "rules": [
-        {{- $t_first := true }}
-        {{- range . }}
-            {{- $vulnerabilityType := .Type }}
-            {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": "{{ .VulnerabilityID }}/{{ .PkgName }}",
-              "name": "{{ toSarifRuleName $vulnerabilityType }}",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "defaultConfiguration": {
-                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-              }
-              {{- with $help_uri := .PrimaryURL -}}
-              ,
-              {{ $help_uri | printf "\"helpUri\": %q," -}}
-              {{- else -}}
-              ,
-              {{- end }}
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
-            {{- end -}}
-         {{- end -}}
-          ]
-        }
-      },
-      "results": [
-    {{- $t_first := true }}
-    {{- range . }}
-        {{- $filePath := .Target }}
-        {{- range $index, $vulnerability := .Vulnerabilities -}}
-          {{- if $t_first -}}
-            {{- $t_first = false -}}
-          {{ else -}}
-            ,
-          {{- end }}
-        {
-          "ruleId": "{{ $vulnerability.VulnerabilityID }}/{{ $vulnerability.PkgName }}",
-          "ruleIndex": {{ $index }},
-          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
-          "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "{{ toPathUri $filePath }}",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        }
-        {{- end -}}
-      {{- end -}}
-      ],
-      "columnKind": "utf16CodeUnits",
-      "originalUriBaseIds": {
-        "ROOTPATH": {
-          "uri": "/"
-        }
-      }
-    }
-  ]
-}

docs/air-gap.md

@@ -1,57 +0,0 @@
-# Air-Gapped Environment
-
-Trivy can be used in air-gapped environments.
-
-## Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
-If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
-
-```
-$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
-```
-
-## Transfer the DB file into the air-gapped environment
-The way of transfer depends on the environment.
-
-```
-$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
-```
-
-## Put the DB file in Trivy's cache directory
-You have to know where to put the DB file. The following command shows the default cache directory.
-
-```
-$ ssh user@host
-$ trivy -h | grep cache
-   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
-```
-
-Put the DB file in the cache directory + `/db`.
-
-```
-$ mkdir -p /home/myuser/.cache/trivy/db
-$ cd /home/myuser/.cache/trivy/db
-$ mv /path/to/trivy-offline.db.tgz .
-```
-
-Then, decompress it.
-`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
-
-```
-$ tar xvf trivy-offline.db.tgz
-x trivy.db
-x metadata.json
-$ rm trivy-offline.db.tgz
-```
-
-In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
-
-## Run Trivy with --skip-update option
-In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
-
-```
-$ trivy image --skip-update alpine:3.12
-```
-
-[trivy-db]: https://github.com/aquasecurity/trivy-db/releases

docs/build/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material
+FROM squidfunk/mkdocs-material:8.3.9
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
@@ -6,4 +6,5 @@ FROM squidfunk/mkdocs-material
 # docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
 # FROM ghcr.io/squidfunk/mkdocs-material-insiders
 
-RUN pip install mike mkdocs-macros-plugin
+COPY requirements.txt .
+RUN pip install -r requirements.txt

docs/build/requirements.txt

@@ -0,0 +1,30 @@
+click==8.1.2
+csscompressor==0.9.5
+ghp-import==2.0.2
+htmlmin==0.1.12
+importlib-metadata==4.11.3
+Jinja2==3.1.1
+jsmin==3.0.1
+Markdown==3.3.6
+MarkupSafe==2.1.1
+mergedeep==1.3.4
+mike==1.1.2
+mkdocs==1.3.0
+mkdocs-macros-plugin==0.7.0
+mkdocs-material==8.3.9
+mkdocs-material-extensions==1.0.3
+mkdocs-minify-plugin==0.5.0
+mkdocs-redirects==1.0.4
+packaging==21.3
+Pygments==2.12.0
+pymdown-extensions==9.5
+pyparsing==3.0.8
+python-dateutil==2.8.2
+PyYAML==6.0
+pyyaml-env-tag==0.1
+six==1.16.0
+termcolor==1.1.0
+verspec==0.1.0
+watchdog==2.1.7
+zipp==3.8.0
+

docs/community/contribute/issue.md

@@ -0,0 +1,31 @@
+Thank you for taking interest in contributing to Trivy!
+
+- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
+- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
+- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
+
+## Wrong detection
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Sometime these databases contain mistakes.
+
+If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
+
+1. Run Trivy with `-f json` that shows data sources.
+2. According to the shown data source, make sure that the security advisory in the data source is correct.
+
+If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
+
+### GitHub Advisory Database
+Visit [here](https://github.com/advisories) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
+ 
+### GitLab Advisory Database
+Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
+ 
+### Red Hat CVE Database
+Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
+

docs/community/contribute/pr.md

@@ -0,0 +1,175 @@
+Thank you for taking interest in contributing to Trivy!
+
+1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
+1. Please add the associated Issue link in the PR description.
+1. Your PR is more likely to be accepted if it focuses on just one change.
+1. There's no need to add or tag reviewers.
+1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+1. Please include a comment with the results before and after your change.
+1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+
+- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+- **docs** for changes to the documentation.
+- **style** for formatting changes, missing semicolons, etc.
+- **refactor** for refactoring production code, e.g. renaming a variable.
+- **test** for adding missing tests, refactoring tests; no production code change.
+- **build** for updating build configuration, development tools or other changes irrelevant to the user.
+- **chore** for updates that do not apply to the above, such as dependency updates.
+- **ci** for changes to CI configuration files and scripts
+- **revert** for revert to a previous commit
+
+**Allowed `<scope>` values:**
+
+checks:
+
+- vuln
+- misconf
+- secret
+- license
+
+mode:
+
+- image
+- fs
+- repo
+- sbom
+- k8s
+- server
+- aws
+- vm
+
+os:
+
+- alpine
+- redhat
+- alma
+- rocky
+- mariner
+- oracle
+- debian
+- ubuntu
+- amazon
+- suse
+- photon
+- distroless
+
+language:
+
+- ruby
+- php
+- python
+- nodejs
+- rust
+- dotnet
+- java
+- go
+- elixir
+- dart
+
+vuln:
+
+- os
+- lang
+
+config:
+
+- kubernetes
+- dockerfile
+- terraform
+- cloudformation
+
+container
+
+- docker
+- podman
+- containerd
+- oci
+
+cli:
+
+- cli
+- flag
+
+SBOM:
+
+- cyclonedx
+- spdx
+- purl
+
+others:
+
+- helm
+- report
+- db
+- deps
+
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```
+
+## Understand where your pull request belongs
+
+Trivy is composed of several repositories that work together:
+
+- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
+- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
+- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

docs/community/maintainer/triage.md

@@ -1,7 +1,10 @@
+# Triage
+
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
 
 Triage includes:
+
 - Labeling issues
 - Responding to issues
 - Closing issues
@@ -185,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 
-We have specific [guidelines](/docs/contrib/help-wanted.md)
+We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 

docs/comparison.md

@@ -1,17 +0,0 @@
-# Comparison with other scanners
-
-| Scanner        | OS<br>Packages  | Application<br>Dependencies | Easy to use  | Accuracy    | Suitable<br>for CI  |
-| -------------- | :-------------: | :-------------------------: | :----------: | :---------: | :-----------------: |
-| Trivy          |       ✅        |       ✅<br>(8 languages)   |    ⭐ ⭐ ⭐    |  ⭐ ⭐ ⭐    |      ⭐ ⭐ ⭐         |
-| Clair          |       ✅        |              ×              |      ⭐       |   ⭐ ⭐      |      ⭐ ⭐           |
-| Anchore Engine |       ✅        |       ✅<br>(4 languages)   |     ⭐ ⭐      |   ⭐ ⭐      |     ⭐ ⭐ ⭐         |
-| Quay           |       ✅        |              ×              |    ⭐ ⭐ ⭐    |   ⭐ ⭐      |        ×            |
-| Docker Hub     |       ✅        |              ×              |    ⭐ ⭐ ⭐    |    ⭐        |        ×            |
-| GCR            |       ✅        |              ×              |    ⭐ ⭐ ⭐    |   ⭐ ⭐      |        ×            |
-
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-- [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)
-
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/

docs/credit.md

@@ -1,14 +0,0 @@
-# Special Thanks to 
-
-- [Tomoya Amachi][tomoyamachi]
-- [Masahiro Fujimura][masahiro331]
-- [Naoki Harima][XapiMa]
-
-# Author
-
-[Teppei Fukuda][knqyf263] (knqyf263)
-
-[tomoyamachi]: https://github.com/tomoyamachi
-[masahiro331]: https://github.com/masahiro331
-[XapiMa]: https://github.com/XapiMa
-[knqyf263]: https://github.com/knqyf263

docs/docs/advanced/air-gap.md

@@ -0,0 +1,142 @@
+# Air-Gapped Environment
+
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
+At first, you need to download the vulnerability database for use in air-gapped environments.
+
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+
+=== "oras >= v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+### Download the Java index database[^1]
+Java users also need to download the Java index database for use in air-gapped environments.
+
+!!! note
+    You container image may contain JAR files even though you don't use Java directly.
+    In that case, you also need to download the Java index database.
+
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
+    tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+=== "oras >= v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+    ```
+
+=== "oras < v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
+    ```
+
+
+### Transfer the DB files into the air-gapped environment
+The way of transfer depends on the environment.
+
+=== "Vulnerability db"
+    ```
+    $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
+    ```
+
+=== "Java index db[^1]"
+    ```
+    $ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
+    ```
+
+### Put the DB files in Trivy's cache directory
+You have to know where to put the DB files. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+=== "Vulnerability db"
+    Put the DB file in the cache directory + `/db`.
+    
+    ```
+    $ mkdir -p /home/myuser/.cache/trivy/db
+    $ cd /home/myuser/.cache/trivy/db
+    $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
+    x trivy.db
+    x metadata.json
+    $ rm /path/to/db.tar.gz
+    ```
+
+=== "Java index db[^1]"
+    Put the DB file in the cache directory + `/java-db`.
+
+    ```
+    $ mkdir -p /home/myuser/.cache/trivy/java-db
+    $ cd /home/myuser/.cache/trivy/java-db
+    $ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
+    x trivy-java.db
+    x metadata.json
+    $ rm /path/to/javadb.tar.gz
+    ```
+
+
+
+In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
+
+### Run Trivy with the specific flags.
+In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
+In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
+
+```
+$ trivy image --skip-update --skip-java-db-update --offline-scan alpine:3.12
+```
+
+## Air-Gapped Environment for misconfigurations
+
+No special measures are required to detect misconfigurations in an air-gapped environment.
+
+### Run Trivy with `--skip-policy-update` option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
+[allowlist]: ../references/troubleshooting.md
+[oras]: https://oras.land/cli/
+
+[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../vulnerability/languages/java.md)

docs/docs/advanced/container/embed-in-dockerfile.md

@@ -10,7 +10,7 @@ FROM alpine:3.7
 
 RUN apk add curl \
     && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
-    && trivy filesystem --exit-code 1 --no-progress /
+    && trivy rootfs --exit-code 1 --no-progress /
 
 $ docker build -t vulnerable-image .
 ```
@@ -21,7 +21,7 @@ insecure `curl | sh`. Also the image is not changed.
 # Run vulnerability scan on build image
 FROM build AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy filesystem --exit-code 1 --no-progress /
+RUN trivy rootfs --exit-code 1 --no-progress /
 [...]
 ```
 

docs/docs/advanced/container/unpacked-filesystem.md

@@ -1,12 +1,12 @@
 # Unpacked Filesystem
 
-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.
 
 In this case, Trivy works the same way when scanning containers
 
 ```bash
 $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
-$ trivy fs /tmp/rootfs
+$ trivy rootfs /tmp/rootfs
 ```
 
 <details>

docs/docs/advanced/modules.md

@@ -0,0 +1,358 @@
+# Modules
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy provides a module feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
+It changes the behavior during scanning by WebAssembly.
+
+## Overview
+Trivy modules are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language supporting WebAssembly.
+  - It supports only [TinyGo][tinygo] at the moment.
+
+You can write your own detection logic.
+
+- Evaluate complex vulnerability conditions like [Spring4Shell][spring4shell]
+- Detect a shell script communicating with malicious domains
+- Detect malicious python install script (setup.py)
+- Even detect misconfigurations in WordPress setting
+- etc.
+
+Then, you can update the scan result however you want.
+
+- Change a severity
+- Remove a vulnerability
+- Add a new vulnerability
+- etc.
+
+Modules should be distributed in OCI registries like GitHub Container Registry.
+
+!!! warning
+    WebAssembly doesn't allow file access and network access by default.
+    Modules can read required files only, but cannot overwrite them.
+    WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security.
+    You should install and run third-party modules at your own risk even though 
+
+Under the hood Trivy leverages [wazero][wazero] to run WebAssembly modules without CGO.
+
+## Installing a Module
+A module can be installed using the `trivy module install` command.
+This command takes an url. It will download the module and install it in the module cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- $HOME/.trivy/plugins
+
+For example, to download the WebAssembly module, you can execute the following command:
+
+```bash
+$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
+```
+
+## Using Modules
+Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution.
+The modules may inject custom logic into scanning and change the result.
+You can run Trivy as usual and modules are loaded automatically.
+
+You will see the log messages about WASM modules.
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
+2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
+2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
+...
+2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
+2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
+
+Java (jar)
+
+Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
+
+┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
+│                           Library                            │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                           Title                            │
+├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
+│ org.springframework.boot:spring-boot (helloworld.war)        │ CVE-2022-22965      │ LOW      │ 2.6.3             │ 2.5.12, 2.6.6          │ spring-framework: RCE via Data Binding on JDK 9+           │
+│                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22965                 │
+├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
+...(snip)...
+```
+
+In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of conditions.
+
+## Uninstalling Modules
+Specify a module repository with `trivy module uninstall` command.
+
+```bash
+$ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
+```
+
+## Building Modules
+It supports TinyGo only at the moment.
+
+### TinyGo
+Trivy provides Go SDK including three interfaces.
+Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
+
+```go
+type Module interface {
+    Version() int
+    Name() string
+}
+
+type Analyzer interface {
+    RequiredFiles() []string
+    Analyze(filePath string) (*serialize.AnalysisResult, error)
+}
+
+type PostScanner interface {
+    PostScanSpec() serialize.PostScanSpec
+    PostScan(serialize.Results) (serialize.Results, error)
+}
+```
+
+In the following tutorial, it creates a WordPress module that detects a WordPress version and a critical vulnerability accordingly.
+
+!!! tips
+    You can use logging functions such as `Debug` and `Info` for debugging.
+    See [examples](#examples) for the detail.
+
+#### Initialize your module
+Replace the repository name with yours.
+
+```
+$ go mod init github.com/aquasecurity/trivy-module-wordpress
+```
+
+#### Module interface
+`Version()` returns your module version and should be incremented after updates.
+`Name()` returns your module name.
+
+```go
+package main
+
+const (
+    version = 1
+    name = "wordpress-module"
+)
+
+type WordpressModule struct{
+	// Cannot define fields as modules can't keep state.
+}
+
+func (WordpressModule) Version() int {
+    return version
+}
+
+func (WordpressModule) Name() string {
+    return name
+}
+```
+
+!!! info
+    A struct cannot have any fields. Each method invocation is performed in different states.
+
+#### Analyzer interface
+If you implement the `Analyzer` interface, `Analyze` method is called when the file path is matched to file patterns returned by `RequiredFiles()`.
+A file pattern must be a regular expression. The syntax detail is [here][regexp].
+
+`Analyze` takes the matched file path, then the file can be opened by `os.Open()`.
+
+```go
+const typeWPVersion = "wordpress-version"
+
+func (WordpressModule) RequiredFiles() []string {
+    return []string{
+        `wp-includes\/version.php`,
+    }
+}
+
+func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
+    f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
+    if err != nil {
+        return nil, err
+    }
+    defer f.Close()
+
+    var wpVersion string
+    scanner := bufio.NewScanner(f)
+    for scanner.Scan() {
+        line := scanner.Text()
+        if !strings.HasPrefix(line, "$wp_version=") {
+            continue
+        }
+
+        ss := strings.Split(line, "=")
+        if len(ss) != 2 {
+            return nil, fmt.Errorf("invalid wordpress version: %s", line)
+        }
+
+        // NOTE: it is an example; you actually need to handle comments, etc
+        ss[1] = strings.TrimSpace(ss[1])
+        wpVersion = strings.Trim(ss[1], `";`)
+    }
+
+    if err = scanner.Err(); err != nil {
+        return nil, err
+    }
+	
+    return &serialize.AnalysisResult{
+        CustomResources: []serialize.CustomResource{
+            {
+                Type:     typeWPVersion,
+                FilePath: filePath,
+                Data:     wpVersion,
+            },
+        },
+    }, nil
+}
+```
+
+!!! tips
+    Trivy caches analysis results according to the module version.
+    We'd recommend cleaning the cache or changing the module version every time you update `Analyzer`.
+
+
+#### PostScanner interface
+`PostScan` is called after scanning and takes the scan result as an argument from Trivy.
+In post scanning, your module can perform one of three actions:
+
+- Insert
+    - Add a new security finding
+    - e.g. Add a new vulnerability and misconfiguration
+- Update
+    - Update the detected vulnerability and misconfiguration
+    - e.g. Change a severity
+- Delete
+    - Delete the detected vulnerability and misconfiguration
+    - e.g. Remove Spring4Shell because it is not actually affected.
+ 
+`PostScanSpec()` returns which action the module does.
+If it is `Update` or `Delete`, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
+
+`serialize.Results` contains the filtered results matching IDs you specified.
+Also, it includes `CustomResources` with the values your `Analyze` returns, so you can modify the scan result according to the custom resources.
+
+```go
+func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
+    return serialize.PostScanSpec{
+        Action: api.ActionInsert, // Add new vulnerabilities
+    }
+}
+
+func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+    // e.g. results
+    // [
+    //   {
+    //     "Target": "",
+    //     "Class": "custom",
+    //     "CustomResources": [
+    //       {
+    //         "Type": "wordpress-version",
+    //         "FilePath": "/usr/src/wordpress/wp-includes/version.php",
+    //         "Layer": {
+    //           "DiffID": "sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887"
+    //         },
+    //         "Data": "5.7.1"
+    //       }
+    //     ]
+    //   }
+    // ]   
+    var wpVersion int
+    for _, result := range results {
+        if result.Class != types.ClassCustom {
+            continue
+        }
+		
+        for _, c := range result.CustomResources {
+            if c.Type != typeWPVersion {
+                continue
+            }
+            wpVersion = c.Data.(string)
+            wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
+
+            ...snip...
+			
+            if affectedVersion.Check(ver) {
+                vulnerable = true
+            }
+            break
+        }
+    }
+
+    if vulnerable {
+        // Add CVE-2020-36326
+        results = append(results, serialize.Result{
+            Target: wpPath,
+            Class:  types.ClassLangPkg,
+			Type:   "wordpress",
+            Vulnerabilities: []types.DetectedVulnerability {
+                {
+                    VulnerabilityID:  "CVE-2020-36326",
+                    PkgName:          "wordpress",
+                    InstalledVersion: wpVersion,
+                    FixedVersion:     "5.7.2",
+                    Vulnerability: dbTypes.Vulnerability{
+                        Title:    "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
+                        Severity: "CRITICAL",
+                    },
+                },
+            },
+        })
+    }
+    return results, nil
+}
+```
+
+The new vulnerability will be added to the scan results.
+This example shows how the module inserts a new finding.
+If you are interested in `Update`, you can see an example of [Spring4Shell][trivy-module-spring4shell].
+
+In the `Delete` action, `PostScan` needs to return results you want to delete.
+If `PostScan` returns an empty, Trivy will not delete anything.
+
+#### Build
+Follow [the install guide][tinygo-installation] and install TinyGo.
+
+```bash
+$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+```
+
+Put the built binary to the module directory that is under the home directory by default.
+
+```bash
+$ mkdir -p ~/.trivy/modules
+$ cp spring4shell.wasm ~/.trivy/modules
+```
+
+## Distribute Your Module
+You can distribute your own module in OCI registries. Please follow [the oras installation instruction][oras].
+
+```bash
+oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm
+Uploading 3daa3dac086b wordpress.wasm
+Pushed ghcr.io/aquasecurity/trivy-module-wordpress:latest
+Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
+```
+
+## Examples
+- [Spring4Shell][trivy-module-spring4shell]
+- [WordPress][trivy-module-wordpress]
+
+[regexp]: https://github.com/google/re2/wiki/Syntax
+
+[tinygo]: https://tinygo.org/
+[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
+[wazero]: https://github.com/tetratelabs/wazero
+
+[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
+[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
+
+[tinygo-installation]: https://tinygo.org/getting-started/install/
+[oras]: https://oras.land/cli/

docs/docs/advanced/private-registries/acr.md

@@ -0,0 +1,27 @@
+# Requirements
+None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
+
+# Privileges
+Service principal must have the `AcrPull` permissions.
+
+## Creation of a service principal
+```bash
+export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
+```
+
+# Usage
+```bash
+# must set TRIVY_USERNAME empty char
+export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
+export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
+export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
+```
+
+# Testing
+You can test credentials in the following manner.
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
+  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
+```

docs/docs/advanced/private-registries/ecr.md

@@ -0,0 +1,35 @@
+Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
+You can use [AWS CLI's ENV Vars][env-var].
+
+[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+
+### AWS private registry permissions
+
+You may need to grant permissions to allow Trivy to pull images from private ECR.
+
+It depends on how you want to provide AWS Role to trivy.
+
+- [IAM Role Service account](https://github.com/aws/amazon-eks-pod-identity-webhook)
+- [Kube2iam](https://github.com/jtblin/kube2iam) or [Kiam](https://github.com/uswitch/kiam)
+
+#### IAM Role Service account
+
+Add the AWS role in trivy's service account annotations:
+
+```yaml
+trivy:
+
+  serviceAccount:
+    annotations: {}
+      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+```
+
+#### Kube2iam or Kiam
+
+Add the AWS role to pod's annotations:
+
+```yaml
+podAnnotations: {}
+  ## kube2iam/kiam annotation
+  # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+```

docs/docs/advanced/private-registries/gcr.md

@@ -0,0 +1,40 @@
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
+```bash
+# must set TRIVY_USERNAME empty char
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
+```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```

docs/docs/attestation/rekor.md

@@ -0,0 +1,147 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+!!! note
+    The public instance of the Rekor maintained by the Sigstore team limits the attestation size.
+    If you are using the public instance, please make sure that your SBOM is small enough.
+    To get more detail, please refer to the Rekor project's [documentation](https://github.com/sigstore/rekor#public-instance).
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat

docs/docs/attestation/sbom.md

@@ -0,0 +1,87 @@
+# SBOM attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+## Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
+```
+
+You can also create attestations of other formatted SBOM.
+
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
+
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
+```
+
+## Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
+```
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

docs/docs/attestation/vuln.md

@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md

docs/docs/compliance/compliance.md

@@ -0,0 +1,70 @@
+# Compliance Reports
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
+
+## Usage
+
+Compliance report is currently supported in the following targets (trivy sub-commands):
+
+- `trivy image`
+- `trivy aws`
+- `trivy k8s`
+
+Add the `--compliance` flag to the command line, and set it's value to desired report.
+For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
+
+### Options
+
+The following flags are compatible with `--compliance` flag and allows customizing it's output:
+
+| flag               | effect                                                                               |
+|--------------------|--------------------------------------------------------------------------------------|
+| `--report summary` | shows a summary of the results. for every control shows the number of failed checks. |
+| `--report all`     | shows fully detailed results. for every control shows where it failed and why.       |
+| `--format table`   | shows results in textual table format (good for human readability).                  |
+| `--format json`    | shows results in json format (good for machine readability).                         |
+
+## Built-in compliance
+
+Trivy has a number of built-in compliance reports that you can asses right out of the box.
+to specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
+
+For the list of built-in compliance reports, please see the relevant section:
+
+- [Docker compliance](../target/container_image.md#compliance)
+- [Kubernetes compliance](../target/kubernetes.md#compliance) 
+- [AWS compliance](../target/aws.md#compliance)
+
+## Custom compliance
+
+You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
+
+```yaml
+spec:
+  id: "k8s-myreport" # report unique identifier. this should not container spaces.
+  title: "My custom Kubernetes report" # report title. Any one-line title.
+  description: "Describe your report" # description of the report. Any text.
+  relatedResources :
+    - https://some.url # useful references. URLs only.
+  version: "1.0" # spec version (string)
+  controls:
+    - name: "Non-root containers" # Name for the control (appears in the report as is). Any one-line name.
+      description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.
+      id: "1.0" # control identifier (string)
+      checks:   # list of existing Trivy checks that define the control
+        - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` 
+      severity: "MEDIUM" # Severity for the control (note that checks severity isn't used)
+    - name: "Immutable container file systems"
+      description: 'Check that container root file system is immutable'
+      id: "1.1"
+      checks:
+        - id: AVD-KSV-0014
+      severity: "LOW"
+```
+
+The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
+
+Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).

docs/docs/index.md

@@ -0,0 +1,5 @@
+# Docs
+
+In this section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
+
+👈 Please use the side-navigation on the left in order to browse the different topics.

docs/docs/licenses/scanning.md

@@ -0,0 +1,320 @@
+# License Scanning
+
+Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
+
+License are classified using the [Google License Classification][google-license-classification] -
+
+ - Forbidden
+ - Restricted 
+ - Reciprocal
+ - Notice
+ - Permissive
+ - Unencumbered
+ - Unknown
+
+!!! tip
+    Licenses that Trivy fails to recognize are classified as UNKNOWN.
+    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
+
+By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
+To enable extended license scanning, you can use `--license-full`.
+In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
+
+!!! note
+    The full license scanning is expensive. It takes a while.
+
+Currently, the standard license scanning doesn't support filesystem and repository scanning.
+
+|   License scanning    | Image | Rootfs    | Filesystem | Repository |
+|:---------------------:|:-----:|:---------:|:----------:|:----------:|
+|       Standard        |  ✅   |     ✅    |   -        |      -     |
+| Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
+
+
+License checking classifies the identified licenses and map the classification to severity.
+
+| Classification | Severity |
+|----------------|----------|
+| Forbidden      | CRITICAL |
+| Restricted     | HIGH     |
+| Reciprocal     | MEDIUM   |
+| Notice         | LOW      |
+| Permissive     | LOW      |
+| Unencumbered   | LOW      |
+| Unknown        | UNKNOWN  |
+
+## Quick start
+This section shows how to scan license in container image and filesystem.
+
+### Standard scanning
+Specify an image name with `--scanners license`.
+
+``` shell
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ apk-tools         │         │                │          │
+├───────────────────┤         │                │          │
+│ busybox           │         │                │          │
+├───────────────────┤         │                │          │
+│ musl-utils        │         │                │          │
+├───────────────────┤         │                │          │
+│ scanelf           │         │                │          │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+```
+
+### Full scanning
+Specify `--license-full`
+
+``` shell
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
+
+┌───────────────────┬───────────────────┬────────────────┬──────────┐
+│      Package      │      License      │ Classification │ Severity │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
+├───────────────────┤                   │                │          │
+│ apk-tools         │                   │                │          │
+├───────────────────┼───────────────────┤                │          │
+│ bash              │ GPL-3.0           │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┤                │          │
+│ libaio            │ LGPL-2.1-or-later │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
+└───────────────────┴───────────────────┴────────────────┴──────────┘
+
+Loose File License(s) (license)
+===============================
+Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
+
+┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
+│ Classification │ Severity │   License    │                        File Location                         │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
+│                │          │              │                                                              │
+│                │          │              │                                                              │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
+│                │          │              │ 41a80.js.LICENSE.txt                                         │
+└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Trivy has number of configuration flags for use with license scanning;
+                                 
+### Ignored Licenses
+
+Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
+
+```shell
+$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 2 (HIGH: 2, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+
+```
+
+### Custom Classification
+You can generate the default config by the `--generate-default-config` flag and customize the license classification.
+For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
+
+```shell
+$ trivy image --generate-default-config
+$ vim trivy.yaml
+license:
+  forbidden:
+  - AGPL-3.0
+  
+  restricted:
+  - AGPL-1.0
+  - CC-BY-NC-1.0
+  - CC-BY-NC-2.0
+  - CC-BY-NC-2.5
+  - CC-BY-NC-3.0
+  - CC-BY-NC-4.0
+  - CC-BY-NC-ND-1.0
+  - CC-BY-NC-ND-2.0
+  - CC-BY-NC-ND-2.5
+  - CC-BY-NC-ND-3.0
+  - CC-BY-NC-ND-4.0
+  - CC-BY-NC-SA-1.0
+  - CC-BY-NC-SA-2.0
+  - CC-BY-NC-SA-2.5
+  - CC-BY-NC-SA-3.0
+  - CC-BY-NC-SA-4.0
+  - Commons-Clause
+  - Facebook-2-Clause
+  - Facebook-3-Clause
+  - Facebook-Examples
+  - WTFPL
+  - BCL
+  - CC-BY-ND-1.0
+  - CC-BY-ND-2.0
+  - CC-BY-ND-2.5
+  - CC-BY-ND-3.0
+  - CC-BY-ND-4.0
+  - CC-BY-SA-1.0
+  - CC-BY-SA-2.0
+  - CC-BY-SA-2.5
+  - CC-BY-SA-3.0
+  - CC-BY-SA-4.0
+  - GPL-1.0
+  - GPL-2.0
+  - GPL-2.0-with-autoconf-exception
+  - GPL-2.0-with-bison-exception
+  - GPL-2.0-with-classpath-exception
+  - GPL-2.0-with-font-exception
+  - GPL-2.0-with-GCC-exception
+  - GPL-3.0
+  - GPL-3.0-with-autoconf-exception
+  - GPL-3.0-with-GCC-exception
+  - LGPL-2.0
+  - LGPL-2.1
+  - LGPL-3.0
+  - NPL-1.0
+  - NPL-1.1
+  - OSL-1.0
+  - OSL-1.1
+  - OSL-2.0
+  - OSL-2.1
+  - OSL-3.0
+  - QPL-1.0
+  - Sleepycat
+  
+  reciprocal:
+  - APSL-1.0
+  - APSL-1.1
+  - APSL-1.2
+  - APSL-2.0
+  - CDDL-1.0
+  - CDDL-1.1
+  - CPL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - FreeImage
+  - IPL-1.0
+  - MPL-1.0
+  - MPL-1.1
+  - MPL-2.0
+  - Ruby
+  
+  notice:
+  - AFL-1.1
+  - AFL-1.2
+  - AFL-2.0
+  - AFL-2.1
+  - AFL-3.0
+  - Apache-1.0
+  - Apache-1.1
+  - Apache-2.0
+  - Artistic-1.0-cl8
+  - Artistic-1.0-Perl
+  - Artistic-1.0
+  - Artistic-2.0
+  - BSL-1.0
+  - BSD-2-Clause-FreeBSD
+  - BSD-2-Clause-NetBSD
+  - BSD-2-Clause
+  - BSD-3-Clause-Attribution
+  - BSD-3-Clause-Clear
+  - BSD-3-Clause-LBNL
+  - BSD-3-Clause
+  - BSD-4-Clause
+  - BSD-4-Clause-UC
+  - BSD-Protection
+  - CC-BY-1.0
+  - CC-BY-2.0
+  - CC-BY-2.5
+  - CC-BY-3.0
+  - CC-BY-4.0
+  - FTL
+  - ISC
+  - ImageMagick
+  - Libpng
+  - Lil-1.0
+  - Linux-OpenIB
+  - LPL-1.02
+  - LPL-1.0
+  - MS-PL
+  - MIT
+  - NCSA
+  - OpenSSL
+  - PHP-3.01
+  - PHP-3.0
+  - PIL
+  - Python-2.0
+  - Python-2.0-complete
+  - PostgreSQL
+  - SGI-B-1.0
+  - SGI-B-1.1
+  - SGI-B-2.0
+  - Unicode-DFS-2015
+  - Unicode-DFS-2016
+  - Unicode-TOU
+  - UPL-1.0
+  - W3C-19980720
+  - W3C-20150513
+  - W3C
+  - X11
+  - Xnet
+  - Zend-2.0
+  - zlib-acknowledgement
+  - Zlib
+  - ZPL-1.1
+  - ZPL-2.0
+  - ZPL-2.1
+  
+  unencumbered:
+  - CC0-1.0
+  - Unlicense
+  - 0BSD
+  
+  permissive: []
+```
+
+
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/misconfiguration/custom/combine.md

@@ -0,0 +1,44 @@
+# Combined input
+
+## Overview
+Trivy usually scans each configuration file individually. 
+Sometimes it might be useful to compare values from different configuration files simultaneously.
+
+When `combine` is set to true, all config files under the specified directory are combined into one input data structure.
+
+!!! example
+    ```
+    __rego_input__ := {
+        "combine": false,
+    }
+    ```
+
+In "combine" mode, the `input` document becomes an array, where each element is an object with two fields:
+
+- `"path": "path/to/file"`: the relative file path of the respective file
+- `"contents": ...`: the parsed content of the respective file
+
+Now you can ensure that duplicate values match across the entirety of your configuration files.
+
+## Return value
+In "combine" mode, the `deny` entrypoint must return an object with two keys
+
+`filepath` (required)
+: the relative file path of the file being evaluated
+
+`msg` (required)
+: the message describing an issue
+
+!!! example
+    ```
+    deny[res] {
+        resource := input[i].contents
+        ... some logic ...
+
+    	res := {
+    		"filepath": input[i].path,
+    		"msg": "something bad",
+    	}
+    }
+    ```
+

docs/docs/misconfiguration/custom/data.md

@@ -0,0 +1,35 @@
+# Custom Data
+
+Custom policies may require additional data in order to determine an answer.
+
+For example, an allowed list of resources that can be created. 
+Instead of hardcoding this information inside of your policy, Trivy allows passing paths to data files with the `--data` flag.
+
+Given the following yaml file:
+
+```bash
+$ cd examples/misconf/custom-data
+$ cat data/ports.yaml                                                                                                                                                                      [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]
+services:
+  ports:
+    - "20"
+    - "20/tcp"
+    - "20/udp"
+    - "23"
+    - "23/tcp"
+```
+
+This can be imported into your policy:
+
+```rego
+import data.services
+
+ports := services.ports
+```
+
+Then, you need to pass data paths through `--data` option.
+Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
+
+```bash
+$ trivy conf --policy ./policy --data data --namespaces user ./configs
+```

docs/docs/misconfiguration/custom/debug.md

@@ -0,0 +1,304 @@
+# Debugging policies
+When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
+For this purpose you can use the `--trace` flag.
+This will output a large trace from Open Policy Agent like the following:
+
+!!! tip
+    Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
+
+```shell
+$ trivy conf --trace configs/
+2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1
+
+Dockerfile (dockerfile)
+=======================
+Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
+
+MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+
+See https://avd.aquasec.com/misconfig/ds001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:1
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   1 [ FROM alpine:latest
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+HIGH: Last USER command in Dockerfile should not be 'root'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:3
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   3 [ USER root
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+ID: DS001
+File: Dockerfile
+Namespace: builtin.dockerfile.DS001
+Query: data.builtin.dockerfile.DS001.deny
+Message: Specify a tag in the 'FROM' statement for image 'alpine'
+TRACE  Enter data.builtin.dockerfile.DS001.deny = _
+TRACE  | Eval data.builtin.dockerfile.DS001.deny = _
+TRACE  | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)
+TRACE  | Enter data.builtin.dockerfile.DS001.deny
+TRACE  | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]
+TRACE  | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)
+TRACE  | | Enter data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]
+TRACE  | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)
+TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Eval from = data.lib.docker.from[_]
+TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | Enter data.lib.docker.from
+TRACE  | | | | | Eval instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Exit data.lib.docker.from
+TRACE  | | | | Redo data.lib.docker.from
+TRACE  | | | | | Redo instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Fail instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Fail instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | Eval name = from.Value[0]
+TRACE  | | | | Eval not startswith(name, "$")
+TRACE  | | | | Enter startswith(name, "$")
+TRACE  | | | | | Eval startswith(name, "$")
+TRACE  | | | | | Fail startswith(name, "$")
+TRACE  | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
+TRACE  | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Eval split(name, ":", __local504__)
+TRACE  | | | | | Eval [img, tag] = __local504__
+TRACE  | | | | | Exit data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | Eval [img, tag] = __local505__
+TRACE  | | | | Eval output = {"cmd": from, "img": img, "tag": tag}
+TRACE  | | | | Exit data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | Redo data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Redo output = {"cmd": from, "img": img, "tag": tag}
+TRACE  | | | | Redo [img, tag] = __local505__
+TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
+TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Redo [img, tag] = __local504__
+TRACE  | | | | | Redo split(name, ":", __local504__)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Eval tag = "latest"
+TRACE  | | | | | Eval not contains(img, ":")
+TRACE  | | | | | Enter contains(img, ":")
+TRACE  | | | | | | Eval contains(img, ":")
+TRACE  | | | | | | Exit contains(img, ":")
+TRACE  | | | | | Redo contains(img, ":")
+TRACE  | | | | | | Redo contains(img, ":")
+TRACE  | | | | | Fail not contains(img, ":")
+TRACE  | | | | | Redo tag = "latest"
+TRACE  | | | | Redo name = from.Value[0]
+TRACE  | | | | Redo from = data.lib.docker.from[_]
+TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Eval from = data.lib.docker.from[i]
+TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | Eval name = from.Value[0]
+TRACE  | | | | Eval cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Redo name = from.Value[0]
+TRACE  | | | | Redo from = data.lib.docker.from[i]
+TRACE  | | | Eval __local752__ = output.img
+TRACE  | | | Eval neq(__local752__, "scratch")
+TRACE  | | | Eval __local753__ = output.img
+TRACE  | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.is_alias
+TRACE  | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]
+TRACE  | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)
+TRACE  | | | | | Enter data.builtin.dockerfile.DS001.get_aliases
+TRACE  | | | | | | Eval from_cmd = data.lib.docker.from[_]
+TRACE  | | | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | | | Eval __local749__ = from_cmd.Value
+TRACE  | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
+TRACE  | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)
+TRACE  | | | | | | Enter data.builtin.dockerfile.DS001.get_alias
+TRACE  | | | | | | | Eval __local748__ = values[i]
+TRACE  | | | | | | | Eval lower(__local748__, __local501__)
+TRACE  | | | | | | | Eval "as" = __local501__
+TRACE  | | | | | | | Fail "as" = __local501__
+TRACE  | | | | | | | Redo lower(__local748__, __local501__)
+TRACE  | | | | | | | Redo __local748__ = values[i]
+TRACE  | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
+TRACE  | | | | | | Redo __local749__ = from_cmd.Value
+TRACE  | | | | | | Redo from_cmd = data.lib.docker.from[_]
+TRACE  | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]
+TRACE  | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | Eval output.tag = "latest"
+TRACE  | | | Exit data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | Redo data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | | Redo output.tag = "latest"
+TRACE  | | | Redo __local753__ = output.img
+TRACE  | | | Redo neq(__local752__, "scratch")
+TRACE  | | | Redo __local752__ = output.img
+TRACE  | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]
+TRACE  | | Eval __local754__ = output.img
+TRACE  | | Eval sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
+TRACE  | | Eval msg = __local509__
+TRACE  | | Eval __local755__ = output.cmd
+TRACE  | | Eval data.lib.docker.result(msg, __local755__, __local510__)
+TRACE  | | Index data.lib.docker.result (matched 1 rule)
+TRACE  | | Enter data.lib.docker.result
+TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Exit data.lib.docker.result
+TRACE  | | Eval res = __local510__
+TRACE  | | Exit data.builtin.dockerfile.DS001.deny
+TRACE  | Redo data.builtin.dockerfile.DS001.deny
+TRACE  | | Redo res = __local510__
+TRACE  | | Redo data.lib.docker.result(msg, __local755__, __local510__)
+TRACE  | | Redo data.lib.docker.result
+TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | Redo __local755__ = output.cmd
+TRACE  | | Redo msg = __local509__
+TRACE  | | Redo sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
+TRACE  | | Redo __local754__ = output.img
+TRACE  | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]
+TRACE  | Exit data.builtin.dockerfile.DS001.deny = _
+TRACE  Redo data.builtin.dockerfile.DS001.deny = _
+TRACE  | Redo data.builtin.dockerfile.DS001.deny = _
+TRACE
+
+
+ID: DS002
+File: Dockerfile
+Namespace: builtin.dockerfile.DS002
+Query: data.builtin.dockerfile.DS002.deny
+Message: Last USER command in Dockerfile should not be 'root'
+TRACE  Enter data.builtin.dockerfile.DS002.deny = _
+TRACE  | Eval data.builtin.dockerfile.DS002.deny = _
+TRACE  | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)
+TRACE  | Enter data.builtin.dockerfile.DS002.deny
+TRACE  | | Eval data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)
+TRACE  | | Enter data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user
+TRACE  | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)
+TRACE  | | | Enter data.builtin.dockerfile.DS002.get_user
+TRACE  | | | | Eval user = data.lib.docker.user[_]
+TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
+TRACE  | | | | Enter data.lib.docker.user
+TRACE  | | | | | Eval instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Fail instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Exit data.lib.docker.user
+TRACE  | | | | Redo data.lib.docker.user
+TRACE  | | | | | Redo instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Fail instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | Eval username = user.Value[_]
+TRACE  | | | | Exit data.builtin.dockerfile.DS002.get_user
+TRACE  | | | Redo data.builtin.dockerfile.DS002.get_user
+TRACE  | | | | Redo username = user.Value[_]
+TRACE  | | | | Redo user = data.lib.docker.user[_]
+TRACE  | | | Eval count(__local771__, __local536__)
+TRACE  | | | Eval lt(__local536__, 1)
+TRACE  | | | Fail lt(__local536__, 1)
+TRACE  | | | Redo count(__local771__, __local536__)
+TRACE  | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user
+TRACE  | | Fail data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | Enter data.builtin.dockerfile.DS002.deny
+TRACE  | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
+TRACE  | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)
+TRACE  | | Enter data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | | Eval stage_users = data.lib.docker.stage_user[_]
+TRACE  | | | Index data.lib.docker.stage_user (matched 1 rule)
+TRACE  | | | Enter data.lib.docker.stage_user
+TRACE  | | | | Eval stage = input.stages[stage_name]
+TRACE  | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
+TRACE  | | | | Enter cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | | Eval cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Fail cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Exit cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | Redo cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Fail cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | Exit data.lib.docker.stage_user
+TRACE  | | | Redo data.lib.docker.stage_user
+TRACE  | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
+TRACE  | | | | Redo stage = input.stages[stage_name]
+TRACE  | | | Eval count(stage_users, __local537__)
+TRACE  | | | Eval len = __local537__
+TRACE  | | | Eval minus(len, 1, __local538__)
+TRACE  | | | Eval last = stage_users[__local538__]
+TRACE  | | | Eval user = last.Value[0]
+TRACE  | | | Eval user = "root"
+TRACE  | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | Redo data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | | Redo user = "root"
+TRACE  | | | Redo user = last.Value[0]
+TRACE  | | | Redo last = stage_users[__local538__]
+TRACE  | | | Redo minus(len, 1, __local538__)
+TRACE  | | | Redo len = __local537__
+TRACE  | | | Redo count(stage_users, __local537__)
+TRACE  | | | Redo stage_users = data.lib.docker.stage_user[_]
+TRACE  | | Eval msg = "Last USER command in Dockerfile should not be 'root'"
+TRACE  | | Eval data.lib.docker.result(msg, cmd, __local540__)
+TRACE  | | Index data.lib.docker.result (matched 1 rule)
+TRACE  | | Enter data.lib.docker.result
+TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Exit data.lib.docker.result
+TRACE  | | Eval res = __local540__
+TRACE  | | Exit data.builtin.dockerfile.DS002.deny
+TRACE  | Redo data.builtin.dockerfile.DS002.deny
+TRACE  | | Redo res = __local540__
+TRACE  | | Redo data.lib.docker.result(msg, cmd, __local540__)
+TRACE  | | Redo data.lib.docker.result
+TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | Redo msg = "Last USER command in Dockerfile should not be 'root'"
+TRACE  | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
+TRACE  | Exit data.builtin.dockerfile.DS002.deny = _
+TRACE  Redo data.builtin.dockerfile.DS002.deny = _
+TRACE  | Redo data.builtin.dockerfile.DS002.deny = _
+TRACE
+```

docs/docs/misconfiguration/custom/examples.md

@@ -0,0 +1,296 @@
+# Examples
+
+## Custom Policy
+### Kubernetes
+See [here][k8s].
+
+The custom policy is defined in `user.kubernetes.ID001` package.
+You need to pass the package prefix you want to evaluate through `--namespaces` option.
+In this case, the package prefix should be `user`, `user.kubernetes`, or `user.kubernetes.ID001`.
+
+### Dockerfile
+See [here][dockerfile].
+
+The input will be a dictionary of stages.
+
+#### Single Stage
+
+??? example
+    Dockerfile
+    ```dockerfile
+    FROM foo
+    COPY . /
+    RUN echo hello
+    ```
+
+    Rego Input
+    ```json
+    {
+        "stages": {
+            "foo": [
+                {
+                    "Cmd": "from",
+                    "EndLine": 1,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "FROM foo",
+                    "Stage": 0,
+                    "StartLine": 1,
+                    "SubCmd": "",
+                    "Value": [
+                        "foo"
+                    ]
+                },
+                {
+                    "Cmd": "copy",
+                    "EndLine": 2,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "COPY . /",
+                    "Stage": 0,
+                    "StartLine": 2,
+                    "SubCmd": "",
+                    "Value": [
+                        ".",
+                        "/"
+                    ]
+                },
+                {
+                    "Cmd": "run",
+                    "EndLine": 3,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN echo hello",
+                    "Stage": 0,
+                    "StartLine": 3,
+                    "SubCmd": "",
+                    "Value": [
+                        "echo hello"
+                    ]
+                }
+            ]
+        }
+    }
+    ```
+
+#### Multi Stage
+
+??? example
+    Dockerfile
+    ```dockerfile
+    FROM golang:1.16 AS builder
+    WORKDIR /go/src/github.com/alexellis/href-counter/
+    RUN go get -d -v golang.org/x/net/html
+    COPY app.go .
+    RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+    
+    FROM alpine:latest
+    RUN apk --no-cache add ca-certificates \
+    && apk add --no-cache bash
+    WORKDIR /root/
+    COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+    CMD ["./app"]
+    ```
+
+    Rego Input
+    ```json
+    {
+        "stages": {
+            "alpine:latest": [
+                {
+                    "Cmd": "from",
+                    "EndLine": 7,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "FROM alpine:latest",
+                    "Stage": 1,
+                    "StartLine": 7,
+                    "SubCmd": "",
+                    "Value": [
+                        "alpine:latest"
+                    ]
+                },
+                {
+                    "Cmd": "run",
+                    "EndLine": 9,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash",
+                    "Stage": 1,
+                    "StartLine": 8,
+                    "SubCmd": "",
+                    "Value": [
+                        "apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash"
+                    ]
+                },
+                {
+                    "Cmd": "workdir",
+                    "EndLine": 10,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "WORKDIR /root/",
+                    "Stage": 1,
+                    "StartLine": 10,
+                    "SubCmd": "",
+                    "Value": [
+                        "/root/"
+                    ]
+                },
+                {
+                    "Cmd": "copy",
+                    "EndLine": 11,
+                    "Flags": [
+                        "--from=builder"
+                    ],
+                    "JSON": false,
+                    "Original": "COPY --from=builder /go/src/github.com/alexellis/href-counter/app .",
+                    "Stage": 1,
+                    "StartLine": 11,
+                    "SubCmd": "",
+                    "Value": [
+                        "/go/src/github.com/alexellis/href-counter/app",
+                        "."
+                    ]
+                },
+                {
+                    "Cmd": "cmd",
+                    "EndLine": 12,
+                    "Flags": [],
+                    "JSON": true,
+                    "Original": "CMD [\"./app\"]",
+                    "Stage": 1,
+                    "StartLine": 12,
+                    "SubCmd": "",
+                    "Value": [
+                        "./app"
+                    ]
+                }
+            ],
+            "golang:1.16 AS builder": [
+                {
+                    "Cmd": "from",
+                    "EndLine": 1,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "FROM golang:1.16 AS builder",
+                    "Stage": 0,
+                    "StartLine": 1,
+                    "SubCmd": "",
+                    "Value": [
+                        "golang:1.16",
+                        "AS",
+                        "builder"
+                    ]
+                },
+                {
+                    "Cmd": "workdir",
+                    "EndLine": 2,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "WORKDIR /go/src/github.com/alexellis/href-counter/",
+                    "Stage": 0,
+                    "StartLine": 2,
+                    "SubCmd": "",
+                    "Value": [
+                        "/go/src/github.com/alexellis/href-counter/"
+                    ]
+                    },
+                {
+                    "Cmd": "run",
+                    "EndLine": 3,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN go get -d -v golang.org/x/net/html",
+                    "Stage": 0,
+                    "StartLine": 3,
+                    "SubCmd": "",
+                    "Value": [
+                        "go get -d -v golang.org/x/net/html"
+                    ]
+                },
+                {
+                    "Cmd": "copy",
+                    "EndLine": 4,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "COPY app.go .",
+                    "Stage": 0,
+                    "StartLine": 4,
+                    "SubCmd": "",
+                    "Value": [
+                        "app.go",
+                        "."
+                    ]
+                },
+                {
+                    "Cmd": "run",
+                    "EndLine": 5,
+                    "Flags": [],
+                    "JSON": false,
+                    "Original": "RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .",
+                    "Stage": 0,
+                    "StartLine": 5,
+                    "SubCmd": "",
+                    "Value": [
+                        "CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app ."
+                    ]
+                }
+            ]
+        }
+    }
+    ```
+
+### Docker Compose
+See [here][compose].
+
+Docker Compose uses YAML format for configurations. You can apply your Rego policies to `docker-compose.yml`.
+
+### HCL
+See [here][hcl].
+
+Trivy parses HCL files and converts into structured data.
+
+!!! warning
+    Terraform HCL files are not supported yet.
+
+### Terraform Plan
+See [here][tfplan].
+
+Use the command [terraform show][terraform-show] to convert the Terraform plan into JSON so that OPA can read the plan.
+
+```bash
+$ terraform init
+$ terraform plan --out tfplan.binary
+$ terraform show -json tfplan.binary > tfplan.json
+```
+
+For more details, see also [OPA document][opa-terraform].
+
+### Serverless Framework
+See [here][serverless].
+
+Server Framework uses YAML format for configurations. You can apply your Rego policies to `serverless.yaml`.
+
+## Custom Data
+See [here][data].
+
+## Combined Input
+See [here][combine].
+
+## Go Testing
+See [here][go-testing].
+
+[k8s]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/kubernetes/
+[dockerfile]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/dockerfile/
+[compose]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/docker-compose/
+[hcl]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/hcl/
+[serverless]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/serverless/
+[tfplan]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/terraform-plan/
+[terraform-show]: https://www.terraform.io/docs/cli/commands/show.html
+[opa-terraform]: https://www.openpolicyagent.org/docs/latest/terraform/
+
+[custom]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy
+[data]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-data
+[combine]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/combine
+[go-testing]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/go-testing
+

docs/docs/misconfiguration/custom/index.md

@@ -0,0 +1,209 @@
+# Custom Policies
+
+## Overview
+You can write custom policies in [Rego][rego].
+Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
+
+``` bash
+trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+```
+
+As for `--namespaces` option, the detail is described as below.
+
+### File formats
+If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
+
+| File format   | File pattern                                              |
+|---------------|-----------------------------------------------------------|
+| JSON          | `*.json`                                                  |
+| YAML          | `*.yaml` and `*.yml`                                      |
+| Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
+| Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
+| Terraform     | `*.tf` and `*.tf.json`                                    |
+
+### Configuration languages
+In the above general file formats, Trivy automatically identifies the following types of configuration files:
+
+- CloudFormation (JSON/YAML)
+- Kubernetes (JSON/YAML)
+- Helm (YAML)
+- Terraform Plan (JSON)
+
+This is useful for filtering inputs, as described below.
+
+## Rego format
+A single package must contain only one policy.
+
+!!!example
+    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
+    package user.kubernetes.ID001
+    
+    deny[res] {
+        input.kind == "Deployment"
+        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
+        res := result.new(msg, input.kind)
+    }
+    ```
+
+In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
+If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
+
+### Policy structure
+
+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
+`package` (required)
+:   - MUST follow the Rego's [specification][package]
+    - MUST be unique per policy
+    - SHOULD include policy id for uniqueness
+    - MAY include the group name such as `kubernetes` for clarity
+        - Group name has no effect on policy evaluation
+
+`deny` (required)
+:   - SHOULD be `deny` or start with `deny_`
+        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
+    - SHOULD return ONE OF:
+        - The result of a call to `result.new(msg, cause)`. The `msg` is a `string` describing the issue occurrence, and the `cause` is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. 
+        - A `string` denoting the detected issue
+            - Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended if `result.new()` is not utilised.
+            - e.g. `{"msg": "deny message", "details": "something"}`
+    
+
+### Package
+A package name must be unique per policy.
+
+!!!example
+    ``` rego
+    package user.kubernetes.ID001
+    ```
+
+By default, only `builtin.*` packages will be evaluated.
+If you define custom packages, you have to specify the package prefix via `--namespaces` option. 
+
+``` bash
+trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+```
+
+In this case, `user.*` will be evaluated.
+Any package prefixes such as `main` and `user` are allowed.
+
+### Metadata
+Metadata helps enrich Trivy's scan results with useful information.
+
+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
+!!!example
+    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
+    ```
+  
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
+
+| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                           |                              | :material-close: | :material-check: |
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
+| url                        | Any characters                           |                              | :material-close: | :material-check: |
+
+
+Some fields are displayed in scan results.
+
+``` bash
+k.yaml (kubernetes)
+───────────────────
+
+Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+LOW: Found deployment 'my-deployment' but deployments are not allowed
+════════════════════════════════════════════════════════════════════════
+Deployments are not allowed because of some reasons.
+────────────────────────────────────────────────────────────────────────
+ k.yaml:1-2
+────────────────────────────────────────────────────────────────────────
+   1 ┌ apiVersion: v1
+   2 └ kind: Deployment
+────────────────────────────────────────────────────────────────────────
+```
+
+### Input
+You can specify input format via the `custom.input` annotation.
+
+!!!example
+    ``` rego
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
+    ```
+
+`combine` (boolean)
+: The details are [here](combine.md).
+
+`selector` (array)
+:   This option filters the input by file format or configuration language. 
+    In the above example, Trivy passes only Kubernetes files to this policy.
+    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
+
+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
+    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
+    When a configuration language is identified, it will overwrite `type`.
+    
+    !!! example
+        `pod.yaml` including Kubernetes Pod will be handled as `kubernetes`, not `yaml`.
+        `type` is overwritten by `kubernetes` from `yaml`.
+
+    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
+
+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)

docs/docs/misconfiguration/custom/testing.md

@@ -0,0 +1,90 @@
+# Testing
+It is highly recommended to write tests for your custom policies.
+
+## Rego testing
+To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. 
+By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
+
+For more details, see [Policy Testing][opa-testing].
+
+!!! example
+    ```
+    package user.dockerfile.ID002
+
+    test_add_denied {
+        r := deny with input as {"stages": {"alpine:3.13": [
+            {"Cmd": "add", "Value": ["/target/resources.tar.gz", "resources.jar"]},
+            {"Cmd": "add", "Value": ["/target/app.jar", "app.jar"]},
+        ]}}
+
+        count(r) == 1
+        r[_] == "Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'"
+    }
+    ```
+
+To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
+
+## Go testing
+[Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
+You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
+This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
+
+In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
+
+!!! tip
+    We recommend writing OPA and Go tests both since they have different roles, like unit tests and integration tests.
+
+The following example stores allowed and denied configuration files in a directory.
+`Successes` contains the result of successes, and `Failures` contains the result of failures.
+
+``` go
+{
+	name:  "disallowed ports",
+	input: "configs/",
+	fields: fields{
+		policyPaths: []string{"policy"},
+		dataPaths:   []string{"data"},
+		namespaces:  []string{"user"},
+	},
+	want: []types.Misconfiguration{
+		{
+			FileType: types.Dockerfile,
+			FilePath: "Dockerfile.allowed",
+			Successes: types.MisconfResults{
+				{
+					Namespace: "user.dockerfile.ID002",
+					PolicyMetadata: types.PolicyMetadata{
+						ID:          "ID002",
+						Type:        "Docker Custom Check",
+						Title:       "Disallowed ports exposed",
+						Severity:    "HIGH",
+					},
+				},
+			},
+		},
+		{
+			FileType: types.Dockerfile,
+			FilePath: "Dockerfile.denied",
+			Failures: types.MisconfResults{
+				{
+					Namespace: "user.dockerfile.ID002",
+					Message:   "Port 23 should not be exposed",
+					PolicyMetadata: types.PolicyMetadata{
+						ID:          "ID002",
+						Type:        "Docker Custom Check",
+						Title:       "Disallowed ports exposed",
+						Severity:    "HIGH",
+					},
+				},
+			},
+		},
+	},
+},
+```
+
+`Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
+
+[opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
+[defsec]: https://github.com/aquasecurity/defsec
+[table]: https://github.com/golang/go/wiki/TableDrivenTests
+[fanal]: https://github.com/aquasecurity/fanal

docs/docs/misconfiguration/options/filter.md

@@ -0,0 +1,60 @@
+# Filter Misconfigurations
+
+## By Severity
+
+Use `--severity` option.
+
+```bash
+trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
+```
+
+<details>
+<summary>Result</summary>
+
+```shell
+2022-05-16T13:50:42.718+0100	INFO	Detected config files: 3
+
+Dockerfile (dockerfile)
+=======================
+Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 1, CRITICAL: 0)
+
+HIGH: Last USER command in Dockerfile should not be 'root'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:3
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   3 [ USER root
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+deployment.yaml (kubernetes)
+============================
+Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
+Failures: 0 (HIGH: 0, CRITICAL: 0)
+
+
+main.tf (terraform)
+===================
+Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 0, CRITICAL: 1)
+
+CRITICAL: Classic resources should not be used.
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
+resources in a VPC instead.
+
+See https://avd.aquasec.com/misconfig/avd-aws-0081
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ main.tf:2-4
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   2 ┌ resource "aws_db_security_group" "sg" {
+   3 │
+   4 └ }
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+</details>

docs/docs/misconfiguration/options/others.md

@@ -0,0 +1,4 @@
+# Others
+
+!!! hint
+    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.

docs/docs/misconfiguration/options/policy.md

@@ -0,0 +1,35 @@
+# Policy
+
+## Pass custom policies
+You can pass directories including your custom policies through `--policy` option.
+This can be repeated for specifying multiple directories.
+
+```bash
+cd examplex/misconf/
+trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
+```
+
+For more details, see [Custom Policies](../custom/index.md).
+
+!!! tip
+    You also need to specify `--namespaces` option.
+
+## Pass custom data
+You can pass directories including your custom data through `--data` option.
+This can be repeated for specifying multiple directories.
+
+```bash
+cd examples/misconf/custom-data
+trivy conf --policy ./policy --data ./data --namespaces user ./configs
+```
+
+For more details, see [Custom Data](../custom/data.md).
+
+## Pass namespaces
+By default, Trivy evaluates policies defined in `builtin.*`.
+If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
+This can be repeated for specifying multiple packages.
+
+``` bash
+trivy conf --policy ./policy --namespaces main --namespaces user ./configs
+```

docs/docs/misconfiguration/options/report.md

@@ -0,0 +1,6 @@
+# Report Formats
+
+See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
+
+!!! caution
+    Misconfiguration scanning doesn't support default templates such as XML for now.

docs/docs/misconfiguration/options/values.md

@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting specific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```

docs/docs/misconfiguration/policy/builtin.md

@@ -0,0 +1,38 @@
+# Built-in Policies
+
+## Policy Sources
+
+Built-in policies are mainly written in [Rego][rego] and Go.
+Those policies are managed under [defsec repository][defsec].
+
+| Config type               | Source               |
+|---------------------------|----------------------|
+| Kubernetes                | [defsec][kubernetes] |
+| Dockerfile, Containerfile | [defsec][docker]     |
+| Terraform                 | [defsec][defsec]     |
+| CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
+| Helm Chart                | [defsec][kubernetes] |      
+| RBAC                      | [defsec][rbac]       |      
+
+For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
+
+Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.
+
+Ansible scanning is coming soon.
+
+## Policy Distribution
+defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
+If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
+
+## Update Interval
+Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[defsec]: https://github.com/aquasecurity/defsec
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
+[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
+[ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec

docs/docs/misconfiguration/policy/exceptions.md

@@ -0,0 +1,98 @@
+# Exceptions
+Exceptions let you specify cases where you allow policy violations.
+Trivy supports two types of exceptions.
+
+!!! info
+    Exceptions can be applied to built-in policies as well as custom policies.
+
+## Namespace-based exceptions
+There are some cases where you need to disable built-in policies partially or fully.
+Namespace-based exceptions lets you rough choose which individual packages to exempt.
+
+To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
+The `exception` rule must be defined under `namespace.exceptions`.
+`data.namespaces` includes all package names.
+
+
+!!! example
+    ``` rego
+    package namespace.exceptions
+
+    import data.namespaces
+        
+    exception[ns] {
+        ns := data.namespaces[_]
+        startswith(ns, "builtin.kubernetes")
+    }
+    ```
+
+This example exempts all built-in policies for Kubernetes.
+
+For more details, see [an example][ns-example].
+
+## Rule-based exceptions
+There are some cases where you need more flexibility and granularity in defining which cases to exempt.
+Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
+
+To use rule-based exceptions, create a Rego rule with the name `exception` that returns the rule name suffixes to exempt, prefixed by `deny_` (for example, returning `foo` will exempt `deny_foo`). 
+The rule can make any other assertion, for example, on the input or data documents. 
+This is useful to specify the exemption for a specific case.
+
+Note that if you specify the empty string, the exception will match all rules named `deny`.
+
+```
+exception[rules] {
+    # Logic
+
+    rules = ["foo","bar"]
+}
+```
+
+The above would provide an exception from `deny_foo` and `deny_bar`.
+
+
+!!! example
+    ```
+    package user.kubernetes.ID100
+
+    __rego_metadata := {
+        "id": "ID100",
+        "title": "Deployment not allowed",
+        "severity": "HIGH",
+        "type": "Kubernetes Custom Check",
+    }
+    
+    deny_deployment[msg] {
+        input.kind == "Deployment"
+    	msg = sprintf("Found deployment '%s' but deployments are not allowed", [name])
+    }
+    
+    exception[rules] {
+        input.kind == "Deployment"
+        input.metadata.name == "allow-deployment"
+        
+        rules := ["deployment"]
+    }
+    ```
+
+If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
+
+!!! example
+    ``` rego
+    package builtin.kubernetes.KSV012
+
+    exception[rules] {
+        input.metadata.name == "can-run-as-root"
+        rules := [""]
+    }
+    ```
+
+This exception is applied to [KSV012][ksv012] in defsec.
+You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
+
+For more details, see [an example][rule-example].
+
+[ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
+[rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
+[ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
+[defsec]: https://github.com/aquasecurity/defsec/

docs/docs/misconfiguration/scanning.md

@@ -0,0 +1,319 @@
+# Misconfiguration Scanning
+Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
+In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].
+
+![misconf](../../imgs/misconf.png)
+
+## Quick start
+
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
+
+``` bash
+$ trivy config [YOUR_IaC_DIRECTORY]
+```
+
+
+!!! example
+    ```
+    $ ls build/
+    Dockerfile
+    $ trivy config ./build
+    2022-05-16T13:29:29.952+0100	INFO	Detected config files: 1
+    
+    Dockerfile (dockerfile)
+    =======================
+    Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
+    Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+    
+    MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
+    ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+    
+    See https://avd.aquasec.com/misconfig/ds001
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    Dockerfile:1
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    1 [ FROM alpine:latest
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    ```
+
+You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
+
+```bash
+$ trivy image --scanners config IMAGE_NAME
+```
+
+```bash
+$ trivy fs --scanners config /path/to/dir
+```
+
+!!! note
+    Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
+
+Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
+You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
+
+
+!!! example
+    ``` bash
+    $ ls myapp/
+    Dockerfile Pipfile.lock
+    $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
+    2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
+    2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
+    2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
+    
+    Pipfile.lock (pipenv)
+    =====================
+    Total: 1 (HIGH: 1, CRITICAL: 0)
+    
+    ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
+    │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
+    ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
+    │ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via │
+    │          │                │          │                   │               │ malicious header                                          │
+    │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                │
+    └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
+    
+    Dockerfile (dockerfile)
+    =======================
+    Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+    Failures: 1 (HIGH: 1, CRITICAL: 0)
+    
+    HIGH: Last USER command in Dockerfile should not be 'root'
+    ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+    
+    See https://avd.aquasec.com/misconfig/ds002
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    Dockerfile:3
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    3 [ USER root
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    ```
+
+In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
+
+## Type detection
+The specified directory can contain mixed types of IaC files.
+Trivy automatically detects config types and applies relevant policies.
+
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
+
+``` bash
+$ ls iac/
+Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
+$ trivy conf --severity HIGH,CRITICAL ./iac
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8
+
+Dockerfile (dockerfile)
+
+Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+deployment.yaml (kubernetes)
+
+Tests: 20 (SUCCESSES: 15, FAILURES: 5, EXCEPTIONS: 0)
+Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
+
+MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
+
+See https://avd.aquasec.com/misconfig/ksv001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:16-19
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  16 ┌       - name: hello-kubernetes
+  17 │         image: hello-kubernetes:1.5
+  18 │         ports:
+  19 └         - containerPort: 8080
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+HIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Mounting docker.sock from the host can give the container full root access to the host.
+
+See https://avd.aquasec.com/misconfig/ksv006
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to true
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
+
+See https://avd.aquasec.com/misconfig/ksv012
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:16-19
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  16 ┌       - name: hello-kubernetes
+  17 │         image: hello-kubernetes:1.5
+  18 │         ports:
+  19 └         - containerPort: 8080
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Deployment 'hello-kubernetes' should not set 'spec.template.volumes.hostPath'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+HostPath volumes must be forbidden.
+
+See https://avd.aquasec.com/misconfig/ksv023
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed values
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
+
+See https://avd.aquasec.com/misconfig/ksv026
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
+
+Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+
+MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to false
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
+
+See https://avd.aquasec.com/misconfig/ksv001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  56 ┌         - name: mysql
+  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
+  58 │           imagePullPolicy: "IfNotPresent"
+  59 │           securityContext:
+  60 │             runAsUser: 1001
+  61 │           env:
+  62 │             - name: BITNAMI_DEBUG
+  63 │               value: "false"
+  64 └             - name: MYSQL_ROOT_PASSWORD
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to true
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
+
+See https://avd.aquasec.com/misconfig/ksv012
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  56 ┌         - name: mysql
+  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
+  58 │           imagePullPolicy: "IfNotPresent"
+  59 │           securityContext:
+  60 │             runAsUser: 1001
+  61 │           env:
+  62 │             - name: BITNAMI_DEBUG
+  63 │               value: "false"
+  64 └             - name: MYSQL_ROOT_PASSWORD
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+```
+
+</details>
+
+You can see the config type next to each file name.
+
+!!! example
+``` bash
+Dockerfile (dockerfile)
+=======================
+Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 1, CRITICAL: 0)
+
+...
+
+deployment.yaml (kubernetes)
+============================
+Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
+Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
+
+...
+
+main.tf (terraform)
+===================
+Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
+Failures: 9 (HIGH: 6, CRITICAL: 1)
+
+...
+
+bucket.yaml (cloudformation)
+============================
+Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
+...
+
+mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
+==========================================================
+Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+```
+
+## Examples
+See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)
+
+[custom]: ./custom/index.md

docs/docs/references/cli/client.md

@@ -0,0 +1,72 @@
+# Client
+
+```bash
+Usage:
+  trivy client [flags] IMAGE_NAME
+
+Aliases:
+  client, c
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/config.md

@@ -0,0 +1,49 @@
+# Config
+
+``` bash
+Scan config files for misconfigurations
+
+Usage:
+  trivy config [flags] DIR
+
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/fs.md

@@ -0,0 +1,87 @@
+# Filesystem
+
+```bash
+Scan local filesystem
+
+Usage:
+  trivy filesystem [flags] PATH
+
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/image.md

@@ -0,0 +1,105 @@
+# Image
+
+```bash
+Scan a container image
+
+Usage:
+  trivy image [flags] IMAGE_NAME
+
+Aliases:
+  image, i
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Image Flags
+      --input string   input file path instead of image name
+      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/index.md

@@ -0,0 +1,50 @@
+Trivy has several sub commands, image, fs, repo, client and server.
+
+``` bash
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+
+Usage:
+  trivy [global flags] command [flags] target
+  trivy [command]
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+
+Available Commands:
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  help        Help about any command
+  image       Scan a container image
+  kubernetes  scan kubernetes cluster
+  module      Manage modules
+  plugin      Manage plugins
+  repository  Scan a remote repository
+  rootfs      Scan rootfs
+  sbom        Scan SBOM for vulnerabilities
+  server      Server mode
+  version     Print the version
+
+Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy [command] --help" for more information about a command.
+```

docs/docs/references/cli/module.md

@@ -0,0 +1,30 @@
+# Module
+
+```bash
+Manage modules
+
+Usage:
+  trivy module [command]
+
+Aliases:
+  module, m
+
+Available Commands:
+  install     Install a module
+  uninstall   Uninstall a module
+
+Flags:
+  -h, --help   help for module
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
+```

docs/docs/references/cli/plugin.md

@@ -0,0 +1,34 @@
+# Plugin
+
+```bash
+Manage plugins
+
+Usage:
+  trivy plugin [command]
+
+Aliases:
+  plugin, p
+
+Available Commands:
+  info        Show information about the specified plugin
+  install     Install a plugin
+  list        List installed plugin
+  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
+  update      Update an existing plugin
+
+Flags:
+  -h, --help   help for plugin
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
+```

docs/docs/references/cli/repo.md

@@ -0,0 +1,89 @@
+# Repository
+
+```bash
+Scan a remote repository
+
+Usage:
+  trivy repository [flags] REPO_URL
+
+Aliases:
+  repository, repo
+
+Examples:
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Repository Flags
+      --branch string   pass the branch name to be scanned
+      --commit string   pass the commit hash to be scanned
+      --tag string      pass the tag name to be scanned
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/rootfs.md

@@ -0,0 +1,96 @@
+# Rootfs
+
+```bash
+Scan rootfs
+
+Usage:
+  trivy rootfs [flags] ROOTDIR
+
+Examples:
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+
+Scan Flags
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --scanners strings          comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--scanners config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```