BREAKING: use normalized trivy-java-db (#3583 )

Co-authored-by: knqyf263 <knqyf263@gmail.com>
fix(image): add timeout for remote images (#3582 )
2025-12-13 16:10:56 -08:00 · 2023-02-10 02:16:37 +02:00 · 2023-02-09 14:19:17 +02:00 · 2023-02-07 08:38:25 +02:00 · 2023-02-07 06:51:49 +02:00 · 2023-02-05 09:10:10 +09:00
1407 changed files with 293805 additions and 146415 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
 * text=auto eol=lf 
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,24 @@
 # Global
 *   @knqyf263
 # Docs
 /docs/** @knqyf263 @AnaisUrlichs @itaysk
 /mkdocs.yml @knqyf263 @AnaisUrlichs @itaysk
 /README.md @knqyf263 @AnaisUrlichs @itaysk
 # Helm chart
 helm/trivy/ @chen-keinan
 # Misconfiguration scanning
 examples/misconf/           @knqyf263
 docs/docs/misconfiguration  @knqyf263
 docs/docs/cloud             @knqyf263
 pkg/fanal/analyzer/config   @knqyf263
 pkg/fanal/handler/misconf   @knqyf263
 pkg/cloud                   @knqyf263
 pkg/flag/aws_flags.go       @knqyf263
 pkg/flag/misconf_flags.go   @knqyf263
 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
 docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263
--- a/.github/DISCUSSION_TEMPLATE/show-and-tell.yml
+++ b/.github/DISCUSSION_TEMPLATE/show-and-tell.yml
@@ -0,0 +1,53 @@
 title: "<company name> "
 labels: ["adopters"]
 body:
  - type: textarea
    id: links
    attributes:
      label: "Share Links"
      description: "If you would like to share a link to your project or company, please paste it below 🌐"
      value: |
        ...
    validations:
      required: false
  - type: textarea
    id: logo
    attributes:
      label: "Share Logo"
      description: "If you have a link to your logo, please provide it in the following text-box 🌐"
      value: |
        ...
    validations:
      required: false
  - type: checkboxes
    attributes:
      label: Please select all the scan targets that you are using
      options:
        - label: Container Images
        - label: Filesystem
        - label: Git Repository
        - label: Virtual Machine Images
        - label: Kubernetes
        - label: AWS
    validations:
      required: false
  - type: checkboxes
    attributes:
      label: Which scanners are you using on those scan targets?
      options:
        - label: OS packages and software dependencies in use (SBOM)
        - label: Known vulnerabilities (CVEs)
        - label: IaC issues and misconfigurations
        - label: Sensitive information and secrets
        - label: Software licenses
    validations:
      required: false
  - type: textarea
    id: info
    attributes:
      label: "Additional Information"
      description: "Please tell us more about your use case of Trivy -- anything that you would like to share 🎉"
      value: |
        ...
    validations:
      required: false
--- a/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
+++ b/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
@@ -0,0 +1,33 @@
 ---
 name: Wrong Detection
 labels: ["kind/bug"]
 about: If Trivy doesn't detect something, or shows false positive detection
 ---
 ## Checklist
 - [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
 - [ ] I've confirmed that a security advisory in data sources was correct.
    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
 ## Description
 <!--
 Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
 -->
 ## JSON Output of run with `-debug`:
 ```
 (paste your output here)
 ```
 ## Output of `trivy -v`:
 ```
 (paste your output here)
 ```
 ## Additional details (base image name, container registry info...):
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
 version: 2
 updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: monthly
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: monthly
  - package-ecosystem: gomod
    open-pull-requests-limit: 10
    directory: /
    schedule:
      interval: monthly
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,18 @@
 ## Description
 ## Related issues
 - Close #XXX
 ## Related PRs
 - [ ] #XXX
 - [ ] #YYY
 Remove this section if you don't have related PRs.
 ## Checklist
 - [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
 - [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)
 - [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -0,0 +1,60 @@
 name: Canary build
 on:
  push:
    branches:
      - 'main'
    paths:
      - '**.go'
      - 'go.mod'
      - 'Dockerfile.canary'
      - '.github/workflows/canary.yaml'
  workflow_dispatch:
 jobs:
  build-binaries:
    name: Build binaries
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser-canary.yml
      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
    secrets: inherit
  upload-binaries:
    name: Upload binaries
    needs: build-binaries # run this job after 'build-binaries' job completes
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
        uses: actions/cache@v3.2.4
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
        # Upload artifacts
      - name: Upload artifacts (trivy_Linux-64bit)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_Linux-64bit
          path: dist/trivy_*_Linux-64bit.tar.gz
          if-no-files-found: error
      - name: Upload artifacts (trivy_Linux-ARM64)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_Linux-ARM64
          path: dist/trivy_*_Linux-ARM64.tar.gz
          if-no-files-found: error
      - name: Upload artifacts (trivy_macOS-64bit)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_macOS-64bit
          path: dist/trivy_*_macOS-64bit.tar.gz
          if-no-files-found: error
      - name: Upload artifacts (trivy_macOS-ARM64)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_macOS-ARM64
          path: dist/trivy_*_macOS-ARM64.tar.gz
          if-no-files-found: error
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -9,21 +9,20 @@ on:
 jobs:
  deploy:
    name: Deploy the dev documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
+          pip install -r docs/build/requirements.txt
          pip install mkdocs-macros-plugin
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - name: Configure the git user
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -1,33 +1,41 @@
 name: Deploy the latest documentation
 on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to be deployed
        required: true
  push:
    tags:
      - "v*"
 jobs:
  deploy:
    name: Deploy the latest documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
+          pip install -r docs/build/requirements.txt
          pip install mkdocs-macros-plugin
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - name: Configure the git user
        run: |
          git config user.name "knqyf263"
          git config user.email "knqyf263@gmail.com"
-      - name: Deploy the latest documents
+      - name: Deploy the latest documents from new tag push
        if: ${{ github.event.inputs.version == '' }}
        run: |
          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -1,47 +1,83 @@
-name: Publish Chart Helm
+
 name: Publish Helm chart
 on:
-  push:
+  workflow_dispatch:
-    branches: [main]
+  pull_request:
    branches:
      - main
    paths:
      - 'helm/trivy/**'
-  workflow_dispatch:
+  push:
    tags:
      - "v*"
 env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
  KIND_VERSION: "v0.14.0"
  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
-  release:
+  test-chart:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: v3.5.0
      - name: Set up python
        uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
      - name: Setup Kubernetes cluster (KIND)
        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
      - name: Run chart-testing
        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
      - name: Run chart-testing (Ingress enabled)
        run: |
          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
          ct lint-and-install --validate-maintainers=false --charts helm/trivy
  publish-chart:
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    needs:
      - test-chart
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install chart-releaser
        run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
      - name: Package helm chart
        run: |
          ./cr package ${{ env.CHART_DIR }}
      - name: Upload helm chart
        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
        continue-on-error: true
        ## Upload the tar in the Releases repository
        run: |
-          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_GITHUB_TOKEN }} -p .cr-release-packages
+          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
      - name: Index helm chart
        run: |
          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
      - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.0.4
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
        env:
-          API_TOKEN_GITHUB: ${{ secrets.ORG_GITHUB_TOKEN }}
+          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
        with:
          source_file: 'index.yaml'
          destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,80 +3,55 @@ on:
  push:
    tags:
      - "v*"
-env:
+
  GO_VERSION: "1.16"
  GH_USER: "aqua-bot"
 jobs:
  release:
    name: Release
-    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
+    uses: ./.github/workflows/reusable-release.yaml
-    env:
+    with:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
+      goreleaser_config: goreleaser.yml
      goreleaser_options: '--rm-dist --timeout 90m'
    secrets: inherit
  deploy-packages:
    name: Deploy rpm/dep packages
    needs: release # run this job after 'release' job completes
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Restore Trivy binaries from cache
        uses: actions/cache@v3.2.4
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
      - name: Install dependencies
        run: |
          sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
+          sudo apt-get -y install rpm reprepro createrepo-c distro-info
-      - name: Set up QEMU
+
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
      - name: Show available Docker Buildx platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Cache Go modules
        uses: actions/cache@v2
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Login to docker.io registry
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to ghcr.io registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ env.GH_USER }}
          password: ${{ secrets.ORG_GITHUB_TOKEN }}
      - name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: public.ecr.aws
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Release
        uses: goreleaser/goreleaser-action@v2
        with:
          version: v0.164.0
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_GITHUB_TOKEN }}
      - name: Checkout trivy-repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          repository: ${{ github.repository_owner }}/trivy-repo
          path: trivy-repo
          fetch-depth: 0
-          token: ${{ secrets.ORG_GITHUB_TOKEN }}
+          token: ${{ secrets.ORG_REPO_TOKEN }}
      - name: Setup git settings
        run: |
          git config --global user.email "knqyf263@gmail.com"
          git config --global user.name "Teppei Fukuda"
      - name: Create rpm repository
        run: ci/deploy-rpm.sh
      - name: Import GPG key
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
      - name: Create deb repository
        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -0,0 +1,108 @@
 name: Reusable release
 on:
  workflow_call:
    inputs:
      goreleaser_config:
        description: 'file path to GoReleaser config'
        required: true
        type: string
      goreleaser_options:
        description: 'GoReleaser options separated by spaces'
        default: ''
        required: false
        type: string
 env:
  GH_USER: "aqua-bot"
 jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    permissions:
      id-token: write # For cosign
      packages: write # For GHCR
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
      - name: Show available Docker Buildx platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Login to docker.io registry
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to ghcr.io registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ env.GH_USER }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to ECR
        uses: docker/login-action@v2
        with:
          registry: public.ecr.aws
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
          args: mod -licenses -json -output bom.json
          version: ^v1
      - name: GoReleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: v1.4.1
          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
      ## push images to registries
      ## only for canary build
      - name: Build and push
        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
        uses: docker/build-push-action@v4
        with:
          platforms: linux/amd64, linux/arm64
          file: ./Dockerfile.canary # path to Dockerfile
          context: .
          push: true
          tags: |
            aquasec/trivy:canary
            ghcr.io/aquasecurity/trivy:canary
            public.ecr.aws/aquasecurity/trivy:canary
      - name: Cache Trivy binaries
        uses: actions/cache@v3.2.4
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
          # e.g. build and release runs
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/roadmap.yaml
+++ b/.github/workflows/roadmap.yaml
@@ -0,0 +1,79 @@
 name: Add issues to the roadmap project
 on:
  issues:
    types:
      - labeled
 jobs:
  add-issue-to-roadmap-project:
    name: Add issue to the roadmap project
    runs-on: ubuntu-latest
    steps:
      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
      - uses: actions/add-to-project@v0.4.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/backlog
          label-operator: AND
        id: add-backlog-issue
      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
        if: ${{ steps.add-backlog-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
          field-keys: Priority
          field-values: Backlog
      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
      - uses: actions/add-to-project@v0.4.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/important-longterm
          label-operator: AND
        id: add-longterm-issue
      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
        if: ${{ steps.add-longterm-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
          field-keys: Priority
          field-values: Important (long-term)
      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
      - uses: actions/add-to-project@v0.4.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/important-soon
          label-operator: AND
        id: add-soon-issue
      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
        if: ${{ steps.add-soon-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
          field-keys: Priority
          field-values: Important (soon)
      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
      - uses: actions/add-to-project@v0.4.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/critical-urgent
          label-operator: AND
        id: add-urgent-issue
      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
        if: ${{ steps.add-urgent-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
          field-keys: Priority
          field-values: Urgent
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,23 @@
 name: Scan vulnerabilities
 on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:
 jobs:
  build:
    name: Scan Go vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner and create GitHub issues
        uses: knqyf263/trivy-issue-action@v0.0.4
        with:
          assignee: knqyf263
          severity: CRITICAL
          skip-dirs: integration,examples
          label: kind/security
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -0,0 +1,99 @@
 name: "Lint PR title"
 on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize
 jobs:
  main:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          types: |
            feat
            fix
            docs
            style
            refactor
            perf
            test
            build
            ci
            chore
            revert
            BREAKING
          scopes: |
            vuln
            misconf
            secret
            license
            image
            fs
            repo
            sbom
            server
            k8s
            aws
            vm
            alpine
            wolfi
            redhat
            alma
            rocky
            mariner
            oracle
            debian
            ubuntu
            amazon
            suse
            photon
            distroless
            windows
            ruby
            php
            python
            nodejs
            rust
            dotnet
            java
            go
            c
            c++
            elixir
            dart
            os
            lang
            kubernetes
            dockerfile
            terraform
            cloudformation
            docker
            podman
            containerd
            oci
            cli
            flag
            cyclonedx
            spdx
            purl
            helm
            report
            db
            deps
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v7
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test-docs.yaml
+++ b/.github/workflows/test-docs.yaml
@@ -0,0 +1,28 @@
 name: Test docs
 on:
  pull_request:
    paths:
      - 'docs/**'
      - 'mkdocs.yml'
 jobs:
  build-documents:
    name: Documentation Test
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0
        persist-credentials: true
    - uses: actions/setup-python@v4
      with:
        python-version: 3.x
    - name: Install dependencies
      run: |
        pip install -r docs/build/requirements.txt
    - name: Configure the git user
      run: |
        git config user.name "knqyf263"
        git config user.email "knqyf263@gmail.com"
    - name: Deploy the dev documents
      run: mike deploy test
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,48 +1,95 @@
 name: Test
-on: pull_request
+on:
-env:
+  push:
-  GO_VERSION: "1.16"
+    branches:
      - main
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'mkdocs.yml'
      - 'LICENSE'
  pull_request:
      paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'mkdocs.yml'
      - 'LICENSE'
 jobs:
  test:
    name: Test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: oldstable
      - name: go mod tidy
        run: |
          go mod tidy
          if [ -n "$(git status --porcelain)" ]; then
            echo "Run 'go mod tidy' and push it"
            exit 1
          fi
        if: matrix.operating-system == 'ubuntu-latest'
      - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3.4.0
        with:
-          version: v1.31
+          version: v1.49
          args: --deadline=30m
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
        if: matrix.operating-system == 'ubuntu-latest'
      # Install tools
      - uses: aquaproj/aqua-installer@v2.0.2
        with:
          aqua_version: v1.25.0
      - name: Run unit tests
        run: make test
      - name: Upload code coverage
        uses: codecov/codecov-action@v1
        with:
          files: ./coverage.txt
  integration:
    name: Integration Test
    runs-on: ubuntu-latest
    steps:
-    - name: Set up Go
+      - name: Check out code into the Go module directory
-      uses: actions/setup-go@v2
+        uses: actions/checkout@v3
      with:
        go-version: ${{ env.GO_VERSION }}
      id: go
-    - name: Check out code into the Go module directory
+      - name: Set up Go
-      uses: actions/checkout@v2
+        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
-    - name: Run integration tests
+      - name: Run integration tests
-      run: make test-integration
+        run: make test-integration
  module-test:
    name: Module Integration Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      # Install tools
      - uses: aquaproj/aqua-installer@v2.0.2
        with:
          aqua_version: v1.25.0
      - name: Run module integration tests
        shell: bash
        run: |
          make test-module-integration
  build-test:
    name: Build Test
@@ -51,49 +98,26 @@ jobs:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
+      uses: docker/setup-qemu-action@v2
    - name: Set up Docker Buildx
      id: buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2
    - name: Show available Docker Buildx platforms
      run: echo ${{ steps.buildx.outputs.platforms }}
    - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
      with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v2
+      uses: goreleaser/goreleaser-action@v4
      with:
-        version: v0.164.0
+        version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
  build-documents:
    name: Documentation Test
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v2
      with:
        fetch-depth: 0
        persist-credentials: true
    - uses: actions/setup-python@v2
      with:
        python-version: 3.x
    - name: Install dependencies
      run: |
        pip install mkdocs-material
        pip install mike
        pip install mkdocs-macros-plugin
    - name: Configure the git user
      run: |
        git config user.name "knqyf263"
        git config user.email "knqyf263@gmail.com"
    - name: Deploy the dev documents
      run: mike deploy test
--- a/.github/workflows/vm-test.yaml
+++ b/.github/workflows/vm-test.yaml
@@ -0,0 +1,32 @@
 name: VM Test
 on:
  push:
    branches:
      - main
    paths:
      - 'pkg/fanal/vm/**'
      - 'pkg/fanal/walker/vm.go'
      - 'pkg/fanal/artifact/vm/**'
      - 'integration/vm_test.go'
  pull_request:
    paths:
      - 'pkg/fanal/vm/**'
      - 'pkg/fanal/walker/vm.go'
      - 'pkg/fanal/artifact/vm/**'
      - 'integration/vm_test.go'
 jobs:
  vm-test:
    name: VM Integration Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      - name: Run vm integration tests
        run: |
          make test-vm-integration
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-trivy
+/trivy
 ## chart release
 .cr-release-packages
@@ -16,6 +16,7 @@ trivy
 *.out
 .idea
 .vscode
 # Directory Cache Files
 .DS_Store
@@ -23,4 +24,14 @@ thumbs.db
 # test fixtures
 coverage.txt
-integration/testdata/fixtures/
+integration/testdata/fixtures/images
 integration/testdata/fixtures/vm-images
 # SBOMs generated during CI
 /bom.json
 # goreleaser output
 dist
 # WebAssembly
 *.wasm
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -6,12 +6,10 @@ linters-settings:
    check-shadowing: false
  gofmt:
    simplify: false
-  golint:
+  revive:
-    min-confidence: 0
+    ignore-generated-header: true
  gocyclo:
-    min-complexity: 10
+    min-complexity: 20
  maligned:
    suggest-new: true
  dupl:
    threshold: 100
  goconst:
@@ -21,32 +19,36 @@ linters-settings:
    locale: US
  goimports:
    local-prefixes: github.com/aquasecurity
  gosec:
    excludes:
      - G101
      - G114
      - G204
      - G402
 linters:
  disable-all: true
  enable:
-    - structcheck
+    - unused
    - ineffassign
    - typecheck
    - govet
-    - errcheck
+    - revive
    - varcheck
    - deadcode
    - golint
    - gosec
    - unconvert
    - goconst
    - gocyclo
    - gofmt
    - goimports
    - maligned
    - misspell
 run:
  go: 1.19
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
    - "integration/*"
    - "examples/*"
 issues:
  exclude-rules:
@@ -56,9 +58,6 @@ issues:
    - linters:
        - gosec
      text: "Deferring unsafe method"
    - linters:
        - gosec
      text: "G204: Subprocess launched with variable"
    - linters:
        - errcheck
      text: "Close` is not checked"
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,28 +1 @@
-Thank you for taking interest in contributing to Trivy !
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
 ## Issues
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
 - Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
 ## Pull Requests
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
 1. Please add the associated Issue in the PR description.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
 1. Please include a comment with the results before and after your change.
 1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
 1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
 ## Understand where your pull request belongs
 Trivy is composed of several different repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
 - [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.17.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -0,0 +1,10 @@
 FROM alpine:3.17.1
 RUN apk --no-cache add ca-certificates git
 # binaries were created with GoReleaser
 # need to copy binaries from folder with correct architecture
 # example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
 ARG TARGETARCH
 COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
 ENTRYPOINT ["trivy"]
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -0,0 +1,12 @@
 FROM golang:1.19
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
 RUN apt-get update && apt-get install -y unzip
 RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
    && rm -f $PROTOC_ZIP
 RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
 RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
--- a/99
+++ b/99
@@ -1,21 +1,44 @@
-VERSION := $(shell git describe --tags)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
-LDFLAGS=-ldflags "-s -w -X=main.version=$(VERSION)"
+LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
-GOPATH=$(shell go env GOPATH)
+GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
-GOBIN=$(GOPATH)/bin
+GOBIN := $(GOPATH)/bin
-GOSRC=$(GOPATH)/src
+GOSRC := $(GOPATH)/src
 TEST_MODULE_DIR := pkg/module/testdata
 TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
 TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
 EXAMPLE_MODULE_DIR := examples/module
 EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
 EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
 MKDOCS_IMAGE := aquasec/mkdocs-material:dev
 MKDOCS_PORT := 8000
 export CGO_ENABLED := 0 
 u := $(if $(update),-u)
 # Tools
 $(GOBIN)/wire:
-	GO111MODULE=off go get github.com/google/wire/cmd/wire
+	go install github.com/google/wire/cmd/wire@v0.5.0
 $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
 $(GOBIN)/golangci-lint:
 	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest
 $(GOBIN)/easyjson:
 	go install github.com/mailru/easyjson/...@v0.7.7
 .PHONY: wire
 wire: $(GOBIN)/wire
-	wire gen ./pkg/... ./internal/...
+	wire gen ./pkg/commands/... ./pkg/rpc/...
 .PHONY: mock
 mock: $(GOBIN)/mockery
@@ -26,23 +49,48 @@ deps:
 	go get ${u} -d
 	go mod tidy
-$(GOBIN)/golangci-lint:
+.PHONY: generate-test-modules
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.21.0
+generate-test-modules: $(TEST_MODULES)
 # Compile WASM modules for unit and integration tests
 %.wasm:%.go
 	@if !(type "tinygo" > /dev/null 2>&1); then \
 		echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
 		exit 1; \
 	fi
 	go generate $<
 # Run unit tests
 .PHONY: test
-test:
+test: $(TEST_MODULES)
 	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
-integration/testdata/fixtures/*.tar.gz:
+integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
-	git clone https://github.com/aquasecurity/trivy-test-images.git integration/testdata/fixtures
+	mkdir -p integration/testdata/fixtures/images/
 	integration/scripts/download-images.sh
 # Run integration tests
 .PHONY: test-integration
-test-integration: integration/testdata/fixtures/*.tar.gz
+test-integration: integration/testdata/fixtures/images/*.tar.gz
-	go test -v -tags=integration ./integration/...
+	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
 # Run WASM integration tests
 .PHONY: test-module-integration
 test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
 	go test -v -tags=module_integration ./integration/...
 # Run VM integration tests
 .PHONY: test-vm-integration
 test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
 	go test -v -tags=vm_integration ./integration/...
 integration/testdata/fixtures/vm-images/*.img.gz:
 	integration/scripts/download-vm-images.sh
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
-	$(GOBIN)/golangci-lint run
+	$(GOBIN)/golangci-lint run --timeout 5m
 .PHONY: fmt
 fmt:
@@ -54,7 +102,13 @@ build:
 .PHONY: protoc
 protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --go_out=. {} \;
+	docker build -t trivy-protoc - < Dockerfile.protoc
 	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
 _protoc:
 	for path in `find ./rpc/ -name "*.proto" -type f`; do \
 		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
 	done
 .PHONY: install
 install:
@@ -62,17 +116,20 @@ install:
 .PHONY: clean
 clean:
-	rm -rf integration/testdata/fixtures/
+	rm -rf integration/testdata/fixtures/images
 $(GOBIN)/labeler:
 	GO111MODULE=off go get github.com/knqyf263/labeler
 # Create labels on GitHub
 .PHONY: label
 label: $(GOBIN)/labeler
 	labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5
 # Run MkDocs development server to preview the documentation page
 .PHONY: mkdocs-serve
 ## Runs MkDocs development server to preview the documentation page
 mkdocs-serve:
 	docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
 	docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
 # Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
 .PHONY: easyjson
 easyjson: $(GOBIN)/easyjson
 	easyjson pkg/module/serialize/types.go
--- a/README.md
+++ b/README.md
@@ -1,134 +1,130 @@
-<img src="docs/imgs/logo.png" width="150">
+<div align="center">
-
+<img src="docs/imgs/logo.png" width="200">
 [![GitHub Release][release-img]][release]
-[![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/trivy)](https://goreportcard.com/report/github.com/aquasecurity/trivy)
+[![Test][test-img]][test]
-[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)][license]
+[![Go Report Card][go-report-img]][go-report]
-[![codecov](https://codecov.io/gh/aquasecurity/trivy/branch/main/graph/badge.svg)](https://codecov.io/gh/aquasecurity/trivy)
+[![License: Apache-2.0][license-img]][license]
-[![GitHub All Releases][github-all-releases-img]][release]
+[![GitHub Downloads][github-downloads-img]][release]
 ![Docker Pulls][docker-pulls]
-[release]: https://github.com/aquasecurity/trivy/releases
+[📖 Documentation][docs]
-[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
+</div>
 [github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
 [docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
 Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
-A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
+Targets (what Trivy can scan):
-# Abstract
+- Container Image
-`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.
+- Filesystem
-A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.
+- Git Repository (remote)
-`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).
+- Virtual Machine Image
-`Trivy` is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.
+- Kubernetes
 - AWS
-<img src="docs/imgs/overview.png" width="700">
+Scanners (what Trivy can find there):
-Trivy can be run in two different modes:
+- OS packages and software dependencies in use (SBOM)
 - Known vulnerabilities (CVEs)
 - IaC issues and misconfigurations
 - Sensitive information and secrets
 - Software licenses
- [Standalone](https://aquasecurity.github.io/trivy/latest/modes/standalone/)
+To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
 - [Client/Server](https://aquasecurity.github.io/trivy/latest/modes/client-server/)
-Trivy can scan three different artifacts:
+## Quick Start
- [Container Images](https://aquasecurity.github.io/trivy/latest/scanning/image/)
+### Get Trivy
 - [Filesystem](https://aquasecurity.github.io/trivy/latest/scanning/filesystem/)
 - [Git Repositories](https://aquasecurity.github.io/trivy/latest/scanning/git-repository/)
-<img src="docs/imgs/usage.gif" width="700">
+Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
 <img src="docs/imgs/usage1.png" width="600">
 <img src="docs/imgs/usage2.png" width="600">
-It is considered to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
+- `brew install trivy`
-See [here](https://aquasecurity.github.io/trivy/latest/integrations/) for details.
+- `docker run aquasec/trivy`
 - Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
 - See [Installation] for more
-# Features
+Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
- Detect comprehensive vulnerabilities
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
-  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
-  - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
- Simple
+- See [Ecosystem] for more
  - Specify only an image name or artifact name
  - See [Quick Start](#quick-start) and [Examples](#examples)
 - Fast
  - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
  - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
 - Easy installation
  - `apt-get install`, `yum install` and `brew install` is possible (See [Installation](#installation))
  - **No pre-requisites** such as installation of DB, libraries, etc.
 - High accuracy
  - **Especially Alpine Linux and RHEL/CentOS**
  - Other OSes are also high
 - DevSecOps
  - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
  - See [CI Example](#continuous-integration-ci)
 - Support multiple formats
  - container image
    - A local image in Docker Engine which is running as a daemon
    - A local image in Podman (>=2.0) which is exposing a socket
    - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
    - A tar archive stored in the `docker save` / `podman save` formatted file
    - An image directory compliant with [OCI Image Format](https://github.com/opencontainers/image-spec)
  - local filesystem
  - remote git repository
-Please see [LICENSE][license] for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
+### General usage
-# Documentation
+```bash
-The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
+trivy <target> [--scanners <scanner1,scanner2>] <subject>
 # Installation
 See [here](https://aquasecurity.github.io/trivy/latest/installation/)
 # Quick Start
 Simply specify an image name (and a tag).
 ```
 $ trivy image [YOUR_IMAGE_NAME]
 ```
-For example:
+Examples:
-```
+```bash
-$ trivy image python:3.4-alpine
+trivy image python:3.4-alpine
 ```
 <details>
 <summary>Result</summary>
-```
+https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov
 2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
 2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
 python:3.4-alpine3.9 (alpine 3.9.2)
 ===================================
 Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 +---------+------------------+----------+-------------------+---------------+--------------------------------+
 | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
 +---------+------------------+----------+-------------------+---------------+--------------------------------+
 | openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
 |         |                  |          |                   |               | with long nonces               |
 +---------+------------------+----------+-------------------+---------------+--------------------------------+
 ```
 </details>
-# Examples
+```bash
-See [here](https://aquasecurity.github.io/trivy/latest/examples/filter/)
+trivy fs --scanners vuln,secret,config myproject/
 ```
-# Continuous Integration (CI)
+<details>
-See [here](https://aquasecurity.github.io/trivy/latest/integrations/)
+<summary>Result</summary>
-# Vulnerability Detection
+https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov
 See [here](https://aquasecurity.github.io/trivy/latest/vuln-detection/)
-# Usage
+</details>
 See [here](https://aquasecurity.github.io/trivy/latest/usage/)
-# Author
+```bash
 trivy k8s --report summary cluster
 ```
-[Teppei Fukuda](https://github.com/knqyf263) (knqyf263)
+<details>
 <summary>Result</summary>
 ![k8s summary](docs/imgs/trivy-k8s.png)
 </details>
 ## FAQ
 ### How to pronounce the name "Trivy"?
 `tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
 ---
 Trivy is an [Aqua Security][aquasec] open source project.  
 Learn about our open source work and portfolio [here][oss].  
 Contact us about any matter by opening a GitHub Discussion [here][discussions]
 [test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
 [test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
 [go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
 [go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
 [release]: https://github.com/aquasecurity/trivy/releases
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
 [github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
 [docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
 [homepage]: https://trivy.dev
 [docs]: https://aquasecurity.github.io/trivy
 [pronunciation]: #how-to-pronounce-the-name-trivy
 [Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego
 [sigstore]: https://www.sigstore.dev/
 [aquasec]: https://aquasec.com
 [oss]: https://www.aquasec.com/products/open-source-projects/
 [discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -0,0 +1,8 @@
 ---
 # aqua - Declarative CLI Version Manager
 # https://aquaproj.github.io/
 registries:
 - type: standard
  ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
 packages:
 - name: tinygo-org/tinygo@v0.26.0
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
@@ -0,0 +1,56 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
 <g>
 	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
 		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
 	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
 		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
 	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
 	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
 	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
 		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
 		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
 		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
 	<g>
 		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
 			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
 		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
 			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
 		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
 			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
 		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
 			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
 		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
 			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
 			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
 		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
 			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
 			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
 		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
 		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
 		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
 			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
 		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
 			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
 			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
 	</g>
 </g>
 <g>
 	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
 	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
 	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
 		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
 	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
 		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
 		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
 </g>
 </svg>
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
@@ -0,0 +1,202 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
 <g display="none">
 	<g display="inline">
 		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
 			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
 			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
 		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
 			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
 			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
 		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
 			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
 			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
 			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
 		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
 			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
 			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
 			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
 		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
 		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
 			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
 			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
 			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
 		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
 			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
 			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
 			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
 		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
 			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
 			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
 		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
 			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
 			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
 			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
 			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
 		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
 			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
 			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
 			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
 		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
 			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
 		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
 		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
 		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
 			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
 			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
 			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
 			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
 			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
 			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
 			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
 		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
 			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
 		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
 			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
 			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
 			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
 			S1255.131,432.352,1255.131,428.372z"/>
 		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
 			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
 		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
 			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
 			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
 			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
 		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
 			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
 			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
 		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
 			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
 			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
 			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
 			S1436.024,432.352,1436.024,428.372z"/>
 		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
 			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
 		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
 			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
 			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
 			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
 			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
 			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
 			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
 			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
 		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
 		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
 			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
 			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
 			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
 		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
 			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
 			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
 		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
 			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
 			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
 			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
 		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
 			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
 			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
 			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
 			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
 		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
 			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
 			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
 			"/>
 		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
 		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
 			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
 			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
 			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
 		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
 		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
 			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
 			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
 		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
 			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
 		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
 			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
 			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
 			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
 		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
 			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
 			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
 			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
 			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
 		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
 			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
 			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
 			s-11.276,3.742-13.385,9.059H849.59z"/>
 		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
 			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
 			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
 			s-11.276,3.742-13.385,9.059H899.44z"/>
 	</g>
 </g>
 <g>
 	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
 		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
 	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
 		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
 	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
 	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
 	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
 		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
 		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
 		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
 		"/>
 	<g>
 		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
 			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
 		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
 			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
 		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
 			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
 		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
 			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
 		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
 			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
 			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
 		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
 			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
 			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
 		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
 			V347.086z"/>
 		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
 			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
 		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
 			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
 		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
 			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
 			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
 	</g>
 </g>
 <g>
 	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
 		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
 	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
 		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
 	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
 		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
 	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
 		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
 		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
 </g>
 </svg>
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
@@ -0,0 +1,84 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
 <g display="none">
 	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
 		118.268,40.115 	"/>
 	<g display="inline">
 		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
 			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
 		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
 			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
 		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
 			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
 		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
 			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
 		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
 			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
 			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
 		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
 			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
 			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
 		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
 		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
 			L14.265,41.864z"/>
 		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
 			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
 		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
 			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
 			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
 	</g>
 </g>
 <g>
 	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
 		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
 	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
 		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
 	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
 	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
 	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
 		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
 		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
 		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
 	<g>
 		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
 			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
 		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
 			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
 		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
 			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
 		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
 			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
 		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
 			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
 			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
 		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
 			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
 			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
 		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
 		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
 		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
 			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
 		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
 			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
 			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
 	</g>
 </g>
 <g>
 	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
 	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
 	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
 		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
 	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
 		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
 		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
 </g>
 </svg>
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
@@ -0,0 +1,59 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
 <g>
 	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
 		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
 	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
 		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
 	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
 	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
 	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
 		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
 		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
 		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
 		"/>
 	<g>
 		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
 			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
 		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
 			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
 		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
 			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
 		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
 			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
 		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
 			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
 			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
 		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
 			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
 			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
 		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
 			V347.086z"/>
 		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
 			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
 		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
 			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
 		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
 			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
 			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
 	</g>
 </g>
 <g>
 	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
 		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
 	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
 		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
 	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
 		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
 	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
 		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
 		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
 </g>
 </svg>
--- a/brand/readme.md
+++ b/brand/readme.md
@@ -0,0 +1,2 @@
 This directory contains media assets, such as the Trivy logo.
 Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
--- a/ci/deploy-deb.sh
+++ b/ci/deploy-deb.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 cd trivy-repo/deb
@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Removing deb package of $release"
  reprepro -A i386 remove $release trivy
  reprepro -A amd64 remove $release trivy
  reprepro -A arm64 remove $release trivy
 done
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Adding deb package to $release"
  reprepro includedeb $release ../../dist/*Linux-64bit.deb
  reprepro includedeb $release ../../dist/*Linux-32bit.deb
  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 git add .
--- a/ci/deploy-rpm.sh
+++ b/ci/deploy-rpm.sh
@@ -1,27 +1,29 @@
 #!/bin/bash
 TRIVY_VERSION=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -nre 's/^[^0-9]*(([0-9]+\.)*[0-9]+).*/\1/p')
 function create_rpm_repo () {
        version=$1
        rpm_path=rpm/releases/${version}/x86_64
        RPM_EL=$(find ../dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e "s/_/-/g" -e "s/-Linux/.el$version/" -e "s/-64bit/.x86_64/")
        echo $RPM_EL
        mkdir -p $rpm_path
-        cp ../dist/*64bit.rpm ${rpm_path}/${RPM_EL}
+        cp ../dist/*64bit.rpm ${rpm_path}/
-        createrepo --update $rpm_path
+        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
        rm ${rpm_path}/*64bit.rpm
 }
 echo "Create RPM releases for Trivy v$TRIVY_VERSION"
 cd trivy-repo
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
        echo "Processing RHEL/CentOS $version..."
        create_rpm_repo $version
 done
 git add .
-git commit -m "Update rpm packages"
+git commit -m "Update rpm packages for Trivy v$TRIVY_VERSION"
 git push origin main
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -1,10 +1,16 @@
 package main
 import (
 	"context"
 	"os"
 	"golang.org/x/xerrors"
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/plugin"
 	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
 var (
@@ -12,9 +18,26 @@ var (
 )
 func main() {
-	app := commands.NewApp(version)
+	if err := run(); err != nil {
 	err := app.Run(os.Args)
 	if err != nil {
 		log.Fatal(err)
 	}
 }
 func run() error {
 	// Trivy behaves as the specified plugin.
 	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
 		if !plugin.IsPredefined(runAsPlugin) {
 			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
 		}
 		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
 			return xerrors.Errorf("plugin error: %w", err)
 		}
 		return nil
 	}
 	app := commands.NewApp(version)
 	if err := app.Execute(); err != nil {
 		return err
 	}
 	return nil
 }
--- a/codecov.yml
+++ b/codecov.yml
@@ -1,12 +0,0 @@
 coverage:
  status:
    project:
      default:
        informational: true
        target: auto
        threshold: 100%
    patch:
      default:
        informational: true
        target: auto
        threshold: 100%
--- a/contrib/Trivy.gitlab-ci.yml
+++ b/contrib/Trivy.gitlab-ci.yml
@@ -10,7 +10,7 @@ Trivy_container_scanning:
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
-    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    - apk add --no-cache curl docker-cli
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
--- a/contrib/asff.tpl
+++ b/contrib/asff.tpl
@@ -1,78 +1,161 @@
-[
+{
-{{- $t_first := true -}}
+    "Findings": [
-{{- range . -}}
+    {{- $t_first := true -}}
-{{- $target := .Target -}}
+    {{- range . -}}
-{{- range .Vulnerabilities -}}
+    {{- $target := .Target -}}
-{{- if $t_first -}}
+    {{- $image := .Target -}}
-  {{- $t_first = false -}}
+    {{- if gt (len $image) 127 -}}
-{{- else -}}
+        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
-  ,
+    {{- end}}
-{{- end -}}
+    {{- range .Vulnerabilities -}}
-{{- $trivyProductSev := 0 -}}
+    {{- if $t_first -}}
-{{- $trivyNormalizedSev := 0 -}}
+      {{- $t_first = false -}}
-{{- if eq .Severity "LOW" -}}
+    {{- else -}}
-    {{- $trivyProductSev = 1 -}}
+      ,
-    {{- $trivyNormalizedSev = 10 -}}
+    {{- end -}}
-  {{- else if eq .Severity "MEDIUM" -}}
+    {{- $severity := .Severity -}}
-    {{- $trivyProductSev = 4 -}}
+    {{- if eq $severity "UNKNOWN" -}}
-    {{- $trivyNormalizedSev = 40 -}}
+    {{- $severity = "INFORMATIONAL" -}}
-  {{- else if eq .Severity "HIGH" -}}
+    {{- end -}}
-    {{- $trivyProductSev = 7 -}}
+    {{- $description := .Description -}}
-    {{- $trivyNormalizedSev = 70 -}}
+    {{- if gt (len $description ) 512 -}}
-  {{- else if eq .Severity "CRITICAL" -}}
+        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
-    {{- $trivyProductSev = 9 -}}
+    {{- end}}
-    {{- $trivyNormalizedSev = 90 -}}
+        {
-{{- end }}
+            "SchemaVersion": "2018-10-08",
-{{- $description := .Description -}}
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-{{- if gt (len $description ) 1021 -}}
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-    {{- $description = (slice $description 0 1021) | printf "%v .." -}}
+            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
-{{- end}}
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
-    {
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "SchemaVersion": "2018-10-08",
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "Severity": {
-        "GeneratorId": "Trivy",
+                "Label": "{{ $severity }}"
-        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
+            },
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
-        "CreatedAt": "{{ getCurrentTime }}",
+            "Description": {{ escapeString $description | printf "%q" }},
-        "UpdatedAt": "{{ getCurrentTime }}",
+            {{ if not (empty .PrimaryURL) -}}
-        "Severity": {
+            "Remediation": {
-            "Product": {{ $trivyProductSev }},
+                "Recommendation": {
-            "Normalized": {{ $trivyNormalizedSev }}
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
-        },
+                    "Url": "{{ .PrimaryURL }}"
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+                }
-        "Description": {{ escapeString $description | printf "%q" }},
+            },
-        "Remediation": {
+            {{ end -}}
-            "Recommendation": {
+            "ProductFields": { "Product Name": "Trivy" },
-                "Text": "More information on this vulnerability is provided in the hyperlink",
+            "Resources": [
-                "Url": "{{ .PrimaryURL }}"
+                {
-            }
+                    "Type": "Container",
-        },
+                    "Id": "{{ $target }}",
-        "ProductFields": { "Product Name": "Trivy" },
+                    "Partition": "aws",
-        "Resources": [
+                    "Region": "{{ env "AWS_REGION" }}",
-            {
+                    "Details": {
-                "Type": "Container",
+                        "Container": { "ImageName": "{{ $image }}" },
-                "Id": "{{ $target }}",
+                        "Other": {
-                "Partition": "aws",
+                            "CVE ID": "{{ .VulnerabilityID }}",
-                "Region": "{{ getEnv "AWS_REGION" }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
-                "Details": {
+                            "PkgName": "{{ .PkgName }}",
-                    "Container": { "ImageName": "{{ $target }}" },
+                            "Installed Package": "{{ .InstalledVersion }}",
-                    "Other": {
+                            "Patched Package": "{{ .FixedVersion }}",
-                        "CVE ID": "{{ .VulnerabilityID }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
-                        "PkgName": "{{ .PkgName }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
-                        "Patched Package": "{{ .FixedVersion }}",
+                        }
                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
                    }
                }
-            }
+            ],
-        ],
+            "RecordState": "ACTIVE"
-        "RecordState": "ACTIVE"
+        }
-    }
+        {{- end -}}
-   {{- end -}}
+        {{- range .Misconfigurations -}}
-  {{- end }}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
-]
+            {{- $severity := .Severity -}}
            {{- if eq $severity "UNKNOWN" -}}
                {{- $severity = "INFORMATIONAL" -}}
            {{- end -}}
            {{- $description := .Description -}}
            {{- if gt (len $description ) 512 -}}
                {{- $description = (substr 0 512 $description) | printf "%v .." -}}
            {{- end}}
        {
            "SchemaVersion": "2018-10-08",
            "Id": "{{ $target }}/{{ .ID }}",
            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
            "GeneratorId": "Trivy/{{ .ID }}",
            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
            "Types": [ "Software and Configuration Checks" ],
            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "Severity": {
                "Label": "{{ $severity }}"
            },
            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
            "Description": {{ escapeString $description | printf "%q" }},
            "Remediation": {
                "Recommendation": {
                    "Text": "{{ .Resolution }}",
                    "Url": "{{ .PrimaryURL }}"
                }
            },
            "ProductFields": { "Product Name": "Trivy" },
            "Resources": [
                {
                    "Type": "Other",
                    "Id": "{{ $target }}",
                    "Partition": "aws",
                    "Region": "{{ env "AWS_REGION" }}",
                    "Details": {
                        "Other": {
                            "Message": "{{ .Message }}",
                            "Filename": "{{ $target }}",
                            "StartLine": "{{ .CauseMetadata.StartLine }}",
                            "EndLine": "{{ .CauseMetadata.EndLine }}"
                        }
                    }
                }
            ],
            "RecordState": "ACTIVE"
        }
        {{- end -}}
        {{- range .Secrets -}}
            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
            {{- $severity := .Severity -}}
            {{- if eq $severity "UNKNOWN" -}}
                {{- $severity = "INFORMATIONAL" -}}
            {{- end -}}
        {
            "SchemaVersion": "2018-10-08",
            "Id": "{{ $target }}",
            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
            "GeneratorId": "Trivy",
            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
            "Types": [ "Sensitive Data Identifications" ],
            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "Severity": {
                "Label": "{{ $severity }}"
            },
            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
            "ProductFields": { "Product Name": "Trivy" },
            "Resources": [
                {
                    "Type": "Other",
                    "Id": "{{ $target }}",
                    "Partition": "aws",
                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
                    "Details": {
                        "Other": {
                            "Filename": "{{ $target }}"
                        }
                    }
                }
            ],
            "RecordState": "ACTIVE"
        }
        {{- end -}}
      {{- end }}
    ]
 }
--- a/contrib/example_policy/advanced.rego
+++ b/contrib/example_policy/advanced.rego
@@ -5,30 +5,42 @@ import data.lib.trivy
 default ignore = false
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
 }
 redhat_v3_vector = v {
 	v := input.CVSS.redhat.V3Vector
 }
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector.PrivilegesRequired == "High"
        # Check against RedHat scores as well as NVD
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector.UserInteraction == "Required"
        # Check against RedHat scores as well as NVD
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.UserInteraction == "Required"
 }
 ignore {
 	input.PkgName == "openssl"
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }
 ignore {
@@ -50,11 +62,11 @@ ignore {
 	input.PkgName == "bash"
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
 	input.PkgName == "django"
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
 	input.PkgName == "jquery"
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS
--- a/contrib/example_policy/basic.rego
+++ b/contrib/example_policy/basic.rego
@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
 }
 redhat_v3_vector = v {
 	v := input.CVSS.redhat.V3Vector
 }
 ignore {
@@ -22,20 +26,29 @@ ignore {
 # Ignore a vulnerability which is not remotely exploitable
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.AttackVector != "Network"
+	nvd_cvss_vector.AttackVector != "Network"
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.AttackVector != "Network"
 }
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector.PrivilegesRequired == "High"
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector.UserInteraction == "Required"
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.UserInteraction == "Required"
 }
 # Ignore CSRF
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -0,0 +1,103 @@
 {{- /* Template based on https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types */ -}}
 [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "minor"
                  {{- else if eq .Severity "HIGH" -}}
                    "major"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "critical"
                  {{-  else -}}
                    "info"
                  {{- end }},
      "location": {
        "path": "{{ $target }}",
        "lines": {
          "begin": 0
        }
      }
    }
    {{- end -}}
    {{- range .Misconfigurations -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "minor"
                  {{- else if eq .Severity "HIGH" -}}
                    "major"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "critical"
                  {{-  else -}}
                    "info"
                  {{- end }},
      "location": {
        "path": "{{ $target }}",
        "lines": {
          "begin": {{ .CauseMetadata.StartLine }}
        }
      }
    }
    {{- end -}}
    {{- range .Secrets -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
      "content": {{ .Title | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "minor"
                  {{- else if eq .Severity "HIGH" -}}
                    "major"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "critical"
                  {{-  else -}}
                    "info"
                  {{- end }},
      "location": {
        "path": "{{ $target }}",
        "lines": {
          "begin": {{ .StartLine }}
        }
      }
    }
    {{- end -}}
  {{- end }}
 ]
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
    {{- $image := $target | regexFind "[^\\s]+" }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                  {{-  else -}}
                    "{{ .Severity }}"
                  {{- end }},
      {{- /* TODO: Define confidence */}}
      "confidence": "Unknown",
      "solution": {{ if .FixedVersion -}}
                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                  {{- else -}}
@@ -51,7 +50,7 @@
        },
        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
        "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
      },
      "identifiers": [
        {
@@ -71,7 +70,7 @@
          ,
        {{- end -}}
        {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
        }
        {{- end }}
      ]
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -52,7 +52,7 @@
      }
      a.toggle-more-links { cursor: pointer; }
    </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
    <script>
      window.onload = function() {
        document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
    </script>
  </head>
  <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
    <table>
    {{- range . }}
      <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
      </tr>
        {{- end }}
      {{- end }}
      {{- if (eq (len .Misconfigurations ) 0) }}
      <tr><th colspan="6">No Misconfigurations found</th></tr>
      {{- else }}
      <tr class="sub-header">
        <th>Type</th>
        <th>Misconf ID</th>
        <th>Check</th>
        <th>Severity</th>
        <th>Message</th>
      </tr>
        {{- range .Misconfigurations }}
      <tr class="severity-{{ escapeXML .Severity }}">
        <td class="misconf-type">{{ escapeXML .Type }}</td>
        <td>{{ escapeXML .ID }}</td>
        <td class="misconf-check">{{ escapeXML .Title }}</td>
        <td class="severity">{{ escapeXML .Severity }}</td>
        <td class="link" data-more-links="off"  style="white-space:normal;"">
          {{ escapeXML .Message }}
          <br>
            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
          </br>
        </td>
      </tr>
        {{- end }}
      {{- end }}
    {{- end }}
    </table>
 {{- else }}
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
  log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
  log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
  log_priority 3 || return 0
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -14,5 +14,18 @@
        </testcase>
    {{- end }}
    </testsuite>
 {{- $failures := len .Misconfigurations }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
    {{- if not (eq .Type "") }}
        <properties>
            <property name="type" value="{{ .Type }}"></property>
        </properties>
        {{- end -}}
        {{ range .Misconfigurations }}
        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
        </testcase>
    {{- end }}
    </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>
--- a/contrib/sarif.tpl
+++ b/contrib/sarif.tpl
@@ -1,95 +0,0 @@
 {
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": [
        {{- $t_first := true }}
        {{- range . }}
            {{- $vulnerabilityType := .Type }}
            {{- range .Vulnerabilities -}}
              {{- if $t_first -}}
                {{- $t_first = false -}}
              {{ else -}}
                ,
              {{- end }}
            {
              "id": "{{ .VulnerabilityID }}/{{ .PkgName }}",
              "name": "{{ toSarifRuleName $vulnerabilityType }}",
              "shortDescription": {
                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
              },
              "fullDescription": {
                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
              },
              "defaultConfiguration": {
                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
              }
              {{- with $help_uri := .PrimaryURL -}}
              ,
              {{ $help_uri | printf "\"helpUri\": %q," -}}
              {{- else -}}
              ,
              {{- end }}
              "help": {
                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
              },
              "properties": {
                "tags": [
                  "vulnerability",
                  "{{ .Vulnerability.Severity }}",
                  {{ .PkgName | printf "%q" }}
                ],
                "precision": "very-high"
              }
            }
            {{- end -}}
         {{- end -}}
          ]
        }
      },
      "results": [
    {{- $t_first := true }}
    {{- range . }}
        {{- $filePath := .Target }}
        {{- range $index, $vulnerability := .Vulnerabilities -}}
          {{- if $t_first -}}
            {{- $t_first = false -}}
          {{ else -}}
            ,
          {{- end }}
        {
          "ruleId": "{{ $vulnerability.VulnerabilityID }}/{{ $vulnerability.PkgName }}",
          "ruleIndex": {{ $index }},
          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
          "message": {
            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "{{ toPathUri $filePath }}",
                "uriBaseId": "ROOTPATH"
              }
            }
          }]
        }
        {{- end -}}
      {{- end -}}
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "/"
        }
      }
    }
  ]
 }
--- a/docs/air-gap.md
+++ b/docs/air-gap.md
@@ -1,57 +0,0 @@
 # Air-Gapped Environment
 Trivy can be used in air-gapped environments.
 ## Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
 Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
 If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
 ```
 $ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
 ```
 ## Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 ```
 $ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
 ```
 ## Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.
 ```
 $ ssh user@host
 $ trivy -h | grep cache
   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
 ```
 Put the DB file in the cache directory + `/db`.
 ```
 $ mkdir -p /home/myuser/.cache/trivy/db
 $ cd /home/myuser/.cache/trivy/db
 $ mv /path/to/trivy-offline.db.tgz .
 ```
 Then, decompress it.
 `trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
 ```
 $ tar xvf trivy-offline.db.tgz
 x trivy.db
 x metadata.json
 $ rm trivy-offline.db.tgz
 ```
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 ## Run Trivy with --skip-update option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 ```
 $ trivy image --skip-update alpine:3.12
 ```
 [trivy-db]: https://github.com/aquasecurity/trivy-db/releases
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material
+FROM squidfunk/mkdocs-material:8.3.9
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
@@ -6,4 +6,5 @@ FROM squidfunk/mkdocs-material
 # docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
 # FROM ghcr.io/squidfunk/mkdocs-material-insiders
-RUN pip install mike mkdocs-macros-plugin
+COPY requirements.txt .
 RUN pip install -r requirements.txt
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -0,0 +1,30 @@
 click==8.1.2
 csscompressor==0.9.5
 ghp-import==2.0.2
 htmlmin==0.1.12
 importlib-metadata==4.11.3
 Jinja2==3.1.1
 jsmin==3.0.1
 Markdown==3.3.6
 MarkupSafe==2.1.1
 mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
 mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
 Pygments==2.12.0
 pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0
 pyyaml-env-tag==0.1
 six==1.16.0
 termcolor==1.1.0
 verspec==0.1.0
 watchdog==2.1.7
 zipp==3.8.0
--- a/docs/community/contribute/issue.md
+++ b/docs/community/contribute/issue.md
@@ -0,0 +1,31 @@
 Thank you for taking interest in contributing to Trivy!
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
 - Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
 ## Wrong detection
 Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
 Sometime these databases contain mistakes.
 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
 1. Run Trivy with `-f json` that shows data sources.
 2. According to the shown data source, make sure that the security advisory in the data source is correct.
 If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
 ### GitHub Advisory Database
 Visit [here](https://github.com/advisories) and search CVE-ID.
 If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
 ### GitLab Advisory Database
 Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
 If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
 ### Red Hat CVE Database
 Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -0,0 +1,175 @@
 Thank you for taking interest in contributing to Trivy!
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
 1. Please add the associated Issue link in the PR description.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
 1. Please include a comment with the results before and after your change.
 1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
 1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
 ### Title
 It is not that strict, but we use the title conventions in this repository.
 Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
 #### Format of the title
 ```
 <type>(<scope>): <subject>
 ```
 The `type` and `scope` should always be lowercase as shown below.
 **Allowed `<type>` values:**
 - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
 - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
 - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
 - **docs** for changes to the documentation.
 - **style** for formatting changes, missing semicolons, etc.
 - **refactor** for refactoring production code, e.g. renaming a variable.
 - **test** for adding missing tests, refactoring tests; no production code change.
 - **build** for updating build configuration, development tools or other changes irrelevant to the user.
 - **chore** for updates that do not apply to the above, such as dependency updates.
 - **ci** for changes to CI configuration files and scripts
 - **revert** for revert to a previous commit
 **Allowed `<scope>` values:**
 checks:
 - vuln
 - misconf
 - secret
 - license
 mode:
 - image
 - fs
 - repo
 - sbom
 - k8s
 - server
 - aws
 - vm
 os:
 - alpine
 - redhat
 - alma
 - rocky
 - mariner
 - oracle
 - debian
 - ubuntu
 - amazon
 - suse
 - photon
 - distroless
 language:
 - ruby
 - php
 - python
 - nodejs
 - rust
 - dotnet
 - java
 - go
 - elixir
 - dart
 vuln:
 - os
 - lang
 config:
 - kubernetes
 - dockerfile
 - terraform
 - cloudformation
 container
 - docker
 - podman
 - containerd
 - oci
 cli:
 - cli
 - flag
 SBOM:
 - cyclonedx
 - spdx
 - purl
 others:
 - helm
 - report
 - db
 - deps
 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
 #### Example titles
 ```
 feat(alma): add support for AlmaLinux
 ```
 ```
 fix(oracle): handle advisories with ksplice versions
 ```
 ```
 docs(misconf): add comparison with Conftest and TFsec
 ```
 ```
 chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
 ```
 **NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
 The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
 ### Unit tests
 Your PR must pass all the unit tests. You can test it as below.
 ```
 $ make test
 ```
 ### Integration tests
 Your PR must pass all the integration tests. You can test it as below.
 ```
 $ make test-integration
 ```
 ### Documentation
 You can build the documents as below and view it at http://localhost:8000.
 ```
 $ make mkdocs-serve
 ```
 ## Understand where your pull request belongs
 Trivy is composed of several repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
 - [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
 - [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
--- a/docs/community/maintainer/help-wanted.md
+++ b/docs/community/maintainer/help-wanted.md
--- a/docs/community/maintainer/triage.md
+++ b/docs/community/maintainer/triage.md
@@ -1,7 +1,10 @@
 # Triage
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
 Triage includes:
 - Labeling issues
 - Responding to issues
 - Closing issues
@@ -185,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
-We have specific [guidelines](/docs/contrib/help-wanted.md)
+We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 
--- a/docs/comparison.md
+++ b/docs/comparison.md
@@ -1,17 +0,0 @@
 # Comparison with other scanners
 | Scanner        | OS<br>Packages  | Application<br>Dependencies | Easy to use  | Accuracy    | Suitable<br>for CI  |
 | -------------- | :-------------: | :-------------------------: | :----------: | :---------: | :-----------------: |
 | Trivy          |       ✅        |       ✅<br>(8 languages)   |    ⭐ ⭐ ⭐    |  ⭐ ⭐ ⭐    |      ⭐ ⭐ ⭐         |
 | Clair          |       ✅        |              ×              |      ⭐       |   ⭐ ⭐      |      ⭐ ⭐           |
 | Anchore Engine |       ✅        |       ✅<br>(4 languages)   |     ⭐ ⭐      |   ⭐ ⭐      |     ⭐ ⭐ ⭐         |
 | Quay           |       ✅        |              ×              |    ⭐ ⭐ ⭐    |   ⭐ ⭐      |        ×            |
 | Docker Hub     |       ✅        |              ×              |    ⭐ ⭐ ⭐    |    ⭐        |        ×            |
 | GCR            |       ✅        |              ×              |    ⭐ ⭐ ⭐    |   ⭐ ⭐      |        ×            |
 - [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
 - [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
 - [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)
 [round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
 [tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
--- a/docs/credit.md
+++ b/docs/credit.md
@@ -1,14 +0,0 @@
 # Special Thanks to 
 - [Tomoya Amachi][tomoyamachi]
 - [Masahiro Fujimura][masahiro331]
 - [Naoki Harima][XapiMa]
 # Author
 [Teppei Fukuda][knqyf263] (knqyf263)
 [tomoyamachi]: https://github.com/tomoyamachi
 [masahiro331]: https://github.com/masahiro331
 [XapiMa]: https://github.com/XapiMa
 [knqyf263]: https://github.com/knqyf263
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -0,0 +1,142 @@
 # Air-Gapped Environment
 Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
 ## Air-Gapped Environment for vulnerabilities
 ### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
 === "Trivy"
    ```
    TRIVY_TEMP_DIR=$(mktemp -d)
    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
    rm -rf $TRIVY_TEMP_DIR
    ```
 === "oras >= v0.13.0"
    Please follow [oras installation instruction][oras].
    Download `db.tar.gz`:
    ```
    $ oras pull ghcr.io/aquasecurity/trivy-db:2
    ```
 === "oras < v0.13.0"
    Please follow [oras installation instruction][oras].
    Download `db.tar.gz`:
    ```
    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
    ```
 ### Download the Java index database[^1]
 Java users also need to download the Java index database for use in air-gapped environments.
 !!! note
    You container image may contain JAR files even though you don't use Java directly.
    In that case, you also need to download the Java index database.
 === "Trivy"
    ```
    TRIVY_TEMP_DIR=$(mktemp -d)
    trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
    tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
    rm -rf $TRIVY_TEMP_DIR
    ```
 === "oras >= v0.13.0"
    Please follow [oras installation instruction][oras].
    Download `db.tar.gz`:
    ```
    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
    ```
 === "oras < v0.13.0"
    Please follow [oras installation instruction][oras].
    Download `db.tar.gz`:
    ```
    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
    ```
 ### Transfer the DB files into the air-gapped environment
 The way of transfer depends on the environment.
 === "Vulnerability db"
    ```
    $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
    ```
 === "Java index db[^1]"
    ```
    $ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
    ```
 ### Put the DB files in Trivy's cache directory
 You have to know where to put the DB files. The following command shows the default cache directory.
 ```
 $ ssh user@host
 $ trivy -h | grep cache
   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
 ```
 === "Vulnerability db"
    Put the DB file in the cache directory + `/db`.
    ```
    $ mkdir -p /home/myuser/.cache/trivy/db
    $ cd /home/myuser/.cache/trivy/db
    $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
    x trivy.db
    x metadata.json
    $ rm /path/to/db.tar.gz
    ```
 === "Java index db[^1]"
    Put the DB file in the cache directory + `/java-db`.
    ```
    $ mkdir -p /home/myuser/.cache/trivy/java-db
    $ cd /home/myuser/.cache/trivy/java-db
    $ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
    x trivy-java.db
    x metadata.json
    $ rm /path/to/javadb.tar.gz
    ```
 In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 ### Run Trivy with the specific flags.
 In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
 In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 ```
 $ trivy image --skip-update --skip-java-db-update --offline-scan alpine:3.12
 ```
 ## Air-Gapped Environment for misconfigurations
 No special measures are required to detect misconfigurations in an air-gapped environment.
 ### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
 ```
 $ trivy conf --skip-policy-update /path/to/conf
 ```
 [allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/
 [^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../vulnerability/languages/java.md)
--- a/docs/docs/advanced/container/embed-in-dockerfile.md
+++ b/docs/docs/advanced/container/embed-in-dockerfile.md
@@ -10,7 +10,7 @@ FROM alpine:3.7
 RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
-    && trivy filesystem --exit-code 1 --no-progress /
+    && trivy rootfs --exit-code 1 --no-progress /
 $ docker build -t vulnerable-image .
 ```
@@ -21,7 +21,7 @@ insecure `curl | sh`. Also the image is not changed.
 # Run vulnerability scan on build image
 FROM build AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy filesystem --exit-code 1 --no-progress /
+RUN trivy rootfs --exit-code 1 --no-progress /
 [...]
 ```
--- a/docs/docs/advanced/container/unpacked-filesystem.md
+++ b/docs/docs/advanced/container/unpacked-filesystem.md
@@ -1,12 +1,12 @@
 # Unpacked Filesystem
-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.
 In this case, Trivy works the same way when scanning containers
 ```bash
 $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
-$ trivy fs /tmp/rootfs
+$ trivy rootfs /tmp/rootfs
 ```
 <details>
--- a/docs/docs/advanced/modules.md
+++ b/docs/docs/advanced/modules.md
@@ -0,0 +1,358 @@
 # Modules
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 Trivy provides a module feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
 It changes the behavior during scanning by WebAssembly.
 ## Overview
 Trivy modules are add-on tools that integrate seamlessly with Trivy.
 They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language supporting WebAssembly.
  - It supports only [TinyGo][tinygo] at the moment.
 You can write your own detection logic.
 - Evaluate complex vulnerability conditions like [Spring4Shell][spring4shell]
 - Detect a shell script communicating with malicious domains
 - Detect malicious python install script (setup.py)
 - Even detect misconfigurations in WordPress setting
 - etc.
 Then, you can update the scan result however you want.
 - Change a severity
 - Remove a vulnerability
 - Add a new vulnerability
 - etc.
 Modules should be distributed in OCI registries like GitHub Container Registry.
 !!! warning
    WebAssembly doesn't allow file access and network access by default.
    Modules can read required files only, but cannot overwrite them.
    WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security.
    You should install and run third-party modules at your own risk even though 
 Under the hood Trivy leverages [wazero][wazero] to run WebAssembly modules without CGO.
 ## Installing a Module
 A module can be installed using the `trivy module install` command.
 This command takes an url. It will download the module and install it in the module cache.
 Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
 Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
 The preference order is as follows:
 - XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
 - $HOME/.trivy/plugins
 For example, to download the WebAssembly module, you can execute the following command:
 ```bash
 $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 ## Using Modules
 Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution.
 The modules may inject custom logic into scanning and change the result.
 You can run Trivy as usual and modules are loaded automatically.
 You will see the log messages about WASM modules.
 ```shell
 $ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
 2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
 2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
 ...
 2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
 2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
 Java (jar)
 Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
 ┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
 │                           Library                            │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                           Title                            │
 ├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
 │ org.springframework.boot:spring-boot (helloworld.war)        │ CVE-2022-22965      │ LOW      │ 2.6.3             │ 2.5.12, 2.6.6          │ spring-framework: RCE via Data Binding on JDK 9+           │
 │                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22965                 │
 ├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
 ...(snip)...
 ```
 In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of conditions.
 ## Uninstalling Modules
 Specify a module repository with `trivy module uninstall` command.
 ```bash
 $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 ## Building Modules
 It supports TinyGo only at the moment.
 ### TinyGo
 Trivy provides Go SDK including three interfaces.
 Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
 ```go
 type Module interface {
    Version() int
    Name() string
 }
 type Analyzer interface {
    RequiredFiles() []string
    Analyze(filePath string) (*serialize.AnalysisResult, error)
 }
 type PostScanner interface {
    PostScanSpec() serialize.PostScanSpec
    PostScan(serialize.Results) (serialize.Results, error)
 }
 ```
 In the following tutorial, it creates a WordPress module that detects a WordPress version and a critical vulnerability accordingly.
 !!! tips
    You can use logging functions such as `Debug` and `Info` for debugging.
    See [examples](#examples) for the detail.
 #### Initialize your module
 Replace the repository name with yours.
 ```
 $ go mod init github.com/aquasecurity/trivy-module-wordpress
 ```
 #### Module interface
 `Version()` returns your module version and should be incremented after updates.
 `Name()` returns your module name.
 ```go
 package main
 const (
    version = 1
    name = "wordpress-module"
 )
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
 func (WordpressModule) Version() int {
    return version
 }
 func (WordpressModule) Name() string {
    return name
 }
 ```
 !!! info
    A struct cannot have any fields. Each method invocation is performed in different states.
 #### Analyzer interface
 If you implement the `Analyzer` interface, `Analyze` method is called when the file path is matched to file patterns returned by `RequiredFiles()`.
 A file pattern must be a regular expression. The syntax detail is [here][regexp].
 `Analyze` takes the matched file path, then the file can be opened by `os.Open()`.
 ```go
 const typeWPVersion = "wordpress-version"
 func (WordpressModule) RequiredFiles() []string {
    return []string{
        `wp-includes\/version.php`,
    }
 }
 func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
    f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
    if err != nil {
        return nil, err
    }
    defer f.Close()
    var wpVersion string
    scanner := bufio.NewScanner(f)
    for scanner.Scan() {
        line := scanner.Text()
        if !strings.HasPrefix(line, "$wp_version=") {
            continue
        }
        ss := strings.Split(line, "=")
        if len(ss) != 2 {
            return nil, fmt.Errorf("invalid wordpress version: %s", line)
        }
        // NOTE: it is an example; you actually need to handle comments, etc
        ss[1] = strings.TrimSpace(ss[1])
        wpVersion = strings.Trim(ss[1], `";`)
    }
    if err = scanner.Err(); err != nil {
        return nil, err
    }
    return &serialize.AnalysisResult{
        CustomResources: []serialize.CustomResource{
            {
                Type:     typeWPVersion,
                FilePath: filePath,
                Data:     wpVersion,
            },
        },
    }, nil
 }
 ```
 !!! tips
    Trivy caches analysis results according to the module version.
    We'd recommend cleaning the cache or changing the module version every time you update `Analyzer`.
 #### PostScanner interface
 `PostScan` is called after scanning and takes the scan result as an argument from Trivy.
 In post scanning, your module can perform one of three actions:
 - Insert
    - Add a new security finding
    - e.g. Add a new vulnerability and misconfiguration
 - Update
    - Update the detected vulnerability and misconfiguration
    - e.g. Change a severity
 - Delete
    - Delete the detected vulnerability and misconfiguration
    - e.g. Remove Spring4Shell because it is not actually affected.
 `PostScanSpec()` returns which action the module does.
 If it is `Update` or `Delete`, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
 `serialize.Results` contains the filtered results matching IDs you specified.
 Also, it includes `CustomResources` with the values your `Analyze` returns, so you can modify the scan result according to the custom resources.
 ```go
 func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
    return serialize.PostScanSpec{
        Action: api.ActionInsert, // Add new vulnerabilities
    }
 }
 func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
    // e.g. results
    // [
    //   {
    //     "Target": "",
    //     "Class": "custom",
    //     "CustomResources": [
    //       {
    //         "Type": "wordpress-version",
    //         "FilePath": "/usr/src/wordpress/wp-includes/version.php",
    //         "Layer": {
    //           "DiffID": "sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887"
    //         },
    //         "Data": "5.7.1"
    //       }
    //     ]
    //   }
    // ]   
    var wpVersion int
    for _, result := range results {
        if result.Class != types.ClassCustom {
            continue
        }
        for _, c := range result.CustomResources {
            if c.Type != typeWPVersion {
                continue
            }
            wpVersion = c.Data.(string)
            wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
            ...snip...
            if affectedVersion.Check(ver) {
                vulnerable = true
            }
            break
        }
    }
    if vulnerable {
        // Add CVE-2020-36326
        results = append(results, serialize.Result{
            Target: wpPath,
            Class:  types.ClassLangPkg,
 			Type:   "wordpress",
            Vulnerabilities: []types.DetectedVulnerability {
                {
                    VulnerabilityID:  "CVE-2020-36326",
                    PkgName:          "wordpress",
                    InstalledVersion: wpVersion,
                    FixedVersion:     "5.7.2",
                    Vulnerability: dbTypes.Vulnerability{
                        Title:    "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
                        Severity: "CRITICAL",
                    },
                },
            },
        })
    }
    return results, nil
 }
 ```
 The new vulnerability will be added to the scan results.
 This example shows how the module inserts a new finding.
 If you are interested in `Update`, you can see an example of [Spring4Shell][trivy-module-spring4shell].
 In the `Delete` action, `PostScan` needs to return results you want to delete.
 If `PostScan` returns an empty, Trivy will not delete anything.
 #### Build
 Follow [the install guide][tinygo-installation] and install TinyGo.
 ```bash
 $ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
 ```
 Put the built binary to the module directory that is under the home directory by default.
 ```bash
 $ mkdir -p ~/.trivy/modules
 $ cp spring4shell.wasm ~/.trivy/modules
 ```
 ## Distribute Your Module
 You can distribute your own module in OCI registries. Please follow [the oras installation instruction][oras].
 ```bash
 oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm
 Uploading 3daa3dac086b wordpress.wasm
 Pushed ghcr.io/aquasecurity/trivy-module-wordpress:latest
 Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
 ```
 ## Examples
 - [Spring4Shell][trivy-module-spring4shell]
 - [WordPress][trivy-module-wordpress]
 [regexp]: https://github.com/google/re2/wiki/Syntax
 [tinygo]: https://tinygo.org/
 [spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
 [wazero]: https://github.com/tetratelabs/wazero
 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
 [trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
 [tinygo-installation]: https://tinygo.org/getting-started/install/
 [oras]: https://oras.land/cli/
--- a/docs/docs/advanced/plugins.md
+++ b/docs/docs/advanced/plugins.md
--- a/docs/docs/advanced/private-registries/acr.md
+++ b/docs/docs/advanced/private-registries/acr.md
@@ -0,0 +1,27 @@
 # Requirements
 None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
 # Privileges
 Service principal must have the `AcrPull` permissions.
 ## Creation of a service principal
 ```bash
 export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
 ```
 # Usage
 ```bash
 # must set TRIVY_USERNAME empty char
 export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
 export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
 export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
 ```
 # Testing
 You can test credentials in the following manner.
 ```bash
 docker run -it --rm -v /tmp:/tmp\
  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
 ```
--- a/docs/docs/advanced/private-registries/docker-hub.md
+++ b/docs/docs/advanced/private-registries/docker-hub.md
--- a/docs/docs/advanced/private-registries/ecr.md
+++ b/docs/docs/advanced/private-registries/ecr.md
@@ -0,0 +1,35 @@
 Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
 You can use [AWS CLI's ENV Vars][env-var].
 [env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
 ### AWS private registry permissions
 You may need to grant permissions to allow Trivy to pull images from private ECR.
 It depends on how you want to provide AWS Role to trivy.
 - [IAM Role Service account](https://github.com/aws/amazon-eks-pod-identity-webhook)
 - [Kube2iam](https://github.com/jtblin/kube2iam) or [Kiam](https://github.com/uswitch/kiam)
 #### IAM Role Service account
 Add the AWS role in trivy's service account annotations:
 ```yaml
 trivy:
  serviceAccount:
    annotations: {}
      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
 ```
 #### Kube2iam or Kiam
 Add the AWS role to pod's annotations:
 ```yaml
 podAnnotations: {}
  ## kube2iam/kiam annotation
  # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
 ```
--- a/docs/docs/advanced/private-registries/gcr.md
+++ b/docs/docs/advanced/private-registries/gcr.md
@@ -0,0 +1,40 @@
 # Requirements
 None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 # Privileges
 Credential file must have the `roles/storage.objectViewer` permissions.
 More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
 ## JSON File Format
 The JSON file specified should have the following format provided by google's service account mechanisms:
 ```json
 {
  "type": "service_account",
  "project_id": "your_special_project",
  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
 }
 ```
 # Usage
 If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
 # Testing
 You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
 ```bash
 docker run -it --rm -v /tmp:/tmp\
  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
 ```
--- a/docs/docs/advanced/private-registries/index.md
+++ b/docs/docs/advanced/private-registries/index.md
--- a/docs/docs/advanced/private-registries/self.md
+++ b/docs/docs/advanced/private-registries/self.md
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,147 @@
 # Scan SBOM attestation in Rekor
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 ## Container images
 Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
 ### Prerequisites
 1. SBOM attestation stored in Rekor
    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
 ### Scanning
 You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
 !!! note
    `--sbom-sources` can be used only with `trivy image` at the moment.
 ```bash
 $ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
 2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
 2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
 2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
 2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
 2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
 2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
 2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
 2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
 2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
 otms61/alpine:3.7.3 (alpine 3.7.3)
 ==================================
 Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
 ┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
 │  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
 ├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
 │ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
 │            │                │          │                   │               │ adjustment im ......                                     │
 │            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
 ├────────────┤                │          │                   │               │                                                          │
 │ musl-utils │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 └────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
 If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
 ```bash
 $ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
 ```
 ## Non-packaged binaries
 Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
 ### Prerequisites
 1. SBOM attestation stored in Rekor
    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
 Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
 This example uses a cat clone [bat][bat] written in Rust.
 You need to generate SBOM from lock files like `Cargo.lock` at first.
 ```bash
 $ git clone -b v0.20.0 https://github.com/sharkdp/bat
 $ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
 ```
 Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
 ```bash
 $ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
 $ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
 $ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
 $ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
 ```
 !!! note
    The public instance of the Rekor maintained by the Sigstore team limits the attestation size.
    If you are using the public instance, please make sure that your SBOM is small enough.
    To get more detail, please refer to the Rekor project's [documentation](https://github.com/sigstore/rekor#public-instance).
 ### Scan a non-packaged binary
 Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
 If it is found, Trivy uses that for vulnerability scanning.
 ```bash
 $ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
 2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
 2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
 2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
 bat (cargo)
 ===========
 Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 ┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
 │  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
 ├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
 │ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
 │           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
 └───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
 ```
 Also, it is applied to non-packaged binaries even in container images.
 ```bash
 $ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat
 2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
 2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
 2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
 2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
 2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
 2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
 alpine-with-bat (alpine 3.15.6)
 ===============================
 Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 bat (cargo)
 ===========
 Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 ┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
 │  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
 ├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
 │ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
 │           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
 └───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
 ```
 !!! note
    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
 [rekor]: https://github.com/sigstore/rekor
 [sbom-attest]: sbom.md#keyless-signing
 [plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
 [bat]: https://github.com/sharkdp/bat
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -0,0 +1,87 @@
 # SBOM attestation
 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
 And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
 ## Sign with a local key pair
 Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
 ```bash
 $ cosign generate-key-pair
 ```
 In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```
 Then, you can verify attestations on the image.
 ```bash
 $ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
 ```
 You can also create attestations of other formatted SBOM.
 ```bash
 # spdx
 $ trivy image --format spdx -o sbom.spdx <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
 # spdx-json
 $ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
 ```
 ## Keyless signing
 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
 # The following command uploads SBOM attestation to the public Rekor instance.
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```
 You can verify attestations.
 ```bash
 $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
 ```
 ## Scanning
 Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
 In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
 You must create CycloneDX-type attestation before trying the example.
 To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
 ```bash
 $ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
 $ trivy sbom ./sbom.cdx.intoto.jsonl
 sbom.cdx.intoto.jsonl (alpine 3.7.3)
 =========================
 Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
 ┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
 │  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
 ├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
 │ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
 │            │                │          │                   │               │ adjustment im ......                                     │
 │            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
 ├────────────┤                │          │                   │               │                                                          │
 │ musl-utils │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 └────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
--- a/docs/docs/attestation/vuln.md
+++ b/docs/docs/attestation/vuln.md
@@ -0,0 +1,190 @@
 # Cosign Vulnerability Attestation
 ## Generate Cosign Vulnerability Scan Record
 Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
 You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
 ```
 $ trivy image --format cosign-vuln --output vuln.json alpine:3.10
 ```
 <details>
 <summary>Result</summary>
 ```json
 {
  "invocation": {
    "parameters": null,
    "uri": "",
    "event_id": "",
    "builder.id": ""
  },
  "scanner": {
    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
    "version": "v0.30.1-8-gf9cb8a28",
    "db": {
      "uri": "",
      "version": ""
    },
    "result": {
      "SchemaVersion": 2,
      "ArtifactName": "alpine:3.10",
      "ArtifactType": "container_image",
      "Metadata": {
        "OS": {
          "Family": "alpine",
          "Name": "3.10.9",
          "EOSL": true
        },
        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
        "DiffIDs": [
          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
        ],
        "RepoTags": [
          "alpine:3.10"
        ],
        "RepoDigests": [
          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
        ],
        "ImageConfig": {
          "architecture": "amd64",
          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
          "created": "2021-04-14T19:20:05.338397761Z",
          "docker_version": "19.03.12",
          "history": [
            {
              "created": "2021-04-14T19:20:04.987219124Z",
              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
            },
            {
              "created": "2021-04-14T19:20:05.338397761Z",
              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
              "empty_layer": true
            }
          ],
          "os": "linux",
          "rootfs": {
            "type": "layers",
            "diff_ids": [
              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
            ]
          },
          "config": {
            "Cmd": [
              "/bin/sh"
            ],
            "Env": [
              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
          }
        }
      },
      "Results": [
        {
          "Target": "alpine:3.10 (alpine 3.10.9)",
          "Class": "os-pkgs",
          "Type": "alpine",
          "Vulnerabilities": [
            {
              "VulnerabilityID": "CVE-2021-36159",
              "PkgName": "apk-tools",
              "InstalledVersion": "2.10.6-r0",
              "FixedVersion": "2.10.7-r0",
              "Layer": {
                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
              "DataSource": {
                "ID": "alpine",
                "Name": "Alpine Secdb",
                "URL": "https://secdb.alpinelinux.org/"
              },
              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
              "Severity": "CRITICAL",
              "CweIDs": [
                "CWE-125"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "V2Score": 6.4,
                  "V3Score": 9.1
                }
              },
              "References": [
                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
              ],
              "PublishedDate": "2021-08-03T14:15:00Z",
              "LastModifiedDate": "2021-10-18T12:19:00Z"
            }
          ]
        }
      ]
    }
  },
  "metadata": {
    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
  }
 }
 ```
 </details>
 ## Create Cosign Vulnerability Attestation
 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
 ### Sign with a local key pair
 Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
 ```bash
 $ cosign generate-key-pair
 ```
 In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
 ```
 $ trivy image --format cosign-vuln --output vuln.json <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
 ```
 Then, you can verify attestations on the image.
 ```
 $ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
 ```
 ### Keyless signing
 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
 ```
 $ trivy image --format cosign-vuln -o vuln.json <IMAGE>
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
 ```
 You can verify attestations.
 ```
 $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
 ```
 [vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -0,0 +1,70 @@
 # Compliance Reports
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
 ## Usage
 Compliance report is currently supported in the following targets (trivy sub-commands):
 - `trivy image`
 - `trivy aws`
 - `trivy k8s`
 Add the `--compliance` flag to the command line, and set it's value to desired report.
 For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
 ### Options
 The following flags are compatible with `--compliance` flag and allows customizing it's output:
 | flag               | effect                                                                               |
 |--------------------|--------------------------------------------------------------------------------------|
 | `--report summary` | shows a summary of the results. for every control shows the number of failed checks. |
 | `--report all`     | shows fully detailed results. for every control shows where it failed and why.       |
 | `--format table`   | shows results in textual table format (good for human readability).                  |
 | `--format json`    | shows results in json format (good for machine readability).                         |
 ## Built-in compliance
 Trivy has a number of built-in compliance reports that you can asses right out of the box.
 to specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
 For the list of built-in compliance reports, please see the relevant section:
 - [Docker compliance](../target/container_image.md#compliance)
 - [Kubernetes compliance](../target/kubernetes.md#compliance) 
 - [AWS compliance](../target/aws.md#compliance)
 ## Custom compliance
 You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
 ```yaml
 spec:
  id: "k8s-myreport" # report unique identifier. this should not container spaces.
  title: "My custom Kubernetes report" # report title. Any one-line title.
  description: "Describe your report" # description of the report. Any text.
  relatedResources :
    - https://some.url # useful references. URLs only.
  version: "1.0" # spec version (string)
  controls:
    - name: "Non-root containers" # Name for the control (appears in the report as is). Any one-line name.
      description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.
      id: "1.0" # control identifier (string)
      checks:   # list of existing Trivy checks that define the control
        - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` 
      severity: "MEDIUM" # Severity for the control (note that checks severity isn't used)
    - name: "Immutable container file systems"
      description: 'Check that container root file system is immutable'
      id: "1.1"
      checks:
        - id: AVD-KSV-0014
      severity: "LOW"
 ```
 The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
 Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -0,0 +1,5 @@
 # Docs
 In this section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
 👈 Please use the side-navigation on the left in order to browse the different topics.
--- a/docs/docs/licenses/scanning.md
+++ b/docs/docs/licenses/scanning.md
@@ -0,0 +1,320 @@
 # License Scanning
 Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
 License are classified using the [Google License Classification][google-license-classification] -
 - Forbidden
 - Restricted 
 - Reciprocal
 - Notice
 - Permissive
 - Unencumbered
 - Unknown
 !!! tip
    Licenses that Trivy fails to recognize are classified as UNKNOWN.
    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
 By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
 To enable extended license scanning, you can use `--license-full`.
 In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
 !!! note
    The full license scanning is expensive. It takes a while.
 Currently, the standard license scanning doesn't support filesystem and repository scanning.
 |   License scanning    | Image | Rootfs    | Filesystem | Repository |
 |:---------------------:|:-----:|:---------:|:----------:|:----------:|
 |       Standard        |  ✅   |     ✅    |   -        |      -     |
 | Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
 License checking classifies the identified licenses and map the classification to severity.
 | Classification | Severity |
 |----------------|----------|
 | Forbidden      | CRITICAL |
 | Restricted     | HIGH     |
 | Reciprocal     | MEDIUM   |
 | Notice         | LOW      |
 | Permissive     | LOW      |
 | Unencumbered   | LOW      |
 | Unknown        | UNKNOWN  |
 ## Quick start
 This section shows how to scan license in container image and filesystem.
 ### Standard scanning
 Specify an image name with `--scanners license`.
 ``` shell
 $ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
 2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
 OS Packages (license)
 =====================
 Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
 ┌───────────────────┬─────────┬────────────────┬──────────┐
 │      Package      │ License │ Classification │ Severity │
 ├───────────────────┼─────────┼────────────────┼──────────┤
 │ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
 ├───────────────────┤         │                │          │
 │ apk-tools         │         │                │          │
 ├───────────────────┤         │                │          │
 │ busybox           │         │                │          │
 ├───────────────────┤         │                │          │
 │ musl-utils        │         │                │          │
 ├───────────────────┤         │                │          │
 │ scanelf           │         │                │          │
 ├───────────────────┤         │                │          │
 │ ssl_client        │         │                │          │
 └───────────────────┴─────────┴────────────────┴──────────┘
 ```
 ### Full scanning
 Specify `--license-full`
 ``` shell
 $ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
 2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
 OS Packages (license)
 =====================
 Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
 ┌───────────────────┬───────────────────┬────────────────┬──────────┐
 │      Package      │      License      │ Classification │ Severity │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
 ├───────────────────┤                   │                │          │
 │ apk-tools         │                   │                │          │
 ├───────────────────┼───────────────────┤                │          │
 │ bash              │ GPL-3.0           │                │          │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
 │                   ├───────────────────┼────────────────┼──────────┤
 │                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
 ├───────────────────┼───────────────────┤                │          │
 │ libaio            │ LGPL-2.1-or-later │                │          │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
 │                   ├───────────────────┼────────────────┼──────────┤
 │                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
 └───────────────────┴───────────────────┴────────────────┴──────────┘
 Loose File License(s) (license)
 ===============================
 Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
 ┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
 │ Classification │ Severity │   License    │                        File Location                         │
 ├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
 │ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
 │                │          │              │                                                              │
 │                │          │              │                                                              │
 ├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
 │ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
 │                │          │              │ s.LICENSE.txt                                                │
 │                │          │              ├──────────────────────────────────────────────────────────────┤
 │                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
 │                │          │              │ s.LICENSE.txt                                                │
 │                │          │              ├──────────────────────────────────────────────────────────────┤
 │                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
 │                │          │              │ s.LICENSE.txt                                                │
 │                │          │              ├──────────────────────────────────────────────────────────────┤
 │                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
 │                │          │              │ 41a80.js.LICENSE.txt                                         │
 └────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
 ```
 ## Configuration
 Trivy has number of configuration flags for use with license scanning;
 ### Ignored Licenses
 Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
 ```shell
 $ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
 2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
 OS Packages (license)
 =====================
 Total: 2 (HIGH: 2, CRITICAL: 0)
 ┌───────────────────┬─────────┬────────────────┬──────────┐
 │      Package      │ License │ Classification │ Severity │
 ├───────────────────┼─────────┼────────────────┼──────────┤
 │ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
 ├───────────────────┤         │                │          │
 │ ssl_client        │         │                │          │
 └───────────────────┴─────────┴────────────────┴──────────┘
 ```
 ### Custom Classification
 You can generate the default config by the `--generate-default-config` flag and customize the license classification.
 For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
 ```shell
 $ trivy image --generate-default-config
 $ vim trivy.yaml
 license:
  forbidden:
  - AGPL-3.0
  restricted:
  - AGPL-1.0
  - CC-BY-NC-1.0
  - CC-BY-NC-2.0
  - CC-BY-NC-2.5
  - CC-BY-NC-3.0
  - CC-BY-NC-4.0
  - CC-BY-NC-ND-1.0
  - CC-BY-NC-ND-2.0
  - CC-BY-NC-ND-2.5
  - CC-BY-NC-ND-3.0
  - CC-BY-NC-ND-4.0
  - CC-BY-NC-SA-1.0
  - CC-BY-NC-SA-2.0
  - CC-BY-NC-SA-2.5
  - CC-BY-NC-SA-3.0
  - CC-BY-NC-SA-4.0
  - Commons-Clause
  - Facebook-2-Clause
  - Facebook-3-Clause
  - Facebook-Examples
  - WTFPL
  - BCL
  - CC-BY-ND-1.0
  - CC-BY-ND-2.0
  - CC-BY-ND-2.5
  - CC-BY-ND-3.0
  - CC-BY-ND-4.0
  - CC-BY-SA-1.0
  - CC-BY-SA-2.0
  - CC-BY-SA-2.5
  - CC-BY-SA-3.0
  - CC-BY-SA-4.0
  - GPL-1.0
  - GPL-2.0
  - GPL-2.0-with-autoconf-exception
  - GPL-2.0-with-bison-exception
  - GPL-2.0-with-classpath-exception
  - GPL-2.0-with-font-exception
  - GPL-2.0-with-GCC-exception
  - GPL-3.0
  - GPL-3.0-with-autoconf-exception
  - GPL-3.0-with-GCC-exception
  - LGPL-2.0
  - LGPL-2.1
  - LGPL-3.0
  - NPL-1.0
  - NPL-1.1
  - OSL-1.0
  - OSL-1.1
  - OSL-2.0
  - OSL-2.1
  - OSL-3.0
  - QPL-1.0
  - Sleepycat
  reciprocal:
  - APSL-1.0
  - APSL-1.1
  - APSL-1.2
  - APSL-2.0
  - CDDL-1.0
  - CDDL-1.1
  - CPL-1.0
  - EPL-1.0
  - EPL-2.0
  - FreeImage
  - IPL-1.0
  - MPL-1.0
  - MPL-1.1
  - MPL-2.0
  - Ruby
  notice:
  - AFL-1.1
  - AFL-1.2
  - AFL-2.0
  - AFL-2.1
  - AFL-3.0
  - Apache-1.0
  - Apache-1.1
  - Apache-2.0
  - Artistic-1.0-cl8
  - Artistic-1.0-Perl
  - Artistic-1.0
  - Artistic-2.0
  - BSL-1.0
  - BSD-2-Clause-FreeBSD
  - BSD-2-Clause-NetBSD
  - BSD-2-Clause
  - BSD-3-Clause-Attribution
  - BSD-3-Clause-Clear
  - BSD-3-Clause-LBNL
  - BSD-3-Clause
  - BSD-4-Clause
  - BSD-4-Clause-UC
  - BSD-Protection
  - CC-BY-1.0
  - CC-BY-2.0
  - CC-BY-2.5
  - CC-BY-3.0
  - CC-BY-4.0
  - FTL
  - ISC
  - ImageMagick
  - Libpng
  - Lil-1.0
  - Linux-OpenIB
  - LPL-1.02
  - LPL-1.0
  - MS-PL
  - MIT
  - NCSA
  - OpenSSL
  - PHP-3.01
  - PHP-3.0
  - PIL
  - Python-2.0
  - Python-2.0-complete
  - PostgreSQL
  - SGI-B-1.0
  - SGI-B-1.1
  - SGI-B-2.0
  - Unicode-DFS-2015
  - Unicode-DFS-2016
  - Unicode-TOU
  - UPL-1.0
  - W3C-19980720
  - W3C-20150513
  - W3C
  - X11
  - Xnet
  - Zend-2.0
  - zlib-acknowledgement
  - Zlib
  - ZPL-1.1
  - ZPL-2.0
  - ZPL-2.1
  unencumbered:
  - CC0-1.0
  - Unlicense
  - 0BSD
  permissive: []
 ```
 [google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses
--- a/docs/docs/misconfiguration/custom/combine.md
+++ b/docs/docs/misconfiguration/custom/combine.md
@@ -0,0 +1,44 @@
 # Combined input
 ## Overview
 Trivy usually scans each configuration file individually. 
 Sometimes it might be useful to compare values from different configuration files simultaneously.
 When `combine` is set to true, all config files under the specified directory are combined into one input data structure.
 !!! example
    ```
    __rego_input__ := {
        "combine": false,
    }
    ```
 In "combine" mode, the `input` document becomes an array, where each element is an object with two fields:
 - `"path": "path/to/file"`: the relative file path of the respective file
 - `"contents": ...`: the parsed content of the respective file
 Now you can ensure that duplicate values match across the entirety of your configuration files.
 ## Return value
 In "combine" mode, the `deny` entrypoint must return an object with two keys
 `filepath` (required)
 : the relative file path of the file being evaluated
 `msg` (required)
 : the message describing an issue
 !!! example
    ```
    deny[res] {
        resource := input[i].contents
        ... some logic ...
    	res := {
    		"filepath": input[i].path,
    		"msg": "something bad",
    	}
    }
    ```
--- a/docs/docs/misconfiguration/custom/data.md
+++ b/docs/docs/misconfiguration/custom/data.md
@@ -0,0 +1,35 @@
 # Custom Data
 Custom policies may require additional data in order to determine an answer.
 For example, an allowed list of resources that can be created. 
 Instead of hardcoding this information inside of your policy, Trivy allows passing paths to data files with the `--data` flag.
 Given the following yaml file:
 ```bash
 $ cd examples/misconf/custom-data
 $ cat data/ports.yaml                                                                                                                                                                      [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]
 services:
  ports:
    - "20"
    - "20/tcp"
    - "20/udp"
    - "23"
    - "23/tcp"
 ```
 This can be imported into your policy:
 ```rego
 import data.services
 ports := services.ports
 ```
 Then, you need to pass data paths through `--data` option.
 Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
 ```bash
 $ trivy conf --policy ./policy --data data --namespaces user ./configs
 ```
--- a/docs/docs/misconfiguration/custom/debug.md
+++ b/docs/docs/misconfiguration/custom/debug.md
@@ -0,0 +1,304 @@
 # Debugging policies
 When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
 For this purpose you can use the `--trace` flag.
 This will output a large trace from Open Policy Agent like the following:
 !!! tip
    Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
 ```shell
 $ trivy conf --trace configs/
 2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1
 Dockerfile (dockerfile)
 =======================
 Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
 Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
 MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
 See https://avd.aquasec.com/misconfig/ds001
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:1
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ FROM alpine:latest
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 HIGH: Last USER command in Dockerfile should not be 'root'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
 See https://avd.aquasec.com/misconfig/ds002
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ID: DS001
 File: Dockerfile
 Namespace: builtin.dockerfile.DS001
 Query: data.builtin.dockerfile.DS001.deny
 Message: Specify a tag in the 'FROM' statement for image 'alpine'
 TRACE  Enter data.builtin.dockerfile.DS001.deny = _
 TRACE  | Eval data.builtin.dockerfile.DS001.deny = _
 TRACE  | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)
 TRACE  | Enter data.builtin.dockerfile.DS001.deny
 TRACE  | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]
 TRACE  | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)
 TRACE  | | Enter data.builtin.dockerfile.DS001.fail_latest
 TRACE  | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]
 TRACE  | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)
 TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | | Eval from = data.lib.docker.from[_]
 TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
 TRACE  | | | | Enter data.lib.docker.from
 TRACE  | | | | | Eval instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "from"
 TRACE  | | | | | Exit data.lib.docker.from
 TRACE  | | | | Redo data.lib.docker.from
 TRACE  | | | | | Redo instruction.Cmd = "from"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "from"
 TRACE  | | | | | Fail instruction.Cmd = "from"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "from"
 TRACE  | | | | | Fail instruction.Cmd = "from"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | Eval name = from.Value[0]
 TRACE  | | | | Eval not startswith(name, "$")
 TRACE  | | | | Enter startswith(name, "$")
 TRACE  | | | | | Eval startswith(name, "$")
 TRACE  | | | | | Fail startswith(name, "$")
 TRACE  | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
 TRACE  | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)
 TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | | Eval split(name, ":", __local504__)
 TRACE  | | | | | Eval [img, tag] = __local504__
 TRACE  | | | | | Exit data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | Eval [img, tag] = __local505__
 TRACE  | | | | Eval output = {"cmd": from, "img": img, "tag": tag}
 TRACE  | | | | Exit data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | Redo data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | | Redo output = {"cmd": from, "img": img, "tag": tag}
 TRACE  | | | | Redo [img, tag] = __local505__
 TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
 TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | | Redo [img, tag] = __local504__
 TRACE  | | | | | Redo split(name, ":", __local504__)
 TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | | Eval tag = "latest"
 TRACE  | | | | | Eval not contains(img, ":")
 TRACE  | | | | | Enter contains(img, ":")
 TRACE  | | | | | | Eval contains(img, ":")
 TRACE  | | | | | | Exit contains(img, ":")
 TRACE  | | | | | Redo contains(img, ":")
 TRACE  | | | | | | Redo contains(img, ":")
 TRACE  | | | | | Fail not contains(img, ":")
 TRACE  | | | | | Redo tag = "latest"
 TRACE  | | | | Redo name = from.Value[0]
 TRACE  | | | | Redo from = data.lib.docker.from[_]
 TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | | Eval from = data.lib.docker.from[i]
 TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
 TRACE  | | | | Eval name = from.Value[0]
 TRACE  | | | | Eval cmd_obj = input.stages[j][k]
 TRACE  | | | | Eval possibilities = {"arg", "env"}
 TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Redo possibilities = {"arg", "env"}
 TRACE  | | | | Redo cmd_obj = input.stages[j][k]
 TRACE  | | | | Eval possibilities = {"arg", "env"}
 TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Redo possibilities = {"arg", "env"}
 TRACE  | | | | Redo cmd_obj = input.stages[j][k]
 TRACE  | | | | Eval possibilities = {"arg", "env"}
 TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Redo possibilities = {"arg", "env"}
 TRACE  | | | | Redo cmd_obj = input.stages[j][k]
 TRACE  | | | | Redo name = from.Value[0]
 TRACE  | | | | Redo from = data.lib.docker.from[i]
 TRACE  | | | Eval __local752__ = output.img
 TRACE  | | | Eval neq(__local752__, "scratch")
 TRACE  | | | Eval __local753__ = output.img
 TRACE  | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)
 TRACE  | | | | Enter data.builtin.dockerfile.DS001.is_alias
 TRACE  | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]
 TRACE  | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)
 TRACE  | | | | | Enter data.builtin.dockerfile.DS001.get_aliases
 TRACE  | | | | | | Eval from_cmd = data.lib.docker.from[_]
 TRACE  | | | | | | Index data.lib.docker.from (matched 1 rule)
 TRACE  | | | | | | Eval __local749__ = from_cmd.Value
 TRACE  | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
 TRACE  | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)
 TRACE  | | | | | | Enter data.builtin.dockerfile.DS001.get_alias
 TRACE  | | | | | | | Eval __local748__ = values[i]
 TRACE  | | | | | | | Eval lower(__local748__, __local501__)
 TRACE  | | | | | | | Eval "as" = __local501__
 TRACE  | | | | | | | Fail "as" = __local501__
 TRACE  | | | | | | | Redo lower(__local748__, __local501__)
 TRACE  | | | | | | | Redo __local748__ = values[i]
 TRACE  | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
 TRACE  | | | | | | Redo __local749__ = from_cmd.Value
 TRACE  | | | | | | Redo from_cmd = data.lib.docker.from[_]
 TRACE  | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]
 TRACE  | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | Eval output.tag = "latest"
 TRACE  | | | Exit data.builtin.dockerfile.DS001.fail_latest
 TRACE  | | Redo data.builtin.dockerfile.DS001.fail_latest
 TRACE  | | | Redo output.tag = "latest"
 TRACE  | | | Redo __local753__ = output.img
 TRACE  | | | Redo neq(__local752__, "scratch")
 TRACE  | | | Redo __local752__ = output.img
 TRACE  | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]
 TRACE  | | Eval __local754__ = output.img
 TRACE  | | Eval sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
 TRACE  | | Eval msg = __local509__
 TRACE  | | Eval __local755__ = output.cmd
 TRACE  | | Eval data.lib.docker.result(msg, __local755__, __local510__)
 TRACE  | | Index data.lib.docker.result (matched 1 rule)
 TRACE  | | Enter data.lib.docker.result
 TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Exit data.lib.docker.result
 TRACE  | | Eval res = __local510__
 TRACE  | | Exit data.builtin.dockerfile.DS001.deny
 TRACE  | Redo data.builtin.dockerfile.DS001.deny
 TRACE  | | Redo res = __local510__
 TRACE  | | Redo data.lib.docker.result(msg, __local755__, __local510__)
 TRACE  | | Redo data.lib.docker.result
 TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | Redo __local755__ = output.cmd
 TRACE  | | Redo msg = __local509__
 TRACE  | | Redo sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
 TRACE  | | Redo __local754__ = output.img
 TRACE  | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]
 TRACE  | Exit data.builtin.dockerfile.DS001.deny = _
 TRACE  Redo data.builtin.dockerfile.DS001.deny = _
 TRACE  | Redo data.builtin.dockerfile.DS001.deny = _
 TRACE
 ID: DS002
 File: Dockerfile
 Namespace: builtin.dockerfile.DS002
 Query: data.builtin.dockerfile.DS002.deny
 Message: Last USER command in Dockerfile should not be 'root'
 TRACE  Enter data.builtin.dockerfile.DS002.deny = _
 TRACE  | Eval data.builtin.dockerfile.DS002.deny = _
 TRACE  | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)
 TRACE  | Enter data.builtin.dockerfile.DS002.deny
 TRACE  | | Eval data.builtin.dockerfile.DS002.fail_user_count
 TRACE  | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)
 TRACE  | | Enter data.builtin.dockerfile.DS002.fail_user_count
 TRACE  | | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user
 TRACE  | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)
 TRACE  | | | Enter data.builtin.dockerfile.DS002.get_user
 TRACE  | | | | Eval user = data.lib.docker.user[_]
 TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
 TRACE  | | | | Enter data.lib.docker.user
 TRACE  | | | | | Eval instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "user"
 TRACE  | | | | | Fail instruction.Cmd = "user"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "user"
 TRACE  | | | | | Exit data.lib.docker.user
 TRACE  | | | | Redo data.lib.docker.user
 TRACE  | | | | | Redo instruction.Cmd = "user"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "user"
 TRACE  | | | | | Fail instruction.Cmd = "user"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | Eval username = user.Value[_]
 TRACE  | | | | Exit data.builtin.dockerfile.DS002.get_user
 TRACE  | | | Redo data.builtin.dockerfile.DS002.get_user
 TRACE  | | | | Redo username = user.Value[_]
 TRACE  | | | | Redo user = data.lib.docker.user[_]
 TRACE  | | | Eval count(__local771__, __local536__)
 TRACE  | | | Eval lt(__local536__, 1)
 TRACE  | | | Fail lt(__local536__, 1)
 TRACE  | | | Redo count(__local771__, __local536__)
 TRACE  | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user
 TRACE  | | Fail data.builtin.dockerfile.DS002.fail_user_count
 TRACE  | Enter data.builtin.dockerfile.DS002.deny
 TRACE  | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
 TRACE  | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)
 TRACE  | | Enter data.builtin.dockerfile.DS002.fail_last_user_root
 TRACE  | | | Eval stage_users = data.lib.docker.stage_user[_]
 TRACE  | | | Index data.lib.docker.stage_user (matched 1 rule)
 TRACE  | | | Enter data.lib.docker.stage_user
 TRACE  | | | | Eval stage = input.stages[stage_name]
 TRACE  | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
 TRACE  | | | | Enter cmd = stage[_]; cmd.Cmd = "user"
 TRACE  | | | | | Eval cmd = stage[_]
 TRACE  | | | | | Eval cmd.Cmd = "user"
 TRACE  | | | | | Fail cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd = stage[_]
 TRACE  | | | | | Eval cmd.Cmd = "user"
 TRACE  | | | | | Exit cmd = stage[_]; cmd.Cmd = "user"
 TRACE  | | | | Redo cmd = stage[_]; cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd = stage[_]
 TRACE  | | | | | Eval cmd.Cmd = "user"
 TRACE  | | | | | Fail cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd = stage[_]
 TRACE  | | | | Exit data.lib.docker.stage_user
 TRACE  | | | Redo data.lib.docker.stage_user
 TRACE  | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
 TRACE  | | | | Redo stage = input.stages[stage_name]
 TRACE  | | | Eval count(stage_users, __local537__)
 TRACE  | | | Eval len = __local537__
 TRACE  | | | Eval minus(len, 1, __local538__)
 TRACE  | | | Eval last = stage_users[__local538__]
 TRACE  | | | Eval user = last.Value[0]
 TRACE  | | | Eval user = "root"
 TRACE  | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root
 TRACE  | | Redo data.builtin.dockerfile.DS002.fail_last_user_root
 TRACE  | | | Redo user = "root"
 TRACE  | | | Redo user = last.Value[0]
 TRACE  | | | Redo last = stage_users[__local538__]
 TRACE  | | | Redo minus(len, 1, __local538__)
 TRACE  | | | Redo len = __local537__
 TRACE  | | | Redo count(stage_users, __local537__)
 TRACE  | | | Redo stage_users = data.lib.docker.stage_user[_]
 TRACE  | | Eval msg = "Last USER command in Dockerfile should not be 'root'"
 TRACE  | | Eval data.lib.docker.result(msg, cmd, __local540__)
 TRACE  | | Index data.lib.docker.result (matched 1 rule)
 TRACE  | | Enter data.lib.docker.result
 TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Exit data.lib.docker.result
 TRACE  | | Eval res = __local540__
 TRACE  | | Exit data.builtin.dockerfile.DS002.deny
 TRACE  | Redo data.builtin.dockerfile.DS002.deny
 TRACE  | | Redo res = __local540__
 TRACE  | | Redo data.lib.docker.result(msg, cmd, __local540__)
 TRACE  | | Redo data.lib.docker.result
 TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | Redo msg = "Last USER command in Dockerfile should not be 'root'"
 TRACE  | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
 TRACE  | Exit data.builtin.dockerfile.DS002.deny = _
 TRACE  Redo data.builtin.dockerfile.DS002.deny = _
 TRACE  | Redo data.builtin.dockerfile.DS002.deny = _
 TRACE
 ```
--- a/docs/docs/misconfiguration/custom/examples.md
+++ b/docs/docs/misconfiguration/custom/examples.md
@@ -0,0 +1,296 @@
 # Examples
 ## Custom Policy
 ### Kubernetes
 See [here][k8s].
 The custom policy is defined in `user.kubernetes.ID001` package.
 You need to pass the package prefix you want to evaluate through `--namespaces` option.
 In this case, the package prefix should be `user`, `user.kubernetes`, or `user.kubernetes.ID001`.
 ### Dockerfile
 See [here][dockerfile].
 The input will be a dictionary of stages.
 #### Single Stage
 ??? example
    Dockerfile
    ```dockerfile
    FROM foo
    COPY . /
    RUN echo hello
    ```
    Rego Input
    ```json
    {
        "stages": {
            "foo": [
                {
                    "Cmd": "from",
                    "EndLine": 1,
                    "Flags": [],
                    "JSON": false,
                    "Original": "FROM foo",
                    "Stage": 0,
                    "StartLine": 1,
                    "SubCmd": "",
                    "Value": [
                        "foo"
                    ]
                },
                {
                    "Cmd": "copy",
                    "EndLine": 2,
                    "Flags": [],
                    "JSON": false,
                    "Original": "COPY . /",
                    "Stage": 0,
                    "StartLine": 2,
                    "SubCmd": "",
                    "Value": [
                        ".",
                        "/"
                    ]
                },
                {
                    "Cmd": "run",
                    "EndLine": 3,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN echo hello",
                    "Stage": 0,
                    "StartLine": 3,
                    "SubCmd": "",
                    "Value": [
                        "echo hello"
                    ]
                }
            ]
        }
    }
    ```
 #### Multi Stage
 ??? example
    Dockerfile
    ```dockerfile
    FROM golang:1.16 AS builder
    WORKDIR /go/src/github.com/alexellis/href-counter/
    RUN go get -d -v golang.org/x/net/html
    COPY app.go .
    RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
    FROM alpine:latest
    RUN apk --no-cache add ca-certificates \
    && apk add --no-cache bash
    WORKDIR /root/
    COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
    CMD ["./app"]
    ```
    Rego Input
    ```json
    {
        "stages": {
            "alpine:latest": [
                {
                    "Cmd": "from",
                    "EndLine": 7,
                    "Flags": [],
                    "JSON": false,
                    "Original": "FROM alpine:latest",
                    "Stage": 1,
                    "StartLine": 7,
                    "SubCmd": "",
                    "Value": [
                        "alpine:latest"
                    ]
                },
                {
                    "Cmd": "run",
                    "EndLine": 9,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash",
                    "Stage": 1,
                    "StartLine": 8,
                    "SubCmd": "",
                    "Value": [
                        "apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash"
                    ]
                },
                {
                    "Cmd": "workdir",
                    "EndLine": 10,
                    "Flags": [],
                    "JSON": false,
                    "Original": "WORKDIR /root/",
                    "Stage": 1,
                    "StartLine": 10,
                    "SubCmd": "",
                    "Value": [
                        "/root/"
                    ]
                },
                {
                    "Cmd": "copy",
                    "EndLine": 11,
                    "Flags": [
                        "--from=builder"
                    ],
                    "JSON": false,
                    "Original": "COPY --from=builder /go/src/github.com/alexellis/href-counter/app .",
                    "Stage": 1,
                    "StartLine": 11,
                    "SubCmd": "",
                    "Value": [
                        "/go/src/github.com/alexellis/href-counter/app",
                        "."
                    ]
                },
                {
                    "Cmd": "cmd",
                    "EndLine": 12,
                    "Flags": [],
                    "JSON": true,
                    "Original": "CMD [\"./app\"]",
                    "Stage": 1,
                    "StartLine": 12,
                    "SubCmd": "",
                    "Value": [
                        "./app"
                    ]
                }
            ],
            "golang:1.16 AS builder": [
                {
                    "Cmd": "from",
                    "EndLine": 1,
                    "Flags": [],
                    "JSON": false,
                    "Original": "FROM golang:1.16 AS builder",
                    "Stage": 0,
                    "StartLine": 1,
                    "SubCmd": "",
                    "Value": [
                        "golang:1.16",
                        "AS",
                        "builder"
                    ]
                },
                {
                    "Cmd": "workdir",
                    "EndLine": 2,
                    "Flags": [],
                    "JSON": false,
                    "Original": "WORKDIR /go/src/github.com/alexellis/href-counter/",
                    "Stage": 0,
                    "StartLine": 2,
                    "SubCmd": "",
                    "Value": [
                        "/go/src/github.com/alexellis/href-counter/"
                    ]
                    },
                {
                    "Cmd": "run",
                    "EndLine": 3,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN go get -d -v golang.org/x/net/html",
                    "Stage": 0,
                    "StartLine": 3,
                    "SubCmd": "",
                    "Value": [
                        "go get -d -v golang.org/x/net/html"
                    ]
                },
                {
                    "Cmd": "copy",
                    "EndLine": 4,
                    "Flags": [],
                    "JSON": false,
                    "Original": "COPY app.go .",
                    "Stage": 0,
                    "StartLine": 4,
                    "SubCmd": "",
                    "Value": [
                        "app.go",
                        "."
                    ]
                },
                {
                    "Cmd": "run",
                    "EndLine": 5,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .",
                    "Stage": 0,
                    "StartLine": 5,
                    "SubCmd": "",
                    "Value": [
                        "CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app ."
                    ]
                }
            ]
        }
    }
    ```
 ### Docker Compose
 See [here][compose].
 Docker Compose uses YAML format for configurations. You can apply your Rego policies to `docker-compose.yml`.
 ### HCL
 See [here][hcl].
 Trivy parses HCL files and converts into structured data.
 !!! warning
    Terraform HCL files are not supported yet.
 ### Terraform Plan
 See [here][tfplan].
 Use the command [terraform show][terraform-show] to convert the Terraform plan into JSON so that OPA can read the plan.
 ```bash
 $ terraform init
 $ terraform plan --out tfplan.binary
 $ terraform show -json tfplan.binary > tfplan.json
 ```
 For more details, see also [OPA document][opa-terraform].
 ### Serverless Framework
 See [here][serverless].
 Server Framework uses YAML format for configurations. You can apply your Rego policies to `serverless.yaml`.
 ## Custom Data
 See [here][data].
 ## Combined Input
 See [here][combine].
 ## Go Testing
 See [here][go-testing].
 [k8s]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/kubernetes/
 [dockerfile]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/dockerfile/
 [compose]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/docker-compose/
 [hcl]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/hcl/
 [serverless]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/serverless/
 [tfplan]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/terraform-plan/
 [terraform-show]: https://www.terraform.io/docs/cli/commands/show.html
 [opa-terraform]: https://www.openpolicyagent.org/docs/latest/terraform/
 [custom]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy
 [data]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-data
 [combine]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/combine
 [go-testing]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/go-testing
--- a/docs/docs/misconfiguration/custom/index.md
+++ b/docs/docs/misconfiguration/custom/index.md
@@ -0,0 +1,209 @@
 # Custom Policies
 ## Overview
 You can write custom policies in [Rego][rego].
 Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
 ``` bash
 trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
 ```
 As for `--namespaces` option, the detail is described as below.
 ### File formats
 If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
 | File format   | File pattern                                              |
 |---------------|-----------------------------------------------------------|
 | JSON          | `*.json`                                                  |
 | YAML          | `*.yaml` and `*.yml`                                      |
 | Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
 | Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
 | Terraform     | `*.tf` and `*.tf.json`                                    |
 ### Configuration languages
 In the above general file formats, Trivy automatically identifies the following types of configuration files:
 - CloudFormation (JSON/YAML)
 - Kubernetes (JSON/YAML)
 - Helm (YAML)
 - Terraform Plan (JSON)
 This is useful for filtering inputs, as described below.
 ## Rego format
 A single package must contain only one policy.
 !!!example
    ``` rego
    # METADATA
    # title: Deployment not allowed
    # description: Deployments are not allowed because of some reasons.
    # schemas:
    #   - input: schema.input
    # custom:
    #   id: ID001
    #   severity: LOW
    #   input:
    #     selector: 
    #     - type: kubernetes
    package user.kubernetes.ID001
    deny[res] {
        input.kind == "Deployment"
        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
        res := result.new(msg, input.kind)
    }
    ```
 In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
 If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
 ### Policy structure
 `# METADATA` (optional)
 :   - SHOULD be defined for clarity since these values will be displayed in the scan results
    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
 `package` (required)
 :   - MUST follow the Rego's [specification][package]
    - MUST be unique per policy
    - SHOULD include policy id for uniqueness
    - MAY include the group name such as `kubernetes` for clarity
        - Group name has no effect on policy evaluation
 `deny` (required)
 :   - SHOULD be `deny` or start with `deny_`
        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
    - SHOULD return ONE OF:
        - The result of a call to `result.new(msg, cause)`. The `msg` is a `string` describing the issue occurrence, and the `cause` is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. 
        - A `string` denoting the detected issue
            - Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended if `result.new()` is not utilised.
            - e.g. `{"msg": "deny message", "details": "something"}`
 ### Package
 A package name must be unique per policy.
 !!!example
    ``` rego
    package user.kubernetes.ID001
    ```
 By default, only `builtin.*` packages will be evaluated.
 If you define custom packages, you have to specify the package prefix via `--namespaces` option. 
 ``` bash
 trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
 ```
 In this case, `user.*` will be evaluated.
 Any package prefixes such as `main` and `user` are allowed.
 ### Metadata
 Metadata helps enrich Trivy's scan results with useful information.
 The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
 Trivy supports extra fields in the `custom` section as described below.
 !!!example
    ``` rego
    # METADATA
    # title: Deployment not allowed
    # description: Deployments are not allowed because of some reasons.
    # custom:
    #   id: ID001
    #   severity: LOW
    #   input:
    #     selector:
    #     - type: kubernetes
    ```
 All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
 schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
 correct and do not reference incorrect properties/values.
 | Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
 |----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
 | title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
 | description                | Any characters                           |                              | :material-close: | :material-check: |
 | schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
 | custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
 | custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
 | custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
 | custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
 | url                        | Any characters                           |                              | :material-close: | :material-check: |
 Some fields are displayed in scan results.
 ``` bash
 k.yaml (kubernetes)
 ───────────────────
 Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 LOW: Found deployment 'my-deployment' but deployments are not allowed
 ════════════════════════════════════════════════════════════════════════
 Deployments are not allowed because of some reasons.
 ────────────────────────────────────────────────────────────────────────
 k.yaml:1-2
 ────────────────────────────────────────────────────────────────────────
   1 ┌ apiVersion: v1
   2 └ kind: Deployment
 ────────────────────────────────────────────────────────────────────────
 ```
 ### Input
 You can specify input format via the `custom.input` annotation.
 !!!example
    ``` rego
    # METADATA
    # custom:
    #   input:
    #     combine: false
    #     selector:
    #     - type: kubernetes
    ```
 `combine` (boolean)
 : The details are [here](combine.md).
 `selector` (array)
 :   This option filters the input by file format or configuration language. 
    In the above example, Trivy passes only Kubernetes files to this policy.
    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
    Possible values for input types are:
    - `dockerfile` (Dockerfile)
    - `kubernetes` (Kubernetes YAML/JSON)
    - `rbac` (Kubernetes RBAC YAML/JSON)
    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
    - `yaml` (Generic YAML)
    - `json` (Generic JSON)
    - `toml` (Generic TOML)
    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
    When a configuration language is identified, it will overwrite `type`.
    !!! example
        `pod.yaml` including Kubernetes Pod will be handled as `kubernetes`, not `yaml`.
        `type` is overwritten by `kubernetes` from `yaml`.
    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
 ### Schemas
 You can explore the format of input documents by browsing the schema for the relevant input type:
 - [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
 - [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
 - [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
 - [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
 [source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
--- a/docs/docs/misconfiguration/custom/testing.md
+++ b/docs/docs/misconfiguration/custom/testing.md
@@ -0,0 +1,90 @@
 # Testing
 It is highly recommended to write tests for your custom policies.
 ## Rego testing
 To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. 
 By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
 For more details, see [Policy Testing][opa-testing].
 !!! example
    ```
    package user.dockerfile.ID002
    test_add_denied {
        r := deny with input as {"stages": {"alpine:3.13": [
            {"Cmd": "add", "Value": ["/target/resources.tar.gz", "resources.jar"]},
            {"Cmd": "add", "Value": ["/target/app.jar", "app.jar"]},
        ]}}
        count(r) == 1
        r[_] == "Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'"
    }
    ```
 To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
 You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
 This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
 In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
 !!! tip
    We recommend writing OPA and Go tests both since they have different roles, like unit tests and integration tests.
 The following example stores allowed and denied configuration files in a directory.
 `Successes` contains the result of successes, and `Failures` contains the result of failures.
 ``` go
 {
 	name:  "disallowed ports",
 	input: "configs/",
 	fields: fields{
 		policyPaths: []string{"policy"},
 		dataPaths:   []string{"data"},
 		namespaces:  []string{"user"},
 	},
 	want: []types.Misconfiguration{
 		{
 			FileType: types.Dockerfile,
 			FilePath: "Dockerfile.allowed",
 			Successes: types.MisconfResults{
 				{
 					Namespace: "user.dockerfile.ID002",
 					PolicyMetadata: types.PolicyMetadata{
 						ID:          "ID002",
 						Type:        "Docker Custom Check",
 						Title:       "Disallowed ports exposed",
 						Severity:    "HIGH",
 					},
 				},
 			},
 		},
 		{
 			FileType: types.Dockerfile,
 			FilePath: "Dockerfile.denied",
 			Failures: types.MisconfResults{
 				{
 					Namespace: "user.dockerfile.ID002",
 					Message:   "Port 23 should not be exposed",
 					PolicyMetadata: types.PolicyMetadata{
 						ID:          "ID002",
 						Type:        "Docker Custom Check",
 						Title:       "Disallowed ports exposed",
 						Severity:    "HIGH",
 					},
 				},
 			},
 		},
 	},
 },
 ```
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
 [defsec]: https://github.com/aquasecurity/defsec
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal
--- a/docs/docs/misconfiguration/options/filter.md
+++ b/docs/docs/misconfiguration/options/filter.md
@@ -0,0 +1,60 @@
 # Filter Misconfigurations
 ## By Severity
 Use `--severity` option.
 ```bash
 trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
 ```
 <details>
 <summary>Result</summary>
 ```shell
 2022-05-16T13:50:42.718+0100	INFO	Detected config files: 3
 Dockerfile (dockerfile)
 =======================
 Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (HIGH: 1, CRITICAL: 0)
 HIGH: Last USER command in Dockerfile should not be 'root'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
 See https://avd.aquasec.com/misconfig/ds002
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml (kubernetes)
 ============================
 Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
 Failures: 0 (HIGH: 0, CRITICAL: 0)
 main.tf (terraform)
 ===================
 Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (HIGH: 0, CRITICAL: 1)
 CRITICAL: Classic resources should not be used.
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
 resources in a VPC instead.
 See https://avd.aquasec.com/misconfig/avd-aws-0081
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-4
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_security_group" "sg" {
   3 │
   4 └ }
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ```
 </details>
--- a/docs/docs/misconfiguration/options/others.md
+++ b/docs/docs/misconfiguration/options/others.md
@@ -0,0 +1,4 @@
 # Others
 !!! hint
    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
--- a/docs/docs/misconfiguration/options/policy.md
+++ b/docs/docs/misconfiguration/options/policy.md
@@ -0,0 +1,35 @@
 # Policy
 ## Pass custom policies
 You can pass directories including your custom policies through `--policy` option.
 This can be repeated for specifying multiple directories.
 ```bash
 cd examplex/misconf/
 trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
 ```
 For more details, see [Custom Policies](../custom/index.md).
 !!! tip
    You also need to specify `--namespaces` option.
 ## Pass custom data
 You can pass directories including your custom data through `--data` option.
 This can be repeated for specifying multiple directories.
 ```bash
 cd examples/misconf/custom-data
 trivy conf --policy ./policy --data ./data --namespaces user ./configs
 ```
 For more details, see [Custom Data](../custom/data.md).
 ## Pass namespaces
 By default, Trivy evaluates policies defined in `builtin.*`.
 If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
 This can be repeated for specifying multiple packages.
 ``` bash
 trivy conf --policy ./policy --namespaces main --namespaces user ./configs
 ```
--- a/docs/docs/misconfiguration/options/report.md
+++ b/docs/docs/misconfiguration/options/report.md
@@ -0,0 +1,6 @@
 # Report Formats
 See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
 !!! caution
    Misconfiguration scanning doesn't support default templates such as XML for now.
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -0,0 +1,48 @@
 # Value Overrides
 Value files can be passed for supported scannable config files.
 ## Terraform value overrides
 You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
 ```bash
 trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
 ```
 ## Helm value overrides
 There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
 ### Setting inline value overrides
 Overrides can be set inline on the command line
 ```bash
 trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
 ```
 ### Setting value file overrides
 Overrides can be in a file that has the key=value set. 
 ```yaml
 # Example override file (overrides.yaml)
 securityContext:
  runAsUser: 0
 ```
 ```bash
 trivy conf --helm-values overrides.yaml ./charts/mySql
 ``` 
 ### Setting value as explicit string
 the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
 ```bash
 trivy config --helm-set-string name=false ./infrastructure/tf
 ```
 ### Setting specific values from files
 Specific override values can come from specific files
 ```bash
 trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
 ```
--- a/docs/docs/misconfiguration/policy/builtin.md
+++ b/docs/docs/misconfiguration/policy/builtin.md
@@ -0,0 +1,38 @@
 # Built-in Policies
 ## Policy Sources
 Built-in policies are mainly written in [Rego][rego] and Go.
 Those policies are managed under [defsec repository][defsec].
 | Config type               | Source               |
 |---------------------------|----------------------|
 | Kubernetes                | [defsec][kubernetes] |
 | Dockerfile, Containerfile | [defsec][docker]     |
 | Terraform                 | [defsec][defsec]     |
 | CloudFormation            | [defsec][defsec]     |
 | Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
 | RBAC                      | [defsec][rbac]       |      
 For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
 Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.
 Ansible scanning is coming soon.
 ## Policy Distribution
 defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
 When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
 Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
 If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [defsec]: https://github.com/aquasecurity/defsec
 [kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
 [kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
 [docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
 [ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec
--- a/docs/docs/misconfiguration/policy/exceptions.md
+++ b/docs/docs/misconfiguration/policy/exceptions.md
@@ -0,0 +1,98 @@
 # Exceptions
 Exceptions let you specify cases where you allow policy violations.
 Trivy supports two types of exceptions.
 !!! info
    Exceptions can be applied to built-in policies as well as custom policies.
 ## Namespace-based exceptions
 There are some cases where you need to disable built-in policies partially or fully.
 Namespace-based exceptions lets you rough choose which individual packages to exempt.
 To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
 The `exception` rule must be defined under `namespace.exceptions`.
 `data.namespaces` includes all package names.
 !!! example
    ``` rego
    package namespace.exceptions
    import data.namespaces
    exception[ns] {
        ns := data.namespaces[_]
        startswith(ns, "builtin.kubernetes")
    }
    ```
 This example exempts all built-in policies for Kubernetes.
 For more details, see [an example][ns-example].
 ## Rule-based exceptions
 There are some cases where you need more flexibility and granularity in defining which cases to exempt.
 Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
 To use rule-based exceptions, create a Rego rule with the name `exception` that returns the rule name suffixes to exempt, prefixed by `deny_` (for example, returning `foo` will exempt `deny_foo`). 
 The rule can make any other assertion, for example, on the input or data documents. 
 This is useful to specify the exemption for a specific case.
 Note that if you specify the empty string, the exception will match all rules named `deny`.
 ```
 exception[rules] {
    # Logic
    rules = ["foo","bar"]
 }
 ```
 The above would provide an exception from `deny_foo` and `deny_bar`.
 !!! example
    ```
    package user.kubernetes.ID100
    __rego_metadata := {
        "id": "ID100",
        "title": "Deployment not allowed",
        "severity": "HIGH",
        "type": "Kubernetes Custom Check",
    }
    deny_deployment[msg] {
        input.kind == "Deployment"
    	msg = sprintf("Found deployment '%s' but deployments are not allowed", [name])
    }
    exception[rules] {
        input.kind == "Deployment"
        input.metadata.name == "allow-deployment"
        rules := ["deployment"]
    }
    ```
 If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
 !!! example
    ``` rego
    package builtin.kubernetes.KSV012
    exception[rules] {
        input.metadata.name == "can-run-as-root"
        rules := [""]
    }
    ```
 This exception is applied to [KSV012][ksv012] in defsec.
 You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
 For more details, see [an example][rule-example].
 [ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
 [rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
 [ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
 [defsec]: https://github.com/aquasecurity/defsec/
--- a/docs/docs/misconfiguration/scanning.md
+++ b/docs/docs/misconfiguration/scanning.md
@@ -0,0 +1,319 @@
 # Misconfiguration Scanning
 Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
 In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].
 ![misconf](../../imgs/misconf.png)
 ## Quick start
 Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
 ```
 !!! example
    ```
    $ ls build/
    Dockerfile
    $ trivy config ./build
    2022-05-16T13:29:29.952+0100	INFO	Detected config files: 1
    Dockerfile (dockerfile)
    =======================
    Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
    Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
    MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
    ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
    See https://avd.aquasec.com/misconfig/ds001
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Dockerfile:1
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    1 [ FROM alpine:latest
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ```
 You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
 ```bash
 $ trivy image --scanners config IMAGE_NAME
 ```
 ```bash
 $ trivy fs --scanners config /path/to/dir
 ```
 !!! note
    Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
 Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
 You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
 !!! example
    ``` bash
    $ ls myapp/
    Dockerfile Pipfile.lock
    $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
    2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
    2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
    2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
    Pipfile.lock (pipenv)
    =====================
    Total: 1 (HIGH: 1, CRITICAL: 0)
    ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
    │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
    ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
    │ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via │
    │          │                │          │                   │               │ malicious header                                          │
    │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                │
    └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
    Dockerfile (dockerfile)
    =======================
    Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
    Failures: 1 (HIGH: 1, CRITICAL: 0)
    HIGH: Last USER command in Dockerfile should not be 'root'
    ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    See https://avd.aquasec.com/misconfig/ds002
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Dockerfile:3
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    3 [ USER root
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ```
 In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
 ## Type detection
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.
 For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
 $ trivy conf --severity HIGH,CRITICAL ./iac
 ```
 <details>
 <summary>Result</summary>
 ```
 2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8
 Dockerfile (dockerfile)
 Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
 See https://avd.aquasec.com/misconfig/ds002
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml (kubernetes)
 Tests: 20 (SUCCESSES: 15, FAILURES: 5, EXCEPTIONS: 0)
 Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
 MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
 See https://avd.aquasec.com/misconfig/ksv001
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:16-19
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  16 ┌       - name: hello-kubernetes
  17 │         image: hello-kubernetes:1.5
  18 │         ports:
  19 └         - containerPort: 8080
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 HIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Mounting docker.sock from the host can give the container full root access to the host.
 See https://avd.aquasec.com/misconfig/ksv006
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └     spec:
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to true
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
 See https://avd.aquasec.com/misconfig/ksv012
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:16-19
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  16 ┌       - name: hello-kubernetes
  17 │         image: hello-kubernetes:1.5
  18 │         ports:
  19 └         - containerPort: 8080
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Deployment 'hello-kubernetes' should not set 'spec.template.volumes.hostPath'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 HostPath volumes must be forbidden.
 See https://avd.aquasec.com/misconfig/ksv023
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └     spec:
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed values
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
 See https://avd.aquasec.com/misconfig/ksv026
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └     spec:
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
 Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
 Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to false
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
 See https://avd.aquasec.com/misconfig/ksv001
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  56 ┌         - name: mysql
  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
  58 │           imagePullPolicy: "IfNotPresent"
  59 │           securityContext:
  60 │             runAsUser: 1001
  61 │           env:
  62 │             - name: BITNAMI_DEBUG
  63 │               value: "false"
  64 └             - name: MYSQL_ROOT_PASSWORD
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to true
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
 See https://avd.aquasec.com/misconfig/ksv012
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  56 ┌         - name: mysql
  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
  58 │           imagePullPolicy: "IfNotPresent"
  59 │           securityContext:
  60 │             runAsUser: 1001
  61 │           env:
  62 │             - name: BITNAMI_DEBUG
  63 │               value: "false"
  64 └             - name: MYSQL_ROOT_PASSWORD
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ```
 </details>
 You can see the config type next to each file name.
 !!! example
 ``` bash
 Dockerfile (dockerfile)
 =======================
 Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (HIGH: 1, CRITICAL: 0)
 ...
 deployment.yaml (kubernetes)
 ============================
 Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
 Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
 ...
 main.tf (terraform)
 ===================
 Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
 Failures: 9 (HIGH: 6, CRITICAL: 1)
 ...
 bucket.yaml (cloudformation)
 ============================
 Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
 Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
 ...
 mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
 ==========================================================
 Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
 Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 ```
 ## Examples
 See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)
 [custom]: ./custom/index.md
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -0,0 +1,72 @@
 # Client
 ```bash
 Usage:
  trivy client [flags] IMAGE_NAME
 Aliases:
  client, c
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
      --skip-dirs strings        specify the directories where the traversal is skipped
      --skip-files strings       specify the file paths to skip traversal
 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
      --report string          specify a report format for the output. (all,summary) (default "all")
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --download-java-db-only  download/update java indexes database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database
      --skip-java-db-update    skip updating java indexes database
 Vulnerability Flags
      --ignore-unfixed     display only fixed vulnerabilities
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 Misconfiguration Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --file-patterns strings       specify config file patterns, available with '--scanners config'
      --include-non-failures        include successes and exceptions, available with '--scanners config'
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --remote string            server address (default "http://localhost:4954")
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/config.md
+++ b/docs/docs/references/cli/config.md
@@ -0,0 +1,49 @@
 # Config
 ``` bash
 Scan config files for misconfigurations
 Usage:
  trivy config [flags] DIR
 Aliases:
  config, conf
 Scan Flags
      --skip-dirs strings    specify the directories where the traversal is skipped
      --skip-files strings   specify the file paths to skip traversal
 Report Flags
      --exit-code int       specify exit code when any security issues are found
  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignorefile string   specify .trivyignore file (default ".trivyignore")
  -o, --output string       output file name
  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string     output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 Misconfiguration Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --file-patterns strings       specify config file patterns, available with '--scanners config'
      --include-non-failures        include successes and exceptions, available with '--scanners config'
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/fs.md
+++ b/docs/docs/references/cli/fs.md
@@ -0,0 +1,87 @@
 # Filesystem
 ```bash
 Scan local filesystem
 Usage:
  trivy filesystem [flags] PATH
 Aliases:
  filesystem, fs
 Examples:
  # Scan a local project including language-specific files
  $ trivy fs /path/to/your_project
  # Scan a single file
  $ trivy fs ./trivy-ci-test/Pipfile.lock
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
      --skip-dirs strings        specify the directories where the traversal is skipped
      --skip-files strings       specify the file paths to skip traversal
 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --download-java-db-only  download/update java indexes database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database
      --skip-java-db-update    skip updating java indexes database
 Vulnerability Flags
      --ignore-unfixed     display only fixed vulnerabilities
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 Misconfiguration Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --file-patterns strings       specify config file patterns, available with '--scanners config'
      --include-non-failures        include successes and exceptions, available with '--scanners config'
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
 License Flags
      --ignored-licenses strings   specify a list of license to ignore
      --license-full               eagerly look for licenses in source code headers and license files
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/image.md
+++ b/docs/docs/references/cli/image.md
@@ -0,0 +1,105 @@
 # Image
 ```bash
 Scan a container image
 Usage:
  trivy image [flags] IMAGE_NAME
 Aliases:
  image, i
 Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine
  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar
  # Filter by severities
  $ trivy image --severity HIGH,CRITICAL alpine:3.15
  # Ignore unfixed/unpatched vulnerabilities
  $ trivy image --ignore-unfixed alpine:3.15
  # Scan a container image in client mode
  $ trivy image --server http://127.0.0.1:4954 alpine:latest
  # Generate json result
  $ trivy image --format json --output result.json alpine:3.15
  # Generate a report in the CycloneDX format
  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
      --skip-dirs strings        specify the directories where the traversal is skipped
      --skip-files strings       specify the file paths to skip traversal
 Report Flags
      --exit-code int          specify exit code when any security issues are found
  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --download-java-db-only  download/update java indexes database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database
      --skip-java-db-update    skip updating java indexes database
 Image Flags
      --input string   input file path instead of image name
      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
 Vulnerability Flags
      --ignore-unfixed     display only fixed vulnerabilities
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 Misconfiguration Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --file-patterns strings       specify config file patterns, available with '--scanners config'
      --include-non-failures        include successes and exceptions, available with '--scanners config'
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
 License Flags
      --ignored-licenses strings   specify a list of license to ignore
      --license-full               eagerly look for licenses in source code headers and license files
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/index.md
+++ b/docs/docs/references/cli/index.md
@@ -0,0 +1,50 @@
 Trivy has several sub commands, image, fs, repo, client and server.
 ``` bash
 Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
 Usage:
  trivy [global flags] command [flags] target
  trivy [command]
 Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine
  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar
  # Scan local filesystem
  $ trivy fs .
  # Run in server mode
  $ trivy server
 Available Commands:
  config      Scan config files for misconfigurations
  filesystem  Scan local filesystem
  help        Help about any command
  image       Scan a container image
  kubernetes  scan kubernetes cluster
  module      Manage modules
  plugin      Manage plugins
  repository  Scan a remote repository
  rootfs      Scan rootfs
  sbom        Scan SBOM for vulnerabilities
  server      Server mode
  version     Print the version
 Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 Use "trivy [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/module.md
+++ b/docs/docs/references/cli/module.md
@@ -0,0 +1,30 @@
 # Module
 ```bash
 Manage modules
 Usage:
  trivy module [command]
 Aliases:
  module, m
 Available Commands:
  install     Install a module
  uninstall   Uninstall a module
 Flags:
  -h, --help   help for module
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 Use "trivy module [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/plugin.md
+++ b/docs/docs/references/cli/plugin.md
@@ -0,0 +1,34 @@
 # Plugin
 ```bash
 Manage plugins
 Usage:
  trivy plugin [command]
 Aliases:
  plugin, p
 Available Commands:
  info        Show information about the specified plugin
  install     Install a plugin
  list        List installed plugin
  run         Run a plugin on the fly
  uninstall   Uninstall a plugin
  update      Update an existing plugin
 Flags:
  -h, --help   help for plugin
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 Use "trivy plugin [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/repo.md
+++ b/docs/docs/references/cli/repo.md
@@ -0,0 +1,89 @@
 # Repository
 ```bash
 Scan a remote repository
 Usage:
  trivy repository [flags] REPO_URL
 Aliases:
  repository, repo
 Examples:
  # Scan your remote git repository
  $ trivy repo https://github.com/knqyf263/trivy-ci-test
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
      --skip-dirs strings        specify the directories where the traversal is skipped
      --skip-files strings       specify the file paths to skip traversal
 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --download-java-db-only  download/update java indexes database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database
      --skip-java-db-update    skip updating java indexes database
 Vulnerability Flags
      --ignore-unfixed     display only fixed vulnerabilities
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 Misconfiguration Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --file-patterns strings       specify config file patterns, available with '--scanners config'
      --include-non-failures        include successes and exceptions, available with '--scanners config'
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
 License Flags
      --ignored-licenses strings   specify a list of license to ignore
      --license-full               eagerly look for licenses in source code headers and license files
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
 Repository Flags
      --branch string   pass the branch name to be scanned
      --commit string   pass the commit hash to be scanned
      --tag string      pass the tag name to be scanned
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -0,0 +1,96 @@
 # Rootfs
 ```bash
 Scan rootfs
 Usage:
  trivy rootfs [flags] ROOTDIR
 Examples:
  # Scan unpacked filesystem
  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
  $ trivy rootfs /tmp/rootfs
  # Scan from inside a container
  $ docker run --rm -it alpine:3.11
  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
  / # trivy rootfs /
 Scan Flags
      --file-patterns strings     specify config file patterns
      --offline-scan              do not issue API requests to identify dependencies
      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
      --scanners strings          comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
      --skip-dirs strings         specify the directories where the traversal is skipped
      --skip-files strings        specify the file paths to skip traversal
 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --download-java-db-only  download/update java indexes database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database
      --skip-java-db-update    skip updating java indexes database
 Vulnerability Flags
      --ignore-unfixed     display only fixed vulnerabilities
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 Misconfiguration Flags
      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-values strings       specify paths to override the Helm values.yaml files
      --include-non-failures      include successes and exceptions, available with '--scanners config'
      --tf-vars strings           specify paths to override the Terraform tfvars files
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
 License Flags
      --ignored-licenses strings   specify a list of license to ignore
      --license-full               eagerly look for licenses in source code headers and license files
 Rego Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`This directory contains media assets, such as the Trivy logo.`
							`Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>`