fix(docs): typo (#1488 )

feat(plugin): Add option to update plugin (#1462 )
* Add option to update plugin - add plugin update [pluginName] to update - add supporting test * refactor: wrap errors
2025-12-13 08:00:53 -08:00 · 2021-12-19 11:24:22 +02:00 · 2021-12-16 13:30:19 +02:00 · 2021-12-16 13:21:22 +02:00 · 2021-12-15 22:36:08 +02:00 · 2021-12-15 21:28:29 +02:00
187 changed files with 135824 additions and 132883 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: daily
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -1,45 +1,82 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
  push:
    branches: [main]
    paths:
      - 'helm/trivy/**'
-  workflow_dispatch:
 env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
-  release:
+  test-chart:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
        with:
          version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        with:
+          fetch-depth: 0
      - name: Install chart-releaser
        run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
      - name: Package helm chart
        run: |
          ./cr package ${{ env.CHART_DIR }}
      - name: Upload helm chart
        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
        continue-on-error: true
-        ## Upload the tar in the Releases repository
        run: |
          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
      - name: Index helm chart
        run: |
          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
      - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.0.4
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
        env:
          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
        with:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,7 +4,7 @@ on:
    tags:
      - "v*"
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.17"
  GH_USER: "aqua-bot"
 jobs:
  release:
@@ -57,15 +57,14 @@ jobs:
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v0.2.0
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
-          json: true
-          output: bom.json
-          version: latest
+          args: mod -licenses -json -output bom.json
+          version: ^v1
      - name: Release
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: v0.164.0
+          version: v0.183.0
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v4
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,7 +10,7 @@ on:
      - 'LICENSE'
  pull_request:
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.17"
 jobs:
  test:
    name: Test
@@ -75,7 +75,7 @@ jobs:
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v2
      with:
-        version: v0.164.0
+        version: v0.183.0
        args: release --snapshot --rm-dist --skip-publish

  build-documents:
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,6 @@ integration/testdata/fixtures/images

 # SBOMs generated during CI
 /bom.json
+
+# goreleaser output
+dist
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,9 +1,9 @@
-Thank you for taking interest in contributing to Trivy !
+Thank you for taking interest in contributing to Trivy!

 ## Issues
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.

 ## Pull Requests
@@ -23,6 +23,6 @@ Thank you for taking interest in contributing to Trivy !
 Trivy is composed of several different repositories that work together:

 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
+- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.15.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/README.md
+++ b/README.md
@@ -193,6 +193,12 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Documentation
 The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
 [test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
 [go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
@@ -207,3 +213,7 @@ The official documentation, which provides detailed installation, configuration,
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [action]: https://github.com/aquasecurity/trivy-action
 [vscode]: https://github.com/aquasecurity/trivy-vscode-extension
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/ci/deploy-deb.sh
+++ b/ci/deploy-deb.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))

 cd trivy-repo/deb

@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Removing deb package of $release"
  reprepro -A i386 remove $release trivy
  reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done

 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Adding deb package to $release"
  reprepro includedeb $release ../../dist/*Linux-64bit.deb
  reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done

 git add .
--- a/contrib/Trivy.gitlab-ci.yml
+++ b/contrib/Trivy.gitlab-ci.yml
@@ -10,7 +10,7 @@ Trivy_container_scanning:
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
-    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    - apk add --no-cache curl docker-cli
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
  log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
  log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
  log_priority 3 || return 0
--- a/contrib/sarif.tpl
+++ b/contrib/sarif.tpl
@@ -1,6 +1,7 @@
 {
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
+  {{- $rules := makeRuleMap }}
  "runs": [
    {
      "tool": {
@@ -14,16 +15,17 @@
        {{- range $result := . }}
            {{- $vulnerabilityType := .Type }}
            {{- range .Vulnerabilities -}}
+                {{- if indexRule $rules .VulnerabilityID -}}
                  {{- if $t_first -}}
                    {{- $t_first = false -}}
                  {{ else -}}
                    ,
                  {{- end }}
                {
-              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
+                  "id": {{ .VulnerabilityID | toJson }},
                  "name": "{{ toSarifRuleName $vulnerabilityType }}",
                  "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
+                    "text": {{ .VulnerabilityID | toJson }}
                  },
                  "fullDescription": {
                    "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
@@ -38,20 +40,20 @@
                  ,
                  {{- end }}
                  "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
+                    "text": {{ printf "Vulnerability %v\n%v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},                    
+                    "markdown": {{ printf "**Vulnerability %v**\n%v\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}                    
                  },
                  "properties": {
                    "tags": [
                      "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
+                      "{{ .Vulnerability.Severity }}"
                    ],
                    "precision": "very-high"
                  }
                }
                {{- end -}}
            {{- end -}}
+         {{- end -}}
          ]
        }
      },
@@ -66,17 +68,20 @@
            ,
          {{- end }}
        {
-          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-          "ruleIndex": {{ $index }},
+          "ruleId": {{ .VulnerabilityID | toJson }},
+          "ruleIndex": {{ index $rules .VulnerabilityID }},
          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
          "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
+            "text": {{ printf "Package: %v\nInstalled Version: %v\nVulnerability %v\nSeverity: %v\nFixed Version: %v\nLink: [%v](%v)" .PkgName .InstalledVersion .VulnerabilityID .Vulnerability.Severity .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "{{ toPathUri $filePath }}",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
@@ -87,7 +92,7 @@
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
        }
      }
    }
--- a/docs/advanced/air-gap.md
+++ b/docs/advanced/air-gap.md
@@ -2,7 +2,10 @@

 Trivy can be used in air-gapped environments.

-## Download the vulnerability database
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
 Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
 If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
@@ -11,14 +14,14 @@ If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--ligh
 $ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
 ```

-## Transfer the DB file into the air-gapped environment
+### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.

 ```
 $ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
 ```

-## Put the DB file in Trivy's cache directory
+### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.

 ```
@@ -47,11 +50,69 @@ $ rm trivy-offline.db.tgz

 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 

-## Run Trivy with --skip-update option
+### Run Trivy with --skip-update option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.

 ```
 $ trivy image --skip-update alpine:3.12
 ```

+## Air-Gapped Environment for misconfigurations
+
+### Download misconfiguration policies
+At first, you need to download misconfiguration policies for use in air-gapped environments.
+Please follow [oras installation instruction][oras]. \
+Download `bundle.tar.gz`:
+
+```
+$ oras pull ghcr.io/aquasecurity/appshield:latest -a
+```
+
+### Transfer misconfiguration policies into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
+```
+
+### Put the misconfiguration policies in Trivy's cache directory
+You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the misconfiguration policies file in the cache directory + `/policy/content`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/policy/content
+$ cd /home/myuser/.cache/trivy/policy/content
+$ mv /path/to/bundle.tar.gz .
+```
+
+Then, decompress it.
+`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
+
+```
+$ tar xvf bundle.tar.gz 
+x ./docker/
+...
+x ./kubernetes/
+...
+x ./.manifest
+$ rm bundle.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
+
+### Run Trivy with --skip-policy-update option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
 [trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+[oras]: https://oras.land/cli/
--- a/docs/advanced/community/references.md
+++ b/docs/advanced/community/references.md
@@ -0,0 +1,19 @@
+# External References
+There are external blogs and evaluations.
+
+## Blogs
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
--- a/docs/advanced/community/tools.md
+++ b/docs/advanced/community/tools.md
@@ -0,0 +1,37 @@
+# Community Tools
+The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
+
+Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
+
+## GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+## Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+## CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+## Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
--- a/docs/advanced/container/embed-in-dockerfile.md
+++ b/docs/advanced/container/embed-in-dockerfile.md
@@ -10,7 +10,7 @@ FROM alpine:3.7

 RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
-    && trivy filesystem --exit-code 1 --no-progress /
+    && trivy rootfs --exit-code 1 --no-progress /

 $ docker build -t vulnerable-image .
 ```
@@ -21,7 +21,7 @@ insecure `curl | sh`. Also the image is not changed.
 # Run vulnerability scan on build image
 FROM build AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy filesystem --exit-code 1 --no-progress /
+RUN trivy rootfs --exit-code 1 --no-progress /
 [...]
 ```

--- a/docs/advanced/container/unpacked-filesystem.md
+++ b/docs/advanced/container/unpacked-filesystem.md
@@ -1,12 +1,12 @@
 # Unpacked Filesystem

-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.

 In this case, Trivy works the same way when scanning containers

 ```bash
 $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
-$ trivy fs /tmp/rootfs
+$ trivy rootfs /tmp/rootfs
 ```

 <details>
--- a/docs/advanced/integrations/bitbucket.md
+++ b/docs/advanced/integrations/bitbucket.md
@@ -0,0 +1,5 @@
+# Bitbucket Pipelines
+
+See [trivy-pipe][trivy-pipe] for the details.
+
+[trivy-pipe]: https://github.com/aquasecurity/trivy-pipe
--- a/docs/advanced/integrations/gitlab-ci.md
+++ b/docs/advanced/integrations/gitlab-ci.md
@@ -1,5 +1,11 @@
 # GitLab CI

+If you're a GitLab Ultimate customer, GitLab 14.0 and above include out-of-the-box integration with Trivy. To enable it for your project, simply add the container scanning template to your `.gitlab-ci.yml` file. For more details, please refer to [GitLab's documentation](https://docs.gitlab.com/ee/user/application_security/container_scanning/).
+
+If you're using an earlier version of GitLab, you can still use the new integration by copying the [contents of the 14.0 template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml) to your configuration.
+
+Alternatively, you can always use the example configurations below.
+
 ```yaml
 stages:
  - test
--- a/docs/advanced/private-registries/gcr.md
+++ b/docs/advanced/private-registries/gcr.md
@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.

-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```
--- a/docs/getting-started/cli/fs.md
+++ b/docs/getting-started/cli/fs.md
@@ -10,7 +10,6 @@ USAGE:
 OPTIONS:
   --template value, -t value                     output template [$TRIVY_TEMPLATE]
   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value                        input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value                       output file name [$TRIVY_OUTPUT]
   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -18,7 +17,6 @@ OPTIONS:
   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                                 detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--- a/docs/getting-started/cli/rootfs.md
+++ b/docs/getting-started/cli/rootfs.md
@@ -0,0 +1,34 @@
+# Rootfs
+
+```bash
+NAME:
+   trivy rootfs - scan rootfs
+
+USAGE:
+   trivy rootfs [command options] dir
+
+OPTIONS:
+   --template value, -t value                     output template [$TRIVY_TEMPLATE]
+   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --output value, -o value                       output file name [$TRIVY_OUTPUT]
+   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
+   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
+   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
+   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
+   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
+   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
+   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
+   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
+   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
+   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
+   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
+   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --help, -h                                     show help (default: false)
+```
--- a/docs/getting-started/further.md
+++ b/docs/getting-started/further.md
@@ -18,11 +18,6 @@
 - [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
 - [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]

-## External Blogs
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-
 [intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
 [cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
 [server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
@@ -35,7 +30,3 @@
 [actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
 [actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
 [vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
-
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -8,7 +8,7 @@ Trivy detects two types of security issues:
 Trivy can scan three different artifacts:

 - [Container Images][container]
- [Filesystem][filesystem]
+- [Filesystem][filesystem] and [Rootfs][rootfs]
 - [Git Repositories][repo]

 Trivy can be run in two different modes:
@@ -53,7 +53,7 @@ See [Integrations][integrations] for details.
        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
        - A tar archive stored in the `docker save` / `podman save` formatted file
        - An image directory compliant with [OCI Image Format][oci]
-    - local filesystem
+    - local filesystem and rootfs
    - remote git repository

 Please see [LICENSE][license] for Trivy licensing information.
@@ -64,6 +64,7 @@ Please see [LICENSE][license] for Trivy licensing information.
 [vuln]: ../vulnerability/scanning/index.md
 [misconf]: ../misconfiguration/index.md
 [container]: ../vulnerability/scanning/image.md
+[rootfs]: ../vulnerability/scanning/rootfs.md
 [filesystem]: ../vulnerability/scanning/filesystem.md
 [repo]: ../vulnerability/scanning/git-repository.md

--- a/docs/getting-started/troubleshooting.md
+++ b/docs/getting-started/troubleshooting.md
@@ -48,6 +48,17 @@ Reference : [boltdb: Opening a database][boltdb].

 [boltdb]: https://github.com/boltdb/bolt#opening-a-database

+### Error downloading vulnerability DB
+
+!!! error
+    FATAL failed to download vulnerability DB
+
+If trivy is running behind corporate firewall try to whitelist urls below:
+
+- api.github.com
+- github.com
+- github-releases.githubusercontent.com
+
 ## Homebrew
 ### Scope error
 !!! error
--- a/docs/index.md
+++ b/docs/index.md
@@ -32,8 +32,18 @@ All you need to do for scanning is to specify a target such as an image name of
  <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>

+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [vulnerability]: vulnerability/scanning/index.md
 [misconf]: misconfiguration/index.md
 [os]: vulnerability/detection/os.md
 [lang]: vulnerability/detection/language.md
 [iac]: misconfiguration/iac.md
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/docs/misconfiguration/comparison/cfsec.md
+++ b/docs/misconfiguration/comparison/cfsec.md
@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec
--- a/docs/misconfiguration/comparison/tfsec.md
+++ b/docs/misconfiguration/comparison/tfsec.md
@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.

-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
--- a/docs/misconfiguration/custom/index.md
+++ b/docs/misconfiguration/custom/index.md
@@ -2,7 +2,7 @@

 ## Overview
 You can write custom policies in [Rego][rego].
-Once you fisnish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
+Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.

 ``` bash
 trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
--- a/docs/misconfiguration/iac.md
+++ b/docs/misconfiguration/iac.md
@@ -2,7 +2,7 @@

 ## Quick start

-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.

 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,12 +37,12 @@ Trivy will automatically fetch the managed policies and will keep them up-to-dat
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.

-For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.

 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf
-$ trivy conf --severith HIGH,CRITICAL ./iac
+$ trivy conf --severity HIGH,CRITICAL ./iac
 ```

 <details>
@@ -151,6 +151,12 @@ You can see the config type next to each file name.
    Failures: 9 (HIGH: 6, CRITICAL: 1)

    ...
+
+    bucket.yaml (cloudformation)
+    ============================
+    Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+    Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
    ```

 ## Example
--- a/docs/misconfiguration/policy/builtin.md
+++ b/docs/misconfiguration/policy/builtin.md
@@ -4,22 +4,23 @@

 Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
-Only Terraform's policies are currently powered by [tfsec][tfsec].
+Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].

 | Config type    | Source                        |
 | ---------------| ----------------------------- |
 | Kubernetes     | [AppShield][kubernetes]       |
 | Dockerfile     | [AppShield][docker]           |
 | Terraform      | [tfsec][tfsec-checks]         |
+| CloudFormation | [cfsec][cfsec-checks]         |

-For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
+For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.

-CloudFormation and Ansible are coming soon.
+Ansible are coming soon.

 ## Policy Distribution
-AppShield policies are destributed as OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls OPA bundle from GHCR as OCI artifact and stores it in the cache.
-Then, those policies are loaded into Trivy OPA engine and used for detecting misconfigurations.
+AppShield policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.

 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
@@ -29,7 +30,9 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
 [tfsec-checks]: https://tfsec.dev/docs/aws/home/
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
+[cfsec-checks]: https://cfsec.dev/
+[cfsec]: https://github.com/aquasecurity/cfsec
 [ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield

 [dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
--- a/docs/vulnerability/detection/data-source.md
+++ b/docs/vulnerability/detection/data-source.md
@@ -23,7 +23,7 @@
 |                              | [GitHub Advisory Database (Composer)][php-ghsa]  | ✅              | -        |
 | Python                       | [Safety DB][python]                              | ❌              | 1 month  |
 |                              | [GitHub Advisory Database (pip)][python-ghsa]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                   | ❌ (partially)  | -        |
+| Ruby                         | [Ruby Advisory Database][ruby]                   | ✅              | -        |
 |                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅              | -        |
 | Node.js                      | [Ecosystem Security Working Group][nodejs]       | ✅              | -        |
 |                              | [GitHub Advisory Database (npm)][nodejs-ghsa]    | ✅              | -        |
--- a/docs/vulnerability/detection/language.md
+++ b/docs/vulnerability/detection/language.md
@@ -2,23 +2,34 @@

 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

-| Language | File                                            | Dev dependencies |
-| ---------| ------------------------------------------------| -----------------|
-| Ruby     | Gemfile.lock                                    | included         |
-| Python   | Pipfile.lock                                    | excluded         |
-|          | poetry.lock                                     | included         |
-| PHP      | composer.lock                                   | excluded         |
-| Node.js  | package-lock.json                               | excluded         |
-|          | yarn.lock                                       | included         |
-| .NET     | packages.lock.json                              | included         |
-| Java     | JAR/WAR/EAR (`*.jar`, `*.war`, and `*.ear`)[^1] | included         |
-| Go       | Binaries built by Go[^2]                        | excluded         |
-|          | go.sum                                          | included         |
-
+| Language | File                     | Image[^6] | Rootfs[^7] | Filesystem[^8] |  Repository[^9] |Dev dependencies |
+|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
+| Ruby     | Gemfile.lock             | -         | -          | ✅             | ✅              | included        |
+|          | gemspec                  | ✅        | ✅         | -              | -               | included        |
+| Python   | Pipfile.lock             | -         | -          | ✅             | ✅              | excluded        |
+|          | poetry.lock              | -         | -          | ✅             | ✅              | included        |
+|          | requirements.txt         | -         | -          | ✅             | ✅              | included        |
+|          | egg package[^1]          | ✅        | ✅         | -              | -               | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         | -              | -               | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         | ✅             | ✅              | excluded        |
+| Node.js  | package-lock.json        | -         | -          | ✅             | ✅              | excluded        |
+|          | yarn.lock                | -         | -          | ✅             | ✅              | included        |
+|          | package.json             | ✅        | ✅         | -              | -               | excluded        |
+| .NET     | packages.lock.json       | ✅        | ✅         | ✅             | ✅              | included        |
+| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         | ✅             | ✅              | included        |
+| Go       | Binaries built by Go[^5] | ✅        | ✅         | -              | -               | excluded        |
+|          | go.sum                   | -         | -          | ✅             | ✅              | included        |

 The path of these files does not matter.

 Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)

-[^1]: It requires the Internet access
-[^2]: UPX-compressed binaries don't work
+[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
+[^2]: `.dist-info/META-DATA`
+[^3]: `*.jar`, `*.war`, and `*.ear`
+[^4]: It requires the Internet access
+[^5]: UPX-compressed binaries don't work
+[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
--- a/docs/vulnerability/detection/os.md
+++ b/docs/vulnerability/detection/os.md
@@ -4,7 +4,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi

 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.13                    | Installed by apk              |                  NO                  |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |
--- a/docs/vulnerability/scanning/filesystem.md
+++ b/docs/vulnerability/scanning/filesystem.md
@@ -1,6 +1,6 @@
 # Filesystem

-Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
+Scan a local project including language-specific files.

 ```bash
 $ trivy fs /path/to/project
@@ -47,57 +47,3 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
 ```

 </details>
-
-## From Inside Containers
-Scan your container from inside the container.
-
-```bash
-$ docker run --rm -it alpine:3.11
-/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-/ # trivy fs /
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2021-03-08T05:22:26.378Z        INFO    Need to update DB
-2021-03-08T05:22:26.380Z        INFO    Downloading DB...
-20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
-2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
-2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
-
-313430f09696 (alpine 3.11.7)
-============================
-Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
-
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+          +                   +               +---------------------------------------+
-| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-```
-
-</details>
--- a/docs/vulnerability/scanning/git-repository.md
+++ b/docs/vulnerability/scanning/git-repository.md
@@ -6,8 +6,6 @@ Scan your remote git repository
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
 ```

-Only public repositories are supported.
-
 <details>
 <summary>Result</summary>

@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 ```

 </details>
+
+## Scanning Private Repositories
+
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+$
+$ # or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```
--- a/docs/vulnerability/scanning/index.md
+++ b/docs/vulnerability/scanning/index.md
@@ -1,10 +1,11 @@
 # Vulnerability Scanning

-Trivy scans [Container Images][image], [Filesystem][fs], and [Git Repositores][repo] to detect vulnerabilities.
+Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.

 ![vulnerability][vuln]

 [image]: image.md
+[rootfs]: rootfs.md
 [fs]: filesystem.md
 [repo]: git-repository.md
 [vuln]: ../../imgs/vulnerability.png
--- a/docs/vulnerability/scanning/rootfs.md
+++ b/docs/vulnerability/scanning/rootfs.md
@@ -0,0 +1,68 @@
+# Rootfs
+
+Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
+
+```bash
+$ trivy rootfs /path/to/rootfs
+```
+
+## From Inside Containers
+Scan your container from inside the container.
+
+```bash
+$ docker run --rm -it alpine:3.11
+/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+/ # trivy rootfs /
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2021-03-08T05:22:26.378Z        INFO    Need to update DB
+2021-03-08T05:22:26.380Z        INFO    Downloading DB...
+20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
+2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
+2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
+
+313430f09696 (alpine 3.11.7)
+============================
+Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
+
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+          +                   +               +---------------------------------------+
+| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+```
+
+</details>
+
+## Other Examples
+- [Embed in Dockerfile][embedding]
+- [Unpacked container image filesystem][unpacked]
+
+[embedding]: ../../advanced/container/embed-in-dockerfile.md
+[unpacked]: ../../advanced/container/unpacked-filesystem.md
--- a/examples/misconf/mixed/configs/bucket.yaml
+++ b/examples/misconf/mixed/configs/bucket.yaml
@@ -0,0 +1,24 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: An example Stack for a bucket
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty-bucket
+  EncryptBucket:
+    Type: Boolean
+    Default: false
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName:
+        Ref: BucketName
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: !Ref EncryptBucket
--- a/go.mod
+++ b/go.mod
@@ -7,52 +7,46 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210711090115-306da65306b4
-	github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62
+	github.com/aquasecurity/fanal v0.0.0-20211215173305-1b333c8c3995
+	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee
+	github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.4.4 // indirect
-	github.com/docker/docker v20.10.3+incompatible
+	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/docker/cli v20.10.9+incompatible // indirect
+	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/elazarl/goproxy v0.0.0-20200809112317-0581fc3aee2d // indirect
 	github.com/fatih/color v1.10.0
-	github.com/go-redis/redis/v8 v8.4.0
+	github.com/go-redis/redis/v8 v8.11.4
 	github.com/goccy/go-yaml v1.8.2 // indirect
-	github.com/golang/protobuf v1.4.3
-	github.com/google/go-containerregistry v0.1.2
+	github.com/golang/protobuf v1.5.2
+	github.com/google/go-containerregistry v0.6.0
 	github.com/google/go-github/v33 v33.0.0
 	github.com/google/wire v0.4.0
-	github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 // indirect
 	github.com/hashicorp/go-getter v1.5.2
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.25.2
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/smartystreets/assertions v1.2.0 // indirect
-	github.com/spf13/afero v1.2.2
+	github.com/open-policy-agent/opa v0.34.0
+	github.com/spf13/afero v1.6.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
-	github.com/testcontainers/testcontainers-go v0.9.1-0.20210218153226-c8e070a2f18d
+	github.com/testcontainers/testcontainers-go v0.11.1
 	github.com/twitchtv/twirp v8.1.0+incompatible
 	github.com/urfave/cli/v2 v2.3.0
-	go.uber.org/zap v1.16.0
-	golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	go.uber.org/zap v1.19.1
+	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	google.golang.org/protobuf v1.25.0
-	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
+	google.golang.org/protobuf v1.27.1
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
--- a/go.sum
+++ b/go.sum
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -20,6 +20,7 @@ builds:
      - arm
      - arm64
      - ppc64le
+      - s390x
    goarm:
      - 7
    ignore:
@@ -54,6 +55,9 @@ nfpms:
      netbsd: NetBSD
      freebsd: FreeBSD
      dragonfly: DragonFlyBSD
+    contents:
+     - src: contrib/*.tpl
+       dst: /usr/local/share/trivy/templates

 archives:
  -
@@ -83,9 +87,9 @@ brews:
      owner: aquasecurity
      name: homebrew-trivy
    homepage: "https://github.com/aquasecurity/trivy"
-    description: ""
+    description: "Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues"
    test: |
-      system "#{bin}/program --version"
+      system "#{bin}/trivy", "--version"

 dockers:
  - image_templates:
@@ -95,7 +99,7 @@ dockers:
      - "ghcr.io/aquasecurity/trivy:latest-amd64"
      - "public.ecr.aws/aquasecurity/trivy:latest-amd64"
      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
-    use_buildx: true
+    use: buildx
    goos: linux
    goarch: amd64
    ids:
@@ -119,7 +123,7 @@ dockers:
      - "ghcr.io/aquasecurity/trivy:latest-arm64"
      - "public.ecr.aws/aquasecurity/trivy:latest-arm64"
      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
-    use_buildx: true
+    use: buildx
    goos: linux
    goarch: arm64
    ids:
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,11 +1,11 @@
 apiVersion: v2
 name: trivy
-version: 0.4.4
-appVersion: "0.18.3"
+version: 0.4.8
+appVersion: "0.21.0"
 description: Trivy helm chart
 keywords:
  - scanner
  - trivy
  - vulnerability
 sources:
- https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy.fullname" . }}
+  labels:
+{{ include "trivy.labels" . | indent 4 }}
+data:
+  TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
+  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
+{{- if .Values.trivy.cache.redis.enabled }}
+  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+{{- end }}
+  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
+  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+{{- if .Values.httpProxy }}
+  HTTP_PROXY: {{ .Values.httpProxy | quote }}
+{{- end }}
+{{- if .Values.httpsProxy }}
+  HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
+{{- end }}
+{{- if .Values.noProxy }}
+  NO_PROXY: {{ .Values.noProxy | quote }}
+{{- end }}
--- a/helm/trivy/templates/ingress.yaml
+++ b/helm/trivy/templates/ingress.yaml
@@ -1,6 +1,12 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
 kind: Ingress
 metadata:
  name: {{ include "trivy.fullname" . }}
@@ -12,6 +18,9 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
+{{- if and (.Values.ingress.ingressClassName) (semverCompare ">= v1.18.0" .Capabilities.KubeVersion.Version) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end }}
 {{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
@@ -28,8 +37,17 @@ spec:
      http:
        paths:
          - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: {{ $.Values.ingress.pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $.Values.service.port -}}
+          {{- else }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: {{ $.Values.service.port -}}
          {{- end }}
+  {{- end }}
 {{- end }}
--- a/helm/trivy/templates/secret.yaml
+++ b/helm/trivy/templates/secret.yaml
@@ -6,4 +6,4 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
 type: Opaque
 data:
-  gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
@@ -62,30 +62,11 @@ spec:
          {{- end }}
          args:
            - server
-          env:
-            - name: "TRIVY_LISTEN"
-              value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
-            - name: "TRIVY_CACHE_DIR"
-              value: "/home/scanner/.cache/trivy"
-            {{- if .Values.trivy.cache.redis.enabled }}
-            - name: "TRIVY_CACHE_BACKEND"
-              value: {{ .Values.trivy.cache.redis.url | quote }}
-            {{- end }}
-            - name: "TRIVY_DEBUG"
-              value: {{ .Values.trivy.debugMode | default false | quote }}
-            - name: "TRIVY_SKIP_UPDATE"
-              value: {{ .Values.trivy.skipUpdate | default false | quote }}
-            - name: "GITHUB_TOKEN"
-              valueFrom:
-                secretKeyRef:
+          envFrom:
+            - configMapRef:
+                name: {{ include "trivy.fullname" . }}
+            - secretRef:
                name: {{ include "trivy.fullname" . }}
-                  key: gitHubToken
-            - name: "HTTP_PROXY"
-              value: {{ .Values.httpProxy | quote }}
-            - name: "HTTPS_PROXY"
-              value: {{ .Values.httpsProxy | quote }}
-            - name: "NO_PROXY"
-              value: {{ .Values.noProxy | quote }}
          ports:
            - name: trivy-http
              containerPort: {{ .Values.service.port }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -4,7 +4,7 @@ fullnameOverride: ""
 image:
  registry: docker.io
  repository: aquasec/trivy
-  tag: 0.18.3
+  tag: 0.21.0
  pullPolicy: IfNotPresent
  pullSecret: ""

@@ -95,11 +95,15 @@ service:

 ingress:
  enabled: false
+  # From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+  ingressClassName:
  annotations: {}
    # kubernetes.io/ingress.class: nginx
  hosts:
    - host: trivy.example.com
  path: "/"
+  # type is only needed for networking.k8s.io/v1 in k8s 1.19+
+  pathType: Prefix
  tls: []
  #  - secretName: trivy-example-tls
  #    hosts:
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -5,7 +6,7 @@ package integration
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -22,10 +23,9 @@ import (
 	"github.com/aquasecurity/trivy/pkg/report"
 )

-type args struct {
+type csArgs struct {
 	Format            string
 	TemplatePath      string
-	Version           string
 	IgnoreUnfixed     bool
 	Severity          []string
 	IgnoreIDs         []string
@@ -35,24 +35,22 @@ type args struct {
 }

 func TestClientServer(t *testing.T) {
-	cases := []struct {
+	tests := []struct {
 		name    string
-		testArgs args
+		args    csArgs
 		golden  string
 		wantErr string
 	}{
 		{
 			name: "alpine 3.10 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.json.golden",
 		},
 		{
 			name: "alpine 3.10 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
 			},
@@ -60,8 +58,7 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "alpine 3.10 integration with medium and high severity",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Severity:      []string{"MEDIUM", "HIGH"},
 				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
@@ -70,64 +67,30 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "alpine 3.10 integration with .trivyignore",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: false,
 				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
 				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310-ignore-cveids.json.golden",
 		},
-		{
-			name: "alpine 3.10 integration with gitlab template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/gitlab.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.gitlab.golden",
-		},
-		{
-			name: "alpine 3.10 integration with gitlab-codequality template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/gitlab-codequality.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.gitlab-codequality.golden",
-		},
-		{
-			name: "alpine 3.10 integration with sarif template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/sarif.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.sarif.golden",
-		},
 		{
 			name: "alpine 3.9 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "debian buster integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
 			name: "debian buster integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
 			},
@@ -135,24 +98,21 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "debian stretch integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
 			name: "ubuntu 18.04 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
 			name: "ubuntu 18.04 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
@@ -160,24 +120,21 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "ubuntu 16.04 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
 			},
 			golden: "testdata/ubuntu-1604.json.golden",
 		},
 		{
 			name: "centos 7 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
 			name: "centos 7 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
@@ -185,8 +142,7 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "centos 7 integration with low and high severity",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Severity:      []string{"LOW", "HIGH"},
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -195,32 +151,28 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "centos 6 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
 			name: "ubi 7 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
 			name: "distroless base integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
 			name: "distroless base integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
 			},
@@ -228,116 +180,152 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "distroless python27 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
 			name: "amazon 1 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/amazon-1.tar.gz",
 			},
 			golden: "testdata/amazon-1.json.golden",
 		},
 		{
 			name: "amazon 2 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/amazon-2.tar.gz",
 			},
 			golden: "testdata/amazon-2.json.golden",
 		},
 		{
 			name: "oracle 6 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-6-slim.json.golden",
 		},
 		{
 			name: "oracle 7 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-7-slim.json.golden",
 		},
 		{
 			name: "oracle 8 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
 			name: "opensuse leap 15.1 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
 			name: "opensuse leap 42.3 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-423.json.golden",
 		},
 		{
 			name: "photon 1.0 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/photon-10.tar.gz",
 			},
 			golden: "testdata/photon-10.json.golden",
 		},
 		{
 			name: "photon 2.0 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/photon-20.tar.gz",
 			},
 			golden: "testdata/photon-20.json.golden",
 		},
 		{
 			name: "photon 3.0 integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
 			name: "buxybox with Cargo.lock integration",
-			testArgs: args{
-				Version: "dev",
+			args: csArgs{
 				Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+	}
+
+	app, addr, cacheDir := setup(t, setupOptions{})
+
+	for _, c := range tests {
+		t.Run(c.name, func(t *testing.T) {
+			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
+
+			// Run Trivy client
+			err := app.Run(osArgs)
+			require.NoError(t, err)
+
+			compareReports(t, c.golden, outputFile)
+		})
+	}
+}
+
+func TestClientServerWithTemplate(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   csArgs
+		golden string
+	}{
+		{
+			name: "alpine 3.10 integration with gitlab template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/gitlab.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.gitlab.golden",
+		},
+		{
+			name: "alpine 3.10 integration with gitlab-codequality template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/gitlab-codequality.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.gitlab-codequality.golden",
+		},
+		{
+			name: "alpine 3.10 integration with sarif template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/sarif.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.sarif.golden",
+		},
 		{
 			name: "alpine 3.10 integration with ASFF template",
-			testArgs: args{
+			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/asff.tpl",
-				Version:      "dev",
 				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.asff.golden",
 		},
 		{
 			name: "alpine 3.10 integration with html template",
-			testArgs: args{
+			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/html.tpl",
-				Version:      "dev",
 				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.html.golden",
@@ -346,21 +334,26 @@ func TestClientServer(t *testing.T) {

 	app, addr, cacheDir := setup(t, setupOptions{})

-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
 			report.Now = func() time.Time {
 				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
 			}
-			os.Setenv("AWS_REGION", "test-region")
-			os.Setenv("AWS_ACCOUNT_ID", "123456789012")
-			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
-			defer cleanup()
+			t.Setenv("AWS_REGION", "test-region")
+			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
+			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)

 			// Run Trivy client
 			err := app.Run(osArgs)
 			require.NoError(t, err)

-			compare(t, c.golden, outputFile)
+			want, err := os.ReadFile(tt.golden)
+			require.NoError(t, err)
+
+			got, err := os.ReadFile(outputFile)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, string(want), string(got))
 		})
 	}
 }
@@ -368,14 +361,13 @@ func TestClientServer(t *testing.T) {
 func TestClientServerWithToken(t *testing.T) {
 	cases := []struct {
 		name    string
-		testArgs args
+		args    csArgs
 		golden  string
 		wantErr string
 	}{
 		{
 			name: "alpine 3.10 integration with token",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/alpine-310.tar.gz",
 				ClientToken:       "token",
 				ClientTokenHeader: "Trivy-Token",
@@ -384,8 +376,7 @@ func TestClientServerWithToken(t *testing.T) {
 		},
 		{
 			name: "invalid token",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
 				ClientToken:       "invalidtoken",
 				ClientTokenHeader: "Trivy-Token",
@@ -394,8 +385,7 @@ func TestClientServerWithToken(t *testing.T) {
 		},
 		{
 			name: "invalid token header",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
 				ClientToken:       "valid-token",
 				ClientTokenHeader: "Trivy-Token",
@@ -410,12 +400,10 @@ func TestClientServerWithToken(t *testing.T) {
 		token:       serverToken,
 		tokenHeader: serverTokenHeader,
 	})
-	defer os.RemoveAll(cacheDir)

 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
-			defer cleanup()
+			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)

 			// Run Trivy client
 			err := app.Run(osArgs)
@@ -428,7 +416,7 @@ func TestClientServerWithToken(t *testing.T) {
 				assert.NoError(t, err, c.name)
 			}

-			compare(t, c.golden, outputFile)
+			compareReports(t, c.golden, outputFile)
 		})
 	}
 }
@@ -443,29 +431,26 @@ func TestClientServerWithRedis(t *testing.T) {
 	defer os.RemoveAll(cacheDir)

 	// Test parameters
-	testArgs := args{
-		Version: "dev",
+	testArgs := csArgs{
 		Input: "testdata/fixtures/images/centos-7.tar.gz",
 	}
 	golden := "testdata/centos-7.json.golden"

 	t.Run("centos 7", func(t *testing.T) {
-		osArgs, outputFile, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
-		defer cleanup()
+		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)

 		// Run Trivy client
 		err := app.Run(osArgs)
 		require.NoError(t, err)

-		compare(t, golden, outputFile)
+		compareReports(t, golden, outputFile)
 	})

 	// Terminate the Redis container
 	require.NoError(t, redisC.Terminate(ctx))

 	t.Run("sad path", func(t *testing.T) {
-		osArgs, _, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
-		defer cleanup()
+		osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)

 		// Run Trivy client
 		err := app.Run(osArgs)
@@ -494,7 +479,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	go func() {
 		// Setup CLI App
 		app := commands.NewApp(version)
-		app.Writer = ioutil.Discard
+		app.Writer = io.Discard
 		osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)

 		// Run Trivy server
@@ -507,7 +492,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {

 	// Setup CLI App
 	app := commands.NewApp(version)
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard

 	return app, addr, cacheDir
 }
@@ -523,7 +508,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 	return osArgs
 }

-func setupClient(t *testing.T, c args, addr string, cacheDir string, golden string) ([]string, string, func()) {
+func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
 	t.Helper()
 	osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr}

@@ -545,13 +530,9 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
 		)
 	}

-	var err error
-	var ignoreTmpDir string
 	if len(c.IgnoreIDs) != 0 {
-		ignoreTmpDir, err = ioutil.TempDir("", "ignore")
-		require.NoError(t, err, "failed to create a temp dir")
-		trivyIgnore := filepath.Join(ignoreTmpDir, ".trivyignore")
-		err = ioutil.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
+		trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
+		err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
 		require.NoError(t, err, "failed to write .trivyignore")
 		osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
 	}
@@ -563,24 +544,14 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
 	}

 	// Setup the output file
-	var outputFile string
+	outputFile := filepath.Join(t.TempDir(), "output.json")
 	if *update {
 		outputFile = golden
-	} else {
-		output, _ := ioutil.TempFile("", "integration")
-		assert.Nil(t, output.Close())
-		outputFile = output.Name()
-	}
-
-	cleanup := func() {
-		_ = os.Remove(ignoreTmpDir)
-		if !*update {
-			_ = os.Remove(outputFile)
-		}
 	}

 	osArgs = append(osArgs, []string{"--output", outputFile}...)
-	return osArgs, outputFile, cleanup
+
+	return osArgs, outputFile
 }

 func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) {
@@ -591,6 +562,8 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
 		Name:         "redis",
 		Image:        imageName,
 		ExposedPorts: []string{port},
+		SkipReaper:   true,
+		AutoRemove:   true,
 	}

 	redis, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
@@ -608,18 +581,3 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
 	addr := fmt.Sprintf("redis://%s:%s", ip, p.Port())
 	return redis, addr
 }
-
-func compare(t *testing.T, wantFile, gotFile string) {
-	t.Helper()
-	// Compare want and got
-	want, err := ioutil.ReadFile(wantFile)
-	assert.NoError(t, err)
-	got, err := ioutil.ReadFile(gotFile)
-	assert.NoError(t, err)
-
-	if strings.HasSuffix(wantFile, ".json.golden") {
-		assert.JSONEq(t, string(want), string(got))
-	} else {
-		assert.EqualValues(t, string(want), string(got))
-	}
-}
--- a/integration/docker/docker.go
+++ b/integration/docker/docker.go
@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/url"
 	"os"

@@ -78,7 +77,7 @@ func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string,
 	if err != nil {
 		return err
 	}
-	if _, err = io.Copy(ioutil.Discard, resp.Body); err != nil {
+	if _, err = io.Copy(io.Discard, resp.Body); err != nil {
 		return err
 	}
 	defer resp.Body.Close()
@@ -110,7 +109,7 @@ func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string,
 	}
 	defer pushOut.Close()

-	if _, err = io.Copy(ioutil.Discard, pushOut); err != nil {
+	if _, err = io.Copy(io.Discard, pushOut); err != nil {
 		return err
 	}
 	return nil
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -5,8 +6,8 @@ package integration
 import (
 	"context"
 	"io"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

@@ -28,8 +29,8 @@ func TestRun_WithDockerEngine(t *testing.T) {
 		severity            []string
 		ignoreIDs           []string
 		testfile            string
-		expectedOutputFile  string
-		expectedError       string
+		wantOutputFile      string
+		wantError           string
 	}{
 		// All of these cases should pass for either
 		// $ trivy <args>
@@ -37,21 +38,21 @@ func TestRun_WithDockerEngine(t *testing.T) {
 		{
 			name:           "happy path, valid image path, alpine:3.10",
 			imageTag:       "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310.json.golden",
+			wantOutputFile: "testdata/alpine-310.json.golden",
 			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
 			name:                "happy path, valid image path, with image subcommand, alpine:3.10",
 			withImageSubcommand: true,
 			imageTag:            "alpine:3.10",
-			expectedOutputFile:  "testdata/alpine-310.json.golden",
+			wantOutputFile:      "testdata/alpine-310.json.golden",
 			testfile:            "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, alpine:3.10, ignore unfixed",
 			ignoreUnfixed:  true,
 			imageTag:       "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
+			wantOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
 			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
@@ -59,51 +60,51 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			ignoreUnfixed:  true,
 			severity:       []string{"MEDIUM", "HIGH"},
 			imageTag:       "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310-medium-high.json.golden",
+			wantOutputFile: "testdata/alpine-310-medium-high.json.golden",
 			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, alpine:3.10, with .trivyignore",
 			imageTag:       "alpine:3.10",
 			ignoreIDs:      []string{"CVE-2019-1549", "CVE-2019-1563"},
-			expectedOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
+			wantOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
 			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, alpine:3.9",
 			imageTag:       "alpine:3.9",
-			expectedOutputFile: "testdata/alpine-39.json.golden",
+			wantOutputFile: "testdata/alpine-39.json.golden",
 			testfile:       "testdata/fixtures/images/alpine-39.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, amazonlinux:1",
 			imageTag:       "amazonlinux:1",
-			expectedOutputFile: "testdata/amazon-1.json.golden",
+			wantOutputFile: "testdata/amazon-1.json.golden",
 			testfile:       "testdata/fixtures/images/amazon-1.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, amazonlinux:2",
 			imageTag:       "amazonlinux:2",
-			expectedOutputFile: "testdata/amazon-2.json.golden",
+			wantOutputFile: "testdata/amazon-2.json.golden",
 			testfile:       "testdata/fixtures/images/amazon-2.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, centos:6",
 			imageTag:       "centos:6",
-			expectedOutputFile: "testdata/centos-6.json.golden",
+			wantOutputFile: "testdata/centos-6.json.golden",
 			testfile:       "testdata/fixtures/images/centos-6.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, centos:7",
 			imageTag:       "centos:7",
-			expectedOutputFile: "testdata/centos-7.json.golden",
+			wantOutputFile: "testdata/centos-7.json.golden",
 			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option",
 			imageTag:       "centos:7",
 			ignoreUnfixed:  true,
-			expectedOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
+			wantOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
 			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
 		},
 		{
@@ -111,137 +112,137 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			imageTag:       "centos:7",
 			ignoreUnfixed:  true,
 			severity:       []string{"LOW", "HIGH"},
-			expectedOutputFile: "testdata/centos-7-low-high.json.golden",
+			wantOutputFile: "testdata/centos-7-low-high.json.golden",
 			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, debian:buster",
 			imageTag:       "debian:buster",
-			expectedOutputFile: "testdata/debian-buster.json.golden",
+			wantOutputFile: "testdata/debian-buster.json.golden",
 			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, debian:buster, with --ignore-unfixed option",
 			ignoreUnfixed:  true,
 			imageTag:       "debian:buster",
-			expectedOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
+			wantOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
 			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, debian:stretch",
 			imageTag:       "debian:stretch",
-			expectedOutputFile: "testdata/debian-stretch.json.golden",
+			wantOutputFile: "testdata/debian-stretch.json.golden",
 			testfile:       "testdata/fixtures/images/debian-stretch.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, distroless:base",
 			imageTag:       "gcr.io/distroless/base:latest",
-			expectedOutputFile: "testdata/distroless-base.json.golden",
+			wantOutputFile: "testdata/distroless-base.json.golden",
 			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, distroless:base",
 			imageTag:       "gcr.io/distroless/base:latest",
-			expectedOutputFile: "testdata/distroless-base.json.golden",
+			wantOutputFile: "testdata/distroless-base.json.golden",
 			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, distroless:base, with --ignore-unfixed option",
 			imageTag:       "gcr.io/distroless/base:latest",
 			ignoreUnfixed:  true,
-			expectedOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
+			wantOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
 			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, distroless:python2.7",
 			imageTag:       "gcr.io/distroless/python2.7:latest",
-			expectedOutputFile: "testdata/distroless-python27.json.golden",
+			wantOutputFile: "testdata/distroless-python27.json.golden",
 			testfile:       "testdata/fixtures/images/distroless-python27.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, oraclelinux:6-slim",
 			imageTag:       "oraclelinux:6-slim",
-			expectedOutputFile: "testdata/oraclelinux-6-slim.json.golden",
+			wantOutputFile: "testdata/oraclelinux-6-slim.json.golden",
 			testfile:       "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, oraclelinux:7-slim",
 			imageTag:       "oraclelinux:7-slim",
-			expectedOutputFile: "testdata/oraclelinux-7-slim.json.golden",
+			wantOutputFile: "testdata/oraclelinux-7-slim.json.golden",
 			testfile:       "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, oraclelinux:8-slim",
 			imageTag:       "oraclelinux:8-slim",
-			expectedOutputFile: "testdata/oraclelinux-8-slim.json.golden",
+			wantOutputFile: "testdata/oraclelinux-8-slim.json.golden",
 			testfile:       "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, ubuntu:16.04",
 			imageTag:       "ubuntu:16.04",
-			expectedOutputFile: "testdata/ubuntu-1604.json.golden",
+			wantOutputFile: "testdata/ubuntu-1604.json.golden",
 			testfile:       "testdata/fixtures/images/ubuntu-1604.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, ubuntu:18.04",
 			imageTag:       "ubuntu:18.04",
-			expectedOutputFile: "testdata/ubuntu-1804.json.golden",
+			wantOutputFile: "testdata/ubuntu-1804.json.golden",
 			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
 			imageTag:       "ubuntu:18.04",
 			ignoreUnfixed:  true,
-			expectedOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
+			wantOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, registry.redhat.io/ubi7",
 			imageTag:       "registry.redhat.io/ubi7",
-			expectedOutputFile: "testdata/ubi-7.json.golden",
+			wantOutputFile: "testdata/ubi-7.json.golden",
 			testfile:       "testdata/fixtures/images/ubi-7.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, opensuse leap 15.1",
 			imageTag:       "opensuse/leap:latest",
-			expectedOutputFile: "testdata/opensuse-leap-151.json.golden",
+			wantOutputFile: "testdata/opensuse-leap-151.json.golden",
 			testfile:       "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, opensuse leap 42.3",
 			imageTag:       "opensuse/leap:42.3",
-			expectedOutputFile: "testdata/opensuse-leap-423.json.golden",
+			wantOutputFile: "testdata/opensuse-leap-423.json.golden",
 			testfile:       "testdata/fixtures/images/opensuse-leap-423.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, photon 1.0",
 			imageTag:       "photon:1.0-20190823",
-			expectedOutputFile: "testdata/photon-10.json.golden",
+			wantOutputFile: "testdata/photon-10.json.golden",
 			testfile:       "testdata/fixtures/images/photon-10.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, photon 2.0",
 			imageTag:       "photon:2.0-20190726",
-			expectedOutputFile: "testdata/photon-20.json.golden",
+			wantOutputFile: "testdata/photon-20.json.golden",
 			testfile:       "testdata/fixtures/images/photon-20.tar.gz",
 		},
 		{
 			name:           "happy path, valid image path, photon 3.0",
 			imageTag:       "photon:3.0-20190823",
-			expectedOutputFile: "testdata/photon-30.json.golden",
+			wantOutputFile: "testdata/photon-30.json.golden",
 			testfile:       "testdata/fixtures/images/photon-30.tar.gz",
 		},
 		{
 			name:           "buxybox with Cargo.lock integration",
 			imageTag:       "busy-cargo:latest",
-			expectedOutputFile: "testdata/busybox-with-lockfile.json.golden",
+			wantOutputFile: "testdata/busybox-with-lockfile.json.golden",
 			testfile:       "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 		},
 		{
 			name:         "sad path, invalid image",
 			invalidImage: true,
 			testfile:     "badimage:latest",
-			expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest)",
+			wantError:    "unable to inspect the image (index.docker.io/library/badimage:latest)",
 		},
 	}

@@ -269,16 +270,15 @@ func TestRun_WithDockerEngine(t *testing.T) {
 				// load image into docker engine
 				res, err := cli.ImageLoad(ctx, testfile, true)
 				require.NoError(t, err, tc.name)
-				io.Copy(ioutil.Discard, res.Body)
+				io.Copy(io.Discard, res.Body)

 				// tag our image to something unique
 				err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
 				require.NoError(t, err, tc.name)
 			}

-			of, err := ioutil.TempFile("", "integration-docker-engine-output-file-*")
-			require.NoError(t, err, tc.name)
-			defer os.Remove(of.Name())
+			tmpDir := t.TempDir()
+			output := filepath.Join(tmpDir, "result.json")

 			// run trivy
 			app := commands.NewApp("dev")
@@ -288,7 +288,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
 				trivyArgs = append(trivyArgs, "image")
 			}

-			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", of.Name()}...)
+			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", output}...)

 			if tc.ignoreUnfixed {
 				trivyArgs = append(trivyArgs, "--ignore-unfixed")
@@ -300,7 +300,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			}
 			if len(tc.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := ioutil.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
@@ -308,20 +308,18 @@ func TestRun_WithDockerEngine(t *testing.T) {

 			err = app.Run(trivyArgs)
 			switch {
-			case tc.expectedError != "":
+			case tc.wantError != "":
 				require.NotNil(t, err)
-				assert.Contains(t, err.Error(), tc.expectedError, tc.name)
+				assert.Contains(t, err.Error(), tc.wantError, tc.name)
 				return
 			default:
 				assert.NoError(t, err, tc.name)
 			}

 			// check for vulnerability output info
-			got, err := ioutil.ReadAll(of)
-			assert.NoError(t, err, tc.name)
-			want, err := ioutil.ReadFile(tc.expectedOutputFile)
-			assert.NoError(t, err, tc.name)
-			assert.JSONEq(t, string(want), string(got), tc.name)
+			got := readReport(t, output)
+			want := readReport(t, tc.wantOutputFile)
+			assert.Equal(t, want, got)

 			// cleanup
 			_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -5,11 +6,11 @@ package integration
 import (
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy/pkg/commands"
 )
@@ -36,6 +37,14 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "pip",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pip",
+			},
+			golden: "testdata/pip.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -109,15 +118,9 @@ func TestFilesystem(t *testing.T) {
 			}

 			// Setup the output file
-			var outputFile string
+			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = tt.golden
-			} else {
-				output, err := os.CreateTemp("", "integration")
-				require.NoError(t, err)
-				assert.Nil(t, output.Close())
-				defer os.Remove(output.Name())
-				outputFile = output.Name()
 			}

 			osArgs = append(osArgs, "--output", outputFile)
@@ -131,12 +134,10 @@ func TestFilesystem(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))

 			// Compare want and got
-			want, err := os.ReadFile(tt.golden)
-			assert.NoError(t, err)
-			got, err := os.ReadFile(outputFile)
-			assert.NoError(t, err)
+			want := readReport(t, tt.golden)
+			got := readReport(t, outputFile)

-			assert.JSONEq(t, string(want), string(got))
+			assert.Equal(t, want, got)
 		})
 	}
 }
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -14,9 +15,11 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/report"
 )

 var update = flag.Bool("update", false, "update golden files")
@@ -84,3 +87,29 @@ func waitPort(ctx context.Context, addr string) error {
 		}
 	}
 }
+
+func readReport(t *testing.T, filePath string) report.Report {
+	t.Helper()
+
+	f, err := os.Open(filePath)
+	require.NoError(t, err, filePath)
+	defer f.Close()
+
+	var res report.Report
+	err = json.NewDecoder(f).Decode(&res)
+	require.NoError(t, err, filePath)
+
+	// We don't compare history because the nano-seconds in "created" don't match
+	res.Metadata.ImageConfig.History = nil
+
+	// We don't compare repo tags because the archive doesn't support it
+	res.Metadata.RepoTags = nil
+
+	return res
+}
+
+func compareReports(t *testing.T, wantFile, gotFile string) {
+	want := readReport(t, wantFile)
+	got := readReport(t, gotFile)
+	assert.Equal(t, want, got)
+}
--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -8,7 +9,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -25,7 +26,6 @@ import (
 	_ "github.com/aquasecurity/fanal/analyzer"
 	testdocker "github.com/aquasecurity/trivy/integration/docker"
 	"github.com/aquasecurity/trivy/pkg/commands"
-	"github.com/aquasecurity/trivy/pkg/report"
 )

 const (
@@ -56,6 +56,8 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
 		BindMounts: map[string]string{
 			filepath.Join(baseDir, "data", "certs"): "/certs",
 		},
+		SkipReaper: true,
+		AutoRemove: true,
 		WaitingFor: wait.ForLog("listening on [::]:5443"),
 	}

@@ -75,6 +77,8 @@ func setupAuthServer(ctx context.Context, baseDir string) (testcontainers.Contai
 			filepath.Join(baseDir, "data", "auth_config"): "/config",
 			filepath.Join(baseDir, "data", "certs"):       "/certs",
 		},
+		SkipReaper: true,
+		AutoRemove: true,
 		Cmd:        []string{"/config/config.yml"},
 	}

@@ -170,7 +174,7 @@ func TestRegistry(t *testing.T) {
 			name:      "sad path",
 			imageName: "alpine:3.10",
 			imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
-			wantErr:   "unsupported status code 401; body: Auth failed",
+			wantErr:   "unexpected status code 401 Unauthorized: Auth failed",
 		},
 	}

@@ -188,7 +192,7 @@ func TestRegistry(t *testing.T) {
 			require.NoError(t, err)

 			// 2. Scan it
-			resultFile, cleanup, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
+			resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)

 			if tc.wantErr != "" {
 				require.NotNil(t, err)
@@ -197,75 +201,56 @@ func TestRegistry(t *testing.T) {
 			} else {
 				require.NoError(t, err)
 			}
-			defer cleanup()

-			// 3. Compare want and got
-			golden, err := os.Open(tc.golden)
-			assert.NoError(t, err)
+			// 3. Read want and got
+			want := readReport(t, tc.golden)
+			got := readReport(t, resultFile)

-			var want report.Results
-			err = json.NewDecoder(golden).Decode(&want)
-			require.NoError(t, err)
+			// 4 Update some dynamic fields
+			want.ArtifactName = s
+			for i := range want.Results {
+				want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
+			}
+			want.Metadata.RepoDigests = []string{
+				fmt.Sprintf("%s/alpine@sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f", registryURL.Host),
+			}

-			result, err := os.Open(resultFile)
-			assert.NoError(t, err)
-
-			var got report.Results
-			err = json.NewDecoder(result).Decode(&got)
-			require.NoError(t, err)
-
-			assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
-			assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
+			// 5. Compare want and got
+			assert.Equal(t, want, got)
 		})
 	}
 }

-func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, func(), error) {
-	cleanup := func() {}
-
+func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
 	// Set up testing DB
 	cacheDir := gunzipDB(t)

 	// Setup the output file
-	var outputFile string
-	if *update && goldenFile != "" {
+	outputFile := filepath.Join(t.TempDir(), "output.json")
+	if *update {
 		outputFile = goldenFile
-	} else {
-		output, err := ioutil.TempFile("", "integration")
-		if err != nil {
-			return "", cleanup, err
-		}
-		defer output.Close()
-
-		outputFile = output.Name()
-		cleanup = func() {
-			os.Remove(outputFile)
-		}
 	}

 	// Setup env
-	if err := setupEnv(imageRef, baseDir, opt); err != nil {
-		return "", cleanup, err
+	if err := setupEnv(t, imageRef, baseDir, opt); err != nil {
+		return "", err
 	}
-	defer unsetEnv()

 	// Setup CLI App
 	app := commands.NewApp("dev")
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard

 	osArgs := []string{"trivy", "--cache-dir", cacheDir, "--format", "json", "--skip-update", "--output", outputFile, imageRef.Name()}

 	// Run Trivy
 	if err := app.Run(osArgs); err != nil {
-		return "", cleanup, err
+		return "", err
 	}
-	return outputFile, cleanup, nil
+	return outputFile, nil
 }

-func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error {
-	if err := os.Setenv("TRIVY_INSECURE", "true"); err != nil {
-		return err
-	}
+func setupEnv(t *testing.T, imageRef name.Reference, baseDir string, opt registryOption) error {
+	t.Setenv("TRIVY_INSECURE", "true")

 	if opt.Username != "" && opt.Password != "" {
 		if opt.RegistryToken {
@@ -274,26 +259,10 @@ func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error
 			if err != nil {
 				return err
 			}
-			if err := os.Setenv("TRIVY_REGISTRY_TOKEN", token); err != nil {
-				return err
-			}
+			t.Setenv("TRIVY_REGISTRY_TOKEN", token)
 		} else {
-			if err := os.Setenv("TRIVY_USERNAME", opt.Username); err != nil {
-				return err
-			}
-			if err := os.Setenv("TRIVY_PASSWORD", opt.Password); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func unsetEnv() error {
-	envs := []string{"TRIVY_INSECURE", "TRIVY_USERNAME", "TRIVY_PASSWORD", "TRIVY_REGISTRY_TOKEN"}
-	for _, e := range envs {
-		if err := os.Unsetenv(e); err != nil {
-			return err
+			t.Setenv("TRIVY_USERNAME", opt.Username)
+			t.Setenv("TRIVY_PASSWORD", opt.Password)
 		}
 	}
 	return nil
@@ -301,7 +270,7 @@ func unsetEnv() error {

 func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryOption) (string, error) {
 	// Create a CA certificate pool and add cert.pem to it
-	caCert, err := ioutil.ReadFile(filepath.Join(baseDir, "data", "certs", "cert.pem"))
+	caCert, err := os.ReadFile(filepath.Join(baseDir, "data", "certs", "cert.pem"))
 	if err != nil {
 		return "", err
 	}
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -1,10 +1,12 @@
+//go:build integration
 // +build integration

 package integration

 import (
-	"io/ioutil"
+	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

@@ -376,11 +378,10 @@ func TestRun_WithTar(t *testing.T) {

 	// Setup CLI App
 	app := commands.NewApp("dev")
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard

 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-
 			osArgs := []string{"trivy"}
 			osArgs = append(osArgs, "--cache-dir", cacheDir)
 			if c.testArgs.WithImageSubcommand {
@@ -401,7 +402,7 @@ func TestRun_WithTar(t *testing.T) {
 			}
 			if len(c.testArgs.IgnoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := ioutil.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
@@ -422,14 +423,9 @@ func TestRun_WithTar(t *testing.T) {
 			}

 			// Setup the output file
-			var outputFile string
+			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = c.golden
-			} else {
-				output, _ := ioutil.TempFile("", "integration")
-				assert.Nil(t, output.Close())
-				defer os.Remove(output.Name())
-				outputFile = output.Name()
 			}

 			osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -438,12 +434,7 @@ func TestRun_WithTar(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))

 			// Compare want and got
-			want, err := ioutil.ReadFile(c.golden)
-			assert.NoError(t, err)
-			got, err := ioutil.ReadFile(outputFile)
-			assert.NoError(t, err)
-
-			assert.JSONEq(t, string(want), string(got))
+			compareReports(t, c.golden, outputFile)
 		})
 	}
 }
--- a/integration/testdata/alpine-310-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-310-ignore-cveids.json.golden
@@ -1,4 +1,53 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+        },
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
      "Class": "os-pkgs",
@@ -170,4 +219,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/alpine-310-ignore-unfixed.json.golden
+++ b/integration/testdata/alpine-310-ignore-unfixed.json.golden
@@ -1,4 +1,53 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+        },
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
      "Class": "os-pkgs",
@@ -322,4 +371,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/alpine-310-medium-high.json.golden
+++ b/integration/testdata/alpine-310-medium-high.json.golden
@@ -1,4 +1,53 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+        },
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
      "Class": "os-pkgs",
@@ -242,4 +291,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -1,6 +1,56 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
        {
-    "Target": "localhost:55015/alpine:3.10 (alpine 3.10.2)",
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+        },
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {
@@ -329,4 +379,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/alpine-310.json.golden
+++ b/integration/testdata/alpine-310.json.golden
@@ -1,4 +1,53 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+        },
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
      "Class": "os-pkgs",
@@ -322,4 +371,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/alpine-310.sarif.golden
+++ b/integration/testdata/alpine-310.sarif.golden
@@ -11,10 +11,10 @@
          "version": "0.15.0",
          "rules": [
                {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
+                  "id": "CVE-2019-1549",
+                  "name": "OsPackageVulnerability",
                  "shortDescription": {
-                "text": "CVE-2019-1549 Package: libcrypto1.1"
+                    "text": "CVE-2019-1549"
                  },
                  "fullDescription": {
                    "text": "openssl: information disclosure in fork()."
@@ -24,23 +24,22 @@
                  },
                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
                  "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
+                    "text": "Vulnerability CVE-2019-1549\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",                    
+                    "markdown": "**Vulnerability CVE-2019-1549**\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"                    
                  },
                  "properties": {
                    "tags": [
                      "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
+                      "MEDIUM"
                    ],
                    "precision": "very-high"
                  }
                },
                {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
+                  "id": "CVE-2019-1551",
+                  "name": "OsPackageVulnerability",
                  "shortDescription": {
-                "text": "CVE-2019-1551 Package: libcrypto1.1"
+                    "text": "CVE-2019-1551"
                  },
                  "fullDescription": {
                    "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
@@ -50,23 +49,22 @@
                  },
                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
                  "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
+                    "text": "Vulnerability CVE-2019-1551\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",                    
+                    "markdown": "**Vulnerability CVE-2019-1551**\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"                    
                  },
                  "properties": {
                    "tags": [
                      "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
+                      "MEDIUM"
                    ],
                    "precision": "very-high"
                  }
                },
                {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
+                  "id": "CVE-2019-1563",
+                  "name": "OsPackageVulnerability",
                  "shortDescription": {
-                "text": "CVE-2019-1563 Package: libcrypto1.1"
+                    "text": "CVE-2019-1563"
                  },
                  "fullDescription": {
                    "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
@@ -76,23 +74,22 @@
                  },
                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
                  "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
+                    "text": "Vulnerability CVE-2019-1563\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",                    
+                    "markdown": "**Vulnerability CVE-2019-1563**\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"                    
                  },
                  "properties": {
                    "tags": [
                      "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
+                      "MEDIUM"
                    ],
                    "precision": "very-high"
                  }
                },
                {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
+                  "id": "CVE-2019-1547",
+                  "name": "OsPackageVulnerability",
                  "shortDescription": {
-                "text": "CVE-2019-1547 Package: libcrypto1.1"
+                    "text": "CVE-2019-1547"
                  },
                  "fullDescription": {
                    "text": "openssl: side-channel weak encryption vulnerability."
@@ -102,118 +99,13 @@
                  },
                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
                  "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
+                    "text": "Vulnerability CVE-2019-1547\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: LOW\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",                    
+                    "markdown": "**Vulnerability CVE-2019-1547**\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"                    
                  },
                  "properties": {
                    "tags": [
                      "vulnerability",
-                  "LOW",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libssl1.1"
+                      "LOW"
                    ],
                    "precision": "very-high"
                  }
@@ -222,129 +114,153 @@
      },
      "results": [
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
+          "ruleId": "CVE-2019-1549",
          "ruleIndex": 0,
          "level": "warning",
          "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
+          "ruleId": "CVE-2019-1551",
          "ruleIndex": 1,
          "level": "warning",
          "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
+          "ruleId": "CVE-2019-1563",
          "ruleIndex": 2,
          "level": "warning",
          "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
+          "ruleId": "CVE-2019-1547",
          "ruleIndex": 3,
          "level": "note",
          "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-          "ruleIndex": 4,
+          "ruleId": "CVE-2019-1549",
+          "ruleIndex": 0,
          "level": "warning",
          "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-          "ruleIndex": 5,
+          "ruleId": "CVE-2019-1551",
+          "ruleIndex": 1,
          "level": "warning",
          "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-          "ruleIndex": 6,
+          "ruleId": "CVE-2019-1563",
+          "ruleIndex": 2,
          "level": "warning",
          "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-          "ruleIndex": 7,
+          "ruleId": "CVE-2019-1547",
+          "ruleIndex": 3,
          "level": "note",
          "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
@@ -352,7 +268,7 @@
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
        }
      }
    }
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -1,4 +1,53 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
+        },
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
      "Class": "os-pkgs",
@@ -382,4 +431,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
@@ -1,4 +1,52 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/amazon-1.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "amazon",
+      "Name": "AMI release 2018.03"
+    },
+    "ImageID": "sha256:961c4ee06269351d858969ea0426878675ed708d3a140246eabbc0bfc352bffa",
+    "DiffIDs": [
+      "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "ef1b126795001e9b4bdc14a01180e4d8146282d279f53e05adfaa8195ecda20e",
+      "created": "2019-09-05T23:37:46.854286502Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-09-05T23:37:46.575366692Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:45ed06ba8960dec70e01e809fe38df2718d4b16aa2b0f88835522d8366de71e3 in / "
+        },
+        {
+          "created": "2019-09-05T23:37:46.854286502Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:8db654f611aca1693ac658bd981ee35e4b6517e6ef74fa608c4b3b3595a986c8",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
      "Class": "os-pkgs",
@@ -667,4 +715,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
@@ -1,4 +1,52 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/amazon-2.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "amazon",
+      "Name": "2 (Karoo)"
+    },
+    "ImageID": "sha256:b94321659aca6a89cb7650a5b864bc8ec4bf62c620b8f1a01530c2e90a88c391",
+    "DiffIDs": [
+      "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "e020a5508b9f809b29659128692cd634e3d4fba3f2c13d2029d797317b5c3a56",
+      "created": "2019-05-23T22:20:00.121624838Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-23T22:19:59.161963646Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:3cf811fe5073384ff1d5f405992ef7e5e452ad6d4a4cb873eee65007382f3a4a in / "
+        },
+        {
+          "created": "2019-05-23T22:20:00.121624838Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:648b8b37f8b5087423bec7f4331271253f8aff63154761a67c22cd0c3ba2661b",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/amazon-2.tar.gz (amazon 2 (Karoo))",
      "Class": "os-pkgs",
@@ -3506,4 +3554,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -1,4 +1,53 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "ImageID": "sha256:17c82adee8b5ffec7d6e30dba333bb37986add86afeb4a07754407bb049faedb",
+    "DiffIDs": [
+      "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
+      "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "created": "2020-04-26T16:23:28.996276377Z",
+      "docker_version": "19.03.8",
+      "history": [
+        {
+          "created": "2020-03-10T00:19:32.83969331Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:450bea8cddb743ed282cb1ade3d1614033172b93ef531c69a4e49fda3016cef0 in / "
+        },
+        {
+          "created": "2020-03-10T00:19:33.019716493Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-04-26T16:23:28.996276377Z",
+          "created_by": "/bin/sh -c #(nop) ADD 343df0159abcc51b06b4e56bfd4c06d2003b88947ed93b0cec6214ae5985669e in . "
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
+          "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:83aa35aa1c79e4b6957e018da6e322bfca92bf3b4696a211b42502543c242d6f",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "Cargo.lock",
      "Class": "lang-pkgs",
@@ -133,4 +182,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/centos-6.json.golden
+++ b/integration/testdata/centos-6.json.golden
@@ -1,4 +1,75 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/centos-6.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "centos",
+      "Name": "6.10",
+      "EOSL": true
+    },
+    "ImageID": "sha256:d0957ffdf8a2ea8c8925903862b65a1b6850dbb019f88d45e927d3d5a3fa0c31",
+    "DiffIDs": [
+      "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "https://github.com/CentOS/sig-cloud-instance-images",
+      "container": "d519f3e5c41d16388d3fba0dac626427b21deb98cce150dee80c180b9baf9435",
+      "created": "2019-03-14T21:20:11.486358099Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "author": "https://github.com/CentOS/sig-cloud-instance-images",
+          "created": "2018-10-09T18:20:03.816986835Z",
+          "created_by": "/bin/sh -c #(nop)  MAINTAINER https://github.com/CentOS/sig-cloud-instance-images",
+          "empty_layer": true
+        },
+        {
+          "author": "https://github.com/CentOS/sig-cloud-instance-images",
+          "created": "2019-03-14T21:20:10.936939354Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:0065316a41144e95bcb133567cc86816b8368a823cc067d741e06ded59849fd8 in / "
+        },
+        {
+          "author": "https://github.com/CentOS/sig-cloud-instance-images",
+          "created": "2019-03-14T21:20:11.322700622Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20181006",
+          "empty_layer": true
+        },
+        {
+          "author": "https://github.com/CentOS/sig-cloud-instance-images",
+          "created": "2019-03-14T21:20:11.486358099Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:143abcd43bce45f4fd9ba51c7361051d7ea9e9e1eadb66e5c94a9c1b7754524f",
+        "Labels": {
+          "org.label-schema.build-date": "20181006",
+          "org.label-schema.license": "GPLv2",
+          "org.label-schema.name": "CentOS Base Image",
+          "org.label-schema.schema-version": "1.0",
+          "org.label-schema.vendor": "CentOS"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/centos-6.tar.gz (centos 6.10)",
      "Class": "os-pkgs",
@@ -27249,4 +27320,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -1,4 +1,64 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/centos-7.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "centos",
+      "Name": "7.6.1810"
+    },
+    "ImageID": "sha256:9f38484d220fa527b1fb19747638497179500a1bed8bf0498eb788229229e6e1",
+    "DiffIDs": [
+      "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "958baf5225f586da9c70a21e911a0a875402dd22d83133d78b3b3aa6130e7892",
+      "created": "2019-03-14T21:19:53.361167852Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-03-14T21:19:52.66982152Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:074f2c974463ab38cf3532134e8ba2c91c9e346457713f2e8b8e2ac0ee9fd83d in / "
+        },
+        {
+          "created": "2019-03-14T21:19:53.099141434Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20190305",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-03-14T21:19:53.361167852Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:294e8d8145287e70f07328cc09d840fad8980b801223321b983442f097aff0d8",
+        "Labels": {
+          "org.label-schema.build-date": "20190305",
+          "org.label-schema.license": "GPLv2",
+          "org.label-schema.name": "CentOS Base Image",
+          "org.label-schema.schema-version": "1.0",
+          "org.label-schema.vendor": "CentOS"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
      "Class": "os-pkgs",
@@ -4666,4 +4726,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/centos-7-low-high.json.golden
+++ b/integration/testdata/centos-7-low-high.json.golden
@@ -1,4 +1,64 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/centos-7.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "centos",
+      "Name": "7.6.1810"
+    },
+    "ImageID": "sha256:9f38484d220fa527b1fb19747638497179500a1bed8bf0498eb788229229e6e1",
+    "DiffIDs": [
+      "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "958baf5225f586da9c70a21e911a0a875402dd22d83133d78b3b3aa6130e7892",
+      "created": "2019-03-14T21:19:53.361167852Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-03-14T21:19:52.66982152Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:074f2c974463ab38cf3532134e8ba2c91c9e346457713f2e8b8e2ac0ee9fd83d in / "
+        },
+        {
+          "created": "2019-03-14T21:19:53.099141434Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20190305",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-03-14T21:19:53.361167852Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:294e8d8145287e70f07328cc09d840fad8980b801223321b983442f097aff0d8",
+        "Labels": {
+          "org.label-schema.build-date": "20190305",
+          "org.label-schema.license": "GPLv2",
+          "org.label-schema.name": "CentOS Base Image",
+          "org.label-schema.schema-version": "1.0",
+          "org.label-schema.vendor": "CentOS"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
      "Class": "os-pkgs",
@@ -2524,4 +2584,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
@@ -1,4 +1,64 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/centos-7.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "centos",
+      "Name": "7.6.1810"
+    },
+    "ImageID": "sha256:9f38484d220fa527b1fb19747638497179500a1bed8bf0498eb788229229e6e1",
+    "DiffIDs": [
+      "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "958baf5225f586da9c70a21e911a0a875402dd22d83133d78b3b3aa6130e7892",
+      "created": "2019-03-14T21:19:53.361167852Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-03-14T21:19:52.66982152Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:074f2c974463ab38cf3532134e8ba2c91c9e346457713f2e8b8e2ac0ee9fd83d in / "
+        },
+        {
+          "created": "2019-03-14T21:19:53.099141434Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20190305",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-03-14T21:19:53.361167852Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:294e8d8145287e70f07328cc09d840fad8980b801223321b983442f097aff0d8",
+        "Labels": {
+          "org.label-schema.build-date": "20190305",
+          "org.label-schema.license": "GPLv2",
+          "org.label-schema.name": "CentOS Base Image",
+          "org.label-schema.schema-version": "1.0",
+          "org.label-schema.vendor": "CentOS"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
      "Class": "os-pkgs",
@@ -29334,4 +29394,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -1,4 +1,52 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/debian-buster.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "10.1"
+    },
+    "ImageID": "sha256:c2c03a296d2329a4f3ab72a7bf38b78a8a80108204d326b0139d6af700e152d1",
+    "DiffIDs": [
+      "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "cbb6a20ddb7dedfeee41aeb21e9780f14afbb0f47a6b1ffa514a1822f45d0a51",
+      "created": "2019-09-11T23:21:51.562946709Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-09-11T23:21:51.123609274Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:770e381defc5e4a0ba5df52265a96494b9f5d94309234cb3f7bc6b00e1d18f9a in / "
+        },
+        {
+          "created": "2019-09-11T23:21:51.562946709Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:5519bb349f72eef81944da56843c995b1b81ed67c8e7e48ac29dd6c543c1dd2d",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
      "Class": "os-pkgs",
@@ -725,4 +773,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
@@ -1,4 +1,52 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/debian-buster.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "10.1"
+    },
+    "ImageID": "sha256:c2c03a296d2329a4f3ab72a7bf38b78a8a80108204d326b0139d6af700e152d1",
+    "DiffIDs": [
+      "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "cbb6a20ddb7dedfeee41aeb21e9780f14afbb0f47a6b1ffa514a1822f45d0a51",
+      "created": "2019-09-11T23:21:51.562946709Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-09-11T23:21:51.123609274Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:770e381defc5e4a0ba5df52265a96494b9f5d94309234cb3f7bc6b00e1d18f9a in / "
+        },
+        {
+          "created": "2019-09-11T23:21:51.562946709Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:5519bb349f72eef81944da56843c995b1b81ed67c8e7e48ac29dd6c543c1dd2d",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
      "Class": "os-pkgs",
@@ -3257,4 +3305,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -1,4 +1,52 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/debian-stretch.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "9.9"
+    },
+    "ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
+    "DiffIDs": [
+      "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "957bc0b73d29f0e1030fec9c63f81d3e81baa610cffcc9c574b14fee6d1821ae",
+      "created": "2019-08-14T00:24:45.872523599Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-14T00:24:45.612796997Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:b9b24bd862a79bf6c6e79daf6babca27245063eb52a2f72ffc4fc3494ddd3d48 in / "
+        },
+        {
+          "created": "2019-08-14T00:24:45.872523599Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:2ce0e924e5d43d66387e476478ce3c857b1eaae74b5c74693ed47b3502bbdc3e",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/debian-stretch.tar.gz (debian 9.9)",
      "Class": "os-pkgs",
@@ -5772,4 +5820,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/distroless-base-ignore-unfixed.json.golden
+++ b/integration/testdata/distroless-base-ignore-unfixed.json.golden
@@ -1,4 +1,50 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/distroless-base.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "9.9"
+    },
+    "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
+    "DiffIDs": [
+      "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+      "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Bazel",
+      "created": "1970-01-01T00:00:00Z",
+      "history": [
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        },
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+          "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+        ]
+      },
+      "config": {
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
+        ]
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
      "Class": "os-pkgs",
@@ -84,4 +130,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -1,4 +1,50 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/distroless-base.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "9.9"
+    },
+    "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
+    "DiffIDs": [
+      "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+      "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Bazel",
+      "created": "1970-01-01T00:00:00Z",
+      "history": [
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        },
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+          "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+        ]
+      },
+      "config": {
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
+        ]
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
      "Class": "os-pkgs",
@@ -1096,4 +1142,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -1,4 +1,67 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/distroless-python27.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "9.9"
+    },
+    "ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
+    "DiffIDs": [
+      "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+      "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+      "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61",
+      "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Bazel",
+      "created": "1970-01-01T00:00:00Z",
+      "history": [
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        },
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        },
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        },
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+          "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+          "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61",
+          "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+        ]
+      },
+      "config": {
+        "Entrypoint": [
+          "/usr/bin/python2.7"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
+        ]
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/distroless-python27.tar.gz (debian 9.9)",
      "Class": "os-pkgs",
@@ -4021,4 +4084,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/dockerfile-custom-policies.json.golden
+++ b/integration/testdata/dockerfile-custom-policies.json.golden
@@ -1,4 +1,20 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/custom-policy",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
@@ -17,10 +33,7 @@
          "Namespace": "user.bar",
          "Query": "data.user.bar.deny",
          "Severity": "UNKNOWN",
-        "Status": "FAIL",
-        "Layer": {
-          "DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
-        }
+          "Status": "FAIL"
        },
        {
          "Type": "N/A",
@@ -30,11 +43,9 @@
          "Namespace": "user.foo",
          "Query": "data.user.foo.deny",
          "Severity": "UNKNOWN",
-        "Status": "FAIL",
-        "Layer": {
-          "DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
-        }
+          "Status": "FAIL"
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/dockerfile-namespace-exception.json.golden
+++ b/integration/testdata/dockerfile-namespace-exception.json.golden
@@ -1,4 +1,20 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/namespace-exception",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
@@ -9,4 +25,5 @@
        "Exceptions": 1
      }
    }
-]
+  ]
+}
--- a/integration/testdata/dockerfile-rule-exception.json.golden
+++ b/integration/testdata/dockerfile-rule-exception.json.golden
@@ -1,4 +1,20 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/rule-exception",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
@@ -9,4 +25,5 @@
        "Exceptions": 1
      }
    }
-]
+  ]
+}
--- a/integration/testdata/dockerfile.json.golden
+++ b/integration/testdata/dockerfile.json.golden
@@ -1,4 +1,20 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/dockerfile",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
@@ -24,11 +40,9 @@
            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
            "https://avd.aquasec.com/appshield/ds002"
          ],
-        "Status": "FAIL",
-        "Layer": {
-          "DiffID": "sha256:2f8334a38883ba260fc9cab989110b8eea18721ee15c319b83fa3eba8d5981ca"
-        }
+          "Status": "FAIL"
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/fixtures/fs/pip/requirements.txt
+++ b/integration/testdata/fixtures/fs/pip/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.0
+Flask==2.0.0
+itsdangerous==2.0.0
+Jinja2==3.0.0
+MarkupSafe>2.0.0
+Werkzeug==0.11
--- a/integration/testdata/fluentd-multiple-lockfiles.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -1,4 +1,105 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "10.2"
+    },
+    "ImageID": "sha256:5a992077baba51b97f27591a10d54d2f2723dc9c81a3fe419e261023f2554933",
+    "DiffIDs": [
+      "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f",
+      "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e",
+      "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0",
+      "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9",
+      "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89",
+      "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "232f3fc7ddffd71dc3ff52c6c0c3a5feea2f51acffd9b53850a8fc6f1a15319a",
+      "created": "2020-03-04T13:59:39.161374106Z",
+      "docker_version": "19.03.4",
+      "history": [
+        {
+          "created": "2019-11-22T14:55:09.912242636Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:bc8179c87c8dbb3d962bed1801f99e7c860ff03797cde6ad19b107d43b973ada in / "
+        },
+        {
+          "created": "2019-11-22T14:55:10.253859615Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:58:17.973854594Z",
+          "created_by": "/bin/sh -c #(nop)  ARG DEBIAN_FRONTEND=noninteractive",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:58:18.12120844Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:4e7fdb1bc31a0f689d88f6af28d4f0352e89a2ac598c523e9637da3de75bfada in /tmp/install.sh "
+        },
+        {
+          "created": "2020-03-04T13:58:18.26894021Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:c03560fcb4f0aff4cecd93039c348ba4992564740c77e3d6049a44fe79ca44ab in /Gemfile "
+        },
+        {
+          "created": "2020-03-04T13:59:37.96119583Z",
+          "created_by": "|1 DEBIAN_FRONTEND=noninteractive /bin/sh -c chmod +x /tmp/install.sh \u0026\u0026     /bin/bash -l -c /tmp/install.sh \u0026\u0026     rm /tmp/*"
+        },
+        {
+          "created": "2020-03-04T13:59:38.583719926Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:f742fdea941d5baccbf9a9c45ccc9cd943377f3c3e07da787a8d8d9f92a8b3d3 in /etc/fluent/fluent.conf "
+        },
+        {
+          "created": "2020-03-04T13:59:38.72131564Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:a9ce963551c165ec55bb4d982d96336caa97e8c70011eb4ca58927956bd08e2a in /run.sh "
+        },
+        {
+          "created": "2020-03-04T13:59:38.844116271Z",
+          "created_by": "/bin/sh -c #(nop)  EXPOSE 80",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:59:38.99446051Z",
+          "created_by": "/bin/sh -c #(nop)  ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:59:39.161374106Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/run.sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f",
+          "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e",
+          "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0",
+          "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9",
+          "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89",
+          "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/run.sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+        ],
+        "Image": "sha256:2a538358cddc4824e9eff1531e0c63ae5e3cda85d2984c647df9b1c816b9b86b",
+        "ExposedPorts": {
+          "80/tcp": {}
+        }
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
      "Class": "os-pkgs",
@@ -196,5 +297,30 @@
          "LastModifiedDate": "2020-01-28T06:15:00Z"
        }
      ]
+    },
+    {
+      "Target": "Ruby",
+      "Class": "lang-pkgs",
+      "Type": "gemspec",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-8165",
+          "PkgName": "activesupport",
+          "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
+          "InstalledVersion": "6.0.2.1",
+          "FixedVersion": "~\u003e 5.2.4.3, \u003e= 6.0.3.1",
+          "Layer": {
+            "DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
+          "Title": "Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
+          "Description": "There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\n\nVersions Affected:  rails \u003c 5.2.5, rails \u003c 6.0.4\nNot affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions:     rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\n\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\n\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\n\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.\n",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"
+          ]
        }
-]
+      ]
+    }
+  ]
+}
--- a/integration/testdata/nodejs.json.golden
+++ b/integration/testdata/nodejs.json.golden
@@ -1,4 +1,20 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/nodejs",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
    {
      "Target": "package-lock.json",
      "Class": "lang-pkgs",
@@ -8,10 +24,7 @@
          "VulnerabilityID": "CVE-2019-11358",
          "PkgName": "jquery",
          "InstalledVersion": "3.3.9",
-        "FixedVersion": "3.4.0",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
+          "FixedVersion": ">=3.4.0",
          "SeveritySource": "nodejs-security-wg",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
          "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
@@ -79,10 +92,7 @@
          "PkgName": "lodash",
          "InstalledVersion": "4.17.4",
          "FixedVersion": "4.17.12",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nvd",
+          "SeveritySource": "ghsa-npm",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
          "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
          "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
@@ -118,10 +128,7 @@
          "VulnerabilityID": "CVE-2018-16487",
          "PkgName": "lodash",
          "InstalledVersion": "4.17.4",
-        "FixedVersion": "4.17.11",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
+          "FixedVersion": ">=4.17.11",
          "SeveritySource": "nodejs-security-wg",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
          "Title": "lodash: Prototype pollution in utilities function",
@@ -157,10 +164,7 @@
          "PkgName": "lodash",
          "InstalledVersion": "4.17.4",
          "FixedVersion": "4.17.11",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nvd",
+          "SeveritySource": "ghsa-npm",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
          "Title": "Moderate severity vulnerability that affects lodash",
          "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
@@ -191,10 +195,7 @@
          "VulnerabilityID": "CVE-2018-3721",
          "PkgName": "lodash",
          "InstalledVersion": "4.17.4",
-        "FixedVersion": "4.17.5",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
+          "FixedVersion": ">=4.17.5",
          "SeveritySource": "nodejs-security-wg",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
          "Title": "lodash: Prototype pollution in utilities function",
@@ -224,4 +225,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -1,4 +1,60 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "opensuse.leap",
+      "Name": "15.1",
+      "EOSL": true
+    },
+    "ImageID": "sha256:fef5ad254f6378f08071cfa2daaf05a1ce9857141c944b67a40742e63e65cecc",
+    "DiffIDs": [
+      "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Fabian Vogt \u003cfvogt@suse.com\u003e",
+      "created": "2019-11-05T15:54:41Z",
+      "history": [
+        {
+          "created": "2019-11-05T15:54:41Z",
+          "created_by": "KIWI 9.17.16"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "org.openbuildservice.disturl": "obs://build.opensuse.org/openSUSE:Leap:15.1:Images/images/740264e3294afe7ca32a3ea9deb863d2-opensuse-leap-image:docker",
+          "org.opencontainers.image.created": "2019-11-05T15:54:10.571514200Z",
+          "org.opencontainers.image.description": "Image containing a minimal environment for containers based on openSUSE Leap 15.1.",
+          "org.opencontainers.image.title": "openSUSE Leap 15.1 Base Container",
+          "org.opencontainers.image.url": "https://www.opensuse.org/",
+          "org.opencontainers.image.vendor": "openSUSE Project",
+          "org.opencontainers.image.version": "15.1.3.67",
+          "org.opensuse.base.created": "2019-11-05T15:54:10.571514200Z",
+          "org.opensuse.base.description": "Image containing a minimal environment for containers based on openSUSE Leap 15.1.",
+          "org.opensuse.base.disturl": "obs://build.opensuse.org/openSUSE:Leap:15.1:Images/images/740264e3294afe7ca32a3ea9deb863d2-opensuse-leap-image:docker",
+          "org.opensuse.base.reference": "registry.opensuse.org/opensuse/leap:15.1.3.67",
+          "org.opensuse.base.title": "openSUSE Leap 15.1 Base Container",
+          "org.opensuse.base.url": "https://www.opensuse.org/",
+          "org.opensuse.base.vendor": "openSUSE Project",
+          "org.opensuse.base.version": "15.1.3.67",
+          "org.opensuse.reference": "registry.opensuse.org/opensuse/leap:15.1.3.67"
+        }
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
      "Class": "os-pkgs",
@@ -294,4 +350,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/opensuse-leap-423.json.golden
+++ b/integration/testdata/opensuse-leap-423.json.golden
@@ -1,7 +1,55 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/opensuse-leap-423.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "opensuse.leap",
+      "Name": "42.3",
+      "EOSL": true
+    },
+    "ImageID": "sha256:8e098189cc8dcb9cf52438dded1403b802a5822acb22e44db027705a146fef7a",
+    "DiffIDs": [
+      "sha256:55e4cf12579297bd6b98a41e0f22e56241508b5f697dcc43ab9a3d7c546acb3c"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "SUSE Containers Team \u003ccontainers@suse.com\u003e",
+      "created": "2019-08-13T08:49:10Z",
+      "history": [
+        {
+          "created": "2019-08-13T08:48:40.372298552Z",
+          "created_by": "umoci config"
+        },
+        {
+          "author": "SUSE Containers Team \u003ccontainers@suse.com\u003e",
+          "created": "2019-08-13T08:49:10.375196393Z",
+          "created_by": "umoci config",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:55e4cf12579297bd6b98a41e0f22e56241508b5f697dcc43ab9a3d7c546acb3c"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "org.openbuildservice.disturl": "'obs://build.opensuse.org/Virtualization:containers:images:openSUSE-Leap-42.3/containers/e855437d458198eb2a8cf9d551fc66c3-openSUSE-Leap-42.3-container-image:docker'"
+        }
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/opensuse-leap-423.tar.gz (opensuse.leap 42.3)",
      "Class": "os-pkgs",
      "Type": "opensuse.leap"
    }
-]
+  ]
+}
--- a/integration/testdata/oraclelinux-6-slim.json.golden
+++ b/integration/testdata/oraclelinux-6-slim.json.golden
@@ -1,4 +1,62 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "oracle",
+      "Name": "6.10",
+      "EOSL": true
+    },
+    "ImageID": "sha256:0689e911150c66c3f03c9b184239ff5578685f0de9f913e1fbfff71a6bb77461",
+    "DiffIDs": [
+      "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+      "container": "8878731dd37dcf400770b7f4b72a1e8e84d21d1cc8c47e4f697e126493cd4d54",
+      "created": "2019-06-14T22:36:44.570639862Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2018-08-30T21:49:27.028879762Z",
+          "created_by": "/bin/sh -c #(nop)  MAINTAINER Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "empty_layer": true
+        },
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2019-06-14T22:36:44.306550224Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:f1e31a7216515c21d38e5af18cbaf6cac772a2f953ac2a9e7772beb29f2652d8 in / "
+        },
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2019-06-14T22:36:44.570639862Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:c68f924be5159077a4d1c5de261fab2f423bffc06e1534a154306d551978a95c",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/oraclelinux-6-slim.tar.gz (oracle 6.10)",
      "Class": "os-pkgs",
@@ -501,4 +559,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/oraclelinux-7-slim.json.golden
+++ b/integration/testdata/oraclelinux-7-slim.json.golden
@@ -1,4 +1,61 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "oracle",
+      "Name": "7.6"
+    },
+    "ImageID": "sha256:874477adb545ac1108a0c703bbf15f39cf00eb3a66052363ede44b971d648c29",
+    "DiffIDs": [
+      "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+      "container": "eef695e3d8b370ac9770c6437285ffaeee9197f6a902ed42c970f680c77d8c91",
+      "created": "2019-08-08T22:29:13.643372657Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2018-08-30T21:49:27.028879762Z",
+          "created_by": "/bin/sh -c #(nop)  MAINTAINER Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "empty_layer": true
+        },
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2019-08-08T22:29:13.37257495Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:ec6faaeaeb57818c0cdf4a109896315eb8c8d30a8d0a3fddce47d0479ec28fcf in / "
+        },
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2019-08-08T22:29:13.643372657Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:9397663bff18e4294dec723411c402b55445d41c076040d050aaaaf1ac130313",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/oraclelinux-7-slim.tar.gz (oracle 7.6)",
      "Class": "os-pkgs",
@@ -2710,4 +2767,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/oraclelinux-8-slim.json.golden
+++ b/integration/testdata/oraclelinux-8-slim.json.golden
@@ -1,4 +1,61 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "oracle",
+      "Name": "8.0"
+    },
+    "ImageID": "sha256:73f821d86dfb84de2f3371288b1c28ff9f78913f7f61bf60eb652fafab548ea3",
+    "DiffIDs": [
+      "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+      "container": "c00a901742ec3d7be814b0a90a11eb41c332c8ed5c9f49035af0e97c2a4b1114",
+      "created": "2019-10-15T21:23:40.950042801Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2018-08-30T21:49:27.028879762Z",
+          "created_by": "/bin/sh -c #(nop)  MAINTAINER Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "empty_layer": true
+        },
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2019-10-15T21:23:40.753460369Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:4d6968487994b1c559af3fbb14644e32f15bf8c154b4db9209d05b434f691776 in / "
+        },
+        {
+          "author": "Oracle Linux Product Team \u003col-ovm-info_ww@oracle.com\u003e",
+          "created": "2019-10-15T21:23:40.950042801Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:966f5e6fbcc4915f120935883ccc882ae0271e00917a2955cae3cca10fc899b9",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/oraclelinux-8-slim.tar.gz (oracle 8.0)",
      "Class": "os-pkgs",
@@ -1723,4 +1780,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/photon-10.json.golden
+++ b/integration/testdata/photon-10.json.golden
@@ -1,4 +1,62 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/photon-10.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "photon",
+      "Name": "1.0"
+    },
+    "ImageID": "sha256:91bae7d50a3697560a26c74d1ea2c89f93994d6cc820b0c45930b889ec8205e2",
+    "DiffIDs": [
+      "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "19c0561fb4fdbf192cf1c53382ed623d9df34ef12f3d6fceebc094a14cf0fbb3",
+      "created": "2019-08-23T22:27:03.861643679Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-23T22:27:03.414237479Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:f328b305cd347d88e1f2f11847075e42c746b557c465a93d468d7c20a9fdafa8 in / "
+        },
+        {
+          "created": "2019-08-23T22:27:03.705737675Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL name=Photon OS 1.0 Base Image vendor=VMware build-date=20190823",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-08-23T22:27:03.861643679Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:dfa479c1cd7faef668c299b52fbc775f4df904a392ccbc0d374bf52e4fa2e5be",
+        "Labels": {
+          "build-date": "20190823",
+          "name": "Photon OS 1.0 Base Image",
+          "vendor": "VMware"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/photon-10.tar.gz (photon 1.0)",
      "Class": "os-pkgs",
@@ -764,4 +822,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/photon-20.json.golden
+++ b/integration/testdata/photon-20.json.golden
@@ -1,4 +1,62 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/photon-20.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "photon",
+      "Name": "2.0"
+    },
+    "ImageID": "sha256:15bd3cb464a2746dfbb6c942022c7c666c349c0579ecc39bf7b7abae40bc18b7",
+    "DiffIDs": [
+      "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "fb859bb7c6f1a32b3c75be0d746f4c9fa2ad7c3072c903e90d220261a7abf240",
+      "created": "2019-07-27T00:22:18.482655014Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-07-27T00:22:18.156548541Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:ac5bd1051be53ef75116a4924e67f767ca29def6fb6b15405715f4b4ad3e039d in / "
+        },
+        {
+          "created": "2019-07-27T00:22:18.307713726Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL name=Photon OS 2.0 Base Image vendor=VMware build-date=20190726",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-07-27T00:22:18.482655014Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:f1ee8270ca15b34f868cc35b469cc95f83e712d5f5bf8b46d108928acf3aa05b",
+        "Labels": {
+          "build-date": "20190726",
+          "name": "Photon OS 2.0 Base Image",
+          "vendor": "VMware"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/photon-20.tar.gz (photon 2.0)",
      "Class": "os-pkgs",
@@ -1093,4 +1151,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/photon-30.json.golden
+++ b/integration/testdata/photon-30.json.golden
@@ -1,4 +1,62 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/photon-30.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "photon",
+      "Name": "3.0"
+    },
+    "ImageID": "sha256:5ccb5186b75cd13ff0d028f5b5b2bdf7ef7ca2b3d56eb2c6eb6c136077a6991a",
+    "DiffIDs": [
+      "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "ed27e7f1fbd8ef9d3ea89947f682907e9a65a8e51bbe2e0eba60db6e69213848",
+      "created": "2019-08-23T22:26:32.857588774Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-23T22:26:32.53400229Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:0d19c0b1adc18a00f073eeb1a9d6e5e4fdde392b20a3229ec0ef88642549b2df in / "
+        },
+        {
+          "created": "2019-08-23T22:26:32.689364313Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL name=Photon OS x86_64/3.0 Base Image vendor=VMware build-date=20190823",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-08-23T22:26:32.857588774Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:e7cbb54381cebcd7eea8e391127352224e1d8268fd14bfa5c7dd53e507299f60",
+        "Labels": {
+          "build-date": "20190823",
+          "name": "Photon OS x86_64/3.0 Base Image",
+          "vendor": "VMware"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/photon-30.tar.gz (photon 3.0)",
      "Class": "os-pkgs",
@@ -646,4 +704,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/pip.json.golden
+++ b/integration/testdata/pip.json.golden
@@ -0,0 +1,123 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/pip",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "requirements.txt",
+      "Class": "lang-pkgs",
+      "Type": "pip",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-14806",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.15.3",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
+          "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
+          "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-331"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 7.5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
+            "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
+            "https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-14806",
+            "https://palletsprojects.com/blog/werkzeug-0-15-3-released/"
+          ],
+          "PublishedDate": "2019-08-09T15:15:00Z",
+          "LastModifiedDate": "2019-09-11T00:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2016-10516",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.11.11",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
+          "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
+          "Description": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
+              "V3Score": 7.1
+            }
+          },
+          "References": [
+            "http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516",
+            "https://github.com/pallets/werkzeug/pull/1001",
+            "https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html",
+            "https://usn.ubuntu.com/usn/usn-3463-1"
+          ],
+          "PublishedDate": "2017-10-23T16:29:00Z",
+          "LastModifiedDate": "2018-02-04T02:29:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2020-28724",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.11.6",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
+          "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
+          "Severity": "UNKNOWN"
+        },
+        {
+          "VulnerabilityID": "pyup.io-26435",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.12",
+          "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
+          "Severity": "UNKNOWN"
+        },
+        {
+          "VulnerabilityID": "pyup.io-36967",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.15.0",
+          "Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
+          "Severity": "UNKNOWN"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/ubi-7.json.golden
+++ b/integration/testdata/ubi-7.json.golden
@@ -1,4 +1,75 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/ubi-7.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "redhat",
+      "Name": "7.7"
+    },
+    "ImageID": "sha256:6fecccc91c83e11ae4fede6793e9410841221d4779520c2b9e9fb7f7b3830264",
+    "DiffIDs": [
+      "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac",
+      "sha256:ecb0311889b3478bc9b62660fa9391d5ebf8da4c6ae143cb33434873668f9e36"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "created": "2019-09-02T12:56:43.939095Z",
+      "docker_version": "1.13.1",
+      "history": [
+        {
+          "created": "2019-09-02T12:56:36.440695936Z",
+          "comment": "Imported from -"
+        },
+        {
+          "created": "2019-09-02T12:56:43.939095Z"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac",
+          "sha256:ecb0311889b3478bc9b62660fa9391d5ebf8da4c6ae143cb33434873668f9e36"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "container=oci"
+        ],
+        "Hostname": "0da2e3774382",
+        "Image": "2e9103a7b91a7ffe333e9162ce98ea078263747527571655e93bd4d35ee278f0",
+        "Labels": {
+          "architecture": "x86_64",
+          "authoritative-source-url": "registry.access.redhat.com",
+          "build-date": "2019-09-02T12:56:18.824770",
+          "com.redhat.build-host": "cpt-1005.osbs.prod.upshift.rdu2.redhat.com",
+          "com.redhat.component": "ubi7-container",
+          "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
+          "description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
+          "distribution-scope": "public",
+          "io.k8s.description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
+          "io.k8s.display-name": "Red Hat Universal Base Image 7",
+          "io.openshift.tags": "base rhel7",
+          "maintainer": "Red Hat, Inc.",
+          "name": "ubi7",
+          "release": "140",
+          "summary": "Provides the latest release of the Red Hat Universal Base Image 7.",
+          "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi7/images/7.7-140",
+          "vcs-ref": "4c80c8aa26e69950ab11b87789c8fb7665b1632d",
+          "vcs-type": "git",
+          "vendor": "Red Hat, Inc.",
+          "version": "7.7"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/ubi-7.tar.gz (redhat 7.7)",
      "Class": "os-pkgs",
@@ -25604,4 +25675,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/ubuntu-1604.json.golden
+++ b/integration/testdata/ubuntu-1604.json.golden
@@ -1,4 +1,70 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/ubuntu-1604.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "ubuntu",
+      "Name": "16.04"
+    },
+    "ImageID": "sha256:5e13f8dd4c1a20dbe677261cc73171093d502f8edd1da8bec47416cdc20323c6",
+    "DiffIDs": [
+      "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031",
+      "sha256:2558e637fbff95178cb4b43e0ca5f20a04ddeaf9673053bfa4dc10c72833d15a",
+      "sha256:aeda103e78c90b573700d64f6660efda378b59fe3e636ebfa28a0a105e2e2168",
+      "sha256:e79142719515e5304607fdd9adeb31db96b7acf00cabadac2678b056ed83bca6"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "dd31e0e0382f230149544dd4c1a4a02e50824aa0c02ce981087b3f08794cb3a2",
+      "created": "2019-07-23T15:22:34.054269174Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-07-23T15:22:31.648568069Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:603693e48cdc7f0c5c62119923aadbb266e5df5a5002fc0f61295858f91690e8 in / "
+        },
+        {
+          "created": "2019-07-23T15:22:32.444207677Z",
+          "created_by": "/bin/sh -c rm -rf /var/lib/apt/lists/*"
+        },
+        {
+          "created": "2019-07-23T15:22:33.179492618Z",
+          "created_by": "/bin/sh -c set -xe \t\t\u0026\u0026 echo '#!/bin/sh' \u003e /usr/sbin/policy-rc.d \t\u0026\u0026 echo 'exit 101' \u003e\u003e /usr/sbin/policy-rc.d \t\u0026\u0026 chmod +x /usr/sbin/policy-rc.d \t\t\u0026\u0026 dpkg-divert --local --rename --add /sbin/initctl \t\u0026\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \t\u0026\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \t\t\u0026\u0026 echo 'force-unsafe-io' \u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \t\t\u0026\u0026 echo 'DPkg::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'APT::Update::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'Dir::Cache::pkgcache \"\"; Dir::Cache::srcpkgcache \"\";' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\t\u0026\u0026 echo 'Acquire::Languages \"none\";' \u003e /etc/apt/apt.conf.d/docker-no-languages \t\t\u0026\u0026 echo 'Acquire::GzipIndexes \"true\"; Acquire::CompressionTypes::Order:: \"gz\";' \u003e /etc/apt/apt.conf.d/docker-gzip-indexes \t\t\u0026\u0026 echo 'Apt::AutoRemove::SuggestsImportant \"false\";' \u003e /etc/apt/apt.conf.d/docker-autoremove-suggests"
+        },
+        {
+          "created": "2019-07-23T15:22:33.883423097Z",
+          "created_by": "/bin/sh -c mkdir -p /run/systemd \u0026\u0026 echo 'docker' \u003e /run/systemd/container"
+        },
+        {
+          "created": "2019-07-23T15:22:34.054269174Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031",
+          "sha256:2558e637fbff95178cb4b43e0ca5f20a04ddeaf9673053bfa4dc10c72833d15a",
+          "sha256:aeda103e78c90b573700d64f6660efda378b59fe3e636ebfa28a0a105e2e2168",
+          "sha256:e79142719515e5304607fdd9adeb31db96b7acf00cabadac2678b056ed83bca6"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:94a0c867edd7edc17a6d2736356509c9b6ce5ed6fc19544fe63dadd6ab576a40",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/ubuntu-1604.tar.gz (ubuntu 16.04)",
      "Class": "os-pkgs",
@@ -6922,4 +6988,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
+++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
@@ -1,4 +1,70 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/ubuntu-1804.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "ubuntu",
+      "Name": "18.04"
+    },
+    "ImageID": "sha256:a2a15febcdf362f6115e801d37b5e60d6faaeedcb9896155e5fe9d754025be12",
+    "DiffIDs": [
+      "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
+      "sha256:f7eae43028b334123c3a1d778f7bdf9783bbe651c8b15371df0120fd13ec35c5",
+      "sha256:7beb13bce073c21c9ee608acb13c7e851845245dc76ce81b418fdf580c45076b",
+      "sha256:122be11ab4a29e554786b4a1ec4764dd55656b59d6228a0a3de78eaf5c1f226c"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "41b694b9b42f9c5ef7fb40c24272927a727a6d6cb8120bb3eae5849ceb9bee77",
+      "created": "2019-08-15T07:28:14.830150536Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-15T07:28:12.433344678Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:c477cb0e95c56b51e0b7353f3805165393689902b82a41bbe77dbef4b31667e1 in / "
+        },
+        {
+          "created": "2019-08-15T07:28:13.20852008Z",
+          "created_by": "/bin/sh -c [ -z \"$(apt-get indextargets)\" ]"
+        },
+        {
+          "created": "2019-08-15T07:28:13.964607567Z",
+          "created_by": "/bin/sh -c set -xe \t\t\u0026\u0026 echo '#!/bin/sh' \u003e /usr/sbin/policy-rc.d \t\u0026\u0026 echo 'exit 101' \u003e\u003e /usr/sbin/policy-rc.d \t\u0026\u0026 chmod +x /usr/sbin/policy-rc.d \t\t\u0026\u0026 dpkg-divert --local --rename --add /sbin/initctl \t\u0026\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \t\u0026\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \t\t\u0026\u0026 echo 'force-unsafe-io' \u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \t\t\u0026\u0026 echo 'DPkg::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'APT::Update::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'Dir::Cache::pkgcache \"\"; Dir::Cache::srcpkgcache \"\";' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\t\u0026\u0026 echo 'Acquire::Languages \"none\";' \u003e /etc/apt/apt.conf.d/docker-no-languages \t\t\u0026\u0026 echo 'Acquire::GzipIndexes \"true\"; Acquire::CompressionTypes::Order:: \"gz\";' \u003e /etc/apt/apt.conf.d/docker-gzip-indexes \t\t\u0026\u0026 echo 'Apt::AutoRemove::SuggestsImportant \"false\";' \u003e /etc/apt/apt.conf.d/docker-autoremove-suggests"
+        },
+        {
+          "created": "2019-08-15T07:28:14.64282638Z",
+          "created_by": "/bin/sh -c mkdir -p /run/systemd \u0026\u0026 echo 'docker' \u003e /run/systemd/container"
+        },
+        {
+          "created": "2019-08-15T07:28:14.830150536Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
+          "sha256:f7eae43028b334123c3a1d778f7bdf9783bbe651c8b15371df0120fd13ec35c5",
+          "sha256:7beb13bce073c21c9ee608acb13c7e851845245dc76ce81b418fdf580c45076b",
+          "sha256:122be11ab4a29e554786b4a1ec4764dd55656b59d6228a0a3de78eaf5c1f226c"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:bcbe079849fdbb50b3eb04798547e046bdbc82020b8b780d767cf29f7e60b396",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/ubuntu-1804.tar.gz (ubuntu 18.04)",
      "Class": "os-pkgs",
@@ -828,4 +894,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/integration/testdata/ubuntu-1804.json.golden
+++ b/integration/testdata/ubuntu-1804.json.golden
@@ -1,4 +1,70 @@
-[
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/ubuntu-1804.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "ubuntu",
+      "Name": "18.04"
+    },
+    "ImageID": "sha256:a2a15febcdf362f6115e801d37b5e60d6faaeedcb9896155e5fe9d754025be12",
+    "DiffIDs": [
+      "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
+      "sha256:f7eae43028b334123c3a1d778f7bdf9783bbe651c8b15371df0120fd13ec35c5",
+      "sha256:7beb13bce073c21c9ee608acb13c7e851845245dc76ce81b418fdf580c45076b",
+      "sha256:122be11ab4a29e554786b4a1ec4764dd55656b59d6228a0a3de78eaf5c1f226c"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "41b694b9b42f9c5ef7fb40c24272927a727a6d6cb8120bb3eae5849ceb9bee77",
+      "created": "2019-08-15T07:28:14.830150536Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-15T07:28:12.433344678Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:c477cb0e95c56b51e0b7353f3805165393689902b82a41bbe77dbef4b31667e1 in / "
+        },
+        {
+          "created": "2019-08-15T07:28:13.20852008Z",
+          "created_by": "/bin/sh -c [ -z \"$(apt-get indextargets)\" ]"
+        },
+        {
+          "created": "2019-08-15T07:28:13.964607567Z",
+          "created_by": "/bin/sh -c set -xe \t\t\u0026\u0026 echo '#!/bin/sh' \u003e /usr/sbin/policy-rc.d \t\u0026\u0026 echo 'exit 101' \u003e\u003e /usr/sbin/policy-rc.d \t\u0026\u0026 chmod +x /usr/sbin/policy-rc.d \t\t\u0026\u0026 dpkg-divert --local --rename --add /sbin/initctl \t\u0026\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \t\u0026\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \t\t\u0026\u0026 echo 'force-unsafe-io' \u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \t\t\u0026\u0026 echo 'DPkg::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'APT::Update::Post-Invoke { \"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\"; };' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'Dir::Cache::pkgcache \"\"; Dir::Cache::srcpkgcache \"\";' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\t\u0026\u0026 echo 'Acquire::Languages \"none\";' \u003e /etc/apt/apt.conf.d/docker-no-languages \t\t\u0026\u0026 echo 'Acquire::GzipIndexes \"true\"; Acquire::CompressionTypes::Order:: \"gz\";' \u003e /etc/apt/apt.conf.d/docker-gzip-indexes \t\t\u0026\u0026 echo 'Apt::AutoRemove::SuggestsImportant \"false\";' \u003e /etc/apt/apt.conf.d/docker-autoremove-suggests"
+        },
+        {
+          "created": "2019-08-15T07:28:14.64282638Z",
+          "created_by": "/bin/sh -c mkdir -p /run/systemd \u0026\u0026 echo 'docker' \u003e /run/systemd/container"
+        },
+        {
+          "created": "2019-08-15T07:28:14.830150536Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
+          "sha256:f7eae43028b334123c3a1d778f7bdf9783bbe651c8b15371df0120fd13ec35c5",
+          "sha256:7beb13bce073c21c9ee608acb13c7e851845245dc76ce81b418fdf580c45076b",
+          "sha256:122be11ab4a29e554786b4a1ec4764dd55656b59d6228a0a3de78eaf5c1f226c"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:bcbe079849fdbb50b3eb04798547e046bdbc82020b8b780d767cf29f7e60b396",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
    {
      "Target": "testdata/fixtures/images/ubuntu-1804.tar.gz (ubuntu 18.04)",
      "Class": "os-pkgs",
@@ -3118,4 +3184,5 @@
        }
      ]
    }
-]
+  ]
+}
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -21,6 +21,7 @@ nav:
              - Image: getting-started/cli/image.md
              - Config: getting-started/cli/config.md
              - Filesystem: getting-started/cli/fs.md
+              - Rootfs: getting-started/cli/rootfs.md
              - Repository: getting-started/cli/repo.md
              - Client: getting-started/cli/client.md
              - Server: getting-started/cli/server.md
@@ -29,6 +30,7 @@ nav:
          - Overview: vulnerability/scanning/index.md
          - Container Image: vulnerability/scanning/image.md
          - Filesystem: vulnerability/scanning/filesystem.md
+          - Rootfs: vulnerability/scanning/rootfs.md
          - Git Repository: vulnerability/scanning/git-repository.md
      - Detection:
          - OS Packages: vulnerability/detection/os.md
@@ -64,6 +66,7 @@ nav:
      - Comparison:
          - vs Conftest: misconfiguration/comparison/conftest.md
          - vs tfsec: misconfiguration/comparison/tfsec.md
+          - vs cfsec: misconfiguration/comparison/cfsec.md
  - Advanced:
      - Overview: advanced/index.md
      - Plugins: advanced/plugins.md
@@ -74,6 +77,7 @@ nav:
          - CircleCI: advanced/integrations/circleci.md
          - Travis CI: advanced/integrations/travis-ci.md
          - GitLab CI: advanced/integrations/gitlab-ci.md
+          - Bitbucket Pipelines: advanced/integrations/bitbucket.md
          - AWS CodePipeline: advanced/integrations/aws-codepipeline.md
          - AWS Security Hub: advanced/integrations/aws-security-hub.md
      - Container Image:
@@ -90,6 +94,9 @@ nav:
      - Modes:
          - Standalone: advanced/modes/standalone.md
          - Client/Server: advanced/modes/client-server.md
+      - Community:
+          - Tools: advanced/community/tools.md
+          - References: advanced/community/references.md
      - Maintainer:
          - Help Wanted: advanced/contrib/help-wanted.md
          - Triage: advanced/contrib/triage.md
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -312,25 +312,6 @@ var (
 		stringSliceFlag(skipFiles),
 		stringSliceFlag(skipDirs),
 	}
-
-	// deprecated options
-	deprecatedFlags = []cli.Flag{
-		&cli.StringFlag{
-			Name:    "only-update",
-			Usage:   "deprecated",
-			EnvVars: []string{"TRIVY_ONLY_UPDATE"},
-		},
-		&cli.BoolFlag{
-			Name:    "refresh",
-			Usage:   "deprecated",
-			EnvVars: []string{"TRIVY_REFRESH"},
-		},
-		&cli.BoolFlag{
-			Name:    "auto-refresh",
-			Usage:   "deprecated",
-			EnvVars: []string{"TRIVY_AUTO_REFRESH"},
-		},
-	}
 )

 // NewApp is the factory method to return Trivy CLI
@@ -346,13 +327,13 @@ func NewApp(version string) *cli.App {
 	app.Usage = "A simple and comprehensive vulnerability scanner for containers"
 	app.EnableBashCompletion = true

-	flags := append(globalFlags, setHidden(deprecatedFlags, true)...)
-	flags = append(flags, setHidden(imageFlags, true)...)
+	flags := append(globalFlags, setHidden(imageFlags, true)...)

 	app.Flags = flags
 	app.Commands = []*cli.Command{
 		NewImageCommand(),
 		NewFilesystemCommand(),
+		NewRootfsCommand(),
 		NewRepositoryCommand(),
 		NewClientCommand(),
 		NewServerCommand(),
@@ -429,9 +410,9 @@ func showVersion(cacheDir, outputFormat, version string, outputWriter io.Writer)
 		if dbMeta != nil {
 			var dbType string
 			switch dbMeta.Type {
-			case 0:
+			case db.TypeFull:
 				dbType = "Full"
-			case 1:
+			case db.TypeLight:
 				dbType = "Light"
 			}
 			output += fmt.Sprintf(`Vulnerability DB:
@@ -464,12 +445,11 @@ func NewFilesystemCommand() *cli.Command {
 		Name:      "filesystem",
 		Aliases:   []string{"fs"},
 		ArgsUsage: "dir",
-		Usage:     "scan local filesystem",
+		Usage:     "scan local filesystem for language-specific dependencies and config files",
 		Action:    artifact.FilesystemRun,
 		Flags: []cli.Flag{
 			&templateFlag,
 			&formatFlag,
-			&inputFlag,
 			&severityFlag,
 			&outputFlag,
 			&exitCodeFlag,
@@ -477,7 +457,40 @@ func NewFilesystemCommand() *cli.Command {
 			&skipPolicyUpdateFlag,
 			&clearCacheFlag,
 			&ignoreUnfixedFlag,
-			&removedPkgsFlag,
+			&vulnTypeFlag,
+			&securityChecksFlag,
+			&ignoreFileFlag,
+			&cacheBackendFlag,
+			&timeoutFlag,
+			&noProgressFlag,
+			&ignorePolicy,
+			&listAllPackages,
+			stringSliceFlag(skipFiles),
+			stringSliceFlag(skipDirs),
+			stringSliceFlag(configPolicy),
+			stringSliceFlag(configData),
+			stringSliceFlag(policyNamespaces),
+		},
+	}
+}
+
+// NewRootfsCommand is the factory method to add filesystem command
+func NewRootfsCommand() *cli.Command {
+	return &cli.Command{
+		Name:      "rootfs",
+		ArgsUsage: "dir",
+		Usage:     "scan rootfs",
+		Action:    artifact.RootfsRun,
+		Flags: []cli.Flag{
+			&templateFlag,
+			&formatFlag,
+			&severityFlag,
+			&outputFlag,
+			&exitCodeFlag,
+			&skipDBUpdateFlag,
+			&skipPolicyUpdateFlag,
+			&clearCacheFlag,
+			&ignoreUnfixedFlag,
 			&vulnTypeFlag,
 			&securityChecksFlag,
 			&ignoreFileFlag,
@@ -552,6 +565,8 @@ func NewClientCommand() *cli.Command {
 			&ignoreFileFlag,
 			&timeoutFlag,
 			&ignorePolicy,
+			stringSliceFlag(skipFiles),
+			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
 			&listAllPackages,

@@ -652,6 +667,18 @@ func NewPluginCommand() *cli.Command {
 				ArgsUsage: "PLUGIN_NAME",
 				Action:    plugin.Uninstall,
 			},
+			{
+				Name:    "list",
+				Aliases: []string{"l"},
+				Usage:   "list installed plugin",
+				Action:  plugin.List,
+			},
+			{
+				Name:      "info",
+				Usage:     "information about a plugin",
+				ArgsUsage: "PLUGIN_NAME",
+				Action:    plugin.Information,
+			},
 			{
 				Name:      "run",
 				Aliases:   []string{"r"},
@@ -659,6 +686,12 @@ func NewPluginCommand() *cli.Command {
 				ArgsUsage: "PLUGIN_NAME [PLUGIN_OPTIONS]",
 				Action:    plugin.Run,
 			},
+			{
+				Name:      "update",
+				Usage:     "update an existing plugin",
+				ArgsUsage: "PLUGIN_NAME",
+				Action:    plugin.Update,
+			},
 		},
 	}
 }
--- a/pkg/commands/app_test.go
+++ b/pkg/commands/app_test.go
@@ -3,7 +3,6 @@ package commands
 import (
 	"bytes"
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -36,7 +35,7 @@ func Test_showVersion(t *testing.T) {
 			},
 			expectedOutput: `Version: v1.2.3
 Vulnerability DB:
-  Type: Light
+  Type: Full
  Version: 42
  UpdatedAt: 2020-03-16 23:40:20 +0000 UTC
  NextUpdate: 2020-03-16 23:57:00 +0000 UTC
@@ -81,7 +80,7 @@ Vulnerability DB:
 			case tt.args.cacheDir != "":
 				cacheDir = tt.args.cacheDir
 			default:
-				cacheDir, _ = ioutil.TempDir("", "Test_showVersion-*")
+				cacheDir, _ = os.MkdirTemp("", "Test_showVersion-*")
 				defer os.RemoveAll(cacheDir)
 			}

--- a/pkg/commands/artifact/config.go
+++ b/pkg/commands/artifact/config.go
@@ -4,20 +4,19 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/xerrors"

+	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

 // ConfigRun runs scan on config files
 func ConfigRun(ctx *cli.Context) error {
-	opt, err := NewOption(ctx)
+	opt, err := initOption(ctx)
 	if err != nil {
 		return xerrors.Errorf("option error: %w", err)
 	}

-	// initialize options
-	if err = opt.Init(); err != nil {
-		return xerrors.Errorf("failed to initialize options: %w", err)
-	}
+	// Disable OS and language analyzers
+	opt.DisabledAnalyzers = append(analyzer.TypeOSes, analyzer.TypeLanguages...)

 	// Scan only config files
 	opt.VulnType = nil
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Chetan Goti	8e57dee86b	fix(docs): typo (#1488 )	2021-12-19 11:24:22 +02:00
Owen Rumney	8bfbc84a41	feat(plugin): Add option to update plugin (#1462 ) * Add option to update plugin - add plugin update [pluginName] to update - add supporting test * refactor: wrap errors	2021-12-16 13:30:19 +02:00
DmitriyLewen	1e811de263	fix: fixed skipFiles/skipDirs flags for relative path (#1482 )	2021-12-16 13:21:22 +02:00
Owen Rumney	8b5796f770	feat (plugin): add list and info command for plugin (#1452 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-12-15 22:36:08 +02:00
afdesk	a2199bb417	fix: set up a vulnerability severity (#1458 )	2021-12-15 21:28:29 +02:00
geyingqi	279e76f704	chore: add arm64 deb package (#1480 )	2021-12-15 20:08:05 +02:00
Tomas Fernandez	5262590831	Link to trivy tutorial on Semaphore (#1449 ) * Link to trivy tutorial on Semaphore * Move tutorial to Advanced > Community > Tools	2021-12-12 05:33:00 +02:00
abdennour	c275a841fd	refactor(helm): externalize env vars to configMap (#1345 ) \#1343 Signed-off-by: abdennour <mail@abdennoor.com>	2021-12-08 08:37:05 +02:00
nobletrout	7beed30170	docs: provide more information on scanning Google's GCR (#1426 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-12-07 03:28:46 +02:00
DmitriyLewen	f50e1f42a1	docs(misconfiguration): added instruction for misconfiguration detection (#1428 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-12-06 13:56:41 +02:00
Guilherme Macedo	3ae4de5869	Update git-repository.md (#1430 ) Update instructions on how to scan private git repositories, as according to https://github.com/aquasecurity/fanal/pull/253 .	2021-12-06 13:04:03 +02:00
AndreyLevchenko	6e35b8f53c	fix(hooks): exclude unrelated lib types from system files filtering (#1431 )	2021-12-06 10:53:34 +02:00
afdesk	beb60b05f3	chore: run `go fmt` (#1429 )	2021-12-02 17:52:57 +09:00
afdesk	582e7fd1ba	fix(sarif): change `help` field in the sarif template. (#1423 )	2021-12-02 14:23:26 +09:00
Owen Rumney	11bc290111	Update fanal with cfsec version update (#1425 ) - new version of cfsec brought in with latest fanal - fixes issue where cfsec treats files as CloudFormation when they arent - fixes issuee where invalid content errors are surfaced to Trivy - Gets addition of service and provider on the IaC results - this is not visible to others	2021-12-01 04:15:26 +02:00
Nilushan Costa	392f68926c	Replace deprecated option in goreleaser (#1406 ) * Replace deprecated docker.use_buildx with docker.use * Bump goreleaser GitHub action to v0.183.0	2021-11-29 05:31:16 +02:00
Huang Huang	101d576025	feat(alpine): support 3.15 (#1422 )	2021-11-29 05:30:44 +02:00
Carol Valencia	bd3ba68cce	chore: test the helm chart in the PR and used the commit hash (#1414 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2021-11-29 05:29:01 +02:00
dependabot[bot]	3860d6e4e9	chore(deps): bump alpine from 3.14 to 3.15.0 (#1417 ) Bumps alpine from 3.14 to 3.15.0. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-11-28 09:48:31 +02:00
afdesk	4f82673a61	chore(release): add ubuntu older versions to deploy script (#1416 ) * chore(release): add ubuntu older versions to deploy script `ubuntu-distro-info --supported` returns only versions: `bionic`, `focal`, `hirsute`, `impish` and `jammy`. `ubuntu-distro-info --supported-esm` returns another versions: `trusty`, `xenial`, `bionic`, `focal` and `jammy`. for the release script we should use the union of these sets. Fixes #1194 * change `uniq` command to `-u` parameter	2021-11-28 09:43:07 +02:00
Teppei Fukuda	b9a51de862	chore(mod): tidy (#1415 )	2021-11-26 06:36:55 +02:00
AndreyLevchenko	7f248341cc	fix(rpc): fix nil layer transmit (#1410 ) * fix(rpc): fix nil layer transmit Closes #1400 * added tests	2021-11-24 10:29:13 +02:00
Naimuddin Shaik	af3eaefdb2	Lang advisory order (#1409 ) * chore(advisory reorder) Reorder language advisory. * fixed integration tests.	2021-11-24 10:27:12 +02:00
Raul Cabello Martin	07c9200eb7	chore: add support for s390x arch (#1304 )	2021-11-21 11:38:47 +02:00
Carol Valencia	8bc8a4ad60	fix(chart): ingress helm manifest-update trivy image (#1323 ) * fix: ingress helm manifest-update trivy image * chore: helm ingress Capabilities.apiVersion * feat: helm chart test gh Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2021-11-21 09:57:30 +02:00
Owen Rumney	9076a49b0f	docs: Add comparison for cfsec (#1388 ) * Add cfsec comparison * Add to mkdocs.yml	2021-11-17 16:42:17 +02:00
naoyukis	bb316d93ca	remove: delete unused functions in utils package (#1379 )	2021-11-16 14:12:18 +02:00
AndreyLevchenko	efdb29d0d4	fix(sarif): fix validation errors (#1376 )	2021-11-15 16:36:51 +02:00
Teppei Fukuda	9bcf9e72f5	docs: add Bitbucket Pipelines (#1374 )	2021-11-14 11:31:21 +02:00
Teppei Fukuda	3147097daf	docs: add community integrations (#1361 ) Co-authored-by: Carsten Hoffmann <choffmann87@googlemail.com>	2021-11-14 10:28:26 +02:00
Simon Engledew	33f74b3acb	Use a stable SARIF identifier (#1230 )	2021-11-11 20:02:40 +02:00
rahul2393	5915ffb42b	fix(python): fix parsing of requirements.txt with hash checking mode available in pip since version 8.0	2021-11-11 13:18:31 +02:00
Owen Rumney	ae4c42b975	feat(iac): Add line information (#1366 ) * feat(iac): Adding resource and Line data - adding line in file information to the misconfiguration result - updating tfsec and cfsec versions to provide this additional info * Add usage of IaC metadata * update the fanal version	2021-11-11 08:00:13 +02:00
Owen Rumney	19747d0535	feat(cloudformation): Adding support for cfsec IaC scanning (#1360 )	2021-11-09 17:42:44 +02:00
Jamie	da45061f4d	chore: send debug and info logs to stdout in install.sh, not stderr. (#1264 ) The current install.sh script logs all messages to stderr via ```echoerr()``` function. Since godownloader is no longer maintained, it seems reasonable to update install.sh here.	2021-11-09 16:54:42 +02:00
tspearconquest	cb1a4ed3a1	Update containerd to v1.5.7 and docker-cli to v20.10.9 (#1356 ) Signed-off-by: Thomas Spear <tspear@conquestcyber.com>	2021-11-09 16:00:41 +02:00
Vinod Anandan	69dae54aa1	chore: update SBOM generation (#1349 )	2021-11-01 16:44:14 +02:00
Simar	5dc8cfe55d	docs: update builtin.md (#1335 )	2021-10-25 21:22:13 +03:00
psibre	798b564ee3	chore: fix issues with Homebrew formula (#1329 )	2021-10-25 20:34:32 +03:00
psibre	21bf5e58f7	chore: bump GoReleaser to v0.183.0 (#1328 )	2021-10-25 20:33:35 +03:00
Simar	e0f4ebd7cb	docs: update iac.md for a typo (#1326 )	2021-10-25 19:40:47 +03:00
Rory McCune	23a9a5e319	docs: typo fix (#1308 ) Just fixing a typo in the docs "Filesysetm" --> "Filesystem	2021-10-25 19:39:34 +03:00
Christian Zunker	1f5d17fe13	Add new networking API features to Ingress (#1262 ) * Add new networking API features to Ingress This PR adds `v1` of the networking API introduced with k8s 1.19. It also adds the new field `ingressClassName` introduced with k8s 1.18. Fixes #1261 * Also query for the Kind in the capabilities Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>	2021-10-20 18:59:12 +03:00
Teppei Fukuda	bcfa0287b9	chore(release): bump up GoReleaser to v0.182.1 (#1299 )	2021-10-16 06:48:44 +03:00
Teppei Fukuda	681ab1b889	fix(yarn): support quoted version (#1298 )	2021-10-15 08:22:40 +03:00
Ankush K	46051d5ec8	feat(custom-forward): Forward the extended advisory data (#1247 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-10-14 21:57:30 +03:00
santhosh1729	d8d692b8ba	feat(javascript) : Initialize npm driver for javascript packages (#1289 )	2021-10-10 08:37:15 +03:00
besdollma	cc344dfbe3	fix(cli): fix incorrect comparision of DB metadata type. (#1286 ) -- Incorrect Db metadata type comparision resulted in wrong print in show version. This fixes #1275. Signed-off-by: Bes Dollma <besi7dollma@gmail.com>	2021-10-08 19:16:46 +03:00
Itay Shakury	0dec17fc3f	docs: add footer to readme (#1281 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-10-07 10:18:38 +03:00
Teppei Fukuda	f12446d3ba	feat(report): add package path (#1274 )	2021-10-06 10:28:48 +03:00
Teppei Fukuda	1c9ccb5e03	feat(command): add rootfs command (#1271 )	2021-10-04 21:03:34 +03:00
Huang Huang	a463e794ce	fix: update fanal (#1272 ) Fixes #1251 Fixes #1183 Fixes #1172	2021-10-04 17:47:00 +03:00
Teppei Fukuda	e0ca5eff38	feat(commands): remove deprecated options (#1270 )	2021-10-04 15:49:04 +03:00
Masahiro331	1ebb3296ee	Aggregate jar result for table (#1269 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-10-04 11:30:12 +03:00
Teppei Fukuda	b37f682ee2	BREAKING(report): migrate to new json schema (#1265 )	2021-10-04 10:22:24 +03:00
Teppei Fukuda	da905108b4	feat: improve --skip-dirs and --skip-files (#1249 )	2021-10-03 13:08:09 +03:00
Teppei Fukuda	bd57b4f9b5	fix(gobinary): skip large files (#1259 )	2021-10-01 19:54:47 +03:00
Fabian Windheuser	9027dc3252	Disable library analyzer for OS only scan type (#1191 )	2021-09-29 11:54:46 +03:00
fnishe	5750cc2e1a	chore: update trivy version (#1252 )	2021-09-29 10:56:44 +03:00
Eng Zer Jun	bbcce9f7b7	refactor: move from io/ioutil to io and os package (#1245 ) The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2021-09-29 10:17:02 +03:00
Minchao	6bcb4af10f	fix: brew test command (#1253 )	2021-09-27 07:25:30 +03:00
Naimuddin Shaik	8d13234554	fix:added layer info in packages (#1248 ) * added layer info in packages * fixed unit cases	2021-09-22 17:17:16 +03:00
Teppei Fukuda	982f35b424	fix(go/binary): improve debug messages (#1244 )	2021-09-20 10:28:02 +03:00
洋仔	2e170cd15a	Update db.go (#1199 ) fix args name error	2021-09-19 20:38:22 +03:00
AndreyLevchenko	cc6c67d81c	fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243 ) Closes #1226	2021-09-19 09:49:15 +03:00
Teppei Fukuda	669fd1fd1d	feat(debian): support the versions that reached EOL (#1237 ) * refactor(debian): aggregate oval and json api into salsa * fix(vulnerability): use package-specific severity * chore(mod): update trivy-db	2021-09-17 13:59:46 +03:00
Teppei Fukuda	8cd7de276e	feat(alpine): support unfixed vulnerabilities (#1235 )	2021-09-16 22:20:59 +03:00
Teppei Fukuda	3bf3a46cd4	feat(report): add image config (#1231 ) * feat(report): add image config * chore(mod): update fanal * test(scanner): fix type	2021-09-15 22:19:37 +03:00
Ankush K	8edcc62a8d	feat(nodejs): support package.json (#1225 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-09-15 14:23:35 +03:00
Teppei Fukuda	31c45ffc52	refactor: use testing DB instead of mock (#1234 )	2021-09-15 10:06:01 +03:00
Ankush K	d8cc8b550b	feat(ruby): support gemspec (#1224 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-09-14 23:16:19 +03:00
Ankush K	dbc7a83e8c	feat(python): add packaging detector and respective hook (#1223 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-09-13 20:59:11 +03:00
Ankush K	19c0b70d26	feat(license): Added support to new License field of go-dep-parser's library (#1167 )	2021-09-09 14:32:50 +03:00
afdesk	9d617777d5	fix(oracle): handle advisories contain ksplice versions (#1209 ) * fix(oracle): handle advisories contain ksplice versions Improve a handling of advisories contain ksplice versions: * when one of them doesn't have ksplice, we'll also skip it * extract kspliceX and compare it with kspliceY in advisories * if kspliceX and kspliceY are different, we will skip the advisory. Fixes #1205 * fix(oracle): handle advisories contain ksplice versions simplify code and remove duplicated tests Fixes #1205 * run go fmt	2021-09-05 11:29:13 +03:00
afdesk	5d57deaa4f	fix(docs): remove OSVDB advisories (#1215 ) Trivy no longer depends on OSVDB and can use "Ruby Advisory Database" for commercial usage. Fixes #1208	2021-09-05 08:39:10 +03:00
Guilherme Macedo	b5955597a4	docs: fix typos in CONTRIBUTING.md (#1181 ) * Fix typos in CONTRIBUTING.md Fix small typos in CONTRIBUTING.md * Fix typos in CONTRIBUTING.md Fix small typos in CONTRIBUTING.md	2021-09-02 14:51:57 +03:00
Huang Huang	b1410b27b8	Update EOL of Debian 11 (#1180 ) https://bits.debian.org/2021/08/bullseye-released.html	2021-09-02 14:32:47 +03:00
afdesk	0e777d386e	fix(plugin): resolve a closure (#1207 ) There is a closure inside a function for Action field: variable p always refers on the last plugin. solution: redefine variable inside the for loop. Fixes #1086	2021-09-02 14:29:54 +03:00
Pascal Borreli	b6d9c30eea	docs: fix typo (#1206 )	2021-09-01 18:03:14 +03:00
afdesk	5160a2eb53	fix(detector): change an argument for trivy-db getter (#1203 ) use a package name instead of SrcName for getting of advisories about Oracle packages. Fixes #1170	2021-09-01 14:27:14 +03:00
Teppei Fukuda	40ed227c23	chore(mod): update fanal (#1179 ) * chore(mod): update fanal * test(integration): fix error message * test(integration): skip reaper	2021-08-15 15:19:22 +03:00
santhosh1729	2a4400c147	Add license info to package data (#1176 )	2021-08-15 13:05:37 +03:00
Tauseef	82eb630be7	feat(nuget): support packages.config (#1095 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-08-12 15:27:13 +03:00
AndreyLevchenko	4a8db20a9a	feat(python): add support for requirements.txt (#1169 )	2021-08-11 11:14:37 +03:00
thiago-gitlab	8db9b6a2a6	GitLab CI integration documentation (#1168 ) Recommend the native GitLab integration.	2021-08-08 14:10:16 +03:00
AndreyLevchenko	c159501d0d	chore(gorelease) change goreleaser config to include template examples (#1138 ) Closes #1123	2021-07-28 11:05:14 +03:00
dependabot[bot]	76e63d1124	chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153 ) Bumps [dmnemec/copy_file_to_another_repo_action](https://github.com/dmnemec/copy_file_to_another_repo_action) from 1.0.4 to 1.1.1. - [Release notes](https://github.com/dmnemec/copy_file_to_another_repo_action/releases) - [Commits](https://github.com/dmnemec/copy_file_to_another_repo_action/compare/v1.0.4...v1.1.1) --- updated-dependencies: - dependency-name: dmnemec/copy_file_to_another_repo_action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-07-28 10:57:32 +03:00
dependabot[bot]	79b6684840	chore(deps): bump actions/stale from 3 to 4 (#1152 ) Bumps [actions/stale](https://github.com/actions/stale) from 3 to 4. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-07-28 10:56:09 +03:00
AndreyLevchenko	214fe82c7e	feat(report): add end of service life flag to OS metadata (#1142 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-07-27 17:08:57 +03:00
Matthieu MOREL	c489e31f5d	chore: set up Dependabot for github-actions and docker (#1128 )	2021-07-27 16:03:43 +03:00
MaineK00n	efd812cb1a	docs: fix typo (#1149 )	2021-07-27 16:00:54 +03:00
Teppei Fukuda	3a920dc401	docs: add some external links (#1147 )	2021-07-27 15:39:55 +03:00
AndreyLevchenko	7cb1598991	chore (release): add ubuntu esm versions to deploy script (#1151 )	2021-07-26 12:49:42 +03:00
AndreyLevchenko	6a8800286e	docs(troubleshooting) add urls which are required to download vuls db (#1137 )	2021-07-21 11:07:57 +03:00
Simran Munot	f3f3029014	Updated the Alpine Image to 3.14 (latest) (#1130 )	2021-07-20 13:27:43 +03:00
Simran Munot	0e52fde047	Added EOL for Ubuntu 21.10 (#1131 ) As per (https://wiki.ubuntu.com/Releases) and (https://ubuntu.com/about/release-cycle), Ubuntu 21.10 is supported until July 2022	2021-07-20 13:25:01 +03:00
AndreyLevchenko	9b3fba04f9	fix(image): disabled scanning of config files within container images (#1133 )	2021-07-20 10:15:45 +03:00
mustafa-rean	1101634f6a	docs: fixed typo (#1124 )	2021-07-18 12:18:39 +03:00
Niklas	499b7a6ecf	update cyclonedx github action to v0.3.0 (#1127 ) use version `^v0` instead of `latest` to avoid breaking the build when cyclonedx-gomod introduces breaking changes in a new major version. See https://github.com/CycloneDX/gh-gomod-generate-sbom/releases/tag/v0.3.0 Signed-off-by: nscuro <nscuro@protonmail.com>	2021-07-18 11:59:55 +03:00
Teppei Fukuda	cea9b0bc78	fix(policy): fix panic on the first run (#1116 )	2021-07-12 21:38:20 +03:00