chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1 (#1926)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>

.github/ISSUE_TEMPLATE/WRONG_DETECTION.md

@@ -0,0 +1,33 @@
+---
+name: Wrong Detection
+labels: ["kind/bug"]
+about: If Trivy doesn't detect something, or shows false positive detection
+---
+
+## Checklist
+- [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
+- [ ] I've confirmed that a security advisory in data sources was correct.
+    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
+
+
+## Description
+
+<!--
+Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
+-->
+
+## JSON Output of run with `-debug`:
+
+```
+(paste your output here)
+```
+
+## Output of `trivy -v`:
+
+```
+(paste your output here)
+```
+
+## Additional details (base image name, container registry info...):
+
+

.github/pull_request_template.md

@@ -10,8 +10,8 @@
 Remove this section if you don't have related PRs.
 
 ## Checklist
-- [ ] I've read the [guidelines for contributing](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md) to this repository.
-- [ ] I've followed the [conventions](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md#title) in the PR title.
+- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)

.github/workflows/mkdocs-dev.yaml

@@ -12,18 +12,17 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
         with:
           python-version: 3.x
       - name: Install dependencies
         run: |
           pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
-          pip install mkdocs-macros-plugin
+          pip install -r docs/build/requirements.txt
         env:
           GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
       - name: Configure the git user

.github/workflows/mkdocs-latest.yaml

@@ -14,18 +14,17 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
         with:
           python-version: 3.x
       - name: Install dependencies
         run: |
           pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
-          pip install mkdocs-macros-plugin
+          pip install -r docs/build/requirements.txt
         env:
           GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
       - name: Configure the git user

.github/workflows/publish-chart.yaml

@@ -9,9 +9,8 @@ on:
     paths:
       - 'helm/trivy/**'
   push:
-    branches: [main]
-    paths:
-      - 'helm/trivy/**'
+    tags:
+      - "v*"
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
@@ -23,22 +22,22 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        uses: actions/setup-python@v3
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
+        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -50,13 +49,13 @@ jobs:
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
   publish-chart:
-    if: github.event_name == 'push'
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     needs:
       - test-chart
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           fetch-depth: 0
       - name: Install chart-releaser

.github/workflows/release.yaml

@@ -4,7 +4,7 @@ on:
     tags:
       - "v*"
 env:
-  GO_VERSION: "1.17"
+  GO_VERSION: "1.18"
   GH_USER: "aqua-bot"
 jobs:
   release:
@@ -12,11 +12,16 @@ jobs:
     runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Install dependencies
         run: |
           sudo apt-get -y update
           sudo apt-get -y install rpm reprepro createrepo distro-info
+      - uses: sigstore/cosign-installer@51f8e5c6fce54e46006ae97d73b2b6315f518752
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx
@@ -29,11 +34,11 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3.0.1
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -64,12 +69,12 @@ jobs:
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.183.0
+          version: v1.4.1
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
       - name: Checkout trivy-repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo

.github/workflows/scan.yaml

@@ -1,25 +1,23 @@
-name: Scan
-on: [push, pull_request]
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
 jobs:
   build:
     name: Scan Go vulnerabilities
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Run Trivy vulnerability scanner to scan for Critical Vulnerabilities
-        uses: aquasecurity/trivy-action@master
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.3
         with:
-          scan-type: 'fs'
-          exit-code: '1'
-          severity: 'CRITICAL'
-          skip-dirs: integration,examples
-
-      - name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          exit-code: '0'
-          severity: 'HIGH,MEDIUM'
+          assignee: knqyf263
+          severity: CRITICAL
           skip-dirs: integration,examples
+          label: vulnerability
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -0,0 +1,85 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types:
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+            BREAKING
+
+          scopes:
+            vuln
+            misconf
+            secret
+
+            image
+            fs
+            repo
+            sbom
+            server
+
+            alpine
+            redhat
+            alma
+            rocky
+            mariner
+            oracle
+            debian
+            ubuntu
+            amazon
+            suse
+            photon
+            distroless
+
+            ruby
+            php
+            python
+            nodejs
+            rust
+            dotnet
+            java
+            go
+            
+            os
+            lang
+
+            kubernetes
+            dockerfile
+            terraform
+            cloudformation
+
+            docker
+            podman
+            containerd
+            oci
+
+            cli
+            flag
+
+            helm
+            report
+            db
+            deps

.github/workflows/test.yaml

@@ -10,13 +10,13 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.17"
+  GO_VERSION: "1.18"
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Set up Go
         uses: actions/setup-go@v2
@@ -24,9 +24,9 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3.1.0
         with:
-          version: v1.41
+          version: v1.45
           args: --deadline=30m
 
       - name: Run unit tests
@@ -43,7 +43,7 @@ jobs:
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Run integration tests
       run: make test-integration
@@ -65,7 +65,7 @@ jobs:
       run: echo ${{ steps.buildx.outputs.platforms }}
 
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v2
@@ -75,7 +75,7 @@ jobs:
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
-        version: v0.183.0
+        version: v1.4.1
         args: release --snapshot --rm-dist --skip-publish
 
   build-documents:
@@ -83,18 +83,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v3
       with:
         python-version: 3.x
     - name: Install dependencies
       run: |
-        pip install mkdocs-material
-        pip install mike
-        pip install mkdocs-macros-plugin
+        pip install -r docs/build/requirements.txt
     - name: Configure the git user
       run: |
         git config user.name "knqyf263"

.gitignore

@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-trivy
+/trivy
 
 ## chart release
 .cr-release-packages

.golangci.yaml

@@ -44,6 +44,7 @@ linters:
     - misspell
 
 run:
+  go: 1.18
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"

CONTRIBUTING.md

@@ -1,104 +1 @@
-Thank you for taking interest in contributing to Trivy!
-
-## Issues
-- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
-- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
-- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
-- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
-
-## Pull Requests
-
-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-4. Please add the associated Issue link in the PR description.
-2. Your PR is more likely to be accepted if it focuses on just one change.
-5. There's no need to add or tag reviewers.
-6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-7. Please include a comment with the results before and after your change.
-8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
-
-### Title
-It is not that strict, but we use the title conventions in this repository.
-Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
-
-#### Format of the title
-
-```
-<type>(<scope>): <subject>
-```
-
-The `type` and `scope` should always be lowercase as shown below.
-
-**Allowed `<type>` values:**
-  - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
-  - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
-  - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
-  - **docs** for changes to the documentation.
-  - **style** for formatting changes, missing semicolons, etc.
-  - **refactor** for refactoring production code, e.g. renaming a variable.
-  - **test** for adding missing tests, refactoring tests; no production code change.
-  - **build** for updating build configuration, development tools or other changes irrelevant to the user.
-  - **chore** for updates that do not apply to the above, such as dependency updates.
-
-**Example `<scope>` values:**
-- alpine
-- redhat
-- ruby
-- python
-- terraform
-- report
-- etc.
- 
-The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
-
-#### Example titles
-
-```
-feat(alma): add support for AlmaLinux
-```
-
-```
-fix(oracle): handle advisories with ksplice versions
-```
-
-```
-docs(misconf): add comparison with Conftest and TFsec
-```
-
-```
-chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
-```
-
-**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
-The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
-
-### Unit tests
-Your PR must pass all the unit tests. You can test it as below.
-
-```
-$ make test
-```
-
-### Integration tests
-Your PR must pass all the integration tests. You can test it as below.
-
-```
-$ make test-integration
-```
-
-### Documentation
-You can build the documents as below and view it at http://localhost:8000.
-
-```
-$ make mkdocs-serve
-```
-
-## Understand where your pull request belongs
-
-Trivy is composed of several different repositories that work together:
-
-- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
-- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
-- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
-- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
-- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.15.0
+FROM alpine:3.15.4
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.17
+FROM golang:1.18.0
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -58,7 +58,9 @@ protoc:
 	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
 
 _protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
+	for path in `find ./rpc/ -name "*.proto" -type f`; do \
+		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
+	done
 
 .PHONY: install
 install:

README.md

@@ -22,24 +22,31 @@ Scanner for vulnerabilities in container images, file systems, and Git repositor
 `Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
 `Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.).
 In addition, `Trivy` scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
+`Trivy` also scans hardcoded secrets like passwords, API keys and tokens.
 `Trivy` is easy to use. Just install the binary and you're ready to scan.
 
-<p align="center">
+<figure style="text-aligh: center">
   <img src="docs/imgs/overview.png" width="800" alt="Trivy Overview">
-</p>
+</figure>
 
 ### Demo: Vulnerability Detection (Container Image)
-<p align="center">
+<figure style="text-aligh: center">
   <img src="docs/imgs/vuln-demo.gif" width="1000" alt="Vulnerability Detection">
-</p>
+</figure>
 
 ### Demo: Misconfiguration Detection (IaC Files)
-<p align="center">
+<figure style="text-aligh: center">
   <img src="docs/imgs/misconf-demo.gif" width="1000" alt="Misconfiguration Detection">
-</p>
+</figure>
+
+### Demo: Secret Detection
+<figure style="text-aligh: center">
+  <img src="docs/imgs/secret-demo.gif" width="1000">
+</figure>
+
 
 # Quick Start
-## Scan Image for Vulnerabilities
+## Scan Image for Vulnerabilities and Secrets
 Simply specify an image name (and a tag).
 
 ```
@@ -72,17 +79,17 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 ```
 </details>
 
-## Scan Filesystem for Vulnerabilities and Misconfigurations
+## Scan Filesystem for Vulnerabilities, Secrets and Misconfigurations
 Simply specify a directory to scan.
 
 ```bash
-$ trivy fs --security-checks vuln,config [YOUR_PROJECT_DIR]
+$ trivy fs --security-checks vuln,secret,config [YOUR_PROJECT_DIR]
 ```
 
 For example:
 
 ```bash
-$ trivy fs --security-checks vuln,config myproject/
+$ trivy fs --security-checks vuln,secret,config myproject/
 ```
 
 <details>
@@ -171,6 +178,10 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
   - A wide variety of built-in policies are provided **out of the box**
     - Kubernetes, Docker, Terraform, and more coming soon
   - Support custom policies
+- Secret detection
+  - A wide variety of built-in rules are provided **out of the box**
+  - Support custom rules
+  - Scan container images at high speed
 - Simple
   - Specify only an image name, a path to config files, or an artifact name
 - Fast

contrib/asff.tpl

@@ -1,66 +1,72 @@
-[
-{{- $t_first := true -}}
-{{- range . -}}
-{{- $target := .Target -}}
-{{- range .Vulnerabilities -}}
-{{- if $t_first -}}
-  {{- $t_first = false -}}
-{{- else -}}
-  ,
-{{- end -}}
-{{- $severity := .Severity -}}
-{{- if eq $severity "UNKNOWN" -}}
-{{- $severity = "INFORMATIONAL" -}}
-{{- end -}}
-{{- $description := .Description -}}
-{{- if gt (len $description ) 1021 -}}
-    {{- $description = (substr 0 1021 $description) | printf "%v .." -}}
-{{- end}}
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "Severity": {
-            "Label": "{{ $severity }}"
-        },
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
-        "Description": {{ escapeString $description | printf "%q" }},
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "{{ .PrimaryURL }}"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "{{ $target }}",
-                "Partition": "aws",
-                "Region": "{{ env "AWS_REGION" }}",
-                "Details": {
-                    "Container": { "ImageName": "{{ $target }}" },
-                    "Other": {
-                        "CVE ID": "{{ .VulnerabilityID }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
-                        "PkgName": "{{ .PkgName }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
-                        "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- $image := .Target -}}
+    {{- if gt (len $image) 127 -}}
+        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
+    {{- end}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 512 -}}
+        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $image }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
                     }
                 }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-   {{- end -}}
-  {{- end }}
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+       {{- end -}}
+      {{- end }}
+    ]
+}

contrib/gitlab-codequality.tpl

@@ -13,8 +13,8 @@
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
-      "description": {{ list .VulnerabilityID .Title | join ": " | printf "%q" }},
-      "fingerprint": "{{ .VulnerabilityID | sha1sum }}",
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
       "content": {{ .Description | printf "%q" }},
       "severity": {{ if eq .Severity "LOW" -}}
                     "info"
@@ -28,9 +28,41 @@
                     "info"
                   {{- end }},
       "location": {
-        "path": "{{ .PkgName }}-{{ .InstalledVersion }}",
+        "path": "{{ $target }}",
         "lines": {
-          "begin": 1
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .IacMetadata.StartLine }}
         }
       }
     }

docs/advanced/community/references.md

@@ -1,19 +0,0 @@
-# External References
-There are external blogs and evaluations.
-
-## Blogs
-- [the vulnerability remediation lifecycle of Alpine containers][alpine]
-- [Continuous Container Vulnerability Testing with Trivy][semaphore]
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-- [Istio evaluates scanners][istio]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/advanced/index.md

@@ -1,2 +0,0 @@
-# Advanced
-This section describes advanced features, integrations, etc.

docs/build/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:7.0.6
+FROM squidfunk/mkdocs-material:8.2.10
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
@@ -6,4 +6,5 @@ FROM squidfunk/mkdocs-material:7.0.6
 # docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
 # FROM ghcr.io/squidfunk/mkdocs-material-insiders
 
-RUN pip install mike mkdocs-macros-plugin
+COPY requirements.txt .
+RUN pip install -r requirements.txt

docs/build/requirements.txt

@@ -0,0 +1,30 @@
+click==8.1.2
+csscompressor==0.9.5
+ghp-import==2.0.2
+htmlmin==0.1.12
+importlib-metadata==4.11.3
+Jinja2==3.1.1
+jsmin==3.0.1
+Markdown==3.3.6
+MarkupSafe==2.1.1
+mergedeep==1.3.4
+mike==1.1.2
+mkdocs==1.3.0
+mkdocs-macros-plugin==0.7.0
+mkdocs-material==8.2.10
+mkdocs-material-extensions==1.0.3
+mkdocs-minify-plugin==0.5.0
+mkdocs-redirects==1.0.4
+packaging==21.3
+Pygments==2.11.2
+pymdown-extensions==9.3
+pyparsing==3.0.8
+python-dateutil==2.8.2
+PyYAML==6.0
+pyyaml-env-tag==0.1
+six==1.16.0
+termcolor==1.1.0
+verspec==0.1.0
+watchdog==2.1.7
+zipp==3.8.0
+

docs/community/cks.md

@@ -0,0 +1,21 @@
+# CKS preparation resources
+
+Community Resources
+
+- [Trivy Video overview (short)][overview]
+- [Example questions from the exam][exam]
+- [More example questions][questions]
+
+Aqua Security Blog posts
+
+- Supply chain security best [practices][supply-chain-best-practices]
+- Supply chain [attacks][supply-chain-attacks]
+- 
+If you know of interesting resources, please start a PR to add those to the list.
+
+[overview]: https://youtu.be/2cjH6Zkieys
+[exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a
+[questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md
+
+[supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices
+[supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images

docs/community/contribute/issue.md

@@ -0,0 +1,31 @@
+Thank you for taking interest in contributing to Trivy!
+
+- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
+- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
+- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
+
+## Wrong detection
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Sometime these databases contain mistakes.
+
+If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
+
+1. Run Trivy with `-f json` that shows data sources.
+2. According to the shown data source, make sure that the security advisory in the data source is correct.
+
+If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
+
+### GitHub Advisory Database
+Visit [here](https://github.com/advisories) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
+ 
+### GitLab Advisory Database
+Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
+ 
+### Red Hat CVE Database
+Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
+

docs/community/contribute/pr.md

@@ -0,0 +1,164 @@
+Thank you for taking interest in contributing to Trivy!
+
+1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
+1. Please add the associated Issue link in the PR description.
+1. Your PR is more likely to be accepted if it focuses on just one change.
+1. There's no need to add or tag reviewers.
+1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+1. Please include a comment with the results before and after your change.
+1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+
+- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+- **docs** for changes to the documentation.
+- **style** for formatting changes, missing semicolons, etc.
+- **refactor** for refactoring production code, e.g. renaming a variable.
+- **test** for adding missing tests, refactoring tests; no production code change.
+- **build** for updating build configuration, development tools or other changes irrelevant to the user.
+- **chore** for updates that do not apply to the above, such as dependency updates.
+- **ci** for changes to CI configuration files and scripts
+- **revert** for revert to a previous commit
+
+**Allowed `<scope>` values:**
+
+checks:
+
+- vuln
+- misconf
+- secret
+
+mode:
+
+- image
+- fs
+- repo
+- sbom
+- server
+
+os:
+
+- alpine
+- redhat
+- alma
+- rocky
+- mariner
+- oracle
+- debian
+- ubuntu
+- amazon
+- suse
+- photon
+- distroless
+
+language:
+
+- ruby
+- php
+- python
+- nodejs
+- rust
+- dotnet
+- java
+- go
+
+vuln:
+
+- os
+- lang
+
+config:
+
+- kubernetes
+- dockerfile
+- terraform
+- cloudformation
+
+container
+
+- docker
+- podman
+- containerd
+- oci
+
+cli:
+
+- cli
+- flag
+
+others:
+
+- helm
+- report
+- db
+- deps
+
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```
+
+## Understand where your pull request belongs
+
+Trivy is composed of several repositories that work together:
+
+- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
+- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
+- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
+- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

docs/community/maintainer/triage.md

@@ -1,7 +1,10 @@
+# Triage
+
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
 
 Triage includes:
+
 - Labeling issues
 - Responding to issues
 - Closing issues
@@ -185,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 
-We have specific [guidelines](/docs/advanced/contribd/contrib/help-wanted.md)
+We have specific [guidelines](/docs/docs/advanced/contribd/contrib/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 

docs/community/references.md

@@ -0,0 +1,48 @@
+# Additional References
+There are external blogs and evaluations.
+
+## Blogs
+- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
+- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
+- [DevSecOps with Trivy and GitHub Actions][actions]
+- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
+- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+## Presentations
+- Aqua Security YouTube Channel
+    - [Trivy - container image scanning][intro]
+    - [Using Trivy in client server mode][server]
+    - [Tweaking Trivy output to fit your workflow][tweaking]
+    - [How does a vulnerability scanner identify packages?][identify]
+- CNCF Webinar 2020
+    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
+- KubeCon + CloudNativeCon Europe 2020 Virtual
+    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
+
+[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
+[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
+[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
+[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
+[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
+[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
+
+[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
+[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
+[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
+[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
+[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

docs/docs/advanced/air-gap.md

@@ -109,5 +109,5 @@ In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn
 $ trivy conf --skip-policy-update /path/to/conf
 ```
 
-[allowlist]: ../getting-started/troubleshooting.md
+[allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/

docs/docs/index.md

@@ -0,0 +1,85 @@
+# Docs
+
+Trivy detects two types of security issues:
+
+- [Vulnerabilities][vuln]
+- [Misconfigurations][misconf]
+
+Trivy can scan three different artifacts:
+
+- [Container Images][container]
+- [Filesystem][filesystem] and [Rootfs][rootfs]
+- [Git Repositories][repo]
+
+Trivy can be run in two different modes:
+
+- [Standalone][standalone]
+- [Client/Server][client-server]
+
+It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
+See [Integrations][integrations] for details.
+
+## Features
+
+- Comprehensive vulnerability detection
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+- Detect IaC misconfigurations
+    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
+        - Kubernetes
+        - Docker
+        - Terraform
+        - more coming soon
+    - Support custom policies
+- Simple
+    - Specify only an image name, a directory containing IaC configs, or an artifact name
+    - See [Quick Start][quickstart]
+- Fast
+    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
+    - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
+- Easy installation
+    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation])
+    - **No pre-requisites** such as installation of DB, libraries, etc.
+- High accuracy
+    - **Especially Alpine Linux and RHEL/CentOS**
+    - Other OSes are also high
+- DevSecOps
+    - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
+    - See [CI Example][integrations]
+- Support multiple formats
+    - container image
+        - A local image in Docker Engine which is running as a daemon
+        - A local image in [Podman][podman] (>=2.0) which is exposing a socket
+        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
+        - A tar archive stored in the `docker save` / `podman save` formatted file
+        - An image directory compliant with [OCI Image Format][oci]
+    - local filesystem and rootfs
+    - remote git repository
+- [SBOM][sbom] (Software Bill of Materials) support
+    - CycloneDX 
+
+Please see [LICENSE][license] for Trivy licensing information.
+
+[installation]: ../getting-started/installation.md
+[vuln]: ../docs/vulnerability/scanning/index.md
+[misconf]: ../docs/misconfiguration/index.md
+[container]: ../docs/vulnerability/scanning/image.md
+[rootfs]: ../docs/vulnerability/scanning/rootfs.md
+[filesystem]: ../docs/vulnerability/scanning/filesystem.md
+[repo]: ../docs/vulnerability/scanning/git-repository.md
+
+[standalone]: ../docs/references/modes/standalone.md
+[client-server]: ../docs/references/modes/client-server.md
+[integrations]: ../docs/integrations/index.md
+
+[os]: ../docs/vulnerability/detection/os.md
+[lang]: ../docs/vulnerability/detection/language.md
+
+[builtin]: ../docs/misconfiguration/policy/builtin.md
+[quickstart]: ../getting-started/quickstart.md
+[podman]: ../docs/advanced/container/podman.md
+
+[sbom]: ../docs/sbom/index.md
+
+[oci]: https://github.com/opencontainers/image-spec
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/docs/integrations/gitlab-ci.md

@@ -23,6 +23,8 @@ trivy:
     # See https://github.com/docker-library/docker/pull/166
     DOCKER_TLS_CERTDIR: ""
     IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
   before_script:
     - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
     - echo $TRIVY_VERSION
@@ -32,11 +34,11 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
     # Print report
-    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $IMAGE
+    - ./trivy image --exit-code 0 --severity HIGH $IMAGE
     # Fail on severe vulnerabilities
-    - ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $IMAGE
+    - ./trivy image --exit-code 1 --severity CRITICAL $IMAGE
   cache:
     paths:
       - .trivycache/
@@ -71,20 +73,22 @@ container_scanning:
     TRIVY_USERNAME: "$CI_REGISTRY_USER"
     TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
     TRIVY_AUTH_URL: "$CI_REGISTRY"
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
     FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
   script:
     - trivy --version
     # cache cleanup is needed when scanning images with the same tags, it does not remove the database
     - time trivy image --clear-cache
     # update vulnerabilities db
-    - time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
+    - time trivy image --download-db-only
     # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
-    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
+    - time trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
         --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
     # Prints full report
-    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress "$FULL_IMAGE_NAME"
+    - time trivy image --exit-code 0 "$FULL_IMAGE_NAME"
     # Fail on critical vulnerabilities
-    - time trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
+    - time trivy image --exit-code 1 --severity CRITICAL "$FULL_IMAGE_NAME"
   cache:
     paths:
       - .trivycache/
@@ -126,6 +130,8 @@ trivy:
     # See https://github.com/docker-library/docker/pull/166
     DOCKER_TLS_CERTDIR: ""
     IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
   before_script:
     - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
     - echo $TRIVY_VERSION
@@ -134,8 +140,13 @@ trivy:
   script:
     # Build image
     - docker build -t $IMAGE .
-    # Build report
-    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate.json $IMAGE
+    # Image report
+    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+    # Filesystem report
+    - ./trivy filesystem --security-checks config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+    # Combine report
+    - apk update && apk add jq
+    - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
   cache:
     paths:
       - .trivycache/
@@ -155,3 +166,9 @@ already have a code quality report in your pipeline, you can use
 be necessary to rename the artifact if you want to reuse the name. To then
 combine the previous artifact with the output of trivy, the following `jq`
 command can be used, `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.
+
+### Gitlab CI alternative template example report
+
+You'll be able to see a full report in the Gitlab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
+
+![codequality](../../imgs/gitlab-codequality.png)

docs/docs/misconfiguration/custom/index.md

@@ -13,13 +13,14 @@ As for `--namespaces` option, the detail is described as below.
 ### File formats
 If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
 
-| File format    | File pattern                                     |
-| -------------- | ------------------------------------------------ |
-| JSON           | `*.json`                                         |
-| YAML           | `*.yaml`                                         |
-| TOML           | `*.toml`                                         |
-| HCL            | `*.hcl`, `*.hcl1`, and `*.hcl2`                  |
-| Dockerfile     | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile` |
+| File format   | File pattern                                              |
+| ------------- | --------------------------------------------------------- |
+| JSON          | `*.json`                                                  |
+| YAML          | `*.yaml`                                                  |
+| TOML          | `*.toml`                                                  |
+| HCL           | `*.hcl`, `*.hcl1`, and `*.hcl2`                           |
+| Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
+| Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
 
 ### Configuration languages
 In the above general file formats, Trivy automatically identifies the following types of configuration files:

docs/docs/misconfiguration/index.md

@@ -2,7 +2,7 @@
 Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes and Terraform.
 Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, HCL, etc, like [Conftest][conftest].
 
-![misconf](../imgs/misconf.png)
+![misconf](../../imgs/misconf.png)
 
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [conftest]: https://github.com/open-policy-agent/conftest/

docs/docs/misconfiguration/policy/builtin.md

@@ -6,12 +6,12 @@ Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
 Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].
 
-| Config type    | Source                        |
-| ---------------| ----------------------------- |
-| Kubernetes     | [AppShield][kubernetes]       |
-| Dockerfile     | [AppShield][docker]           |
-| Terraform      | [tfsec][tfsec-checks]         |
-| CloudFormation | [cfsec][cfsec-checks]         |
+| Config type               | Source                  |
+| ------------------------- | ----------------------- |
+| Kubernetes                | [AppShield][kubernetes] |
+| Dockerfile, Containerfile | [AppShield][docker]     |
+| Terraform                 | [tfsec][tfsec-checks]   |
+| CloudFormation            | [cfsec][cfsec-checks]   |
 
 For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.
 
@@ -29,7 +29,7 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [appshield]: https://github.com/aquasecurity/appshield
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
-[tfsec-checks]: https://tfsec.dev/docs/aws/home/
+[tfsec-checks]: https://tfsec.dev/
 [tfsec]: https://github.com/aquasecurity/tfsec
 [cfsec-checks]: https://cfsec.dev/
 [cfsec]: https://github.com/aquasecurity/cfsec

docs/docs/references/cli/fs.md

@@ -2,10 +2,10 @@
 
 ```bash
 NAME:
-   trivy filesystem - scan local filesystem
+   trivy filesystem - scan local filesystem for language-specific dependencies and config files
 
 USAGE:
-   trivy filesystem [command options] dir
+   trivy filesystem [command options] path
 
 OPTIONS:
    --template value, -t value                     output template [$TRIVY_TEMPLATE]
@@ -21,15 +21,21 @@ OPTIONS:
    --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
    --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
    --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --cache-ttl value                              cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
    --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
    --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --db-repository value                          OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
+   --skip-files value                             specify the file paths to skip traversal                                        (accepts multiple inputs) [$TRIVY_SKIP_FILES]
+   --skip-dirs value                              specify the directories where the traversal is skipped                          (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
+   --config-policy value                          specify paths to the Rego policy files directory, applying config files         (accepts multiple inputs) [$TRIVY_CONFIG_POLICY]
+   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded  (accepts multiple inputs) [$TRIVY_CONFIG_DATA]
+   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users")                                              (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
+   --server value                                 server address [$TRIVY_SERVER]
+   --token value                                  for authentication in client/server mode [$TRIVY_TOKEN]
+   --token-header value                           specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
+   --custom-headers value                         custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
    --help, -h                                     show help (default: false)
 ```

docs/docs/references/cli/image.md

@@ -0,0 +1,39 @@
+# Image
+
+```bash
+NAME:
+   trivy image - scan an image
+
+USAGE:
+   trivy image [command options] image_name
+
+OPTIONS:
+   --template value, -t value       output template [$TRIVY_TEMPLATE]
+   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
+   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
+   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --output value, -o value         output file name [$TRIVY_OUTPUT]
+   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
+   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
+   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
+   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
+   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
+   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
+   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
+   --security-checks value          comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
+   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --light                          deprecated (default: false) [$TRIVY_LIGHT]
+   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
+   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
+   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
+   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
+   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
+   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
+   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
+   --help, -h                       show help (default: false)
+```

docs/docs/references/cli/index.md

@@ -18,6 +18,7 @@ COMMANDS:
    server, s         server mode
    config, conf      scan config files
    plugin, p         manage plugins
+   version           print the version
    help, h           Shows a list of commands or help for one command
 
 GLOBAL OPTIONS:

docs/docs/references/cli/plugins.md

@@ -0,0 +1,173 @@
+# Plugins
+Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivycode base.
+This plugin system was inspired by the plugin system used in [kubectl][kubectl], [Helm][helm], and [Conftest][conftest].
+
+## Overview
+Trivy plugins are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language.
+- They integrate with Trivy, and will show up in Trivy help and subcommands.
+
+!!! warning
+    Trivy plugins available in public are not audited for security.
+    You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
+
+
+## Installing a Plugin
+A plugin can be installed using the `trivy plugin install` command.
+This command takes a url and will download the plugin and install it in the plugin cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- ~/.trivy/plugins
+
+Under the hood Trivy leverages [go-getter][go-getter] to download plugins.
+This means the following protocols are supported for downloading plugins:
+
+- OCI Registries
+- Local Files
+- Git
+- HTTP/HTTPS
+- Mercurial
+- Amazon S3
+- Google Cloud Storage
+
+For example, to download the Kubernetes Trivy plugin you can execute the following command:
+
+```bash
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
+```
+## Using Plugins
+Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
+A plugin will be made in the Trivy CLI based on the plugin name.
+To display all plugins, you can list them by `trivy --help`
+
+```bash
+$ trivy --help
+NAME:
+   trivy - A simple and comprehensive vulnerability scanner for containers
+
+USAGE:
+   trivy [global options] command [command options] target
+
+VERSION:
+   dev
+
+COMMANDS:
+   image, i          scan an image
+   filesystem, fs    scan local filesystem
+   repository, repo  scan remote repository
+   client, c         client mode
+   server, s         server mode
+   plugin, p         manage plugins
+   kubectl           scan kubectl resources
+   help, h           Shows a list of commands or help for one command
+```
+
+As shown above, `kubectl` subcommand exists in the `COMMANDS` section.
+To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
+
+```
+$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL
+```
+
+Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy.
+You can see the detail [here][trivy-plugin-kubectl].
+
+If you want to omit even the subcommand, you can use `TRIVY_RUN_AS_PLUGIN` environment variable.
+
+```bash
+$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json
+```
+
+## Installing and Running Plugins on the fly
+`trivy plugin run` installs a plugin and runs it on the fly.
+If the plugin is already present in the cache, the installation is skipped.
+
+```bash
+trivy plugin run github.com/aquasecurity/trivy-plugin-kubectl pod your-pod -- --exit-code 1
+```
+
+## Uninstalling Plugins
+Specify a plugin name with `trivy plugin uninstall` command.
+
+```bash
+$ trivy plugin uninstall kubectl
+```
+
+## Building Plugins
+Each plugin has a top-level directory, and then a plugin.yaml file.
+
+```bash
+your-plugin/
+  |
+  |- plugin.yaml
+  |- your-plugin.sh
+```
+
+In the example above, the plugin is contained inside of a directory named `your-plugin`.
+It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
+
+The core of a plugin is a simple YAML file named plugin.yaml.
+Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.
+
+```yaml
+name: "kubectl"
+repository: github.com/aquasecurity/trivy-plugin-kubectl
+version: "0.1.0"
+usage: scan kubectl resources
+description: |-
+  A Trivy plugin that scans the images of a kubernetes resource.
+  Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
+platforms:
+  - selector: # optional
+      os: darwin
+      arch: amd64
+    uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
+    bin: ./trivy-kubectl # path to the execution file
+  - selector: # optional
+      os: linux
+      arch: amd64
+    uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
+    bin: ./trivy-kubectl
+```
+
+The `plugin.yaml` field should contain the following information:
+
+- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
+- version: The version of the plugin. (required)
+- usage: A short usage description. (required)
+- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
+- platforms: (required)
+  - selector: The OS/Architecture specific variations of a execution file. (optional)
+    - os: OS information based on GOOS (linux, darwin, etc.) (optional)
+    - arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
+  - uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
+  - bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
+
+The following rules will apply in deciding which platform to select:
+
+- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
+- If `selector` is not present, the platform will be used.
+- If `os` matches and there is no more specific `arch` match, the platform will be used.
+- If no `platform` match is found, Trivy will exit with an error.
+
+After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
+When the plugin is called via Trivy CLI, `bin` command will be executed.
+
+The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
+
+## Example
+https://github.com/aquasecurity/trivy-plugin-kubectl
+
+[kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
+[helm]: https://helm.sh/docs/topics/plugins/
+[conftest]: https://www.conftest.dev/plugins/
+[go-getter]: https://github.com/hashicorp/go-getter
+[trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
+

docs/docs/references/cli/repo.md

@@ -0,0 +1,38 @@
+# Repository
+
+```bash
+NAME:
+   trivy repository - scan remote repository
+
+USAGE:
+   trivy repository [command options] repo_url
+
+OPTIONS:
+   --template value, -t value       output template [$TRIVY_TEMPLATE]
+   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
+   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
+   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --output value, -o value         output file name [$TRIVY_OUTPUT]
+   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
+   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
+   --skip-policy-update             skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
+   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
+   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
+   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
+   --security-checks value          comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
+   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
+   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --quiet, -q                      suppress progress bar and log output (default: false) [$TRIVY_QUIET]
+   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
+   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
+   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
+   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
+   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
+   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
+   --help, -h                       show help (default: false)
+```

docs/docs/references/cli/sbom.md

@@ -0,0 +1,19 @@
+# SBOM
+
+```bash
+NAME:
+   trivy sbom - generate SBOM for an artifact
+
+USAGE:
+   trivy sbom [command options] ARTIFACT
+
+OPTIONS:
+   --output value, -o value             output file name [$TRIVY_OUTPUT]
+   --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
+   --sbom-format value, --format value  SBOM format (cyclonedx) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
+   --help, -h                           show help (default: false)
+```

docs/docs/references/cli/server.md

@@ -0,0 +1,21 @@
+# Server
+
+```bash
+NAME:
+   trivy server - server mode
+
+USAGE:
+   trivy server [command options] [arguments...]
+
+OPTIONS:
+   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
+   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
+   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
+   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
+   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
+   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
+   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
+   --listen value                   listen address (default: "localhost:4954") [$TRIVY_LISTEN]
+   --help, -h                       show help (default: false)
+```

docs/docs/references/modes/client-server.md

@@ -55,5 +55,5 @@ $ trivy client --remote http://localhost:8080 --token dummy alpine:3.10
 
 ## Architecture
 
-![architecture](../../imgs/client-server.png)
+![architecture](../../../imgs/client-server.png)
 

docs/docs/references/modes/standalone.md

@@ -4,13 +4,13 @@
 
 ## Image
 
-![standalone](../../imgs/image.png)
+![standalone](../../../imgs/image.png)
 
 ## Filesystem
 
-![fs](../../imgs/fs.png)
+![fs](../../../imgs/fs.png)
 
 ## Git Repository
 
-![repo](../../imgs/repo.png)
+![repo](../../../imgs/repo.png)
 

docs/docs/references/troubleshooting.md

@@ -39,7 +39,7 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
-### Maven rate limiting
+### Maven rate limiting / inconsistent jar vulnerability reporting
 
 !!! error
     ``` bash
@@ -49,14 +49,41 @@ $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
     ```
 
 Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
-If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This can easily happen if you are running more than one instance of Trivy which is concurrently scanning multiple images.
+Once this starts happening Trivy's vulnerability reporting on jar files may become inconsistent.
+There are two options to resolve this issue:
+
+The first is to enable offline scanning using the `--offline-scan` option to stop Trivy from making API requests.
 This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
 If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+**Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.**
+
+The second, more scalable, option is the place Trivy behind a rate-limiting forward-proxy to the Maven Central API.
+One way to achieve this is to use nginx. You can use the following nginx config to enable both rate-limiting and caching (the caching greatly reduces the number of calls to the Maven Central API, especially if you are scanning a lot of similar images):
+
+```nginx
+limit_req_zone global zone=maven:1m rate=10r/s;
+proxy_cache_path /tmp/cache keys_zone=mavencache:10m;
+
+server {
+  listen 80;
+  proxy_cache mavencache;
+
+  location / {
+    limit_req zone=maven burst=1000;
+    proxy_cache_valid any 1h;
+    proxy_pass https://search.maven.org:443;
+  }
+}
+```
+
+This config file will allow a maximum of 10 requests per second to the Maven API, this number was determined experimentally so you might want to use something else if it doesn't fit your needs.
+
+Once nginx is up and running, you need to tell all your Trivy deployments to proxy their Maven API calls through nginx. You can do this by setting the `MAVEN_CENTRAL_URL` environment variable. For example, if your nginx proxy is running at `127.0.0.1`, you can set `MAVEN_CENTRAL_URL=http://127.0.0.1/solrsearch/select`.
 
-Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
 
 ### Running in parallel takes same time as series run
-When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
+When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
 This is because of a limitation of boltdb.
 > Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
 
@@ -79,7 +106,7 @@ If trivy is running behind corporate firewall, you have to add the following url
 !!! error
     --skip-update cannot be specified with the old DB schema.
 
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][../advanced/air-gap.md].
 
 ## Homebrew
 ### Scope error
@@ -130,4 +157,4 @@ Try again with `--reset` option:
 $ trivy image --reset
 ```
 
-[air-gapped]: ../advanced/air-gap.md
+[air-gapped]: ../how-to-guides/air-gap.md

docs/docs/sbom/cyclonedx.md

@@ -0,0 +1,233 @@
+# CycloneDX
+
+Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+Note that XML format is not supported at the moment.
+
+You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
+
+```
+$ trivy image --format cyclonedx --output result.json alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+$ cat result.json | jq .
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-02-22T15:11:40.270597Z",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "type": "container",
+      "name": "alpine:3.15",
+      "version": "",
+      "purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoDigest",
+          "value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoTag",
+          "value": "alpine:3.15"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "type": "library",
+      "name": "alpine-baselayout",
+      "version": "3.2.0-r18",
+      "licenses": [
+        {
+          "expression": "GPL-2.0-only"
+        }
+      ],
+      "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "alpine-baselayout"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "3.2.0-r18"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    ...(snip)...
+    {
+      "bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "type": "library",
+      "name": "zlib",
+      "version": "1.2.11-r3",
+      "licenses": [
+        {
+          "expression": "Zlib"
+        }
+      ],
+      "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "zlib"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "1.2.11-r3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    {
+      "bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "type": "operating-system",
+      "name": "alpine",
+      "version": "3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "alpine"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "dependsOn": [
+        "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+        "pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0",
+        "pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0",
+        "pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0",
+        "pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0",
+        "pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0",
+        "pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0",
+        "pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0"
+      ]
+    },
+    {
+      "ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "dependsOn": [
+        "3da6a469-964d-4b4e-b67d-e94ec7c88d37"
+      ]
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-2021-42386",
+      "source": {
+        "name": "alpine",
+        "url": "https://secdb.alpinelinux.org/"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.2,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 6.5,
+          "severity": "medium",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 6.6,
+          "severity": "medium",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [
+        416
+      ],
+      "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
+      "advisories": [
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2021-42386"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386"
+        }
+      ],
+      "published": "2021-11-15 21:15:00 +0000 UTC",
+      "updated": "2022-01-04 17:14:00 +0000 UTC",
+      "affects": [
+        {
+          "ref": "pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2"
+        },
+        {
+          "ref": "pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2"
+        }
+      ]
+    }
+  ]
+}
+
+```
+
+</details>
+
+[cyclonedx]: https://cyclonedx.org/

docs/docs/sbom/index.md

@@ -1,19 +1,24 @@
-# CycloneDX
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
-Note that XML format is not supported at the moment.
+# SBOM
+Trivy currently supports the following SBOM formats.
 
+- [CycloneDX][cyclonedx]
 
-You can specify `cyclonedx` with the `--format` option.
+To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
 
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
 ```
 
+In addition, you can use the `trivy sbom` subcommand.
+
+```
+$ trivy sbom alpine:3.15
+```
+
 <details>
 <summary>Result</summary>
 
 ```
-$ cat result.json | jq .
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
@@ -167,9 +172,20 @@ $ cat result.json | jq .
 }
 
 ```
+
 </details>
 
-!!! caution
-    It doesn't support vulnerabilities yet, but installed packages.
+`fs`, `repo` and `archive` also work with `sbom` subcommand.
 
-[cyclonedx]: https://cyclonedx.org/
+```
+# filesystem
+$ trivy sbom --artifact-type fs /path/to/project
+
+# repository
+$ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
+
+# container image archive
+$ trivy sbom --artifact-type archive alpine.tar
+```
+
+[cyclonedx]: cyclonedx.md

docs/docs/secret/configuration.md

@@ -0,0 +1,143 @@
+# Configuration
+Trivy tries to load `trivy-secret.yaml` in the current directory by default.
+If the file doesn't exist, only built-in rules are used.
+You can customize the config file path via the `--secret-config` flag.
+
+You can see the example [here][examples].
+
+## Custom Rules
+Trivy allows defining custom rules. You can see an example.
+
+``` yaml
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    path:
+      - .*\.sh
+    keywords:
+      - secret
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
+    secret-group-name: secret
+    allow-rules:
+      - id: skip-text
+        description: skip text files
+        path: .*\.txt
+```
+
+`id` (required)
+:   - Unique identifier for this rule.
+
+`category` (required)
+:   - String used for metadata and reporting purposes.
+
+`title` (required)
+:   - Short human-readable title of the rule.
+
+`severity` (required)
+:   - How critical this rule is.
+    - Allowed values:
+        - CRITICAL
+        - HIGH
+        - MEDIUM
+        - LOW
+
+`regex` (required)
+:   - Golang regular expression used to detect secrets.
+
+`path` (optional)
+:   - Golang regular expression used to match paths.
+
+`keywords` (optional, recommended)
+:   - Keywords are used for pre-regex check filtering.
+    - Rules that contain keywords will perform a quick string compare check to make sure the keyword(s) are in the content being scanned.
+    - Ideally these values should either be part of the identifier or unique strings specific to the rule's regex.
+    - It is recommended to define for better performance.
+
+`allow-rules` (optional)
+:   - Allow rules for a single rule to reduce false positives with known secrets.
+    - The details are below.
+
+## Allow Rules
+If the detected secret is matched with the specified `regex`, then that secret will be skipped and not detected.
+The same logic applies for `path`.
+
+`allow-rules` can be defined globally and per each rule. The fields are the same.
+
+``` yaml
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
+    allow-rules:
+      - id: skip-text
+        description: skip text files
+        path: .*\.txt
+allow-rules:
+  - id: social-security-number
+    description: skip social security number
+    regex: 219-09-9999
+```
+
+
+`id` (required)
+:   - Unique identifier for this allow rule.
+
+`description` (optional)
+:   - Short human-readable description of this allow rule.
+
+`regex` (optional)
+:   - Golang regular expression used to allow detected secrets.
+    - `regex` or `path` must be specified.
+
+`path` (optional)
+:   - Golang regular expression used to allow matched paths.
+    - `regex` or `path` must be specified.
+
+## Enable Rules
+Trivy provides plenty of out-of-box rules and allow rules, but you may not need all of them.
+In that case, `enable-builin-rules` will be helpful.
+If you just need AWS secret detection, you can enable only relevant rules as shown below.
+It specifies AWS-related rule IDs in `enable-builin-rules`.
+All other rules are disabled, so the scanning will be much faster.
+We would strongly recommend using this option if you don't need all rules.
+
+You can see a full list of [built-in rule IDs][builtin] and [built-in allow rule IDs][builtin-allow].
+
+``` yaml
+enable-builtin-rules:
+  - aws-access-key-id
+  - aws-account-id
+  - aws-secret-access-key
+```
+
+## Disable Rules
+Trivy offers built-in rules and allow rules, but you may want to disable some of them.
+For example, you don't use Slack, so Slack doesn't have to be scanned.
+You can specify the Slack rule IDs, `slack-access-token` and `slack-web-hook` in `disable-rules` so that those rules will be disabled for less false positives.
+
+You should specify either `enable-builin-rules` or `disable-rules`.
+If they both are specified, `disable-rules` takes precedence.
+In case `github-pat` is specified in `enable-builin-rules` and `disable-rules`, it will be disabled.
+
+In addition, there are some allow rules.
+Markdown files are ignored by default, but you may want to scan markdown files as well.
+You can disable the allow rule by adding `markdown` to `disable-allow-rules`.
+
+You can see a full list of [built-in rule IDs][builtin] and [built-in allow rule IDs][builtin-allow].
+
+``` yaml
+disable-rules:
+  - slack-access-token
+  - slack-web-hook
+disable-allow-rules:
+  - markdown
+```
+
+
+[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
+[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[examples]: ./examples.md

docs/docs/secret/examples.md

@@ -0,0 +1,98 @@
+# Examples
+Also see [quick start][quick-start].
+
+## Skip Directories
+Trivy traversals directories and scans all files except those matching the built-in allow rules by default.
+If your have a lot of files in your container image or project, the scanning takes time.
+To make it faster, you can skip traversal in the specific directory.
+Also, it would be helpful if your project contains secrets and certificates for testing.
+
+``` shell
+$ trivy image --skip-dirs /var/lib --skip-dirs /var/log YOUR_IMAGE
+```
+
+``` shell
+$ trivy fs --skip-dirs ./my-test-dir --skip-dirs ./my-testing-cert/ /path/to/your_project
+```
+
+`--skip-fles` also works similarly.
+
+## Filter by severity
+
+Use `--severity` option.
+
+``` shell
+$ trivy fs --severity CRITICAL ./
+
+app/secret.sh (secrets)
+=======================
+Total: 1 (CRITICAL: 1)
+
++----------+-------------------+----------+---------+--------------------------------+
+| CATEGORY |    DESCRIPTION    | SEVERITY | LINE NO |             MATCH              |
++----------+-------------------+----------+---------+--------------------------------+
+|   AWS    | AWS Access Key ID | CRITICAL |   10    | export AWS_ACCESS_KEY_ID=***** |
++----------+-------------------+----------+---------+--------------------------------+
+```
+
+## Disable secret scanning
+If you need vulnerability scanning only, you can disable secret scanning via the `--security-checks` flag.
+
+``` shell
+$ trivy image --security-checks vuln alpine:3.15
+```
+
+## With configuration file
+`trivy-secret.yaml` in the working directory is loaded by default.
+
+``` yaml
+$ cat trivy-secret.yaml
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
+allow-rules:
+  - id: social-security-number
+    description: skip social security number
+    regex: 219-09-9999
+  - id: log-dir
+    description: skip log directory
+    path: ^\/var\/log\/
+disable-rules:
+  - slack-access-token
+  - slack-web-hook
+disable-allow-rules:
+  - markdown
+
+# The following command automatically loads the above configuration.
+$ trivy image YOUR_IMAGE
+```
+
+Also, you can customize the config file path via `--secret-config`.
+
+``` yaml
+$ cat ./secret-config/trivy.yaml
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: HIGH
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
+    allow-rules:
+      - id: skip-text
+        description: skip text files
+        path: .*\.txt
+enable-builtin-rules:
+  - aws-access-key-id
+  - aws-account-id
+  - aws-secret-access-key
+disable-allow-rules:
+  - usr-dirs
+
+# Pass the above config with `--secret-config`.
+$ trivy fs --secret-config ./secret-config/trivy.yaml /path/to/your_project
+```
+
+[quick-start]: ./scanning.md#quick-start

docs/docs/secret/scanning.md

@@ -0,0 +1,124 @@
+# Secret Scanning
+
+Trivy scans any container image, filesystem and git repository to detect exposed secrets like passwords, api keys, and tokens.
+Secret scanning is enabled by default.
+
+Trivy will scan every plaintext file, according to builtin rules or configuration. There are plenty of builtin rules:
+
+- AWS access key
+- GCP service account
+- GitHub personal access token
+- GitLab personal access token
+- Slack access token
+- etc.
+
+You can see a full list of [built-in rules][builtin] and [built-in allow rules][builtin-allow].
+
+!!! tip
+    If your secret is not detected properly, please make sure that your file including the secret is not in [the allowed paths][builtin-allow].
+    You can disable allow rules via [disable-allow-rules][disable-rules].
+
+## Quick start
+This section shows how to scan secrets in container image and filesystem. Other subcommands should be the same.
+
+### Container image
+Specify an image name.
+
+``` shell
+$ trivy image myimage:1.0.0
+2022-04-21T18:56:44.099+0300    INFO    Detected OS: alpine
+2022-04-21T18:56:44.099+0300    INFO    Detecting Alpine vulnerabilities...
+2022-04-21T18:56:44.101+0300    INFO    Number of language-specific files: 0
+
+myimage:1.0.0 (alpine 3.15.0)
+=============================
+Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| busybox      | CVE-2022-28391   | CRITICAL | 1.34.1-r3         | 1.34.1-r5     | CVE-2022-28391 affecting              |
+|              |                  |          |                   |               | package busybox 1.35.0                |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
++--------------+------------------|          |-------------------+---------------+---------------------------------------+
+| ssl_client   | CVE-2022-28391   |          | 1.34.1-r3         | 1.34.1-r5     | CVE-2022-28391 affecting              |
+|              |                  |          |                   |               | package busybox 1.35.0                |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+
+app/secret.sh (secrets)
+=======================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
++----------+-------------------+----------+---------+--------------------------------+
+| CATEGORY |    DESCRIPTION    | SEVERITY | LINE NO |             MATCH              |
++----------+-------------------+----------+---------+--------------------------------+
+|   AWS    | AWS Access Key ID | CRITICAL |   10    | export AWS_ACCESS_KEY_ID=***** |
++----------+-------------------+----------+---------+--------------------------------+
+```
+
+
+!!! tip
+    Trivy tries to detect a base image and skip those layers for secret scanning.
+    A base image usually contains a lot of files and makes secret scanning much slower.
+    If a secret is not detected properly, you can see base layers with the `--debug` flag.
+
+### Filesystem
+
+``` shell
+$ trivy fs /path/to/your_project
+...(snip)...
+
+certs/key.pem (secrets)
+========================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
++----------------------+------------------------+----------+---------+---------------------------------+
+|       CATEGORY       |      DESCRIPTION       | SEVERITY | LINE NO |              MATCH              |
++----------------------+------------------------+----------+---------+---------------------------------+
+| AsymmetricPrivateKey | Asymmetric Private Key |   HIGH   |    1    | -----BEGIN RSA PRIVATE KEY----- |
++----------------------+------------------------+----------+---------+---------------------------------+
+```
+
+
+!!! tip
+    Your project may have some secrets for testing. You can skip them with `--skip-dirs` or `--skip-files`.
+    We would recommend specifying these options so that the secret scanning can be faster if those files don't need to be scanned.
+    Also, you can specify paths to be allowed in a configuration file. See the detail [here][configuration].   
+
+## Configuration
+Trivy has a set of builtin rules for secret scanning, which can be extended or modified by a configuration file.
+
+If you don't need secret scanning, you can disable it via the `--security-checks` flag.
+
+```shell
+$ trivy image --security-checks vuln alpine:3.15
+```
+
+## Recommendation
+We would recommend specifying `--skip-dirs` for faster secret scanning.
+In container image scanning, Trivy walks the file tree rooted  `/` and scans all the files other than [built-in allowed paths][builtin-allow].
+It will take a while if your image contains a lot of files even though Trivy tries to avoid scanning layers from a base image.
+If you want to make scanning faster, `--skip-dirs` and `--skip-files` helps so that Trivy will skip scanning those files and directories.
+The usage examples are [here][examples].
+
+`allow-rules` is also helpful. See the [allow-rules][allow-rules] section.
+
+In addition, all the built-in rules are enabled by default, so it takes some time to scan all of them.
+If you don't need all those rules, you can use `enable-builtin-rules` or `disable-rules` in the configuration file.
+You should use `enable-builin-rules` if you need only AWS secret detection, for example.
+All rules are disabled except for the ones you specify, so it runs very fast.
+On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
+See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
+
+## Credit
+This feature is inspired by [gitleaks][gitleaks]. 
+
+[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[configuration]: ./configuration.md
+[allow-rules]: ./configuration.md#allow-rules
+[enable-rules]: ./configuration.md#enable-rules
+[disable-rules]: ./configuration.md#disable-rules
+[examples]: ./examples.md
+[gitleaks]: https://github.com/zricethezav/gitleaks

docs/docs/vulnerability/detection/language.md

@@ -16,6 +16,7 @@
 |          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
 |          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
 | .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
+|          | packages.config          | ✅        | ✅         |       ✅        |       ✅        | excluded        |
 | Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
 |          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
 | Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |

docs/docs/vulnerability/detection/os.md

@@ -0,0 +1,24 @@
+# Supported OS
+
+The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. Trivy doesn't support self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.
+
+| OS                               | Supported Versions                        | Target Packages               | Detection of unfixed vulnerabilities |
+| -------------------------------- |-------------------------------------------| ----------------------------- | :----------------------------------: |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15, edge               | Installed by apk              |                  NO                  |
+| Red Hat Universal Base Image[^1] | 7, 8                                      | Installed by yum/rpm          |                 YES                  |
+| Red Hat Enterprise Linux         | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
+| CentOS                           | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
+| AlmaLinux                        | 8                                         | Installed by yum/rpm          |                  NO                  |
+| Rocky Linux                      | 8                                         | Installed by yum/rpm          |                  NO                  |
+| Oracle Linux                     | 5, 6, 7, 8                                | Installed by yum/rpm          |                  NO                  |
+| CBL-Mariner                      | 1.0, 2.0                                  | Installed by yum/rpm          |                 YES                  |
+| Amazon Linux                     | 1, 2                                      | Installed by yum/rpm          |                  NO                  |
+| openSUSE Leap                    | 42, 15                                    | Installed by zypper/rpm       |                  NO                  |
+| SUSE Enterprise Linux            | 11, 12, 15                                | Installed by zypper/rpm       |                  NO                  |
+| Photon OS                        | 1.0, 2.0, 3.0, 4.0                        | Installed by tdnf/yum/rpm     |                  NO                  |
+| Debian GNU/Linux                 | wheezy, jessie, stretch, buster, bullseye | Installed by apt/apt-get/dpkg |                 YES                  |
+| Ubuntu                           | All versions supported by Canonical       | Installed by apt/apt-get/dpkg |                 YES                  |
+| Distroless[^2]                   | Any                                       | Installed by apt/apt-get/dpkg |                 YES                  |
+
+[^1]: https://developers.redhat.com/products/rhel/ubi
+[^2]: https://github.com/GoogleContainerTools/distroless

docs/docs/vulnerability/distributions.md

@@ -0,0 +1,29 @@
+## CBL-Mariner
+Trivy scans [CBL-Mariner][mariner].
+
+### Support
+The following table provides an outline of the features Trivy offers.
+
+| Version | Container image | Virtual machine | Distroless |  Multi-arch  | Unfixed support |
+|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
+| 1.0     |        ✔        |        ✔        |            | amd64, arm64 |        ✔        |
+| 2.0     |        ✔        |        ✔        |            | amd64, arm64 |        ✔        |
+
+### Examples
+
+```
+$ trivy image cblmariner.azurecr.io/base/core:1.0
+2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
+2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
+2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0
+
+cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
+==============================================================
+Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 
+```
+
+### Data source
+See [here][source].
+
+[mariner]: https://github.com/microsoft/CBL-Mariner
+[source]: detection/data-source.md

docs/docs/vulnerability/examples/cache.md

@@ -33,10 +33,12 @@ $ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9
 Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.
 
 Two options:
+
 - `fs`
     - the cache path can be specified by `--cache-dir`
 - `redis://`
     - `redis://[HOST]:[PORT]`
+    - TTL can be configured via `--cache-ttl`
 
 ```
 $ trivy server --cache-backend redis://localhost:6379

docs/docs/vulnerability/examples/db.md

@@ -36,3 +36,10 @@ This is useful to initialize workers in Continuous Integration systems.
 ```
 $ trivy image --download-db-only
 ```
+
+## DB Repository
+`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
+
+```
+$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
+```

docs/docs/vulnerability/examples/filter.md

@@ -352,5 +352,5 @@ Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
 
 </details>
 
-[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/vulnerability/module.go
+[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go
 [policy]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/contrib/example_policy

docs/docs/vulnerability/examples/report.md

@@ -219,6 +219,6 @@ $ trivy image --format template --template "@/usr/local/share/trivy/templates/ht
 
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/

docs/docs/vulnerability/languages/golang.md

@@ -0,0 +1,62 @@
+# Go
+
+## Features
+Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
+The following table provides an outline of the features Trivy offers.
+
+| Artifact | Offline[^1] | Dev dependencies |
+|----------|:-----------:|:-----------------|
+| Modules  |      ✓      | Include          |
+| Binaries |      ✓      | Exclude          |
+
+!!! note
+    Trivy scans only dependencies of the Go project.
+    Let's say you scan the Docker binary, Trivy doesn't detect vulnerabilities of Docker itself.
+    Also, when you scan go.mod in Kubernetes, the Kubernetes vulnerabilities will not be found.
+
+### Go Modules
+Depending on Go versions, the required files are different.
+
+| Version | Required files | Offline | License |
+|---------|:--------------:|:-------:|:-------:|
+| \>=1.17 |     go.mod     |    ✓    |    -    |
+| <1.17   | go.mod, go.sum |    ✓    |    -    |
+
+In Go 1.17+ projects, Trivy uses `go.mod` for direct/indirect dependencies.
+On the other hand, it uses `go.mod` for direct dependencies and `go.sum` for indirect dependencies in Go 1.16 or less.
+
+Go 1.17+ holds actually needed indirect dependencies in `go.mod`, and it reduces false detection.
+`go.sum` in Go 1.16 or less contains all indirect dependencies that are even not needed for compiling.
+If you want to have better detection, please consider updating the Go version in your project.
+
+!!! note
+    The Go version doesn't mean your CLI version, but the Go version in your go.mod.
+
+    ```
+    module github.com/aquasecurity/trivy
+    
+    go 1.18
+    
+    require (
+            github.com/CycloneDX/cyclonedx-go v0.5.0
+            ...
+    )
+    ```
+
+    To update the Go version in your project, you need to run the following command.
+
+    ```
+    $ go mod tidy -go=1.18
+    ```
+
+### Go binaries
+Trivy scans binaries built by Go.
+If there is a Go binary in your container image, Trivy automatically finds and scans it.
+
+Also, you can scan your local binaries.
+
+```
+$ trivy fs ./your_binary
+```
+
+[^1]: It doesn't require the Internet access.

docs/docs/vulnerability/scanning/filesystem.md

@@ -0,0 +1,103 @@
+# Filesystem
+
+Scan a local project including language-specific files.
+
+```bash
+$ trivy fs /path/to/project
+```
+
+## Standalone mode
+### Local Project
+Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
+2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
+2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
+
+Pipfile.lock
+============
+Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
+|                     |                  |          |                   |                        | SQL injection via                  |
+|                     |                  |          |                   |                        | StringAgg(delimiter)               |
++                     +------------------+----------+                   +------------------------+------------------------------------+
+|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
+|                     |                  |          |                   |                        | allows account takeover            |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
+|                     |                  |          |                   |                        | spoofing via URL path in           |
+|                     |                  |          |                   |                        | default 404 page                   |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
+|                     |                  |          |                   |                        | memory exhaustion in               |
+|                     |                  |          |                   |                        | django.utils.numberformat.format() |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+...
+```
+
+</details>
+
+### Single file
+It's also possible to scan a single file.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
+```
+
+## Client/Server mode
+You must launch Trivy server in advance. 
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
+```
+
+<details>
+<summary>Result</summary>
+
+```
+pom.xml (pom)
+=============
+Total: 4 (CRITICAL: 4)
+
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485   | CRITICAL | 2.9.1             | 2.8.11, 2.9.4                  | jackson-databind: Unsafe              |
+|                                             |                  |          |                   |                                | deserialization due to                |
+|                                             |                  |          |                   |                                | incomplete black list (incomplete     |
+|                                             |                  |          |                   |                                | fix for CVE-2017-15095)...            |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17485 |
++                                             +------------------+          +                   +--------------------------------+---------------------------------------+
+|                                             | CVE-2020-9546    |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4    | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in shaded-hikari-config       |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9546  |
++                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9547    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in ibatis-sqlmap              |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547  |
++                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in anteros-core               |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+```
+</details>
+