refactor(k8s): custom reports (#3076 )

fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068 )
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-06 12:51:17 -08:00 · 2022-10-26 00:02:33 +03:00 · 2022-10-25 23:41:27 +03:00 · 2022-10-25 22:03:50 +03:00 · 2022-10-25 21:05:54 +03:00 · 2022-10-25 21:04:29 +03:00
1128 changed files with 256997 additions and 13135 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,19 @@
+# Global
+*   @knqyf263
+
+# Helm chart
+helm/trivy/ @krol3
+
+# Misconfiguration scanning
+examples/misconf/           @owenrumney @liamg @knqyf263
+docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+docs/docs/cloud             @owenrumney @liamg @knqyf263
+pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
+pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+pkg/cloud                   @owenrumney @liamg @knqyf263
+pkg/flag/aws_flags.go       @owenrumney @liamg @knqyf263
+pkg/flag/misconf_flags.go   @owenrumney @liamg @knqyf263
+
+# Kubernetes scanning
+pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
+docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263
--- a/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
+++ b/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
@@ -0,0 +1,33 @@
+---
+name: Wrong Detection
+labels: ["kind/bug"]
+about: If Trivy doesn't detect something, or shows false positive detection
+---
+
+## Checklist
+- [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
+- [ ] I've confirmed that a security advisory in data sources was correct.
+    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
+
+
+## Description
+
+<!--
+Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
+-->
+
+## JSON Output of run with `-debug`:
+
+```
+(paste your output here)
+```
+
+## Output of `trivy -v`:
+
+```
+(paste your output here)
+```
+
+## Additional details (base image name, container registry info...):
+
+
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -10,8 +10,8 @@
 Remove this section if you don't have related PRs.

 ## Checklist
- [ ] I've read the [guidelines for contributing](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md) to this repository.
- [ ] I've followed the [conventions](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md#title) in the PR title.
+- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -0,0 +1,59 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.9
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -12,18 +12,17 @@ jobs:
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
-          pip install mkdocs-macros-plugin
+          pip install -r docs/build/requirements.txt
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - name: Configure the git user
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -14,18 +14,17 @@ jobs:
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
-          pip install mike
-          pip install mkdocs-macros-plugin
+          pip install -r docs/build/requirements.txt
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - name: Configure the git user
@@ -36,7 +35,7 @@ jobs:
        if: ${{ github.event.inputs.version == '' }}
        run: |
          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -9,36 +9,35 @@ on:
    paths:
      - 'helm/trivy/**'
  push:
-    branches: [main]
-    paths:
-      - 'helm/trivy/**'
+    tags:
+      - "v*"
 env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
-  KIND_VERSION: "v0.11.1"
-  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
  test-chart:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
+        uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1
        with:
          version: v3.5.0
      - name: Set up python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
      - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
@@ -46,17 +45,17 @@ jobs:
        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
      - name: Run chart-testing (Ingress enabled)
        run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
          ct lint-and-install --validate-maintainers=false --charts helm/trivy

  publish-chart:
-    if: github.event_name == 'push'
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    needs:
      - test-chart
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install chart-releaser
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,85 +3,55 @@ on:
  push:
    tags:
      - "v*"
-env:
-  GO_VERSION: "1.17"
-  GH_USER: "aqua-bot"
+
 jobs:
  release:
    name: Release
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 90m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.9
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
      - name: Install dependencies
        run: |
          sudo apt-get -y update
          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Show available Docker Buildx platforms
-        run: echo ${{ steps.buildx.outputs.platforms }}
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Cache Go modules
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Login to docker.io registry
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ghcr.io registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ env.GH_USER }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v1
-        with:
-          args: mod -licenses -json -output bom.json
-          version: ^v1
-      - name: Release
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          version: v0.183.0
-          args: release --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
      - name: Checkout trivy-repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          repository: ${{ github.repository_owner }}/trivy-repo
          path: trivy-repo
          fetch-depth: 0
          token: ${{ secrets.ORG_REPO_TOKEN }}
+
      - name: Setup git settings
        run: |
          git config --global user.email "knqyf263@gmail.com"
          git config --global user.name "Teppei Fukuda"
+
      - name: Create rpm repository
        run: ci/deploy-rpm.sh
+
      - name: Import GPG key
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
      - name: Create deb repository
        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -0,0 +1,108 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.0.9
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,25 +1,23 @@
-name: Scan
-on: [push, pull_request]
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
 jobs:
  build:
    name: Scan Go vulnerabilities
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

-      - name: Run Trivy vulnerability scanner to scan for Critical Vulnerabilities
-        uses: aquasecurity/trivy-action@master
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.4
        with:
-          scan-type: 'fs'
-          exit-code: '1'
-          severity: 'CRITICAL'
-          skip-dirs: integration,examples
-
-      - name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          exit-code: '0'
-          severity: 'HIGH,MEDIUM'
+          assignee: knqyf263
+          severity: CRITICAL
          skip-dirs: integration,examples
+          label: kind/security
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -0,0 +1,92 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types:
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+            BREAKING
+
+          scopes:
+            vuln
+            misconf
+            secret
+            license
+
+            image
+            fs
+            repo
+            sbom
+            server
+            k8s
+
+            alpine
+            redhat
+            alma
+            rocky
+            mariner
+            oracle
+            debian
+            ubuntu
+            amazon
+            suse
+            photon
+            distroless
+
+            ruby
+            php
+            python
+            nodejs
+            rust
+            dotnet
+            java
+            go
+            c
+            c++
+            
+            os
+            lang
+
+            kubernetes
+            dockerfile
+            terraform
+            cloudformation
+
+            docker
+            podman
+            containerd
+            oci
+
+            cli
+            flag
+            
+            cyclonedx
+            spdx
+
+            helm
+            report
+            db
+            deps
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v4
+    - uses: actions/stale@v6
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,24 +10,38 @@ on:
      - 'LICENSE'
  pull_request:
 env:
-  GO_VERSION: "1.17"
+  TINYGO_VERSION: "0.25.0"
 jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
+            exit 1
+          fi

      - name: Lint
-        uses: golangci/golangci-lint-action@v3.1.0
+        uses: golangci/golangci-lint-action@v3.2.0
        with:
-          version: v1.41
+          version: v1.49
          args: --deadline=30m
+          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+
+      - name: Install TinyGo
+        run: |
+          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
+          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb

      - name: Run unit tests
        run: make test
@@ -36,17 +50,37 @@ jobs:
    name: Integration Test
    runs-on: ubuntu-latest
    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod

-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration
+
+  module-test:
+    name: Module Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Install TinyGo
+        run: |
+          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
+          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
+
+      - name: Run module integration tests
+        run: |
+          make test-module-integration

  build-test:
    name: Build Test
@@ -55,46 +89,44 @@ jobs:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
+      uses: docker/setup-qemu-action@v2

    - name: Set up Docker Buildx
      id: buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2

    - name: Show available Docker Buildx platforms
      run: echo ${{ steps.buildx.outputs.platforms }}

    - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3

    - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
      with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod

    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v2
+      uses: goreleaser/goreleaser-action@v3
      with:
-        version: v0.183.0
-        args: release --snapshot --rm-dist --skip-publish
+        version: v1.4.1
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m

  build-documents:
    name: Documentation Test
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
      with:
        fetch-depth: 0
        persist-credentials: true
-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
      with:
        python-version: 3.x
    - name: Install dependencies
      run: |
-        pip install mkdocs-material
-        pip install mike
-        pip install mkdocs-macros-plugin
+        pip install -r docs/build/requirements.txt
    - name: Configure the git user
      run: |
        git config user.name "knqyf263"
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-trivy
+/trivy

 ## chart release
 .cr-release-packages
@@ -16,6 +16,7 @@ trivy
 *.out

 .idea
+.vscode

 # Directory Cache Files
 .DS_Store
@@ -30,3 +31,6 @@ integration/testdata/fixtures/images

 # goreleaser output
 dist
+
+# WebAssembly
+*.wasm
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -21,19 +21,17 @@ linters-settings:
    local-prefixes: github.com/aquasecurity
  gosec:
    excludes:
+      - G114
      - G204
      - G402

 linters:
  disable-all: true
  enable:
-    - structcheck
+    - unused
    - ineffassign
    - typecheck
    - govet
-    - errcheck
-    - varcheck
-    - deadcode
    - revive
    - gosec
    - unconvert
@@ -44,10 +42,12 @@ linters:
    - misspell

 run:
+  go: 1.19
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
    - "integration/*"
+    - "examples/*"

 issues:
  exclude-rules:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,104 +1 @@
-Thank you for taking interest in contributing to Trivy!
-
-## Issues
- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
-
-## Pull Requests
-
-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-4. Please add the associated Issue link in the PR description.
-2. Your PR is more likely to be accepted if it focuses on just one change.
-5. There's no need to add or tag reviewers.
-6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-7. Please include a comment with the results before and after your change.
-8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
-
-### Title
-It is not that strict, but we use the title conventions in this repository.
-Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
-
-#### Format of the title
-
-```
-<type>(<scope>): <subject>
-```
-
-The `type` and `scope` should always be lowercase as shown below.
-
-**Allowed `<type>` values:**
-  - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
-  - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
-  - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
-  - **docs** for changes to the documentation.
-  - **style** for formatting changes, missing semicolons, etc.
-  - **refactor** for refactoring production code, e.g. renaming a variable.
-  - **test** for adding missing tests, refactoring tests; no production code change.
-  - **build** for updating build configuration, development tools or other changes irrelevant to the user.
-  - **chore** for updates that do not apply to the above, such as dependency updates.
-
-**Example `<scope>` values:**
- alpine
- redhat
- ruby
- python
- terraform
- report
- etc.
- 
-The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
-
-#### Example titles
-
-```
-feat(alma): add support for AlmaLinux
-```
-
-```
-fix(oracle): handle advisories with ksplice versions
-```
-
-```
-docs(misconf): add comparison with Conftest and TFsec
-```
-
-```
-chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
-```
-
-**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
-The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
-
-### Unit tests
-Your PR must pass all the unit tests. You can test it as below.
-
-```
-$ make test
-```
-
-### Integration tests
-Your PR must pass all the integration tests. You can test it as below.
-
-```
-$ make test-integration
-```
-
-### Documentation
-You can build the documents as below and view it at http://localhost:8000.
-
-```
-$ make mkdocs-serve
-```
-
-## Understand where your pull request belongs
-
-Trivy is composed of several different repositories that work together:
-
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.15.0
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -0,0 +1,10 @@
+FROM alpine:3.16.2
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM golang:1.17
+FROM golang:1.19.1

 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/78
+++ b/78
@@ -1,21 +1,42 @@
-VERSION := $(shell git describe --tags)
-LDFLAGS=-ldflags "-s -w -X=main.version=$(VERSION)"
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
+LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"

-GOPATH=$(shell go env GOPATH)
-GOBIN=$(GOPATH)/bin
-GOSRC=$(GOPATH)/src
+GOPATH := $(shell go env GOPATH)
+GOBIN := $(GOPATH)/bin
+GOSRC := $(GOPATH)/src
+
+TEST_MODULE_DIR := pkg/module/testdata
+TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
+TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
+
+EXAMPLE_MODULE_DIR := examples/module
+EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
+EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))

 MKDOCS_IMAGE := aquasec/mkdocs-material:dev
 MKDOCS_PORT := 8000

 u := $(if $(update),-u)

+# Tools
 $(GOBIN)/wire:
-	GO111MODULE=off go get github.com/google/wire/cmd/wire
+	go install github.com/google/wire/cmd/wire@v0.5.0
+
+$(GOBIN)/crane:
+	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
+
+$(GOBIN)/golangci-lint:
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
+
+$(GOBIN)/labeler:
+	go install github.com/knqyf263/labeler@latest
+
+$(GOBIN)/easyjson:
+	go install github.com/mailru/easyjson/...@v0.7.7

 .PHONY: wire
 wire: $(GOBIN)/wire
-	wire gen ./pkg/...
+	wire gen ./pkg/commands/... ./pkg/rpc/...

 .PHONY: mock
 mock: $(GOBIN)/mockery
@@ -26,19 +47,35 @@ deps:
 	go get ${u} -d
 	go mod tidy

-$(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.41.1
+.PHONY: generate-test-modules
+generate-test-modules: $(TEST_MODULES)

+# Compile WASM modules for unit and integration tests
+%.wasm:%.go
+	@if !(type "tinygo" > /dev/null 2>&1); then \
+		echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
+		exit 1; \
+	fi
+	go generate $<
+
+# Run unit tests
 .PHONY: test
-test:
+test: $(TEST_MODULES)
 	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...

-integration/testdata/fixtures/images/*.tar.gz:
-	git clone https://github.com/aquasecurity/trivy-test-images.git integration/testdata/fixtures/images
+integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
+	mkdir -p integration/testdata/fixtures/images/
+	integration/scripts/download-images.sh

+# Run integration tests
 .PHONY: test-integration
 test-integration: integration/testdata/fixtures/images/*.tar.gz
-	go test -v -tags=integration ./integration/...
+	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
+
+# Run WASM integration tests
+.PHONY: test-module-integration
+test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
+	go test -v -tags=module_integration ./integration/...

 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
@@ -58,7 +95,9 @@ protoc:
 	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@

 _protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
+	for path in `find ./rpc/ -name "*.proto" -type f`; do \
+		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
+	done

 .PHONY: install
 install:
@@ -68,15 +107,18 @@ install:
 clean:
 	rm -rf integration/testdata/fixtures/images

-$(GOBIN)/labeler:
-	go install github.com/knqyf263/labeler@latest
-
+# Create labels on GitHub
 .PHONY: label
 label: $(GOBIN)/labeler
 	labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5

+# Run MkDocs development server to preview the documentation page
 .PHONY: mkdocs-serve
-## Runs MkDocs development server to preview the documentation page
 mkdocs-serve:
 	docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
 	docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
+
+# Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
+.PHONY: easyjson
+easyjson: $(GOBIN)/easyjson
+	easyjson pkg/module/serialize/types.go
--- a/README.md
+++ b/README.md
@@ -1,14 +1,5 @@
-<p align="center">
-  <img src="docs/imgs/logo.png" width="200">
-</p>
-
-<p align="center">
-  <a href="https://aquasecurity.github.io/trivy/">Documentation</a> 
-</p>
-
-<p align="center">
-Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
-</p>
+<div align="center">
+<img src="docs/imgs/logo.png" width="200">

 [![GitHub Release][release-img]][release]
 [![Test][test-img]][test]
@@ -17,183 +8,115 @@ Scanner for vulnerabilities in container images, file systems, and Git repositor
 [![GitHub All Releases][github-all-releases-img]][release]
 ![Docker Pulls][docker-pulls]

+[📖 Documentation][docs]
+</div>

-# Abstract
-`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
-`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.).
-In addition, `Trivy` scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
-`Trivy` is easy to use. Just install the binary and you're ready to scan.
+Trivy (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

-<p align="center">
-  <img src="docs/imgs/overview.png" width="800" alt="Trivy Overview">
-</p>
+Trivy has different *scanners* that look for different security issues, and different *targets* where it can find those issues.

-### Demo: Vulnerability Detection (Container Image)
-<p align="center">
-  <img src="docs/imgs/vuln-demo.gif" width="1000" alt="Vulnerability Detection">
-</p>
+Targets:
+- Container Image
+- Filesystem
+- Git repository (remote)
+- Kubernetes cluster or resource

-### Demo: Misconfiguration Detection (IaC Files)
-<p align="center">
-  <img src="docs/imgs/misconf-demo.gif" width="1000" alt="Misconfiguration Detection">
-</p>
+Scanners:
+- OS packages and software dependencies in use (SBOM)
+- Known vulnerabilities (CVEs)
+- IaC misconfigurations
+- Sensitive information and secrets

-# Quick Start
-## Scan Image for Vulnerabilities
-Simply specify an image name (and a tag).
+Much more scanners and targets are coming up. Missing something? Let us know!

-```
-$ trivy image [YOUR_IMAGE_NAME]
+Read more in the [Trivy Documentation][docs]
+
+## Quick Start
+
+### Get Trivy
+
+Get Trivy by your favorite installation method. See [installation] section in the documentation for details. For example:
+
+- `apt-get install trivy`
+- `yum install trivy`
+- `pacman -S trivy`
+- `brew install aquasecurity/trivy/trivy`
+- `sudo port install trivy`
+- `docker run aquasec/trivy`
+- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
+
+### General usage
+
+```bash
+trivy <target> [--security-checks <scanner1,scanner2>] TARGET_NAME
 ```

-For example:
+Examples:

-```
+```bash
 $ trivy image python:3.4-alpine
 ```

 <details>
 <summary>Result</summary>

-```
-2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
-2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
+https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov

-python:3.4-alpine3.9 (alpine 3.9.2)
-===================================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
-|         |                  |          |                   |               | with long nonces               |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-```
 </details>

-## Scan Filesystem for Vulnerabilities and Misconfigurations
-Simply specify a directory to scan.
-
 ```bash
-$ trivy fs --security-checks vuln,config [YOUR_PROJECT_DIR]
-```
-
-For example:
-
-```bash
-$ trivy fs --security-checks vuln,config myproject/
+$ trivy fs --security-checks vuln,secret,config myproject/
 ```

 <details>
 <summary>Result</summary>

-```bash
-2021-07-09T12:03:27.564+0300    INFO    Number of language-specific files: 1
-2021-07-09T12:03:27.564+0300    INFO    Detecting pipenv vulnerabilities...
-2021-07-09T12:03:27.566+0300    INFO    Detected config files: 1
+https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov

-Pipfile.lock (pipenv)
-=====================
-Total: 1 (HIGH: 1, CRITICAL: 0)
-
-+----------+------------------+----------+-------------------+---------------+---------------------------------------+
-| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
-+----------+------------------+----------+-------------------+---------------+---------------------------------------+
-| httplib2 | CVE-2021-21240   | HIGH     | 0.12.1            | 0.19.0        | python-httplib2: Regular              |
-|          |                  |          |                   |               | expression denial of                  |
-|          |                  |          |                   |               | service via malicious header          |
-|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-21240 |
-+----------+------------------+----------+-------------------+---------------+---------------------------------------+
-
-Dockerfile (dockerfile)
-=======================
-Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
-Failures: 1 (HIGH: 1, CRITICAL: 0)
-
-+---------------------------+------------+----------------------+----------+------------------------------------------+
-|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
-+---------------------------+------------+----------------------+----------+------------------------------------------+
-| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
-|                           |            |                      |          | Dockerfile should not be 'root'          |
-|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
-+---------------------------+------------+----------------------+----------+------------------------------------------+
-```
 </details>

-## Scan Directory for Misconfigurations
-
-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
-
-```
-$ trivy config [YOUR_IAC_DIR]
-```
-
-For example:
-
-```
-$ ls build/
-Dockerfile
-$ trivy config ./build
+```bash
+$ trivy k8s --report summary cluster
 ```

 <details>
 <summary>Result</summary>

-```
-2021-07-09T10:06:29.188+0300    INFO    Need to update the built-in policies
-2021-07-09T10:06:29.188+0300    INFO    Downloading the built-in policies...
-2021-07-09T10:06:30.520+0300    INFO    Detected config files: 1
-
-Dockerfile (dockerfile)
-=======================
-Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
-Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
-
-+---------------------------+------------+----------------------+----------+------------------------------------------+
-|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
-+---------------------------+------------+----------------------+----------+------------------------------------------+
-| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
-|                           |            |                      |          | Dockerfile should not be 'root'          |
-|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
-+---------------------------+------------+----------------------+----------+------------------------------------------+
-```
+![k8s summary](docs/imgs/trivy-k8s.png)

 </details>

+Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.

-# Features
+Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
+
+
+## Highlights

 - Comprehensive vulnerability detection
  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
  - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Misconfiguration detection (IaC scanning) 
-  - A wide variety of built-in policies are provided **out of the box**
-    - Kubernetes, Docker, Terraform, and more coming soon
-  - Support custom policies
- Simple
-  - Specify only an image name, a path to config files, or an artifact name
- Fast
-  - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Easy installation
-  - `apt-get install`, `yum install` and `brew install` are possible.
-  - **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
-  - **Especially [Alpine Linux][alpine] and RHEL/CentOS**
-  - Other OSes are also high
- DevSecOps
-  - **Suitable for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
- Support multiple targets
-  - container image, local filesystem and remote git repository
+  - High accuracy, especially [Alpine Linux][alpine] and RHEL/CentOS
 - Supply chain security (SBOM support)
  - Support CycloneDX
-
-# Integrations
- [GitHub Actions][action]
- [Visual Studio Code][vscode]
-
-# Documentation
-The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
+  - Support SPDX
+- Misconfiguration detection (IaC scanning) 
+  - Wide variety of security checks are provided **out of the box**
+  - Kubernetes, Docker, Terraform, and more
+  - User-defined policies using [OPA Rego][rego]
+- Secret detection
+  - A wide variety of built-in rules are provided **out of the box**
+  - User-defined patterns
+  - Efficient scanning of container images
+- Simple
+  - Available in apt, yum, brew, dockerhub
+  - **No pre-requisites** such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
+  - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
+- Fits your workflow
+  - **Great for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
+  - Available as extension for IDEs such as vscode, jetbrains, vim
+  - Available as extension for Docker Desktop, Rancher Desktop
+  - See [integrations] section in the documentation.

 ---

@@ -212,10 +135,14 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg

-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[action]: https://github.com/aquasecurity/trivy-action
-[vscode]: https://github.com/aquasecurity/trivy-vscode-extension

+[getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[docs]: https://aquasecurity.github.io/trivy
+[integrations]:https://aquasecurity.github.io/trivy/latest/tutorials/integrations/
+[installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[releases]: https://github.com/aquasecurity/trivy/releases
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[rego]: https://www.openpolicyagent.org/docs/latest/#rego
 [aquasec]: https://aquasec.com
 [oss]: https://www.aquasec.com/products/open-source-projects/
 [discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>
--- a/brand/readme.md
+++ b/brand/readme.md
@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
--- a/ci/deploy-rpm.sh
+++ b/ci/deploy-rpm.sh
@@ -15,7 +15,7 @@ function create_rpm_repo () {

 cd trivy-repo

-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
        echo "Processing RHEL/CentOS $version..."
        create_rpm_repo $version
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -1,10 +1,14 @@
 package main

 import (
+	"context"
 	"os"

+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
 )

 var (
@@ -12,9 +16,26 @@ var (
 )

 func main() {
-	app := commands.NewApp(version)
-	err := app.Run(os.Args)
-	if err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/contrib/asff.tpl
+++ b/contrib/asff.tpl
@@ -1,66 +1,124 @@
-[
-{{- $t_first := true -}}
-{{- range . -}}
-{{- $target := .Target -}}
-{{- range .Vulnerabilities -}}
-{{- if $t_first -}}
-  {{- $t_first = false -}}
-{{- else -}}
-  ,
-{{- end -}}
-{{- $severity := .Severity -}}
-{{- if eq $severity "UNKNOWN" -}}
-{{- $severity = "INFORMATIONAL" -}}
-{{- end -}}
-{{- $description := .Description -}}
-{{- if gt (len $description ) 1021 -}}
-    {{- $description = (substr 0 1021 $description) | printf "%v .." -}}
-{{- end}}
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "Severity": {
-            "Label": "{{ $severity }}"
-        },
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
-        "Description": {{ escapeString $description | printf "%q" }},
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "{{ .PrimaryURL }}"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "{{ $target }}",
-                "Partition": "aws",
-                "Region": "{{ env "AWS_REGION" }}",
-                "Details": {
-                    "Container": { "ImageName": "{{ $target }}" },
-                    "Other": {
-                        "CVE ID": "{{ .VulnerabilityID }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
-                        "PkgName": "{{ .PkgName }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
-                        "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- $image := .Target -}}
+    {{- if gt (len $image) 127 -}}
+        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
+    {{- end}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 512 -}}
+        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            {{ if not (empty .PrimaryURL) -}}
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            {{ end -}}
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $image }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
                    }
                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-   {{- end -}}
-  {{- end }}
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+        {{- range .Misconfigurations -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+            {{- $description := .Description -}}
+            {{- if gt (len $description ) 512 -}}
+                {{- $description = (substr 0 512 $description) | printf "%v .." -}}
+            {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .ID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy/{{ .ID }}",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "{{ .Resolution }}",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Message": "{{ .Message }}",
+                            "Filename": "{{ $target }}",
+                            "StartLine": "{{ .CauseMetadata.StartLine }}",
+                            "EndLine": "{{ .CauseMetadata.EndLine }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
+      {{- end }}
+    ]
+}
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -13,8 +13,8 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": {{ list .VulnerabilityID .Title | join ": " | printf "%q" }},
-      "fingerprint": "{{ .VulnerabilityID | sha1sum }}",
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
@@ -28,9 +28,73 @@
                    "info"
                  {{- end }},
      "location": {
-        "path": "{{ .PkgName }}-{{ .InstalledVersion }}",
+        "path": "{{ $target }}",
        "lines": {
-          "begin": 1
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .CauseMetadata.StartLine }}
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
        }
      }
    }
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                  {{-  else -}}
                    "{{ .Severity }}"
                  {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
      "solution": {{ if .FixedVersion -}}
                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                  {{- else -}}
@@ -51,7 +50,7 @@
        },
        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
        "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
      },
      "identifiers": [
        {
@@ -71,7 +70,7 @@
          ,
        {{- end -}}
        {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
        }
        {{- end }}
      ]
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -28,4 +28,4 @@
    {{- end }}
    </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>
--- a/docs/advanced/air-gap.md
+++ b/docs/advanced/air-gap.md
@@ -1,113 +0,0 @@
-# Air-Gapped Environment
-
-Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
-
-## Air-Gapped Environment for vulnerabilities
-
-### Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-Please follow [oras installation instruction][oras].
-
-Download `db.tar.gz`:
-
-```
-$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
-```
-
-### Transfer the DB file into the air-gapped environment
-The way of transfer depends on the environment.
-
-```
-$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
-```
-
-### Put the DB file in Trivy's cache directory
-You have to know where to put the DB file. The following command shows the default cache directory.
-
-```
-$ ssh user@host
-$ trivy -h | grep cache
-   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
-```
-
-Put the DB file in the cache directory + `/db`.
-
-```
-$ mkdir -p /home/myuser/.cache/trivy/db
-$ cd /home/myuser/.cache/trivy/db
-$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
-x trivy.db
-x metadata.json
-$ rm /path/to/db.tar.gz
-```
-
-In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
-
-### Run Trivy with --skip-update and --offline-scan option
-In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
-In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
-
-```
-$ trivy image --skip-update --offline-scan alpine:3.12
-```
-
-## Air-Gapped Environment for misconfigurations
-
-### Download misconfiguration policies
-At first, you need to download misconfiguration policies for use in air-gapped environments.
-Please follow [oras installation instruction][oras].
-
-Download `bundle.tar.gz`:
-
-```
-$ oras pull ghcr.io/aquasecurity/appshield:latest -a
-```
-
-### Transfer misconfiguration policies into the air-gapped environment
-The way of transfer depends on the environment.
-
-```
-$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
-```
-
-### Put the misconfiguration policies in Trivy's cache directory
-You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
-
-```
-$ ssh user@host
-$ trivy -h | grep cache
-   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
-```
-
-Put the misconfiguration policies file in the cache directory + `/policy/content`.
-
-```
-$ mkdir -p /home/myuser/.cache/trivy/policy/content
-$ cd /home/myuser/.cache/trivy/policy/content
-$ mv /path/to/bundle.tar.gz .
-```
-
-Then, decompress it.
-`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
-
-```
-$ tar xvf bundle.tar.gz 
-x ./docker/
-...
-x ./kubernetes/
-...
-x ./.manifest
-$ rm bundle.tar.gz
-```
-
-In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
-
-### Run Trivy with --skip-policy-update option
-In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
-
-```
-$ trivy conf --skip-policy-update /path/to/conf
-```
-
-[allowlist]: ../getting-started/troubleshooting.md
-[oras]: https://oras.land/cli/
--- a/docs/advanced/community/references.md
+++ b/docs/advanced/community/references.md
@@ -1,19 +0,0 @@
-# External References
-There are external blogs and evaluations.
-
-## Blogs
- [the vulnerability remediation lifecycle of Alpine containers][alpine]
- [Continuous Container Vulnerability Testing with Trivy][semaphore]
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
- [Istio evaluates scanners][istio]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
--- a/docs/advanced/community/tools.md
+++ b/docs/advanced/community/tools.md
@@ -1,37 +0,0 @@
-# Community Tools
-The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
-
-Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
-
-## GitHub Actions
-
-| Actions                                    | Description                                                                      |
-| ------------------------------------------ | -------------------------------------------------------------------------------- |
-| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
-| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
-
-## Semaphore
-
-| Name                                                   | Description                               |
-| -------------------------------------------------------| ----------------------------------------- |
-| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
-
-
-## CircleCI
-
-| Orb                                      | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
-
-## Others
-
-| Name                                     | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
-
-
-[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
-[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
-[gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
-[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
--- a/docs/advanced/index.md
+++ b/docs/advanced/index.md
@@ -1,2 +0,0 @@
-# Advanced
-This section describes advanced features, integrations, etc.
--- a/docs/advanced/integrations/aws-security-hub.md
+++ b/docs/advanced/integrations/aws-security-hub.md
@@ -1,29 +0,0 @@
-# AWS Security Hub
-
-## Upload findings to Security Hub
-
-In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
-
-```
-$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
-Then, you can upload it with AWS CLI.
-
-```
-$ aws securityhub batch-import-findings --findings file://report.asff
-```
-
-## Customize
-You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
-
-```
-$ export AWS_REGION=us-west-1
-$ export AWS_ACCOUNT_ID=123456789012
-$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-## Reference
-https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
--- a/docs/advanced/modes/client-server.md
+++ b/docs/advanced/modes/client-server.md
@@ -1,59 +0,0 @@
-# Client/Server
-
-Trivy has client/server mode. Trivy server has vulnerability database and Trivy client doesn't have to download vulnerability database. It is useful if you want to scan images at multiple locations and do not want to download the database at every location.
-
-## Server
-At first, you need to launch Trivy server. It downloads vulnerability database automatically and continue to fetch the latest DB in the background.
-```
-$ trivy server --listen localhost:8080
-2019-12-12T15:17:06.551+0200    INFO    Need to update DB
-2019-12-12T15:17:56.706+0200    INFO    Reopening DB...
-2019-12-12T15:17:56.707+0200    INFO    Listening localhost:8080...
-```
-
-If you want to accept a connection from outside, you have to specify `0.0.0.0` or your ip address, not `localhost`.
-
-```
-$ trivy server --listen 0.0.0.0:8080
-```
-
-## Client
-Then, specify the remote address.
-```
-$ trivy client --remote http://localhost:8080 alpine:3.10
-```
-
-<details>
-<summary>Result</summary>
-
-```
-alpine:3.10 (alpine 3.10.2)
-===========================
-Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
-+---------+------------------+----------+-------------------+---------------+
-| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
-+         +------------------+          +                   +               +
-|         | CVE-2019-1563    |          |                   |               |
-+         +------------------+----------+                   +               +
-|         | CVE-2019-1547    | LOW      |                   |               |
-+---------+------------------+----------+-------------------+---------------+
-```
-</details>
-
-## Authentication
-
-```
-$ trivy server --listen localhost:8080 --token dummy
-```
-
-```
-$ trivy client --remote http://localhost:8080 --token dummy alpine:3.10
-```
-
-## Architecture
-
-![architecture](../../imgs/client-server.png)
-
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:7.0.6
+FROM squidfunk/mkdocs-material:8.3.9

 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
@@ -6,4 +6,5 @@ FROM squidfunk/mkdocs-material:7.0.6
 # docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
 # FROM ghcr.io/squidfunk/mkdocs-material-insiders

-RUN pip install mike mkdocs-macros-plugin
+COPY requirements.txt .
+RUN pip install -r requirements.txt
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -0,0 +1,30 @@
+click==8.1.2
+csscompressor==0.9.5
+ghp-import==2.0.2
+htmlmin==0.1.12
+importlib-metadata==4.11.3
+Jinja2==3.1.1
+jsmin==3.0.1
+Markdown==3.3.6
+MarkupSafe==2.1.1
+mergedeep==1.3.4
+mike==1.1.2
+mkdocs==1.3.0
+mkdocs-macros-plugin==0.7.0
+mkdocs-material==8.3.9
+mkdocs-material-extensions==1.0.3
+mkdocs-minify-plugin==0.5.0
+mkdocs-redirects==1.0.4
+packaging==21.3
+Pygments==2.12.0
+pymdown-extensions==9.5
+pyparsing==3.0.8
+python-dateutil==2.8.2
+PyYAML==6.0
+pyyaml-env-tag==0.1
+six==1.16.0
+termcolor==1.1.0
+verspec==0.1.0
+watchdog==2.1.7
+zipp==3.8.0
+
--- a/docs/community/contribute/issue.md
+++ b/docs/community/contribute/issue.md
@@ -0,0 +1,31 @@
+Thank you for taking interest in contributing to Trivy!
+
+- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
+- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
+- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
+
+## Wrong detection
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Sometime these databases contain mistakes.
+
+If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
+
+1. Run Trivy with `-f json` that shows data sources.
+2. According to the shown data source, make sure that the security advisory in the data source is correct.
+
+If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
+
+### GitHub Advisory Database
+Visit [here](https://github.com/advisories) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
+ 
+### GitLab Advisory Database
+Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
+ 
+### Red Hat CVE Database
+Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
+
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -0,0 +1,164 @@
+Thank you for taking interest in contributing to Trivy!
+
+1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
+1. Please add the associated Issue link in the PR description.
+1. Your PR is more likely to be accepted if it focuses on just one change.
+1. There's no need to add or tag reviewers.
+1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+1. Please include a comment with the results before and after your change.
+1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+
+- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+- **docs** for changes to the documentation.
+- **style** for formatting changes, missing semicolons, etc.
+- **refactor** for refactoring production code, e.g. renaming a variable.
+- **test** for adding missing tests, refactoring tests; no production code change.
+- **build** for updating build configuration, development tools or other changes irrelevant to the user.
+- **chore** for updates that do not apply to the above, such as dependency updates.
+- **ci** for changes to CI configuration files and scripts
+- **revert** for revert to a previous commit
+
+**Allowed `<scope>` values:**
+
+checks:
+
+- vuln
+- misconf
+- secret
+- license
+
+mode:
+
+- image
+- fs
+- repo
+- sbom
+- server
+
+os:
+
+- alpine
+- redhat
+- alma
+- rocky
+- mariner
+- oracle
+- debian
+- ubuntu
+- amazon
+- suse
+- photon
+- distroless
+
+language:
+
+- ruby
+- php
+- python
+- nodejs
+- rust
+- dotnet
+- java
+- go
+
+vuln:
+
+- os
+- lang
+
+config:
+
+- kubernetes
+- dockerfile
+- terraform
+- cloudformation
+
+container
+
+- docker
+- podman
+- containerd
+- oci
+
+cli:
+
+- cli
+- flag
+
+others:
+
+- helm
+- report
+- db
+- deps
+
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```
+
+## Understand where your pull request belongs
+
+Trivy is composed of several repositories that work together:
+
+- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
+- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
+- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
--- a/docs/community/maintainer/help-wanted.md
+++ b/docs/community/maintainer/help-wanted.md
--- a/docs/community/maintainer/triage.md
+++ b/docs/community/maintainer/triage.md
@@ -1,7 +1,10 @@
+# Triage
+
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.

 Triage includes:
+
 - Labeling issues
 - Responding to issues
 - Closing issues
@@ -185,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.

-We have specific [guidelines](/docs/advanced/contribd/contrib/help-wanted.md)
+We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -0,0 +1,86 @@
+# Air-Gapped Environment
+
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+
+=== "oras >= v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+### Transfer the DB file into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
+```
+
+### Put the DB file in Trivy's cache directory
+You have to know where to put the DB file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the DB file in the cache directory + `/db`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/db
+$ cd /home/myuser/.cache/trivy/db
+$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
+x trivy.db
+x metadata.json
+$ rm /path/to/db.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
+
+### Run Trivy with `--skip-update` and `--offline-scan` option
+In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
+In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
+
+```
+$ trivy image --skip-update --offline-scan alpine:3.12
+```
+
+## Air-Gapped Environment for misconfigurations
+
+No special measures are required to detect misconfigurations in an air-gapped environment.
+
+### Run Trivy with `--skip-policy-update` option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
+[allowlist]: ../references/troubleshooting.md
+[oras]: https://oras.land/cli/
--- a/docs/docs/advanced/container/containerd.md
+++ b/docs/docs/advanced/container/containerd.md
@@ -0,0 +1,22 @@
+# containerd
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Scan your image in [containerd][containerd] running locally.
+
+```bash
+$ nerdctl images
+REPOSITORY        TAG       IMAGE ID        CREATED         PLATFORM       SIZE         BLOB SIZE
+aquasec/nginx    latest    2bcabc23b454    3 hours ago     linux/amd64    149.1 MiB    54.1 MiB
+$ trivy image aquasec/nginx
+```
+
+If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`.
+
+```bash
+$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
+$ trivy image aquasec/nginx
+```
+
+[containerd]: https://containerd.io/
--- a/docs/docs/advanced/container/embed-in-dockerfile.md
+++ b/docs/docs/advanced/container/embed-in-dockerfile.md
--- a/docs/docs/advanced/container/oci.md
+++ b/docs/docs/advanced/container/oci.md
--- a/docs/docs/advanced/container/podman.md
+++ b/docs/docs/advanced/container/podman.md
--- a/docs/docs/advanced/container/unpacked-filesystem.md
+++ b/docs/docs/advanced/container/unpacked-filesystem.md
--- a/docs/docs/advanced/modules.md
+++ b/docs/docs/advanced/modules.md
@@ -0,0 +1,358 @@
+# Modules
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy provides a module feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
+It changes the behavior during scanning by WebAssembly.
+
+## Overview
+Trivy modules are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language supporting WebAssembly.
+  - It supports only [TinyGo][tinygo] at the moment.
+
+You can write your own detection logic.
+
+- Evaluate complex vulnerability conditions like [Spring4Shell][spring4shell]
+- Detect a shell script communicating with malicious domains
+- Detect malicious python install script (setup.py)
+- Even detect misconfigurations in WordPress setting
+- etc.
+
+Then, you can update the scan result however you want.
+
+- Change a severity
+- Remove a vulnerability
+- Add a new vulnerability
+- etc.
+
+Modules should be distributed in OCI registries like GitHub Container Registry.
+
+!!! warning
+    WebAssembly doesn't allow file access and network access by default.
+    Modules can read required files only, but cannot overwrite them.
+    WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security.
+    You should install and run third-party modules at your own risk even though 
+
+Under the hood Trivy leverages [wazero][wazero] to run WebAssembly modules without CGO.
+
+## Installing a Module
+A module can be installed using the `trivy module install` command.
+This command takes an url. It will download the module and install it in the module cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- $HOME/.trivy/plugins
+
+For example, to download the WebAssembly module, you can execute the following command:
+
+```bash
+$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
+```
+
+## Using Modules
+Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution.
+The modules may inject custom logic into scanning and change the result.
+You can run Trivy as usual and modules are loaded automatically.
+
+You will see the log messages about WASM modules.
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
+2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
+2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
+...
+2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
+2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
+
+Java (jar)
+
+Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
+
+┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
+│                           Library                            │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                           Title                            │
+├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
+│ org.springframework.boot:spring-boot (helloworld.war)        │ CVE-2022-22965      │ LOW      │ 2.6.3             │ 2.5.12, 2.6.6          │ spring-framework: RCE via Data Binding on JDK 9+           │
+│                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22965                 │
+├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
+...(snip)...
+```
+
+In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of conditions.
+
+## Uninstalling Modules
+Specify a module repository with `trivy module uninstall` command.
+
+```bash
+$ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
+```
+
+## Building Modules
+It supports TinyGo only at the moment.
+
+### TinyGo
+Trivy provides Go SDK including three interfaces.
+Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
+
+```go
+type Module interface {
+    Version() int
+    Name() string
+}
+
+type Analyzer interface {
+    RequiredFiles() []string
+    Analyze(filePath string) (*serialize.AnalysisResult, error)
+}
+
+type PostScanner interface {
+    PostScanSpec() serialize.PostScanSpec
+    PostScan(serialize.Results) (serialize.Results, error)
+}
+```
+
+In the following tutorial, it creates a WordPress module that detects a WordPress version and a critical vulnerability accordingly.
+
+!!! tips
+    You can use logging functions such as `Debug` and `Info` for debugging.
+    See [examples](#examples) for the detail.
+
+#### Initialize your module
+Replace the repository name with yours.
+
+```
+$ go mod init github.com/aquasecurity/trivy-module-wordpress
+```
+
+#### Module interface
+`Version()` returns your module version and should be incremented after updates.
+`Name()` returns your module name.
+
+```go
+package main
+
+const (
+    version = 1
+    name = "wordpress-module"
+)
+
+type WordpressModule struct{
+	// Cannot define fields as modules can't keep state.
+}
+
+func (WordpressModule) Version() int {
+    return version
+}
+
+func (WordpressModule) Name() string {
+    return name
+}
+```
+
+!!! info
+    A struct cannot have any fields. Each method invocation is performed in different states.
+
+#### Analyzer interface
+If you implement the `Analyzer` interface, `Analyze` method is called when the file path is matched to file patterns returned by `RequiredFiles()`.
+A file pattern must be a regular expression. The syntax detail is [here][regexp].
+
+`Analyze` takes the matched file path, then the file can be opened by `os.Open()`.
+
+```go
+const typeWPVersion = "wordpress-version"
+
+func (WordpressModule) RequiredFiles() []string {
+    return []string{
+        `wp-includes\/version.php`,
+    }
+}
+
+func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
+    f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
+    if err != nil {
+        return nil, err
+    }
+    defer f.Close()
+
+    var wpVersion string
+    scanner := bufio.NewScanner(f)
+    for scanner.Scan() {
+        line := scanner.Text()
+        if !strings.HasPrefix(line, "$wp_version=") {
+            continue
+        }
+
+        ss := strings.Split(line, "=")
+        if len(ss) != 2 {
+            return nil, fmt.Errorf("invalid wordpress version: %s", line)
+        }
+
+        // NOTE: it is an example; you actually need to handle comments, etc
+        ss[1] = strings.TrimSpace(ss[1])
+        wpVersion = strings.Trim(ss[1], `";`)
+    }
+
+    if err = scanner.Err(); err != nil {
+        return nil, err
+    }
+	
+    return &serialize.AnalysisResult{
+        CustomResources: []serialize.CustomResource{
+            {
+                Type:     typeWPVersion,
+                FilePath: filePath,
+                Data:     wpVersion,
+            },
+        },
+    }, nil
+}
+```
+
+!!! tips
+    Trivy caches analysis results according to the module version.
+    We'd recommend cleaning the cache or changing the module version every time you update `Analyzer`.
+
+
+#### PostScanner interface
+`PostScan` is called after scanning and takes the scan result as an argument from Trivy.
+In post scanning, your module can perform one of three actions:
+
+- Insert
+    - Add a new security finding
+    - e.g. Add a new vulnerability and misconfiguration
+- Update
+    - Update the detected vulnerability and misconfiguration
+    - e.g. Change a severity
+- Delete
+    - Delete the detected vulnerability and misconfiguration
+    - e.g. Remove Spring4Shell because it is not actually affected.
+ 
+`PostScanSpec()` returns which action the module does.
+If it is `Update` or `Delete`, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
+
+`serialize.Results` contains the filtered results matching IDs you specified.
+Also, it includes `CustomResources` with the values your `Analyze` returns, so you can modify the scan result according to the custom resources.
+
+```go
+func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
+    return serialize.PostScanSpec{
+        Action: api.ActionInsert, // Add new vulnerabilities
+    }
+}
+
+func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+    // e.g. results
+    // [
+    //   {
+    //     "Target": "",
+    //     "Class": "custom",
+    //     "CustomResources": [
+    //       {
+    //         "Type": "wordpress-version",
+    //         "FilePath": "/usr/src/wordpress/wp-includes/version.php",
+    //         "Layer": {
+    //           "DiffID": "sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887"
+    //         },
+    //         "Data": "5.7.1"
+    //       }
+    //     ]
+    //   }
+    // ]   
+    var wpVersion int
+    for _, result := range results {
+        if result.Class != types.ClassCustom {
+            continue
+        }
+		
+        for _, c := range result.CustomResources {
+            if c.Type != typeWPVersion {
+                continue
+            }
+            wpVersion = c.Data.(string)
+            wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
+
+            ...snip...
+			
+            if affectedVersion.Check(ver) {
+                vulnerable = true
+            }
+            break
+        }
+    }
+
+    if vulnerable {
+        // Add CVE-2020-36326
+        results = append(results, serialize.Result{
+            Target: wpPath,
+            Class:  types.ClassLangPkg,
+			Type:   "wordpress",
+            Vulnerabilities: []types.DetectedVulnerability {
+                {
+                    VulnerabilityID:  "CVE-2020-36326",
+                    PkgName:          "wordpress",
+                    InstalledVersion: wpVersion,
+                    FixedVersion:     "5.7.2",
+                    Vulnerability: dbTypes.Vulnerability{
+                        Title:    "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
+                        Severity: "CRITICAL",
+                    },
+                },
+            },
+        })
+    }
+    return results, nil
+}
+```
+
+The new vulnerability will be added to the scan results.
+This example shows how the module inserts a new finding.
+If you are interested in `Update`, you can see an example of [Spring4Shell][trivy-module-spring4shell].
+
+In the `Delete` action, `PostScan` needs to return results you want to delete.
+If `PostScan` returns an empty, Trivy will not delete anything.
+
+#### Build
+Follow [the install guide][tinygo-installation] and install TinyGo.
+
+```bash
+$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+```
+
+Put the built binary to the module directory that is under the home directory by default.
+
+```bash
+$ mkdir -p ~/.trivy/modules
+$ cp spring4shell.wasm ~/.trivy/modules
+```
+
+## Distribute Your Module
+You can distribute your own module in OCI registries. Please follow [the oras installation instruction][oras].
+
+```bash
+oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm
+Uploading 3daa3dac086b wordpress.wasm
+Pushed ghcr.io/aquasecurity/trivy-module-wordpress:latest
+Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
+```
+
+## Examples
+- [Spring4Shell][trivy-module-spring4shell]
+- [WordPress][trivy-module-wordpress]
+
+[regexp]: https://github.com/google/re2/wiki/Syntax
+
+[tinygo]: https://tinygo.org/
+[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
+[wazero]: https://github.com/tetratelabs/wazero
+
+[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
+[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
+
+[tinygo-installation]: https://tinygo.org/getting-started/install/
+[oras]: https://oras.land/cli/
--- a/docs/docs/advanced/plugins.md
+++ b/docs/docs/advanced/plugins.md
--- a/docs/docs/advanced/private-registries/acr.md
+++ b/docs/docs/advanced/private-registries/acr.md
--- a/docs/docs/advanced/private-registries/docker-hub.md
+++ b/docs/docs/advanced/private-registries/docker-hub.md
--- a/docs/docs/advanced/private-registries/ecr.md
+++ b/docs/docs/advanced/private-registries/ecr.md
--- a/docs/docs/advanced/private-registries/gcr.md
+++ b/docs/docs/advanced/private-registries/gcr.md
--- a/docs/docs/advanced/private-registries/index.md
+++ b/docs/docs/advanced/private-registries/index.md
--- a/docs/docs/advanced/private-registries/self.md
+++ b/docs/docs/advanced/private-registries/self.md
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,142 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --security-checks vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -0,0 +1,87 @@
+# SBOM attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+## Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
+```
+
+You can also create attestations of other formatted SBOM.
+
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
+
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
+```
+
+## Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
+```
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```
--- a/docs/docs/attestation/vuln.md
+++ b/docs/docs/attestation/vuln.md
@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
--- a/docs/docs/cloud/aws/scanning.md
+++ b/docs/docs/cloud/aws/scanning.md
@@ -0,0 +1,59 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Cached Results
+
+By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
+
+## Custom Policies
+
+You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information.
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -0,0 +1,8 @@
+# Compliance Reports
+
+Trivy support producing compliance reports.
+
+## Supported reports
+
+- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md) 
+
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -1,29 +1,12 @@
-# Overview
+# Docs

-Trivy detects two types of security issues:
-
- [Vulnerabilities][vuln]
- [Misconfigurations][misconf]
-
-Trivy can scan three different artifacts:
-
- [Container Images][container]
- [Filesystem][filesystem] and [Rootfs][rootfs]
- [Git Repositories][repo]
-
-Trivy can be run in two different modes:
-
- [Standalone][standalone]
- [Client/Server][client-server]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
+This documentation details how to use Trivy to access the features listed below.

 ## Features

 - Comprehensive vulnerability detection
    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
        - Kubernetes
@@ -38,7 +21,7 @@ See [Integrations][integrations] for details.
    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
    - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
 - Easy installation
-    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation](installation.md))
+    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation])
    - **No pre-requisites** such as installation of DB, libraries, etc.
 - High accuracy
    - **Especially Alpine Linux and RHEL/CentOS**
@@ -55,28 +38,35 @@ See [Integrations][integrations] for details.
        - An image directory compliant with [OCI Image Format][oci]
    - local filesystem and rootfs
    - remote git repository
- SBOM (Software Bill of Materials) support
-    - CycloneDX 
+- [SBOM][sbom] (Software Bill of Materials) support
+    - CycloneDX
+    - SPDX
+    - GitHub Dependency Snapshots

 Please see [LICENSE][license] for Trivy licensing information.

-[vuln]: ../vulnerability/scanning/index.md
-[misconf]: ../misconfiguration/index.md
-[container]: ../vulnerability/scanning/image.md
-[rootfs]: ../vulnerability/scanning/rootfs.md
-[filesystem]: ../vulnerability/scanning/filesystem.md
-[repo]: ../vulnerability/scanning/git-repository.md
+[installation]: ../index.md
+[vuln]: ../docs/vulnerability/scanning/index.md
+[misconf]: ../docs/misconfiguration/scanning.md
+[kubernetesoperator]: ../docs/kubernetes/operator/index.md
+[container]: ../docs/vulnerability/scanning/image.md
+[rootfs]: ../docs/vulnerability/scanning/rootfs.md
+[filesystem]: ../docs/vulnerability/scanning/filesystem.md
+[repo]: ../docs/vulnerability/scanning/git-repository.md
+[kubernetes]: ../docs/kubernetes/cli/scanning.md

-[standalone]: ../advanced/modes/standalone.md
-[client-server]: ../advanced/modes/client-server.md
-[integrations]: ../advanced/integrations/index.md
+[standalone]: ../docs/references/modes/standalone.md
+[client-server]: ../docs/references/modes/client-server.md
+[integrations]: ../tutorials/integrations/index.md

-[os]: ../vulnerability/detection/os.md
-[lang]: ../vulnerability/detection/language.md
+[os]: ../docs/vulnerability/detection/os.md
+[lang]: ../docs/vulnerability/detection/language.md

-[builtin]: ../misconfiguration/policy/builtin.md
-[quickstart]: quickstart.md
-[podman]: ../advanced/container/podman.md
+[builtin]: ../docs/misconfiguration/policy/builtin.md
+[quickstart]: ../getting-started/quickstart.md
+[podman]: ../docs/advanced/container/podman.md
+
+[sbom]: ../docs/sbom/index.md

 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/docs/integrations/woodpecker-ci.md
+++ b/docs/docs/integrations/woodpecker-ci.md
@@ -0,0 +1,17 @@
+# Woodpecker CI
+
+This is a simple example configuration `.woodpecker/trivy.yml` that shows how you could get started:
+
+```yml
+pipeline:
+  securitycheck:
+    image: aquasec/trivy:latest
+    commands:
+      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
+      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+```
+
+Woodpecker does use Trivy itself so you can see an [Example][example] run at its [Repository][repository] and how it was [added](https://github.com/woodpecker-ci/woodpecker/pull/1163).
+
+[example]: https://ci.woodpecker-ci.org/woodpecker-ci/woodpecker/build/3520/37
+[repository]: https://github.com/woodpecker-ci/woodpecker
--- a/docs/docs/kubernetes/cli/compliance.md
+++ b/docs/docs/kubernetes/cli/compliance.md
@@ -0,0 +1,68 @@
+# Kubernetes Compliance
+
+## NSA Complaince Report
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
+
+[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
+
+| NAME                                                     | DESCRIPTION                                                                                             |          |
+|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------|
+| Non-root containers                                      | Check that container is not running as root                                                       |
+| Immutable container file systems                         | Check that container root file system is immutable                                                  |
+| Preventing privileged containers                         | Controls whether Pods can run privileged containers                                                 |
+| Share containers process namespaces                      | Controls whether containers can share process namespaces                                                 |
+| Share host process namespaces                            | Controls whether share host process namespaces                                                 |
+| Use the host network                                     | Controls whether containers can use the host network                                                    |
+| Run with root privileges or with root group membership   | Controls whether container applications can run with <br/>root privileges or with root group membership                   |
+| Restricts escalation to root privileges                  | Control check restrictions escalation to root privileges                                                 |
+| Sets the SELinux context of the container                | Control checks if pod sets the SELinux context of the container                                                  |
+| Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor                                    | 
+| Sets the seccomp profile used to sandbox containers      | Control checks the sets the seccomp profile used to sandbox containers                                                 |
+| Protecting Pod service account tokens                    | Control check whether disable secret token been mount ,automountServiceAccountToken: false                        | 
+| Namespace kube-system should not be used by users        | Control check whether Namespace kube-system is not be used by users                                                      |
+| Pod and/or namespace Selectors usage                     | Control check validate the pod and/or namespace Selectors usage                                                      |
+| Use CNI plugin that supports NetworkPolicy API           | Control check whether check cni plugin installed                                                  |
+| Use ResourceQuota policies to limit resources            | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace                  | 
+| Use LimitRange policies to limit resources               | Control check the use of LimitRange policy limit resource usage for namespaces or nodes                              |
+| Control plan disable insecure port                       | Control check whether control plan disable insecure port                                                       |
+| Encrypt etcd communication                               | Control check whether etcd communication is encrypted                                                  |
+| Ensure kube config file permission                       | Control check whether kube config file permissions                                                |
+| Check that encryption resource has been set              | Control checks whether encryption resource has been set                                                        |
+| Check encryption provider                                | Control checks whether encryption provider has been set                                                        |
+| Make sure anonymous-auth is unset                        | Control checks whether anonymous-auth is unset                                                      |
+| Make sure -authorization-mode=RBAC                       | Control check whether RBAC permission is in use                                                        |
+| Audit policy is configure                                | Control check whether audit policy is configure                                                  |
+| Audit log path is configure                              | Control check whether audit log path is configure                                                  |
+| Audit log aging                                          | Control check whether audit log aging is configure                                                  |
+
+## CLI Commands
+
+Scan a full cluster and generate a complliance NSA summary report:
+
+```
+$ trivy k8s cluster --compliance=nsa --report summary
+```
+
+![k8s Summary Report](../../../imgs/trivy-nsa-summary.png)
+
+***Note*** : The `compliance` column represent the calculation of all tests pass vs. fail for all resources per control check in percentage format.
+
+Example: if I have two resources in cluster and one resource scan result show pass while the other one show fail for `1.0 Non-root Containers` then it compliance will show 50%
+
+An additional report is supported to get all of the detail the output contains, use `--report all`
+```
+$ trivy k8s cluster --compliance=nsa --report all
+```
+Report also supported in json format examples :
+
+```
+$ trivy k8s cluster --compliance=nsa --report summary --format json
+```
+
+```
+$ trivy k8s cluster --compliance=nsa --report all --format json
+```
--- a/docs/docs/kubernetes/cli/scanning.md
+++ b/docs/docs/kubernetes/cli/scanning.md
@@ -0,0 +1,279 @@
+# Kubernetes
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
+
+If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)
+
+Trivy uses your local kubectl configuration to access the API server to list artifacts.
+
+## CLI Commands
+
+Scan a full cluster and generate a simple summary report:
+
+```
+$ trivy k8s --report=summary cluster
+```
+
+![k8s Summary Report](../../../imgs/trivy-k8s.png)
+
+The summary report is the default. To get all of the detail the output contains, use `--report all`.
+
+Filter by severity:
+
+```
+$ trivy k8s --severity=CRITICAL --report=all cluster
+```
+
+Filter by security check (Vulnerabilities, Secrets or Misconfigurations):
+
+```
+$ trivy k8s --security-checks=secret --report=summary cluster
+# or
+$ trivy k8s --security-checks=config --report=summary cluster
+```
+
+Scan a specific namespace:
+
+```
+$ trivy k8s -n kube-system --report=summary all
+```
+
+Use a specific kubeconfig file:
+
+```
+$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
+```
+
+Scan a specific resource and get all the output:
+
+```
+$ trivy k8s deployment appname
+```
+
+Scan all deploys, or deploys and configmaps:
+
+```
+$ trivy k8s --report=summary deployment
+$ trivy k8s --report=summary deployment,configmaps
+```
+
+If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
+For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
+
+```
+$ trivy k8s -n app --severity=CRITICAL deployment/appname
+```
+This is specific to all Trivy CLI commands.
+
+The supported formats are `table`, which is the default, and `json`.
+To get a JSON output on a full cluster scan:
+
+```
+$ trivy k8s --format json -o results.json cluster
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "ClusterName": "minikube",
+  "Vulnerabilities": [
+    {
+      "Namespace": "default",
+      "Kind": "Deployment",
+      "Name": "app",
+      "Results": [
+        {
+          "Target": "ubuntu:latest (ubuntu 22.04)",
+          "Class": "os-pkgs",
+          "Type": "ubuntu",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2016-2781",
+              "PkgName": "coreutils",
+              "InstalledVersion": "8.32-4.1ubuntu1",
+              "Layer": {
+                "Digest": "sha256:125a6e411906fe6b0aaa50fc9d600bf6ff9bb11a8651727ce1ed482dc271c24c",
+                "DiffID": "sha256:e59fc94956120a6c7629f085027578e6357b48061d45714107e79f04a81a6f0c"
+              },
+              "SeveritySource": "ubuntu",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781",
+              "DataSource": {
+                "ID": "ubuntu",
+                "Name": "Ubuntu CVE Tracker",
+                "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+              },
+              "Title": "coreutils: Non-privileged session can escape to the parent session in chroot",
+              "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
+              "Severity": "LOW",
+              "CweIDs": [
+                "CWE-20"
+              ],
+              "VendorSeverity": {
+                "cbl-mariner": 2,
+                "nvd": 2,
+                "redhat": 2,
+                "ubuntu": 1
+              },
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
+                  "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
+                  "V2Score": 2.1,
+                  "V3Score": 6.5
+                },
+                "redhat": {
+                  "V2Vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
+                  "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+                  "V2Score": 6.2,
+                  "V3Score": 8.6
+                }
+              },
+              "References": [
+                "http://seclists.org/oss-sec/2016/q1/452",
+                "http://www.openwall.com/lists/oss-security/2016/02/28/2",
+                "http://www.openwall.com/lists/oss-security/2016/02/28/3",
+                "https://access.redhat.com/security/cve/CVE-2016-2781",
+                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781",
+                "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
+                "https://lore.kernel.org/patchwork/patch/793178/",
+                "https://nvd.nist.gov/vuln/detail/CVE-2016-2781"
+              ],
+              "PublishedDate": "2017-02-07T15:59:00Z",
+              "LastModifiedDate": "2021-02-25T17:15:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "Misconfigurations": [
+    {
+      "Namespace": "default",
+      "Kind": "Deployment",
+      "Name": "app",
+      "Results": [
+        {
+          "Target": "Deployment/app",
+          "Class": "config",
+          "Type": "kubernetes",
+          "MisconfSummary": {
+            "Successes": 20,
+            "Failures": 19,
+            "Exceptions": 0
+          },
+          "Misconfigurations": [
+            {
+              "Type": "Kubernetes Security Check",
+              "ID": "KSV001",
+              "Title": "Process can elevate its own privileges",
+              "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
+              "Message": "Container 'app' of Deployment 'app' should set 'securityContext.allowPrivilegeEscalation' to false",
+              "Namespace": "builtin.kubernetes.KSV001",
+              "Query": "data.builtin.kubernetes.KSV001.deny",
+              "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
+              "Severity": "MEDIUM",
+              "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001",
+              "References": [
+                "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
+                "https://avd.aquasec.com/misconfig/ksv001"
+              ],
+              "Status": "FAIL",
+              "Layer": {},
+              "IacMetadata": {
+                "Provider": "Kubernetes",
+                "Service": "general",
+                "StartLine": 121,
+                "EndLine": 133
+              }
+            },
+            {
+              "Type": "Kubernetes Security Check",
+              "ID": "KSV003",
+              "Title": "Default capabilities not dropped",
+              "Description": "The container should drop all default capabilities and add only those that are needed for its execution.",
+              "Message": "Container 'app' of Deployment 'app' should add 'ALL' to 'securityContext.capabilities.drop'",
+              "Namespace": "builtin.kubernetes.KSV003",
+              "Query": "data.builtin.kubernetes.KSV003.deny",
+              "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.",
+              "Severity": "LOW",
+              "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003",
+              "References": [
+                "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
+                "https://avd.aquasec.com/misconfig/ksv003"
+              ],
+              "Status": "FAIL",
+              "Layer": {},
+              "IacMetadata": {
+                "Provider": "Kubernetes",
+                "Service": "general",
+                "StartLine": 121,
+                "EndLine": 133
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "Namespace": "default",
+      "Kind": "ConfigMap",
+      "Name": "kube-root-ca.crt"
+    }
+  ]
+}
+
+```
+
+</details>
+
+
+
+## Infra checks
+
+Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
+if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
+components under `kube-system` with commands:
+
+```
+$ trivy k8s cluster --report summary # full cluster scan
+$ trivy k8s all -n kube-system --report summary # scan all componetns under kube-system
+```
+
+A table will be printed about misconfigurations found on kubernetes core components:
+
+```
+Summary Report for minikube
+┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
+│  Namespace  │               Resource               │ Kubernetes Infra Assessment │
+│             │                                      ├────┬────┬────┬─────┬────────┤
+│             │                                      │ C  │ H  │ M  │ L   │   U    │
+├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
+│ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
+│ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
+│ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
+└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
+Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
+```
+
+The infra checks are based on CIS Benchmarks recommendations for kubernetes.
+
+
+If you want filter only for the infra checks, you can use the flag `--components` along with the `--security-checks=config`
+
+```
+$ trivy k8s cluster --report summary --components=infra --security-checks=config # scan only infra
+```
+
+Or, to filter for all other checks besides the infra checks, you can:
+
+```
+$ trivy k8s cluster --report summary --components=workload --security-checks=config # scan all components besides infra
+```
+
+	
+
--- a/docs/docs/kubernetes/operator/index.md
+++ b/docs/docs/kubernetes/operator/index.md
@@ -0,0 +1,14 @@
+# Trivy Operator  
+
+Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
+
+
+> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
+
+<figure>
+  <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
+</figure>
+
+[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
+[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
+[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest
--- a/docs/docs/licenses/scanning.md
+++ b/docs/docs/licenses/scanning.md
@@ -0,0 +1,320 @@
+# License Scanning
+
+Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
+
+License are classified using the [Google License Classification][google-license-classification] -
+
+ - Forbidden
+ - Restricted 
+ - Reciprocal
+ - Notice
+ - Permissive
+ - Unencumbered
+ - Unknown
+
+!!! tip
+    Licenses that Trivy fails to recognize are classified as UNKNOWN.
+    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
+
+By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
+To enable extended license scanning, you can use `--license-full`.
+In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
+
+!!! note
+    The full license scanning is expensive. It takes a while.
+
+Currently, the standard license scanning doesn't support filesystem and repository scanning.
+
+|   License scnanning   | Image | Rootfs    | Filesystem | Repository |
+|:---------------------:|:-----:|:---------:|:----------:|:----------:|
+|       Standard        |  ✅   |     ✅    |   -        |      -     |
+| Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
+
+
+License checking classifies the identified licenses and map the classification to severity.
+
+| Classification | Severity |
+|----------------|----------|
+| Forbidden      | CRITICAL |
+| Restricted     | HIGH     |
+| Reciprocal     | MEDIUM   |
+| Notice         | LOW      |
+| Permissive     | LOW      |
+| Unencumbered   | LOW      |
+| Unknown        | UNKNOWN  |
+
+## Quick start
+This section shows how to scan license in container image and filesystem.
+
+### Standard scanning
+Specify an image name with `--security-cheks license`.
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ apk-tools         │         │                │          │
+├───────────────────┤         │                │          │
+│ busybox           │         │                │          │
+├───────────────────┤         │                │          │
+│ musl-utils        │         │                │          │
+├───────────────────┤         │                │          │
+│ scanelf           │         │                │          │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+```
+
+### Full scanning
+Specify `--license-full`
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
+
+┌───────────────────┬───────────────────┬────────────────┬──────────┐
+│      Package      │      License      │ Classification │ Severity │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
+├───────────────────┤                   │                │          │
+│ apk-tools         │                   │                │          │
+├───────────────────┼───────────────────┤                │          │
+│ bash              │ GPL-3.0           │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┤                │          │
+│ libaio            │ LGPL-2.1-or-later │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
+└───────────────────┴───────────────────┴────────────────┴──────────┘
+
+Loose File License(s) (license)
+===============================
+Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
+
+┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
+│ Classification │ Severity │   License    │                        File Location                         │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
+│                │          │              │                                                              │
+│                │          │              │                                                              │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
+│                │          │              │ 41a80.js.LICENSE.txt                                         │
+└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Trivy has number of configuration flags for use with license scanning;
+                                 
+### Ignored Licenses
+
+Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
+
+```shell
+$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 2 (HIGH: 2, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+
+```
+
+### Custom Classification
+You can generate the default config by the `--generate-default-config` flag and customize the license classification.
+For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
+
+```shell
+$ trivy image --generate-default-config
+$ vim trivy.yaml
+license:
+  forbidden:
+  - AGPL-3.0
+  
+  restricted:
+  - AGPL-1.0
+  - CC-BY-NC-1.0
+  - CC-BY-NC-2.0
+  - CC-BY-NC-2.5
+  - CC-BY-NC-3.0
+  - CC-BY-NC-4.0
+  - CC-BY-NC-ND-1.0
+  - CC-BY-NC-ND-2.0
+  - CC-BY-NC-ND-2.5
+  - CC-BY-NC-ND-3.0
+  - CC-BY-NC-ND-4.0
+  - CC-BY-NC-SA-1.0
+  - CC-BY-NC-SA-2.0
+  - CC-BY-NC-SA-2.5
+  - CC-BY-NC-SA-3.0
+  - CC-BY-NC-SA-4.0
+  - Commons-Clause
+  - Facebook-2-Clause
+  - Facebook-3-Clause
+  - Facebook-Examples
+  - WTFPL
+  - BCL
+  - CC-BY-ND-1.0
+  - CC-BY-ND-2.0
+  - CC-BY-ND-2.5
+  - CC-BY-ND-3.0
+  - CC-BY-ND-4.0
+  - CC-BY-SA-1.0
+  - CC-BY-SA-2.0
+  - CC-BY-SA-2.5
+  - CC-BY-SA-3.0
+  - CC-BY-SA-4.0
+  - GPL-1.0
+  - GPL-2.0
+  - GPL-2.0-with-autoconf-exception
+  - GPL-2.0-with-bison-exception
+  - GPL-2.0-with-classpath-exception
+  - GPL-2.0-with-font-exception
+  - GPL-2.0-with-GCC-exception
+  - GPL-3.0
+  - GPL-3.0-with-autoconf-exception
+  - GPL-3.0-with-GCC-exception
+  - LGPL-2.0
+  - LGPL-2.1
+  - LGPL-3.0
+  - NPL-1.0
+  - NPL-1.1
+  - OSL-1.0
+  - OSL-1.1
+  - OSL-2.0
+  - OSL-2.1
+  - OSL-3.0
+  - QPL-1.0
+  - Sleepycat
+  
+  reciprocal:
+  - APSL-1.0
+  - APSL-1.1
+  - APSL-1.2
+  - APSL-2.0
+  - CDDL-1.0
+  - CDDL-1.1
+  - CPL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - FreeImage
+  - IPL-1.0
+  - MPL-1.0
+  - MPL-1.1
+  - MPL-2.0
+  - Ruby
+  
+  notice:
+  - AFL-1.1
+  - AFL-1.2
+  - AFL-2.0
+  - AFL-2.1
+  - AFL-3.0
+  - Apache-1.0
+  - Apache-1.1
+  - Apache-2.0
+  - Artistic-1.0-cl8
+  - Artistic-1.0-Perl
+  - Artistic-1.0
+  - Artistic-2.0
+  - BSL-1.0
+  - BSD-2-Clause-FreeBSD
+  - BSD-2-Clause-NetBSD
+  - BSD-2-Clause
+  - BSD-3-Clause-Attribution
+  - BSD-3-Clause-Clear
+  - BSD-3-Clause-LBNL
+  - BSD-3-Clause
+  - BSD-4-Clause
+  - BSD-4-Clause-UC
+  - BSD-Protection
+  - CC-BY-1.0
+  - CC-BY-2.0
+  - CC-BY-2.5
+  - CC-BY-3.0
+  - CC-BY-4.0
+  - FTL
+  - ISC
+  - ImageMagick
+  - Libpng
+  - Lil-1.0
+  - Linux-OpenIB
+  - LPL-1.02
+  - LPL-1.0
+  - MS-PL
+  - MIT
+  - NCSA
+  - OpenSSL
+  - PHP-3.01
+  - PHP-3.0
+  - PIL
+  - Python-2.0
+  - Python-2.0-complete
+  - PostgreSQL
+  - SGI-B-1.0
+  - SGI-B-1.1
+  - SGI-B-2.0
+  - Unicode-DFS-2015
+  - Unicode-DFS-2016
+  - Unicode-TOU
+  - UPL-1.0
+  - W3C-19980720
+  - W3C-20150513
+  - W3C
+  - X11
+  - Xnet
+  - Zend-2.0
+  - zlib-acknowledgement
+  - Zlib
+  - ZPL-1.1
+  - ZPL-2.0
+  - ZPL-2.1
+  
+  unencumbered:
+  - CC0-1.0
+  - Unlicense
+  - 0BSD
+  
+  permissive: []
+```
+
+
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses
--- a/docs/docs/misconfiguration/comparison/cfsec.md
+++ b/docs/docs/misconfiguration/comparison/cfsec.md
@@ -0,0 +1,24 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature               | Trivy                                                  | cfsec                        |
+|-----------------------|--------------------------------------------------------|------------------------------|
+| Built-in Policies     | :material-check:                                       | :material-check:             |
+| Custom Policies       | :material-check:                                       | :material-close:             |
+| Policy Metadata[^1]   | :material-check:                                       | :material-check:             |
+| Show Successes        | :material-check:                                       | :material-check:             |
+| Disable Policies      | :material-check:                                       | :material-check:             |
+| Show Issue Lines      | :material-check:                                       | :material-check:             |
+| View Statistics       | :material-close:                                       | :material-check:             |
+| Filtering by Severity | :material-check:                                       | :material-close:             |
+| Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | CloudFormation JSON and YAML |
+
+[^1]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec
--- a/docs/docs/misconfiguration/comparison/conftest.md
+++ b/docs/docs/misconfiguration/comparison/conftest.md
--- a/docs/docs/misconfiguration/comparison/tfsec.md
+++ b/docs/docs/misconfiguration/comparison/tfsec.md
@@ -0,0 +1,25 @@
+# vs tfsec
+[tfsec][tfsec] uses static analysis of your Terraform templates to spot potential security issues.
+Trivy uses tfsec internally to scan Terraform HCL files, but Trivy doesn't support some features provided by tfsec.
+This section describes the differences between Trivy and tfsec.
+
+| Feature               | Trivy                                                  | tfsec                |
+|-----------------------|--------------------------------------------------------|----------------------|
+| Built-in Policies     | :material-check:                                       | :material-check:     |
+| Custom Policies       | Rego                                                   | Rego, JSON, and YAML |
+| Policy Metadata[^1]   | :material-check:                                       | :material-check:     |
+| Show Successes        | :material-check:                                       | :material-check:     |
+| Disable Policies      | :material-check:                                       | :material-check:     |
+| Show Issue Lines      | :material-check:                                       | :material-check:     |
+| Support .tfvars       | :material-close:                                       | :material-check:     |
+| View Statistics       | :material-close:                                       | :material-check:     |
+| Filtering by Severity | :material-check:                                       | :material-check:     |
+| Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | Terraform            |
+
+[^1]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+tfsec is designed for Terraform.
+People who use only Terraform should use tfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[tfsec]: https://github.com/aquasecurity/tfsec
--- a/docs/docs/misconfiguration/custom/combine.md
+++ b/docs/docs/misconfiguration/custom/combine.md
--- a/docs/docs/misconfiguration/custom/data.md
+++ b/docs/docs/misconfiguration/custom/data.md
--- a/docs/docs/misconfiguration/custom/debug.md
+++ b/docs/docs/misconfiguration/custom/debug.md
@@ -0,0 +1,304 @@
+# Debugging policies
+When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
+For this purpose you can use the `--trace` flag.
+This will output a large trace from Open Policy Agent like the following:
+
+!!! tip
+    Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
+
+```shell
+$ trivy conf --trace configs/
+2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1
+
+Dockerfile (dockerfile)
+=======================
+Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
+
+MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+
+See https://avd.aquasec.com/misconfig/ds001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:1
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   1 [ FROM alpine:latest
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+HIGH: Last USER command in Dockerfile should not be 'root'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:3
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   3 [ USER root
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+ID: DS001
+File: Dockerfile
+Namespace: builtin.dockerfile.DS001
+Query: data.builtin.dockerfile.DS001.deny
+Message: Specify a tag in the 'FROM' statement for image 'alpine'
+TRACE  Enter data.builtin.dockerfile.DS001.deny = _
+TRACE  | Eval data.builtin.dockerfile.DS001.deny = _
+TRACE  | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)
+TRACE  | Enter data.builtin.dockerfile.DS001.deny
+TRACE  | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]
+TRACE  | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)
+TRACE  | | Enter data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]
+TRACE  | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)
+TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Eval from = data.lib.docker.from[_]
+TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | Enter data.lib.docker.from
+TRACE  | | | | | Eval instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Exit data.lib.docker.from
+TRACE  | | | | Redo data.lib.docker.from
+TRACE  | | | | | Redo instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Fail instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "from"
+TRACE  | | | | | Fail instruction.Cmd = "from"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | Eval name = from.Value[0]
+TRACE  | | | | Eval not startswith(name, "$")
+TRACE  | | | | Enter startswith(name, "$")
+TRACE  | | | | | Eval startswith(name, "$")
+TRACE  | | | | | Fail startswith(name, "$")
+TRACE  | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
+TRACE  | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Eval split(name, ":", __local504__)
+TRACE  | | | | | Eval [img, tag] = __local504__
+TRACE  | | | | | Exit data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | Eval [img, tag] = __local505__
+TRACE  | | | | Eval output = {"cmd": from, "img": img, "tag": tag}
+TRACE  | | | | Exit data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | Redo data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Redo output = {"cmd": from, "img": img, "tag": tag}
+TRACE  | | | | Redo [img, tag] = __local505__
+TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
+TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Redo [img, tag] = __local504__
+TRACE  | | | | | Redo split(name, ":", __local504__)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
+TRACE  | | | | | Eval tag = "latest"
+TRACE  | | | | | Eval not contains(img, ":")
+TRACE  | | | | | Enter contains(img, ":")
+TRACE  | | | | | | Eval contains(img, ":")
+TRACE  | | | | | | Exit contains(img, ":")
+TRACE  | | | | | Redo contains(img, ":")
+TRACE  | | | | | | Redo contains(img, ":")
+TRACE  | | | | | Fail not contains(img, ":")
+TRACE  | | | | | Redo tag = "latest"
+TRACE  | | | | Redo name = from.Value[0]
+TRACE  | | | | Redo from = data.lib.docker.from[_]
+TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
+TRACE  | | | | Eval from = data.lib.docker.from[i]
+TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | Eval name = from.Value[0]
+TRACE  | | | | Eval cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Eval possibilities = {"arg", "env"}
+TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
+TRACE  | | | | Redo possibilities = {"arg", "env"}
+TRACE  | | | | Redo cmd_obj = input.stages[j][k]
+TRACE  | | | | Redo name = from.Value[0]
+TRACE  | | | | Redo from = data.lib.docker.from[i]
+TRACE  | | | Eval __local752__ = output.img
+TRACE  | | | Eval neq(__local752__, "scratch")
+TRACE  | | | Eval __local753__ = output.img
+TRACE  | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)
+TRACE  | | | | Enter data.builtin.dockerfile.DS001.is_alias
+TRACE  | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]
+TRACE  | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)
+TRACE  | | | | | Enter data.builtin.dockerfile.DS001.get_aliases
+TRACE  | | | | | | Eval from_cmd = data.lib.docker.from[_]
+TRACE  | | | | | | Index data.lib.docker.from (matched 1 rule)
+TRACE  | | | | | | Eval __local749__ = from_cmd.Value
+TRACE  | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
+TRACE  | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)
+TRACE  | | | | | | Enter data.builtin.dockerfile.DS001.get_alias
+TRACE  | | | | | | | Eval __local748__ = values[i]
+TRACE  | | | | | | | Eval lower(__local748__, __local501__)
+TRACE  | | | | | | | Eval "as" = __local501__
+TRACE  | | | | | | | Fail "as" = __local501__
+TRACE  | | | | | | | Redo lower(__local748__, __local501__)
+TRACE  | | | | | | | Redo __local748__ = values[i]
+TRACE  | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
+TRACE  | | | | | | Redo __local749__ = from_cmd.Value
+TRACE  | | | | | | Redo from_cmd = data.lib.docker.from[_]
+TRACE  | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]
+TRACE  | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)
+TRACE  | | | Eval output.tag = "latest"
+TRACE  | | | Exit data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | Redo data.builtin.dockerfile.DS001.fail_latest
+TRACE  | | | Redo output.tag = "latest"
+TRACE  | | | Redo __local753__ = output.img
+TRACE  | | | Redo neq(__local752__, "scratch")
+TRACE  | | | Redo __local752__ = output.img
+TRACE  | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]
+TRACE  | | Eval __local754__ = output.img
+TRACE  | | Eval sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
+TRACE  | | Eval msg = __local509__
+TRACE  | | Eval __local755__ = output.cmd
+TRACE  | | Eval data.lib.docker.result(msg, __local755__, __local510__)
+TRACE  | | Index data.lib.docker.result (matched 1 rule)
+TRACE  | | Enter data.lib.docker.result
+TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Exit data.lib.docker.result
+TRACE  | | Eval res = __local510__
+TRACE  | | Exit data.builtin.dockerfile.DS001.deny
+TRACE  | Redo data.builtin.dockerfile.DS001.deny
+TRACE  | | Redo res = __local510__
+TRACE  | | Redo data.lib.docker.result(msg, __local755__, __local510__)
+TRACE  | | Redo data.lib.docker.result
+TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | Redo __local755__ = output.cmd
+TRACE  | | Redo msg = __local509__
+TRACE  | | Redo sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
+TRACE  | | Redo __local754__ = output.img
+TRACE  | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]
+TRACE  | Exit data.builtin.dockerfile.DS001.deny = _
+TRACE  Redo data.builtin.dockerfile.DS001.deny = _
+TRACE  | Redo data.builtin.dockerfile.DS001.deny = _
+TRACE
+
+
+ID: DS002
+File: Dockerfile
+Namespace: builtin.dockerfile.DS002
+Query: data.builtin.dockerfile.DS002.deny
+Message: Last USER command in Dockerfile should not be 'root'
+TRACE  Enter data.builtin.dockerfile.DS002.deny = _
+TRACE  | Eval data.builtin.dockerfile.DS002.deny = _
+TRACE  | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)
+TRACE  | Enter data.builtin.dockerfile.DS002.deny
+TRACE  | | Eval data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)
+TRACE  | | Enter data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user
+TRACE  | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)
+TRACE  | | | Enter data.builtin.dockerfile.DS002.get_user
+TRACE  | | | | Eval user = data.lib.docker.user[_]
+TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
+TRACE  | | | | Enter data.lib.docker.user
+TRACE  | | | | | Eval instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Fail instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Exit data.lib.docker.user
+TRACE  | | | | Redo data.lib.docker.user
+TRACE  | | | | | Redo instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | | Eval instruction.Cmd = "user"
+TRACE  | | | | | Fail instruction.Cmd = "user"
+TRACE  | | | | | Redo instruction = input.stages[_][_]
+TRACE  | | | | Eval username = user.Value[_]
+TRACE  | | | | Exit data.builtin.dockerfile.DS002.get_user
+TRACE  | | | Redo data.builtin.dockerfile.DS002.get_user
+TRACE  | | | | Redo username = user.Value[_]
+TRACE  | | | | Redo user = data.lib.docker.user[_]
+TRACE  | | | Eval count(__local771__, __local536__)
+TRACE  | | | Eval lt(__local536__, 1)
+TRACE  | | | Fail lt(__local536__, 1)
+TRACE  | | | Redo count(__local771__, __local536__)
+TRACE  | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user
+TRACE  | | Fail data.builtin.dockerfile.DS002.fail_user_count
+TRACE  | Enter data.builtin.dockerfile.DS002.deny
+TRACE  | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
+TRACE  | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)
+TRACE  | | Enter data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | | Eval stage_users = data.lib.docker.stage_user[_]
+TRACE  | | | Index data.lib.docker.stage_user (matched 1 rule)
+TRACE  | | | Enter data.lib.docker.stage_user
+TRACE  | | | | Eval stage = input.stages[stage_name]
+TRACE  | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
+TRACE  | | | | Enter cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | | Eval cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Fail cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Exit cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | Redo cmd = stage[_]; cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | | Eval cmd.Cmd = "user"
+TRACE  | | | | | Fail cmd.Cmd = "user"
+TRACE  | | | | | Redo cmd = stage[_]
+TRACE  | | | | Exit data.lib.docker.stage_user
+TRACE  | | | Redo data.lib.docker.stage_user
+TRACE  | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
+TRACE  | | | | Redo stage = input.stages[stage_name]
+TRACE  | | | Eval count(stage_users, __local537__)
+TRACE  | | | Eval len = __local537__
+TRACE  | | | Eval minus(len, 1, __local538__)
+TRACE  | | | Eval last = stage_users[__local538__]
+TRACE  | | | Eval user = last.Value[0]
+TRACE  | | | Eval user = "root"
+TRACE  | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | Redo data.builtin.dockerfile.DS002.fail_last_user_root
+TRACE  | | | Redo user = "root"
+TRACE  | | | Redo user = last.Value[0]
+TRACE  | | | Redo last = stage_users[__local538__]
+TRACE  | | | Redo minus(len, 1, __local538__)
+TRACE  | | | Redo len = __local537__
+TRACE  | | | Redo count(stage_users, __local537__)
+TRACE  | | | Redo stage_users = data.lib.docker.stage_user[_]
+TRACE  | | Eval msg = "Last USER command in Dockerfile should not be 'root'"
+TRACE  | | Eval data.lib.docker.result(msg, cmd, __local540__)
+TRACE  | | Index data.lib.docker.result (matched 1 rule)
+TRACE  | | Enter data.lib.docker.result
+TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Exit data.lib.docker.result
+TRACE  | | Eval res = __local540__
+TRACE  | | Exit data.builtin.dockerfile.DS002.deny
+TRACE  | Redo data.builtin.dockerfile.DS002.deny
+TRACE  | | Redo res = __local540__
+TRACE  | | Redo data.lib.docker.result(msg, cmd, __local540__)
+TRACE  | | Redo data.lib.docker.result
+TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
+TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
+TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
+TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
+TRACE  | | Redo msg = "Last USER command in Dockerfile should not be 'root'"
+TRACE  | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
+TRACE  | Exit data.builtin.dockerfile.DS002.deny = _
+TRACE  Redo data.builtin.dockerfile.DS002.deny = _
+TRACE  | Redo data.builtin.dockerfile.DS002.deny = _
+TRACE
+```
--- a/docs/docs/misconfiguration/custom/examples.md
+++ b/docs/docs/misconfiguration/custom/examples.md
@@ -6,7 +6,7 @@ See [here][k8s].

 The custom policy is defined in `user.kubernetes.ID001` package.
 You need to pass the package prefix you want to evaluate through `--namespaces` option.
-In this case, the package prefix should be `user`, `user.kuberntes`, or `user.kubernetes.ID001`.
+In this case, the package prefix should be `user`, `user.kubernetes`, or `user.kubernetes.ID001`.

 ### Dockerfile
 See [here][dockerfile].
--- a/docs/docs/misconfiguration/custom/index.md
+++ b/docs/docs/misconfiguration/custom/index.md
@@ -0,0 +1,209 @@
+# Custom Policies
+
+## Overview
+You can write custom policies in [Rego][rego].
+Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
+
+``` bash
+trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+```
+
+As for `--namespaces` option, the detail is described as below.
+
+### File formats
+If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
+
+| File format   | File pattern                                              |
+|---------------|-----------------------------------------------------------|
+| JSON          | `*.json`                                                  |
+| YAML          | `*.yaml` and `*.yml`                                      |
+| Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
+| Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
+| Terraform     | `*.tf` and `*.tf.json`                                    |
+
+### Configuration languages
+In the above general file formats, Trivy automatically identifies the following types of configuration files:
+
+- CloudFormation (JSON/YAML)
+- Kubernetes (JSON/YAML)
+- Helm (YAML)
+- Terraform Plan (JSON)
+
+This is useful for filtering inputs, as described below.
+
+## Rego format
+A single package must contain only one policy.
+
+!!!example
+    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
+    package user.kubernetes.ID001
+    
+    deny[res] {
+        input.kind == "Deployment"
+        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
+        res := result.new(msg, input.kind)
+    }
+    ```
+
+In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
+If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
+
+### Policy structure
+
+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
+`package` (required)
+:   - MUST follow the Rego's [specification][package]
+    - MUST be unique per policy
+    - SHOULD include policy id for uniqueness
+    - MAY include the group name such as `kubernetes` for clarity
+        - Group name has no effect on policy evaluation
+
+`deny` (required)
+:   - SHOULD be `deny` or start with `deny_`
+        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
+    - SHOULD return ONE OF:
+        - The result of a call to `result.new(msg, cause)`. The `msg` is a `string` describing the issue occurrence, and the `cause` is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. 
+        - A `string` denoting the detected issue
+            - Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended if `result.new()` is not utilised.
+            - e.g. `{"msg": "deny message", "details": "something"}`
+    
+
+### Package
+A package name must be unique per policy.
+
+!!!example
+    ``` rego
+    package user.kubernetes.ID001
+    ```
+
+By default, only `builtin.*` packages will be evaluated.
+If you define custom packages, you have to specify the package prefix via `--namespaces` option. 
+
+``` bash
+trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+```
+
+In this case, `user.*` will be evaluated.
+Any package prefixes such as `main` and `user` are allowed.
+
+### Metadata
+Metadata helps enrich Trivy's scan results with useful information.
+
+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
+!!!example
+    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
+    ```
+  
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
+
+| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                           |                              | :material-close: | :material-check: |
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
+| url                        | Any characters                           |                              | :material-close: | :material-check: |
+
+
+Some fields are displayed in scan results.
+
+``` bash
+k.yaml (kubernetes)
+───────────────────
+
+Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+LOW: Found deployment 'my-deployment' but deployments are not allowed
+════════════════════════════════════════════════════════════════════════
+Deployments are not allowed because of some reasons.
+────────────────────────────────────────────────────────────────────────
+ k.yaml:1-2
+────────────────────────────────────────────────────────────────────────
+   1 ┌ apiVersion: v1
+   2 └ kind: Deployment
+────────────────────────────────────────────────────────────────────────
+```
+
+### Input
+You can specify input format via the `custom.input` annotation.
+
+!!!example
+    ``` rego
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
+    ```
+
+`combine` (boolean)
+: The details are [here](combine.md).
+
+`selector` (array)
+:   This option filters the input by file format or configuration language. 
+    In the above example, Trivy passes only Kubernetes files to this policy.
+    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
+
+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
+    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
+    When a configuration language is identified, it will overwrite `type`.
+    
+    !!! example
+        `pod.yaml` including Kubernetes Pod will be handled as `kubernetes`, not `yaml`.
+        `type` is overwritten by `kubernetes` from `yaml`.
+
+    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
+
+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
--- a/docs/docs/misconfiguration/custom/testing.md
+++ b/docs/docs/misconfiguration/custom/testing.md
@@ -22,7 +22,7 @@ For more details, see [Policy Testing][opa-testing].
    }
    ```

-To write tests for custom policies, you can refer to existing tests under [AppShield][appshield].
+To write tests for custom policies, you can refer to existing tests under [defsec][defsec].

 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
@@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.

 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
-[appshield]: https://github.com/aquasecurity/appshield
+[defsec]: https://github.com/aquasecurity/defsec
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal
--- a/docs/docs/misconfiguration/options/filter.md
+++ b/docs/docs/misconfiguration/options/filter.md
@@ -0,0 +1,60 @@
+# Filter Misconfigurations
+
+## By Severity
+
+Use `--severity` option.
+
+```bash
+trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
+```
+
+<details>
+<summary>Result</summary>
+
+```shell
+2022-05-16T13:50:42.718+0100	INFO	Detected config files: 3
+
+Dockerfile (dockerfile)
+=======================
+Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 1, CRITICAL: 0)
+
+HIGH: Last USER command in Dockerfile should not be 'root'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Dockerfile:3
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   3 [ USER root
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+deployment.yaml (kubernetes)
+============================
+Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
+Failures: 0 (HIGH: 0, CRITICAL: 0)
+
+
+main.tf (terraform)
+===================
+Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 0, CRITICAL: 1)
+
+CRITICAL: Classic resources should not be used.
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
+resources in a VPC instead.
+
+See https://avd.aquasec.com/misconfig/avd-aws-0081
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ main.tf:2-4
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   2 ┌ resource "aws_db_security_group" "sg" {
+   3 │
+   4 └ }
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+</details>
--- a/docs/docs/misconfiguration/options/others.md
+++ b/docs/docs/misconfiguration/options/others.md
@@ -0,0 +1,4 @@
+# Others
+
+!!! hint
+    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
--- a/docs/docs/misconfiguration/options/policy.md
+++ b/docs/docs/misconfiguration/options/policy.md
@@ -0,0 +1,35 @@
+# Policy
+
+## Pass custom policies
+You can pass directories including your custom policies through `--policy` option.
+This can be repeated for specifying multiple directories.
+
+```bash
+cd examplex/misconf/
+trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
+```
+
+For more details, see [Custom Policies](../custom/index.md).
+
+!!! tip
+    You also need to specify `--namespaces` option.
+
+## Pass custom data
+You can pass directories including your custom data through `--data` option.
+This can be repeated for specifying multiple directories.
+
+```bash
+cd examples/misconf/custom-data
+trivy conf --policy ./policy --data ./data --namespaces user ./configs
+```
+
+For more details, see [Custom Data](../custom/data.md).
+
+## Pass namespaces
+By default, Trivy evaluates policies defined in `builtin.*`.
+If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
+This can be repeated for specifying multiple packages.
+
+``` bash
+trivy conf --policy ./policy --namespaces main --namespaces user ./configs
+```
--- a/docs/docs/misconfiguration/options/report.md
+++ b/docs/docs/misconfiguration/options/report.md
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting specific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```
--- a/docs/docs/misconfiguration/policy/builtin.md
+++ b/docs/docs/misconfiguration/policy/builtin.md
@@ -0,0 +1,28 @@
+# Built-in Policies
+
+## Policy Sources
+
+Built-in policies are mainly written in [Rego][rego] and Go.
+Those policies are managed under [defsec repository][defsec].
+
+| Config type               | Source               |
+|---------------------------|----------------------|
+| Kubernetes                | [defsec][kubernetes] |
+| Dockerfile, Containerfile | [defsec][docker]     |
+| Terraform                 | [defsec][defsec]     |
+| CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
+| Helm Chart                | [defsec][kubernetes] |      
+| RBAC                      | [defsec][rbac]       |      
+
+For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
+
+Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.
+
+Ansible scanning is coming soon.
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[defsec]: https://github.com/aquasecurity/defsec
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
+[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
--- a/docs/docs/misconfiguration/policy/exceptions.md
+++ b/docs/docs/misconfiguration/policy/exceptions.md
@@ -1,5 +1,5 @@
 # Exceptions
-Exceptions lets you to specify cases where you allow policy violations.
+Exceptions let you specify cases where you allow policy violations.
 Trivy supports two types of exceptions.

 !!! info
@@ -22,7 +22,7 @@ The `exception` rule must be defined under `namespace.exceptions`.
        
    exception[ns] {
        ns := data.namespaces[_]
-        startswith(ns, "appshield")
+        startswith(ns, "builtin.kubernetes")
    }
    ```

@@ -79,7 +79,7 @@ If you want to apply rule-based exceptions to built-in policies, you have to def

 !!! example
    ``` rego
-    package appshield.kubernetes.KSV012
+    package builtin.kubernetes.KSV012

    exception[rules] {
        input.metadata.name == "can-run-as-root"
@@ -87,12 +87,12 @@ If you want to apply rule-based exceptions to built-in policies, you have to def
    }
    ```

-This exception is applied to [KSV012][ksv012] in AppShield.
-You can get the package names in [AppShield repository][appshield] or the JSON output from Trivy.
+This exception is applied to [KSV012][ksv012] in defsec.
+You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.

 For more details, see [an example][rule-example].

 [ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
 [rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
-[ksv012]: https://github.com/aquasecurity/appshield/blob/57bccc1897b2500a731415bda3990b0d4fbc959e/kubernetes/policies/pss/restricted/3_runs_as_root.rego
-[appshield]: https://github.com/aquasecurity/appshield/
+[ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
+[defsec]: https://github.com/aquasecurity/defsec/
--- a/docs/docs/misconfiguration/scanning.md
+++ b/docs/docs/misconfiguration/scanning.md
@@ -0,0 +1,321 @@
+# Misconfiguration Scanning
+Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes, Terraform and CloudFormation.
+Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, etc, like [Conftest][conftest].
+
+![misconf](../../imgs/misconf.png)
+
+## Quick start
+
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
+
+``` bash
+$ trivy config [YOUR_IaC_DIRECTORY]
+```
+
+
+!!! example
+    ```
+    $ ls build/
+    Dockerfile
+    $ trivy config ./build
+    2022-05-16T13:29:29.952+0100	INFO	Detected config files: 1
+    
+    Dockerfile (dockerfile)
+    =======================
+    Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
+    Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+    
+    MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
+    ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+    
+    See https://avd.aquasec.com/misconfig/ds001
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    Dockerfile:1
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    1 [ FROM alpine:latest
+    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    ```
+
+You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--security-checks config`.
+
+```bash
+$ trivy image --security-checks config IMAGE_NAME
+```
+
+```bash
+$ trivy fs --security-checks config /path/to/dir
+```
+
+!!! note
+    Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
+
+Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
+You can specify `--security-checks vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
+
+
+!!! example
+    ``` bash
+    $ ls myapp/
+    Dockerfile Pipfile.lock
+    $ trivy fs --security-checks vuln,config,secret --severity HIGH,CRITICAL myapp/
+    2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
+    2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
+    2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
+    
+    Pipfile.lock (pipenv)
+    =====================
+    Total: 1 (HIGH: 1, CRITICAL: 0)
+    
+    ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
+    │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
+    ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
+    │ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via │
+    │          │                │          │                   │               │ malicious header                                          │
+    │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                │
+    └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
+    
+    Dockerfile (dockerfile)
+    =======================
+    Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+    Failures: 1 (HIGH: 1, CRITICAL: 0)
+    
+    HIGH: Last USER command in Dockerfile should not be 'root'
+    ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+    
+    See https://avd.aquasec.com/misconfig/ds002
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    Dockerfile:3
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    3 [ USER root
+    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+    ```
+
+In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
+
+## Type detection
+The specified directory can contain mixed types of IaC files.
+Trivy automatically detects config types and applies relevant policies.
+
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
+
+``` bash
+$ ls iac/
+Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
+$ trivy conf --severity HIGH,CRITICAL ./iac
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8
+
+Dockerfile (dockerfile)
+
+Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+deployment.yaml (kubernetes)
+
+Tests: 20 (SUCCESSES: 15, FAILURES: 5, EXCEPTIONS: 0)
+Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
+
+MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
+
+See https://avd.aquasec.com/misconfig/ksv001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:16-19
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  16 ┌       - name: hello-kubernetes
+  17 │         image: hello-kubernetes:1.5
+  18 │         ports:
+  19 └         - containerPort: 8080
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+HIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Mounting docker.sock from the host can give the container full root access to the host.
+
+See https://avd.aquasec.com/misconfig/ksv006
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to true
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
+
+See https://avd.aquasec.com/misconfig/ksv012
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:16-19
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  16 ┌       - name: hello-kubernetes
+  17 │         image: hello-kubernetes:1.5
+  18 │         ports:
+  19 └         - containerPort: 8080
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Deployment 'hello-kubernetes' should not set 'spec.template.volumes.hostPath'
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+HostPath volumes must be forbidden.
+
+See https://avd.aquasec.com/misconfig/ksv023
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed values
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
+
+See https://avd.aquasec.com/misconfig/ksv026
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ deployment.yaml:6-29
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   6 ┌   replicas: 3
+   7 │   selector:
+   8 │     matchLabels:
+   9 │       app: hello-kubernetes
+  10 │   template:
+  11 │     metadata:
+  12 │       labels:
+  13 │         app: hello-kubernetes
+  14 └     spec:
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+
+mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
+
+Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+
+MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to false
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
+
+See https://avd.aquasec.com/misconfig/ksv001
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  56 ┌         - name: mysql
+  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
+  58 │           imagePullPolicy: "IfNotPresent"
+  59 │           securityContext:
+  60 │             runAsUser: 1001
+  61 │           env:
+  62 │             - name: BITNAMI_DEBUG
+  63 │               value: "false"
+  64 └             - name: MYSQL_ROOT_PASSWORD
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to true
+═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
+
+See https://avd.aquasec.com/misconfig/ksv012
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  56 ┌         - name: mysql
+  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
+  58 │           imagePullPolicy: "IfNotPresent"
+  59 │           securityContext:
+  60 │             runAsUser: 1001
+  61 │           env:
+  62 │             - name: BITNAMI_DEBUG
+  63 │               value: "false"
+  64 └             - name: MYSQL_ROOT_PASSWORD
+  ..   
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+```
+
+</details>
+
+You can see the config type next to each file name.
+
+!!! example
+``` bash
+Dockerfile (dockerfile)
+=======================
+Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (HIGH: 1, CRITICAL: 0)
+
+...
+
+deployment.yaml (kubernetes)
+============================
+Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
+Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
+
+...
+
+main.tf (terraform)
+===================
+Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
+Failures: 9 (HIGH: 6, CRITICAL: 1)
+
+...
+
+bucket.yaml (cloudformation)
+============================
+Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
+...
+
+mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
+==========================================================
+Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
+Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+```
+
+## Examples
+See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[conftest]: https://github.com/open-policy-agent/conftest/
+
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -0,0 +1,70 @@
+# Client
+
+```bash
+Usage:
+  trivy client [flags] IMAGE_NAME
+
+Aliases:
+  client, c
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/config.md
+++ b/docs/docs/references/cli/config.md
@@ -0,0 +1,49 @@
+# Config
+
+``` bash
+Scan config files for misconfigurations
+
+Usage:
+  trivy config [flags] DIR
+
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/fs.md
+++ b/docs/docs/references/cli/fs.md
@@ -0,0 +1,85 @@
+# Filesystem
+
+```bash
+Scan local filesystem
+
+Usage:
+  trivy filesystem [flags] PATH
+
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/image.md
+++ b/docs/docs/references/cli/image.md
@@ -0,0 +1,103 @@
+# Image
+
+```bash
+Scan a container image
+
+Usage:
+  trivy image [flags] IMAGE_NAME
+
+Aliases:
+  image, i
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Image Flags
+      --input string   input file path instead of image name
+      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/index.md
+++ b/docs/docs/references/cli/index.md
@@ -0,0 +1,50 @@
+Trivy has several sub commands, image, fs, repo, client and server.
+
+``` bash
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+
+Usage:
+  trivy [global flags] command [flags] target
+  trivy [command]
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+
+Available Commands:
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  help        Help about any command
+  image       Scan a container image
+  kubernetes  scan kubernetes cluster
+  module      Manage modules
+  plugin      Manage plugins
+  repository  Scan a remote repository
+  rootfs      Scan rootfs
+  sbom        Scan SBOM for vulnerabilities
+  server      Server mode
+  version     Print the version
+
+Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy [command] --help" for more information about a command.
+```
--- a/docs/docs/references/cli/module.md
+++ b/docs/docs/references/cli/module.md
@@ -0,0 +1,30 @@
+# Module
+
+```bash
+Manage modules
+
+Usage:
+  trivy module [command]
+
+Aliases:
+  module, m
+
+Available Commands:
+  install     Install a module
+  uninstall   Uninstall a module
+
+Flags:
+  -h, --help   help for module
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
+```
--- a/docs/docs/references/cli/plugin.md
+++ b/docs/docs/references/cli/plugin.md
@@ -0,0 +1,34 @@
+# Plugin
+
+```bash
+Manage plugins
+
+Usage:
+  trivy plugin [command]
+
+Aliases:
+  plugin, p
+
+Available Commands:
+  info        Show information about the specified plugin
+  install     Install a plugin
+  list        List installed plugin
+  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
+  update      Update an existing plugin
+
+Flags:
+  -h, --help   help for plugin
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
+```
--- a/docs/docs/references/cli/repo.md
+++ b/docs/docs/references/cli/repo.md
@@ -0,0 +1,87 @@
+# Repository
+
+```bash
+Scan a remote repository
+
+Usage:
+  trivy repository [flags] REPO_URL
+
+Aliases:
+  repository, repo
+
+Examples:
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Repository Flags
+      --branch string   pass the branch name to be scanned
+      --commit string   pass the commit hash to be scanned
+      --tag string      pass the tag name to be scanned
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -0,0 +1,94 @@
+# Rootfs
+
+```bash
+Scan rootfs
+
+Usage:
+  trivy rootfs [flags] ROOTDIR
+
+Examples:
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+
+Scan Flags
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --security-checks strings   comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--security-checks config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/docs/docs/references/cli/sbom.md
+++ b/docs/docs/references/cli/sbom.md
@@ -0,0 +1,70 @@
+# SBOM
+
+```bash
+Scan SBOM for vulnerabilities
+
+Usage:
+  trivy sbom [flags] SBOM_PATH
+
+Examples:
+  # Scan CycloneDX and show the result in tables
+  $ trivy sbom /path/to/report.cdx
+
+  # Scan CycloneDX and generate a CycloneDX report
+  $ trivy sbom --format cyclonedx /path/to/report.cdx
+
+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
--- a/Show More
+++ b/Show More