fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956)

Signed-off-by: Liam Galvin <liam.galvin@aquasec.com>

.github/workflows/mkdocs-dev.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           persist-credentials: true

.github/workflows/mkdocs-latest.yaml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           persist-credentials: true

.github/workflows/publish-chart.yaml

@@ -23,11 +23,11 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
         with:
           version: v3.5.0
       - name: Set up python
@@ -36,9 +36,9 @@ jobs:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
+        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -56,7 +56,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           fetch-depth: 0
       - name: Install chart-releaser

.github/workflows/release.yaml

@@ -4,7 +4,7 @@ on:
     tags:
       - "v*"
 env:
-  GO_VERSION: "1.17"
+  GO_VERSION: "1.18"
   GH_USER: "aqua-bot"
 jobs:
   release:
@@ -12,11 +12,16 @@ jobs:
     runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Install dependencies
         run: |
           sudo apt-get -y update
           sudo apt-get -y install rpm reprepro createrepo distro-info
+      - uses: sigstore/cosign-installer@51f8e5c6fce54e46006ae97d73b2b6315f518752
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx
@@ -29,11 +34,11 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3.0.1
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -64,12 +69,12 @@ jobs:
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.183.0
+          version: v1.4.1
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
       - name: Checkout trivy-repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo

.github/workflows/scan.yaml

@@ -1,25 +1,23 @@
-name: Scan
-on: [push, pull_request]
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
 jobs:
   build:
     name: Scan Go vulnerabilities
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Run Trivy vulnerability scanner to scan for Critical Vulnerabilities
-        uses: aquasecurity/trivy-action@master
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.3
         with:
-          scan-type: 'fs'
-          exit-code: '1'
-          severity: 'CRITICAL'
-          skip-dirs: integration,examples
-
-      - name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          exit-code: '0'
-          severity: 'HIGH,MEDIUM'
+          assignee: knqyf263
+          severity: CRITICAL
           skip-dirs: integration,examples
+          label: vulnerability
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yaml

@@ -10,13 +10,13 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.17"
+  GO_VERSION: "1.18"
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Set up Go
         uses: actions/setup-go@v2
@@ -26,7 +26,7 @@ jobs:
       - name: Lint
         uses: golangci/golangci-lint-action@v3.1.0
         with:
-          version: v1.41
+          version: v1.45
           args: --deadline=30m
 
       - name: Run unit tests
@@ -43,7 +43,7 @@ jobs:
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Run integration tests
       run: make test-integration
@@ -65,7 +65,7 @@ jobs:
       run: echo ${{ steps.buildx.outputs.platforms }}
 
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v2
@@ -75,7 +75,7 @@ jobs:
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
-        version: v0.183.0
+        version: v1.4.1
         args: release --snapshot --rm-dist --skip-publish
 
   build-documents:
@@ -83,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
         persist-credentials: true

.gitignore

@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-trivy
+/trivy
 
 ## chart release
 .cr-release-packages

.golangci.yaml

@@ -44,6 +44,7 @@ linters:
     - misspell
 
 run:
+  go: 1.18
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.15.0
+FROM alpine:3.15.3
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.17
+FROM golang:1.18.0
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -58,7 +58,9 @@ protoc:
 	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
 
 _protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
+	for path in `find ./rpc/ -name "*.proto" -type f`; do \
+		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
+	done
 
 .PHONY: install
 install:

contrib/asff.tpl

@@ -1,66 +1,68 @@
-[
-{{- $t_first := true -}}
-{{- range . -}}
-{{- $target := .Target -}}
-{{- range .Vulnerabilities -}}
-{{- if $t_first -}}
-  {{- $t_first = false -}}
-{{- else -}}
-  ,
-{{- end -}}
-{{- $severity := .Severity -}}
-{{- if eq $severity "UNKNOWN" -}}
-{{- $severity = "INFORMATIONAL" -}}
-{{- end -}}
-{{- $description := .Description -}}
-{{- if gt (len $description ) 1021 -}}
-    {{- $description = (substr 0 1021 $description) | printf "%v .." -}}
-{{- end}}
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
-        "Severity": {
-            "Label": "{{ $severity }}"
-        },
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
-        "Description": {{ escapeString $description | printf "%q" }},
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "{{ .PrimaryURL }}"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "{{ $target }}",
-                "Partition": "aws",
-                "Region": "{{ env "AWS_REGION" }}",
-                "Details": {
-                    "Container": { "ImageName": "{{ $target }}" },
-                    "Other": {
-                        "CVE ID": "{{ .VulnerabilityID }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
-                        "PkgName": "{{ .PkgName }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
-                        "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 1021 -}}
+        {{- $description = (substr 0 1021 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $target }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
                     }
                 }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-   {{- end -}}
-  {{- end }}
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+       {{- end -}}
+      {{- end }}
+    ]
+}

contrib/gitlab-codequality.tpl

@@ -13,8 +13,8 @@
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
-      "description": {{ list .VulnerabilityID .Title | join ": " | printf "%q" }},
-      "fingerprint": "{{ .VulnerabilityID | sha1sum }}",
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
       "content": {{ .Description | printf "%q" }},
       "severity": {{ if eq .Severity "LOW" -}}
                     "info"
@@ -28,9 +28,41 @@
                     "info"
                   {{- end }},
       "location": {
-        "path": "{{ .PkgName }}-{{ .InstalledVersion }}",
+        "path": "{{ $target }}",
         "lines": {
-          "begin": 1
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .IacMetadata.StartLine }}
         }
       }
     }

docs/advanced/community/references.md

@@ -1,19 +0,0 @@
-# External References
-There are external blogs and evaluations.
-
-## Blogs
-- [the vulnerability remediation lifecycle of Alpine containers][alpine]
-- [Continuous Container Vulnerability Testing with Trivy][semaphore]
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-- [Istio evaluates scanners][istio]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/advanced/index.md

@@ -1,2 +0,0 @@
-# Advanced
-This section describes advanced features, integrations, etc.

docs/community/cks.md

@@ -0,0 +1,21 @@
+# CKS preparation resources
+
+Community Resources
+
+- [Trivy Video overview (short)][overview]
+- [Example questions from the exam][exam]
+- [More example questions][questions]
+
+Aqua Security Blog posts
+
+- Supply chain security best [practices][supply-chain-best-practices]
+- Supply chain [attacks][supply-chain-attacks]
+- 
+If you know of interesting resources, please start a PR to add those to the list.
+
+[overview]: https://youtu.be/2cjH6Zkieys
+[exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a
+[questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md
+
+[supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices
+[supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images

docs/community/contrib/triage.md

@@ -1,7 +1,10 @@
+# Triage
+
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
 
 Triage includes:
+
 - Labeling issues
 - Responding to issues
 - Closing issues
@@ -185,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 
-We have specific [guidelines](/docs/advanced/contribd/contrib/help-wanted.md)
+We have specific [guidelines](/docs/docs/advanced/contribd/contrib/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 

docs/community/references.md

@@ -0,0 +1,48 @@
+# Additional References
+There are external blogs and evaluations.
+
+## Blogs
+- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
+- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
+- [DevSecOps with Trivy and GitHub Actions][actions]
+- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
+- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+## Presentations
+- Aqua Security YouTube Channel
+    - [Trivy - container image scanning][intro]
+    - [Using Trivy in client server mode][server]
+    - [Tweaking Trivy output to fit your workflow][tweaking]
+    - [How does a vulnerability scanner identify packages?][identify]
+- CNCF Webinar 2020
+    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
+- KubeCon + CloudNativeCon Europe 2020 Virtual
+    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
+
+[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
+[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
+[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
+[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
+[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
+[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
+
+[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
+[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
+[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
+[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
+[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

docs/docs/advanced/air-gap.md

@@ -109,5 +109,5 @@ In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn
 $ trivy conf --skip-policy-update /path/to/conf
 ```
 
-[allowlist]: ../getting-started/troubleshooting.md
+[allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/

docs/docs/index.md

@@ -0,0 +1,85 @@
+# Docs
+
+Trivy detects two types of security issues:
+
+- [Vulnerabilities][vuln]
+- [Misconfigurations][misconf]
+
+Trivy can scan three different artifacts:
+
+- [Container Images][container]
+- [Filesystem][filesystem] and [Rootfs][rootfs]
+- [Git Repositories][repo]
+
+Trivy can be run in two different modes:
+
+- [Standalone][standalone]
+- [Client/Server][client-server]
+
+It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
+See [Integrations][integrations] for details.
+
+## Features
+
+- Comprehensive vulnerability detection
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+- Detect IaC misconfigurations
+    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
+        - Kubernetes
+        - Docker
+        - Terraform
+        - more coming soon
+    - Support custom policies
+- Simple
+    - Specify only an image name, a directory containing IaC configs, or an artifact name
+    - See [Quick Start][quickstart]
+- Fast
+    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
+    - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
+- Easy installation
+    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation])
+    - **No pre-requisites** such as installation of DB, libraries, etc.
+- High accuracy
+    - **Especially Alpine Linux and RHEL/CentOS**
+    - Other OSes are also high
+- DevSecOps
+    - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
+    - See [CI Example][integrations]
+- Support multiple formats
+    - container image
+        - A local image in Docker Engine which is running as a daemon
+        - A local image in [Podman][podman] (>=2.0) which is exposing a socket
+        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
+        - A tar archive stored in the `docker save` / `podman save` formatted file
+        - An image directory compliant with [OCI Image Format][oci]
+    - local filesystem and rootfs
+    - remote git repository
+- [SBOM][sbom] (Software Bill of Materials) support
+    - CycloneDX 
+
+Please see [LICENSE][license] for Trivy licensing information.
+
+[installation]: ../getting-started/installation.md
+[vuln]: ../docs/vulnerability/scanning/index.md
+[misconf]: ../docs/misconfiguration/index.md
+[container]: ../docs/vulnerability/scanning/image.md
+[rootfs]: ../docs/vulnerability/scanning/rootfs.md
+[filesystem]: ../docs/vulnerability/scanning/filesystem.md
+[repo]: ../docs/vulnerability/scanning/git-repository.md
+
+[standalone]: ../docs/references/modes/standalone.md
+[client-server]: ../docs/references/modes/client-server.md
+[integrations]: ../docs/integrations/index.md
+
+[os]: ../docs/vulnerability/detection/os.md
+[lang]: ../docs/vulnerability/detection/language.md
+
+[builtin]: ../docs/misconfiguration/policy/builtin.md
+[quickstart]: ../getting-started/quickstart.md
+[podman]: ../docs/advanced/container/podman.md
+
+[sbom]: ../docs/sbom/index.md
+
+[oci]: https://github.com/opencontainers/image-spec
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/docs/integrations/gitlab-ci.md

@@ -23,6 +23,8 @@ trivy:
     # See https://github.com/docker-library/docker/pull/166
     DOCKER_TLS_CERTDIR: ""
     IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
   before_script:
     - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
     - echo $TRIVY_VERSION
@@ -32,11 +34,11 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
     # Print report
-    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $IMAGE
+    - ./trivy image --exit-code 0 --severity HIGH $IMAGE
     # Fail on severe vulnerabilities
-    - ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $IMAGE
+    - ./trivy image --exit-code 1 --severity CRITICAL $IMAGE
   cache:
     paths:
       - .trivycache/
@@ -71,20 +73,22 @@ container_scanning:
     TRIVY_USERNAME: "$CI_REGISTRY_USER"
     TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
     TRIVY_AUTH_URL: "$CI_REGISTRY"
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
     FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
   script:
     - trivy --version
     # cache cleanup is needed when scanning images with the same tags, it does not remove the database
     - time trivy image --clear-cache
     # update vulnerabilities db
-    - time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
+    - time trivy image --download-db-only
     # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
-    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
+    - time trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
         --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
     # Prints full report
-    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress "$FULL_IMAGE_NAME"
+    - time trivy image --exit-code 0 "$FULL_IMAGE_NAME"
     # Fail on critical vulnerabilities
-    - time trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
+    - time trivy image --exit-code 1 --severity CRITICAL "$FULL_IMAGE_NAME"
   cache:
     paths:
       - .trivycache/
@@ -126,6 +130,8 @@ trivy:
     # See https://github.com/docker-library/docker/pull/166
     DOCKER_TLS_CERTDIR: ""
     IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
   before_script:
     - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
     - echo $TRIVY_VERSION
@@ -134,8 +140,13 @@ trivy:
   script:
     # Build image
     - docker build -t $IMAGE .
-    # Build report
-    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate.json $IMAGE
+    # Image report
+    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+    # Filesystem report
+    - ./trivy filesystem --security-checks config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+    # Combine report
+    - apk update && apk add jq
+    - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
   cache:
     paths:
       - .trivycache/
@@ -155,3 +166,9 @@ already have a code quality report in your pipeline, you can use
 be necessary to rename the artifact if you want to reuse the name. To then
 combine the previous artifact with the output of trivy, the following `jq`
 command can be used, `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.
+
+### Gitlab CI alternative template example report
+
+You'll be able to see a full report in the Gitlab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
+
+![codequality](../../imgs/gitlab-codequality.png)

docs/docs/misconfiguration/index.md

@@ -2,7 +2,7 @@
 Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes and Terraform.
 Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, HCL, etc, like [Conftest][conftest].
 
-![misconf](../imgs/misconf.png)
+![misconf](../../imgs/misconf.png)
 
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [conftest]: https://github.com/open-policy-agent/conftest/

docs/docs/misconfiguration/policy/builtin.md

@@ -29,7 +29,7 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [appshield]: https://github.com/aquasecurity/appshield
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
-[tfsec-checks]: https://tfsec.dev/docs/aws/home/
+[tfsec-checks]: https://tfsec.dev/
 [tfsec]: https://github.com/aquasecurity/tfsec
 [cfsec-checks]: https://cfsec.dev/
 [cfsec]: https://github.com/aquasecurity/cfsec

docs/docs/references/cli/fs.md

@@ -31,5 +31,9 @@ OPTIONS:
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
    --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
    --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --server value                                 server address [$TRIVY_SERVER]
+   --token value                                  for authentication [$TRIVY_TOKEN]
+   --token-header value                           specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
+   --custom-headers value                         custom headers [$TRIVY_CUSTOM_HEADERS]
    --help, -h                                     show help (default: false)
 ```

docs/docs/references/cli/index.md

@@ -18,6 +18,7 @@ COMMANDS:
    server, s         server mode
    config, conf      scan config files
    plugin, p         manage plugins
+   version           print the version
    help, h           Shows a list of commands or help for one command
 
 GLOBAL OPTIONS:

docs/docs/references/cli/plugins.md

@@ -0,0 +1,173 @@
+# Plugins
+Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivycode base.
+This plugin system was inspired by the plugin system used in [kubectl][kubectl], [Helm][helm], and [Conftest][conftest].
+
+## Overview
+Trivy plugins are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language.
+- They integrate with Trivy, and will show up in Trivy help and subcommands.
+
+!!! warning
+    Trivy plugins available in public are not audited for security.
+    You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
+
+
+## Installing a Plugin
+A plugin can be installed using the `trivy plugin install` command.
+This command takes a url and will download the plugin and install it in the plugin cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- ~/.trivy/plugins
+
+Under the hood Trivy leverages [go-getter][go-getter] to download plugins.
+This means the following protocols are supported for downloading plugins:
+
+- OCI Registries
+- Local Files
+- Git
+- HTTP/HTTPS
+- Mercurial
+- Amazon S3
+- Google Cloud Storage
+
+For example, to download the Kubernetes Trivy plugin you can execute the following command:
+
+```bash
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
+```
+## Using Plugins
+Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
+A plugin will be made in the Trivy CLI based on the plugin name.
+To display all plugins, you can list them by `trivy --help`
+
+```bash
+$ trivy --help
+NAME:
+   trivy - A simple and comprehensive vulnerability scanner for containers
+
+USAGE:
+   trivy [global options] command [command options] target
+
+VERSION:
+   dev
+
+COMMANDS:
+   image, i          scan an image
+   filesystem, fs    scan local filesystem
+   repository, repo  scan remote repository
+   client, c         client mode
+   server, s         server mode
+   plugin, p         manage plugins
+   kubectl           scan kubectl resources
+   help, h           Shows a list of commands or help for one command
+```
+
+As shown above, `kubectl` subcommand exists in the `COMMANDS` section.
+To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
+
+```
+$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL
+```
+
+Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy.
+You can see the detail [here][trivy-plugin-kubectl].
+
+If you want to omit even the subcommand, you can use `TRIVY_RUN_AS_PLUGIN` environment variable.
+
+```bash
+$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json
+```
+
+## Installing and Running Plugins on the fly
+`trivy plugin run` installs a plugin and runs it on the fly.
+If the plugin is already present in the cache, the installation is skipped.
+
+```bash
+trivy plugin run github.com/aquasecurity/trivy-plugin-kubectl pod your-pod -- --exit-code 1
+```
+
+## Uninstalling Plugins
+Specify a plugin name with `trivy plugin uninstall` command.
+
+```bash
+$ trivy plugin uninstall kubectl
+```
+
+## Building Plugins
+Each plugin has a top-level directory, and then a plugin.yaml file.
+
+```bash
+your-plugin/
+  |
+  |- plugin.yaml
+  |- your-plugin.sh
+```
+
+In the example above, the plugin is contained inside of a directory named `your-plugin`.
+It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
+
+The core of a plugin is a simple YAML file named plugin.yaml.
+Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.
+
+```yaml
+name: "kubectl"
+repository: github.com/aquasecurity/trivy-plugin-kubectl
+version: "0.1.0"
+usage: scan kubectl resources
+description: |-
+  A Trivy plugin that scans the images of a kubernetes resource.
+  Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
+platforms:
+  - selector: # optional
+      os: darwin
+      arch: amd64
+    uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
+    bin: ./trivy-kubectl # path to the execution file
+  - selector: # optional
+      os: linux
+      arch: amd64
+    uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
+    bin: ./trivy-kubectl
+```
+
+The `plugin.yaml` field should contain the following information:
+
+- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
+- version: The version of the plugin. (required)
+- usage: A short usage description. (required)
+- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
+- platforms: (required)
+  - selector: The OS/Architecture specific variations of a execution file. (optional)
+    - os: OS information based on GOOS (linux, darwin, etc.) (optional)
+    - arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
+  - uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
+  - bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
+
+The following rules will apply in deciding which platform to select:
+
+- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
+- If `selector` is not present, the platform will be used.
+- If `os` matches and there is no more specific `arch` match, the platform will be used.
+- If no `platform` match is found, Trivy will exit with an error.
+
+After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
+When the plugin is called via Trivy CLI, `bin` command will be executed.
+
+The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
+
+## Example
+https://github.com/aquasecurity/trivy-plugin-kubectl
+
+[kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
+[helm]: https://helm.sh/docs/topics/plugins/
+[conftest]: https://www.conftest.dev/plugins/
+[go-getter]: https://github.com/hashicorp/go-getter
+[trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
+

docs/docs/references/cli/sbom.md

@@ -0,0 +1,19 @@
+# SBOM
+
+```bash
+NAME:
+   trivy sbom - generate SBOM for an artifact
+
+USAGE:
+   trivy sbom [command options] ARTIFACT
+
+OPTIONS:
+   --output value, -o value             output file name [$TRIVY_OUTPUT]
+   --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
+   --sbom-format value, --format value  SBOM format (cyclonedx) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
+   --help, -h                           show help (default: false)
+```

docs/docs/references/modes/client-server.md

@@ -55,5 +55,5 @@ $ trivy client --remote http://localhost:8080 --token dummy alpine:3.10
 
 ## Architecture
 
-![architecture](../../imgs/client-server.png)
+![architecture](../../../imgs/client-server.png)
 

docs/docs/references/modes/standalone.md

@@ -4,13 +4,13 @@
 
 ## Image
 
-![standalone](../../imgs/image.png)
+![standalone](../../../imgs/image.png)
 
 ## Filesystem
 
-![fs](../../imgs/fs.png)
+![fs](../../../imgs/fs.png)
 
 ## Git Repository
 
-![repo](../../imgs/repo.png)
+![repo](../../../imgs/repo.png)
 

docs/docs/references/troubleshooting.md

@@ -39,7 +39,7 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
-### Maven rate limiting
+### Maven rate limiting / inconsistent jar vulnerability reporting
 
 !!! error
     ``` bash
@@ -49,14 +49,41 @@ $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
     ```
 
 Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
-If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This can easily happen if you are running more than one instance of Trivy which is concurrently scanning multiple images.
+Once this starts happening Trivy's vulnerability reporting on jar files may become inconsistent.
+There are two options to resolve this issue:
+
+The first is to enable offline scanning using the `--offline-scan` option to stop Trivy from making API requests.
 This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
 If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+**Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.**
+
+The second, more scalable, option is the place Trivy behind a rate-limiting forward-proxy to the Maven Central API.
+One way to achieve this is to use nginx. You can use the following nginx config to enable both rate-limiting and caching (the caching greatly reduces the number of calls to the Maven Central API, especially if you are scanning a lot of similar images):
+
+```nginx
+limit_req_zone global zone=maven:1m rate=10r/s;
+proxy_cache_path /tmp/cache keys_zone=mavencache:10m;
+
+server {
+  listen 80;
+  proxy_cache mavencache;
+
+  location / {
+    limit_req zone=maven burst=1000;
+    proxy_cache_valid any 1h;
+    proxy_pass https://search.maven.org:443;
+  }
+}
+```
+
+This config file will allow a maximum of 10 requests per second to the Maven API, this number was determined experimentally so you might want to use something else if it doesn't fit your needs.
+
+Once nginx is up and running, you need to tell all your Trivy deployments to proxy their Maven API calls through nginx. You can do this by setting the `MAVEN_CENTRAL_URL` environment variable. For example, if your nginx proxy is running at `127.0.0.1`, you can set `MAVEN_CENTRAL_URL=http://127.0.0.1/solrsearch/select`.
 
-Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
 
 ### Running in parallel takes same time as series run
-When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
+When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
 This is because of a limitation of boltdb.
 > Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
 
@@ -79,7 +106,7 @@ If trivy is running behind corporate firewall, you have to add the following url
 !!! error
     --skip-update cannot be specified with the old DB schema.
 
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][../advanced/air-gap.md].
 
 ## Homebrew
 ### Scope error
@@ -130,4 +157,4 @@ Try again with `--reset` option:
 $ trivy image --reset
 ```
 
-[air-gapped]: ../advanced/air-gap.md
+[air-gapped]: ../how-to-guides/air-gap.md

docs/docs/sbom/cyclonedx.md

@@ -0,0 +1,233 @@
+# CycloneDX
+
+Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+Note that XML format is not supported at the moment.
+
+You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
+
+```
+$ trivy image --format cyclonedx --output result.json alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+$ cat result.json | jq .
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-02-22T15:11:40.270597Z",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "type": "container",
+      "name": "alpine:3.15",
+      "version": "",
+      "purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoDigest",
+          "value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoTag",
+          "value": "alpine:3.15"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "type": "library",
+      "name": "alpine-baselayout",
+      "version": "3.2.0-r18",
+      "licenses": [
+        {
+          "expression": "GPL-2.0-only"
+        }
+      ],
+      "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "alpine-baselayout"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "3.2.0-r18"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    ...(snip)...
+    {
+      "bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "type": "library",
+      "name": "zlib",
+      "version": "1.2.11-r3",
+      "licenses": [
+        {
+          "expression": "Zlib"
+        }
+      ],
+      "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "zlib"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "1.2.11-r3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    {
+      "bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "type": "operating-system",
+      "name": "alpine",
+      "version": "3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "alpine"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "dependsOn": [
+        "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+        "pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0",
+        "pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0",
+        "pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0",
+        "pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0",
+        "pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0",
+        "pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0",
+        "pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0"
+      ]
+    },
+    {
+      "ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "dependsOn": [
+        "3da6a469-964d-4b4e-b67d-e94ec7c88d37"
+      ]
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-2021-42386",
+      "source": {
+        "name": "alpine",
+        "url": "https://secdb.alpinelinux.org/"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.2,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 6.5,
+          "severity": "medium",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 6.6,
+          "severity": "medium",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [
+        416
+      ],
+      "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
+      "advisories": [
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2021-42386"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386"
+        }
+      ],
+      "published": "2021-11-15 21:15:00 +0000 UTC",
+      "updated": "2022-01-04 17:14:00 +0000 UTC",
+      "affects": [
+        {
+          "ref": "pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2"
+        },
+        {
+          "ref": "pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2"
+        }
+      ]
+    }
+  ]
+}
+
+```
+
+</details>
+
+[cyclonedx]: https://cyclonedx.org/

docs/docs/sbom/index.md

@@ -1,19 +1,24 @@
-# CycloneDX
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
-Note that XML format is not supported at the moment.
+# SBOM
+Trivy currently supports the following SBOM formats.
 
+- [CycloneDX][cyclonedx]
 
-You can specify `cyclonedx` with the `--format` option.
+To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
 
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
 ```
 
+In addition, you can use the `trivy sbom` subcommand.
+
+```
+$ trivy sbom alpine:3.15
+```
+
 <details>
 <summary>Result</summary>
 
 ```
-$ cat result.json | jq .
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
@@ -167,9 +172,20 @@ $ cat result.json | jq .
 }
 
 ```
+
 </details>
 
-!!! caution
-    It doesn't support vulnerabilities yet, but installed packages.
+`fs`, `repo` and `archive` also work with `sbom` subcommand.
 
-[cyclonedx]: https://cyclonedx.org/
+```
+# filesystem
+$ trivy sbom --artifact-type fs /path/to/project
+
+# repository
+$ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
+
+# container image archive
+$ trivy sbom --artifact-type archive alpine.tar
+```
+
+[cyclonedx]: cyclonedx.md

docs/docs/vulnerability/detection/language.md

@@ -16,6 +16,7 @@
 |          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
 |          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
 | .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
+|          | packages.config          | ✅        | ✅         |       ✅        |       ✅        | excluded        |
 | Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
 |          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
 | Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |

docs/docs/vulnerability/examples/db.md

@@ -36,3 +36,10 @@ This is useful to initialize workers in Continuous Integration systems.
 ```
 $ trivy image --download-db-only
 ```
+
+## DB Repository
+`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
+
+```
+$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
+```

docs/docs/vulnerability/examples/filter.md

@@ -352,5 +352,5 @@ Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
 
 </details>
 
-[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/vulnerability/module.go
+[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go
 [policy]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/contrib/example_policy

docs/docs/vulnerability/examples/report.md

@@ -219,6 +219,6 @@ $ trivy image --format template --template "@/usr/local/share/trivy/templates/ht
 
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/

docs/docs/vulnerability/scanning/filesystem.md

@@ -0,0 +1,103 @@
+# Filesystem
+
+Scan a local project including language-specific files.
+
+```bash
+$ trivy fs /path/to/project
+```
+
+## Standalone mode
+### Local Project
+Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
+2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
+2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
+
+Pipfile.lock
+============
+Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
+|                     |                  |          |                   |                        | SQL injection via                  |
+|                     |                  |          |                   |                        | StringAgg(delimiter)               |
++                     +------------------+----------+                   +------------------------+------------------------------------+
+|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
+|                     |                  |          |                   |                        | allows account takeover            |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
+|                     |                  |          |                   |                        | spoofing via URL path in           |
+|                     |                  |          |                   |                        | default 404 page                   |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
+|                     |                  |          |                   |                        | memory exhaustion in               |
+|                     |                  |          |                   |                        | django.utils.numberformat.format() |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+...
+```
+
+</details>
+
+### Single file
+It's also possible to scan a single file.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
+```
+
+## Client/Server mode
+You must launch Trivy server in advance. 
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
+```
+
+<details>
+<summary>Result</summary>
+
+```
+pom.xml (pom)
+=============
+Total: 4 (CRITICAL: 4)
+
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485   | CRITICAL | 2.9.1             | 2.8.11, 2.9.4                  | jackson-databind: Unsafe              |
+|                                             |                  |          |                   |                                | deserialization due to                |
+|                                             |                  |          |                   |                                | incomplete black list (incomplete     |
+|                                             |                  |          |                   |                                | fix for CVE-2017-15095)...            |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17485 |
++                                             +------------------+          +                   +--------------------------------+---------------------------------------+
+|                                             | CVE-2020-9546    |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4    | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in shaded-hikari-config       |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9546  |
++                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9547    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in ibatis-sqlmap              |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547  |
++                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in anteros-core               |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+```
+</details>
+

docs/docs/vulnerability/scanning/index.md

@@ -8,4 +8,4 @@ Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [
 [rootfs]: rootfs.md
 [fs]: filesystem.md
 [repo]: git-repository.md
-[vuln]: ../../imgs/vulnerability.png
+[vuln]: ../../../imgs/vulnerability.png

docs/getting-started/installation.md

@@ -124,7 +124,7 @@ Example:
 === "macOS"
 
     ``` bash
-    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
+    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME
     ```
 
 If you would like to scan the image on your host machine, you need to mount `docker.sock`.

docs/getting-started/overview.md

@@ -3,80 +3,35 @@
 Trivy detects two types of security issues:
 
 - [Vulnerabilities][vuln]
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - [Misconfigurations][misconf]
+    - Kubernetes
+    - Docker
+    - Terraform
+    - CloudFormation
+    - more coming soon
 
 Trivy can scan three different artifacts:
 
 - [Container Images][container]
-- [Filesystem][filesystem] and [Rootfs][rootfs]
+- [Filesystem][filesystem]
 - [Git Repositories][repo]
 
-Trivy can be run in two different modes:
-
-- [Standalone][standalone]
-- [Client/Server][client-server]
-
 It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
 See [Integrations][integrations] for details.
 
-## Features
+[vuln]: ../docs/vulnerability/scanning/index.md
+[os]: ../docs/vulnerability/detection/os.md
+[lang]: ../docs/vulnerability/detection/language.md
 
-- Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
-- Detect IaC misconfigurations
-    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
-        - Kubernetes
-        - Docker
-        - Terraform
-        - more coming soon
-    - Support custom policies
-- Simple
-    - Specify only an image name, a directory containing IaC configs, or an artifact name
-    - See [Quick Start][quickstart]
-- Fast
-    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
-    - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
-- Easy installation
-    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation](installation.md))
-    - **No pre-requisites** such as installation of DB, libraries, etc.
-- High accuracy
-    - **Especially Alpine Linux and RHEL/CentOS**
-    - Other OSes are also high
-- DevSecOps
-    - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
-    - See [CI Example][integrations]
-- Support multiple formats
-    - container image
-        - A local image in Docker Engine which is running as a daemon
-        - A local image in [Podman][podman] (>=2.0) which is exposing a socket
-        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
-        - A tar archive stored in the `docker save` / `podman save` formatted file
-        - An image directory compliant with [OCI Image Format][oci]
-    - local filesystem and rootfs
-    - remote git repository
-- SBOM (Software Bill of Materials) support
-    - CycloneDX 
+[misconf]: ../docs/misconfiguration/index.md
 
-Please see [LICENSE][license] for Trivy licensing information.
+[container]: ../docs/vulnerability/scanning/image.md
+[rootfs]: ../docs/vulnerability/scanning/rootfs.md
+[filesystem]: ../docs/vulnerability/scanning/filesystem.md
+[repo]: ../docs/vulnerability/scanning/git-repository.md
 
-[vuln]: ../vulnerability/scanning/index.md
-[misconf]: ../misconfiguration/index.md
-[container]: ../vulnerability/scanning/image.md
-[rootfs]: ../vulnerability/scanning/rootfs.md
-[filesystem]: ../vulnerability/scanning/filesystem.md
-[repo]: ../vulnerability/scanning/git-repository.md
+[integrations]: ../docs/integrations/index.md
 
-[standalone]: ../advanced/modes/standalone.md
-[client-server]: ../advanced/modes/client-server.md
-[integrations]: ../advanced/integrations/index.md
-
-[os]: ../vulnerability/detection/os.md
-[lang]: ../vulnerability/detection/language.md
-
-[builtin]: ../misconfiguration/policy/builtin.md
-[quickstart]: quickstart.md
-[podman]: ../advanced/container/podman.md
-
-[oci]: https://github.com/opencontainers/image-spec
 [license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/getting-started/quickstart.md

@@ -79,5 +79,5 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 For more details, see [here][misconf].
 
-[vulnerability]: ../vulnerability/scanning/index.md
-[misconf]: ../misconfiguration/index.md
+[vulnerability]: ../docs/vulnerability/scanning/index.md
+[misconf]: ../docs/misconfiguration/index.md

docs/imgs/logo-horizontal.svg

@@ -0,0 +1,32 @@
+<svg width="265" height="135" viewBox="0 0 265 135" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M148.629 103.077V109.005C144.591 109.005 140.953 107.551 138.084 105.142C134.479 102.117 132.19 97.5774 132.19 92.5044V62.8164H138.084V76.2874H148.629V82.2534H138.084V92.6484C138.164 98.4204 142.84 103.077 148.629 103.077Z" fill="#07242D"/>
+<path d="M169.65 76.2852V82.1742C164.059 82.1852 159.507 86.6201 159.305 92.1581V109.003H153.397V76.2852H159.305V80.0201C162.113 77.6891 165.718 76.2912 169.65 76.2852Z" fill="#07242D"/>
+<path d="M173.447 68.6988V62.7988H179.344V68.6988H173.447ZM173.447 109.004V76.2858H179.344V109.005H173.447V109.004Z" fill="#07242D"/>
+<path d="M215.508 76.2852L199.16 109.004L182.796 76.2852H189.495L199.16 95.6052L208.806 76.2852H215.508Z" fill="#07242D"/>
+<path d="M250.874 76.2852C250.874 76.2852 250.874 112.056 250.874 114.42C250.874 123.556 243.381 130.848 234.504 130.843C230.347 130.843 226.495 129.267 223.57 126.647L227.81 122.407C229.619 123.939 231.953 124.871 234.503 124.866C240.248 124.866 244.899 120.17 244.899 114.42V105.279C242.049 107.638 238.411 109.003 234.503 109.003C225.609 109.008 218.119 101.832 218.119 92.6311C218.119 92.4371 218.119 76.2862 218.119 76.2862H224.091C224.091 76.2862 224.094 92.1931 224.094 92.6311C224.094 98.3531 228.753 103.082 234.503 103.077C240.248 103.077 244.899 98.3761 244.899 92.6311V76.2852H250.874Z" fill="#07242D"/>
+<path d="M166.114 59.3782H169.243V39.9432C169.253 39.7722 169.243 39.5992 169.243 39.4262C169.243 34.6752 165.402 30.8242 160.651 30.8242C155.9 30.8242 152.049 34.6752 152.049 39.4262C152.049 44.1772 155.9 48.0282 160.651 48.0282H161.086L164.25 44.8782H160.89H160.651C157.64 44.8782 155.2 42.4372 155.2 39.4272C155.2 36.4172 157.641 33.9762 160.651 33.9762C163.662 33.9762 166.114 36.4172 166.114 39.4272V59.3782Z" fill="#07242D"/>
+<path d="M185.899 30.8242V39.5332C185.899 42.5742 183.434 45.0512 180.394 45.0512C177.353 45.0512 174.886 42.5742 174.886 39.5332V30.8242H171.837V39.5332C171.837 39.5332 171.837 39.5332 171.837 39.5402C171.837 44.2692 175.665 48.1082 180.394 48.1082C185.123 48.1082 188.955 44.2812 188.955 39.5522C188.955 39.5462 188.955 39.5332 188.955 39.5332V30.8242H185.899Z" fill="#07242D"/>
+<path d="M148.941 36.5135C145.536 27.5195 132.339 29.7035 132.139 39.4525C132.144 41.5465 132.863 43.4245 134.118 44.9545C135.59 46.7415 137.764 47.9275 140.219 48.0885C140.408 48.1005 140.598 48.1075 140.789 48.1075H149.454C149.454 48.1075 149.454 39.4515 149.454 39.4525C149.454 38.4535 149.281 37.4515 148.941 36.5135ZM146.252 44.9475C146.252 44.9475 142.315 44.9475 140.797 44.9475C137.769 44.9475 135.315 42.4795 135.315 39.4515C135.315 37.9345 135.932 36.5745 136.928 35.5815L136.929 35.5825C140.315 32.1515 146.274 34.5585 146.253 39.4515C146.252 40.9695 146.252 44.9475 146.252 44.9475Z" fill="#07242D"/>
+<path d="M208.351 36.5135C204.946 27.5195 191.749 29.7035 191.549 39.4525C191.554 41.5465 192.273 43.4245 193.528 44.9545C195 46.7415 197.174 47.9275 199.629 48.0885C199.818 48.1005 200.008 48.1075 200.199 48.1075H208.864C208.864 48.1075 208.864 39.4515 208.864 39.4525C208.863 38.4535 208.69 37.4515 208.351 36.5135ZM205.661 44.9475C205.661 44.9475 201.724 44.9475 200.206 44.9475C197.178 44.9475 194.724 42.4795 194.724 39.4515C194.724 37.9345 195.341 36.5745 196.337 35.5815L196.338 35.5825C199.724 32.1515 205.683 34.5585 205.662 39.4515C205.661 40.9695 205.661 44.9475 205.661 44.9475Z" fill="#07242D"/>
+<path d="M65.469 5.43164L10.124 37.4096L10.125 101.878L65.462 134.11L120.813 101.896V37.4076L65.469 5.43164Z" fill="white"/>
+<path d="M64.4641 79.2511C58.2051 76.4341 54.5051 70.4121 54.7021 64.0161L41.3221 56.2891C40.3241 63.6921 41.9181 71.4341 45.9341 78.1431C50.2081 85.2841 56.3811 90.6031 64.4651 93.6831V79.2511H64.4641Z" fill="#1904DA"/>
+<path d="M64.9709 94.4207L64.2839 94.1587C56.2419 91.0947 49.9219 85.7947 45.4989 78.4057C41.4619 71.6607 39.7999 63.7827 40.8199 56.2227L40.9209 55.4727L55.2169 63.7287L55.2079 64.0327C55.0139 70.3227 58.7289 76.1157 64.6709 78.7887L64.9699 78.9237V94.4207H64.9709ZM41.7329 57.1127C40.9499 64.2137 42.5849 71.5597 46.3689 77.8837C50.5449 84.8607 56.4599 89.9237 63.9569 92.9407V79.5767C57.9089 76.7207 54.1109 70.7847 54.1889 64.3067L41.7329 57.1127Z" fill="white"/>
+<path d="M64.4641 111.978V95.3902C55.8061 92.2282 49.1731 86.5352 44.6211 78.9302C40.3151 71.7362 38.6771 63.3972 39.8971 55.4672L27.4611 48.2852C20.3371 74.2882 36.3221 101.982 64.4641 111.978Z" fill="#1904DA"/>
+<path d="M64.9709 112.696L64.2949 112.456C50.5849 107.586 39.2219 98.3286 32.2989 86.3876C25.3779 74.4516 23.4859 60.8726 26.9719 48.1506L27.1459 47.5176L40.4509 55.2006L40.3989 55.5436C39.1879 63.4146 40.8429 71.6266 45.0569 78.6686C49.6779 86.3896 56.2659 91.8556 64.6389 94.9126L64.9719 95.0346V112.696H64.9709ZM27.7809 49.0556C21.1389 74.6526 36.5699 101.188 63.9569 111.256V95.7426C55.5189 92.5806 48.8679 87.0126 44.1869 79.1896C39.9119 72.0486 38.1979 63.7316 39.3449 55.7326L27.7809 49.0556Z" fill="white"/>
+<path d="M66.2969 95.24V111.979C93.9189 101.751 110.5 74.105 103.496 48.373L91.1269 55.579C92.6709 64.132 91.3249 72.47 87.1869 79.446C82.9369 86.613 75.5139 91.992 66.2969 95.24Z" fill="#08B1D5"/>
+<path d="M65.79 112.708V94.8806L66.129 94.7616C75.546 91.4436 82.676 86.0576 86.753 79.1876C90.825 72.3196 92.166 64.1876 90.629 55.6696L90.566 55.3196L103.812 47.6016L103.985 48.2396C110.962 73.8746 94.485 102.082 66.473 112.455L65.79 112.708ZM66.804 95.5976V111.247C93.681 100.941 109.519 73.8986 103.176 49.1466L91.688 55.8396C93.17 64.4746 91.767 72.7186 87.623 79.7046C83.476 86.6986 76.281 92.1896 66.804 95.5976Z" fill="white"/>
+<path d="M76.3809 64.0884C76.4369 70.2984 72.7869 75.7614 66.2969 79.2514V93.6844C74.9209 90.5404 81.8869 85.3844 85.8719 78.6654C89.7309 72.1594 91.0429 64.3964 89.7199 56.3984L76.3809 64.0884Z" fill="#08B1D5"/>
+<path d="M65.79 94.4097V78.9487L66.057 78.8048C72.348 75.4208 75.926 70.0588 75.873 64.0928L75.87 63.7967L90.101 55.5938L90.22 56.3158C91.575 64.5068 90.223 72.3247 86.308 78.9237C82.345 85.6057 75.486 90.8747 66.47 94.1607L65.79 94.4097ZM66.804 79.5528V92.9548C75.26 89.7358 81.694 84.7157 85.436 78.4067C89.111 72.2097 90.452 64.8948 89.332 57.2068L76.888 64.3817C76.826 70.5317 73.171 76.0338 66.804 79.5528Z" fill="white"/>
+<path d="M78.3069 41.8987C83.5239 44.4427 87.7739 48.5187 90.5959 53.6847C90.6329 53.7527 90.6679 53.8237 90.7049 53.8917L102.837 46.8857C102.644 46.6427 102.459 46.3967 102.306 46.1507C97.8549 38.9517 91.9759 33.5347 84.8299 30.0497C64.6569 20.2117 39.9379 27.6297 28.1289 46.9117L40.2319 53.8977C48.4489 40.6847 64.9909 35.4047 78.3069 41.8987Z" fill="#FFC900"/>
+<path d="M90.5038 54.5924L90.1508 53.9304C87.3788 48.8534 83.2058 44.8524 78.0848 42.3534C65.1428 36.0424 48.7038 41.2304 40.6608 54.1654L40.4018 54.5814L27.4238 47.0914L27.6948 46.6474C39.6018 27.2064 64.7978 19.7184 85.0508 29.5944C92.2848 33.1224 98.2348 38.6034 102.736 45.8844C102.879 46.1134 103.053 46.3434 103.233 46.5704L103.598 47.0314L90.5038 54.5924ZM28.8358 46.7354L40.0628 53.2164C48.4698 40.1524 65.2678 34.9764 78.5298 41.4434C83.7578 43.9924 88.0308 48.0514 90.9028 53.1924L102.087 46.7344C102.012 46.6294 101.941 46.5234 101.876 46.4184C97.4758 39.3024 91.6668 33.9484 84.6088 30.5054C64.9668 20.9294 40.5818 28.0644 28.8358 46.7354Z" fill="white"/>
+<path d="M70.7312 57.2939C72.8912 58.3469 74.6422 60.0479 75.7962 62.2119C75.8352 62.2849 75.8692 62.3619 75.9062 62.4359L89.3792 54.6559C89.3372 54.5769 89.2962 54.4949 89.2532 54.4169C86.5842 49.5309 82.5672 45.6759 77.6362 43.2719C65.0392 37.1279 49.3712 42.1399 41.5562 54.6619L54.9562 62.3959C58.4482 56.7959 65.2052 54.5999 70.7312 57.2939Z" fill="#FFC900"/>
+<path d="M75.6891 63.1474L75.3461 62.4474C74.2461 60.3824 72.5721 58.7574 70.5081 57.7504H70.5091C65.2351 55.1804 58.7351 57.2924 55.3861 62.6654L55.1281 63.0814L40.8491 54.8394L41.1271 54.3944C49.1731 41.5044 64.9661 36.5264 77.8601 42.8174C82.8851 45.2674 86.9801 49.1954 89.6991 54.1744L90.0601 54.8494L75.6891 63.1474ZM65.7711 55.6464C67.5331 55.6464 69.2981 56.0314 70.9531 56.8394H70.9541C73.1291 57.9014 74.9081 59.5894 76.1121 61.7334L88.7001 54.4634C86.0821 49.7634 82.1841 46.0544 77.4151 43.7284C65.3371 37.8404 50.0061 42.5684 42.2681 54.4884L54.7921 61.7174C57.3971 57.8364 61.5721 55.6464 65.7711 55.6464Z" fill="white"/>
+<path d="M119.14 39.2578L104.862 47.5758C112.393 74.3508 95.1229 103.21 66.2979 113.604V131.732L119.14 100.935V39.2578Z" fill="#08B1D5"/>
+<path d="M65.79 132.614V113.248L66.125 113.127C94.965 102.727 111.766 73.994 104.374 47.713L104.268 47.335L119.647 38.375V101.225L119.395 101.372L65.79 132.614ZM66.804 113.959V130.849L118.632 100.644V40.141L105.455 47.818C112.697 74.404 95.801 103.331 66.804 113.959Z" fill="white"/>
+<path d="M11.7979 39.2402V100.918L64.4648 131.731V113.603C35.1148 103.455 18.4449 74.5442 26.0949 47.4952L12.4679 39.6262L11.7979 39.2402Z" fill="#1904DA"/>
+<path d="M64.971 132.614L11.29 101.208V38.3613L26.69 47.2533L26.583 47.6333C19.022 74.3663 35.735 103.133 64.63 113.124L64.972 113.242V132.614H64.971ZM12.304 100.626L63.957 130.846V113.963C34.902 103.736 18.087 74.7733 25.5 47.7383L12.304 40.1173V100.626Z" fill="white"/>
+<path d="M12.5542 37.9232L14.1102 38.8222L26.8032 46.1482C39.0142 26.1752 64.6102 18.4892 85.5002 28.6762C92.9102 32.2902 99.0022 37.8992 103.607 45.3472C103.753 45.5832 103.956 45.8412 104.177 46.1132L118.372 37.9162L65.4692 7.36523L12.5542 37.9232Z" fill="#FFC900"/>
+<path d="M26.977 46.8333L11.541 37.9223L65.469 6.7793L65.723 6.9253L119.386 37.9153L104.056 46.7673L103.784 46.4323C103.547 46.1413 103.331 45.8643 103.176 45.6123C98.622 38.2473 92.601 32.7023 85.279 29.1303C64.768 19.1303 39.274 26.7213 27.236 46.4113L26.977 46.8333ZM13.569 37.9223L26.63 45.4623C39.042 25.6453 64.896 18.0633 85.722 28.2193C93.22 31.8763 99.382 37.5483 104.038 45.0783C104.112 45.1983 104.202 45.3233 104.301 45.4543L117.357 37.9153L65.469 7.9493L13.569 37.9223Z" fill="white"/>
+<path d="M66.2373 77.5717C71.4443 74.6597 74.5703 69.9977 74.7713 64.8267C74.7713 64.8267 74.7943 64.3137 74.7553 63.4817C74.7473 63.3107 73.6003 60.5827 70.1063 58.6777C65.4143 56.1197 58.7563 58.5807 56.0903 63.4817C56.0903 63.4817 56.0263 64.0827 56.0563 64.8267C56.2473 69.5267 59.1433 75.0457 64.2703 77.5717L65.3093 78.0677L66.2373 77.5717Z" fill="#FF445F"/>
+<path d="M65.3232 78.6355L64.0532 78.0294C58.4362 75.2604 55.7362 69.4144 55.5502 64.8475C55.5182 64.0745 55.5842 63.4544 55.5872 63.4274L55.6452 63.2394C56.9892 60.7704 59.3682 58.7895 62.1722 57.8035C65.0272 56.7995 68.0082 56.9554 70.3502 58.2314C73.8942 60.1634 75.2422 62.9965 75.2622 63.4575C75.3032 64.3175 75.2782 64.8484 75.2782 64.8484C75.0702 70.2064 71.8652 75.0054 66.4852 78.0145L65.3232 78.6355ZM56.5862 63.6325C56.5712 63.8245 56.5422 64.2795 56.5642 64.8055C56.7312 68.9345 59.2862 74.5484 64.4952 77.1164L65.2972 77.4995L65.9932 77.1274C71.0552 74.2944 74.0702 69.8044 74.2642 64.8074C74.2652 64.7934 74.2862 64.2995 74.2492 63.5065C74.1452 63.1825 72.9212 60.7915 69.8642 59.1235C67.7752 57.9845 65.0952 57.8535 62.5072 58.7615C59.9722 59.6505 57.8202 61.4234 56.5862 63.6325Z" fill="white"/>
+</svg>

docs/index.md

@@ -38,11 +38,11 @@ Trivy is an [Aqua Security][aquasec] open source project.
 Learn about our open source work and portfolio [here][oss].  
 Contact us about any matter by opening a GitHub Discussion [here][discussions]
 
-[vulnerability]: vulnerability/scanning/index.md
-[misconf]: misconfiguration/index.md
-[os]: vulnerability/detection/os.md
-[lang]: vulnerability/detection/language.md
-[iac]: misconfiguration/iac.md
+[vulnerability]: docs/vulnerability/scanning/index.md
+[misconf]: docs/misconfiguration/index.md
+[os]: docs/vulnerability/detection/os.md
+[lang]: docs/vulnerability/detection/language.md
+[iac]: docs/misconfiguration/iac.md
 
 [aquasec]: https://aquasec.com
 [oss]: https://www.aquasec.com/products/open-source-projects/

docs/vulnerability/scanning/filesystem.md

@@ -1,56 +0,0 @@
-# Filesystem
-
-Scan a local project including language-specific files.
-
-```bash
-$ trivy fs /path/to/project
-```
-
-## Local Project
-Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
-
-```
-$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
-2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
-2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
-
-Pipfile.lock
-============
-Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
-
-+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
-|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
-+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
-| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
-|                     |                  |          |                   |                        | SQL injection via                  |
-|                     |                  |          |                   |                        | StringAgg(delimiter)               |
-+                     +------------------+----------+                   +------------------------+------------------------------------+
-|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
-|                     |                  |          |                   |                        | allows account takeover            |
-+                     +------------------+          +                   +------------------------+------------------------------------+
-|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
-|                     |                  |          |                   |                        | spoofing via URL path in           |
-|                     |                  |          |                   |                        | default 404 page                   |
-+                     +------------------+          +                   +------------------------+------------------------------------+
-|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
-|                     |                  |          |                   |                        | memory exhaustion in               |
-|                     |                  |          |                   |                        | django.utils.numberformat.format() |
-+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
-...
-```
-
-</details>
-
-### Single file
-It's also possible to scan a single file.
-
-```
-$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
-```

go.mod

@@ -1,26 +1,26 @@
 module github.com/aquasecurity/trivy
 
-go 1.17
+go 1.18
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.4.0
-	github.com/Masterminds/sprig v2.22.0+incompatible
+	github.com/CycloneDX/cyclonedx-go v0.5.0
+	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20220303080309-254063f95ea0
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220302151315-ff6d77c26988
+	github.com/aquasecurity/fanal v0.0.0-20220405131907-55a9aabfbe72
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220404084355-b8c54558919c
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4
+	github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2
 	github.com/caarlos0/env/v6 v6.9.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.8
-	github.com/docker/docker v20.10.12+incompatible
+	github.com/docker/docker v20.10.14+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.13.0
-	github.com/go-redis/redis/v8 v8.11.4
+	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
 	github.com/google/uuid v1.3.0
@@ -31,18 +31,19 @@ require (
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.37.2
-	github.com/owenrumney/go-sarif/v2 v2.0.17
+	github.com/open-policy-agent/opa v0.39.0
+	github.com/owenrumney/go-sarif/v2 v2.1.1
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
-	github.com/spf13/afero v1.8.1
-	github.com/stretchr/testify v1.7.0
-	github.com/testcontainers/testcontainers-go v0.11.1
+	github.com/spf13/afero v1.8.1 // indirect
+	github.com/stretchr/testify v1.7.1
+	github.com/testcontainers/testcontainers-go v0.12.0
 	github.com/twitchtv/twirp v8.1.1+incompatible
-	github.com/urfave/cli/v2 v2.3.0
+	github.com/urfave/cli/v2 v2.4.0
 	go.uber.org/zap v1.21.0
+	golang.org/x/exp v0.0.0-20220321124402-2d6d886f8a82
 	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	google.golang.org/protobuf v1.27.1
+	google.golang.org/protobuf v1.28.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 )
@@ -50,20 +51,21 @@ require (
 require (
 	cloud.google.com/go v0.99.0 // indirect
 	cloud.google.com/go/storage v1.14.0 // indirect
-	github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v63.0.0+incompatible // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.25 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v1.0.0 // indirect
-	github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 // indirect
+	github.com/BurntSushi/toml v1.1.0 // indirect
+	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Microsoft/go-winio v0.5.1 // indirect
 	github.com/Microsoft/hcsshim v0.9.2 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
@@ -73,9 +75,9 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.12.1 // indirect
-	github.com/aquasecurity/tfsec v1.4.1 // indirect
-	github.com/aws/aws-sdk-go v1.43.8 // indirect
+	github.com/aquasecurity/defsec v0.28.4 // indirect
+	github.com/aquasecurity/tfsec v1.8.0 // indirect
+	github.com/aws/aws-sdk-go v1.43.31 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/briandowns/spinner v1.12.0 // indirect
@@ -113,7 +115,7 @@ require (
 	github.com/hashicorp/go-version v1.4.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.11.1 // indirect
-	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/huandu/xstrings v1.3.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -124,15 +126,16 @@ require (
 	github.com/knqyf263/nested v0.0.1 // indirect
 	github.com/liamg/iamgo v0.0.6 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.12 // indirect
-	github.com/mitchellh/copystructure v1.1.1 // indirect
+	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/moby/buildkit v0.9.3 // indirect
 	github.com/moby/sys/mount v0.2.0 // indirect
 	github.com/moby/sys/mountinfo v0.6.0 // indirect
@@ -141,7 +144,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opencontainers/runc v1.1.0 // indirect
-	github.com/owenrumney/squealer v0.3.1 // indirect
+	github.com/owenrumney/squealer v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
@@ -150,15 +153,17 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/stretchr/objx v0.3.0 // indirect
-	github.com/tmccombs/hcl2json v0.3.3 // indirect
+	github.com/tmccombs/hcl2json v0.3.4 // indirect
 	github.com/ulikunitz/xz v0.5.8 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
@@ -175,7 +180,7 @@ require (
 	google.golang.org/api v0.62.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220204002441-d6cc3cc0770e // indirect
-	google.golang.org/grpc v1.44.0 // indirect
+	google.golang.org/grpc v1.45.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect

goreleaser.yml

@@ -108,14 +108,15 @@ dockers:
     ids:
       - trivy
     build_flag_templates:
-      - "--label=org.label-schema.schema-version=1.0"
-      - "--label=org.label-schema.name={{ .ProjectName }}"
-      - "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
-      - "--label=org.label-schema.vendor=Aqua Security"
-      - "--label=org.label-schema.version={{ .Version }}"
-      - "--label=org.label-schema.build-date={{ .Date }}"
-      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
-      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
       - "--platform=linux/amd64"
     extra_files:
     - contrib/
@@ -132,14 +133,15 @@ dockers:
     ids:
       - trivy
     build_flag_templates:
-      - "--label=org.label-schema.schema-version=1.0"
-      - "--label=org.label-schema.name={{ .ProjectName }}"
-      - "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
-      - "--label=org.label-schema.vendor=Aqua Security"
-      - "--label=org.label-schema.version={{ .Version }}"
-      - "--label=org.label-schema.build-date={{ .Date }}"
-      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
-      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
       - "--platform=linux/arm64"
     extra_files:
     - contrib/
@@ -156,14 +158,15 @@ dockers:
     ids:
       - trivy
     build_flag_templates:
-      - "--label=org.label-schema.schema-version=1.0"
-      - "--label=org.label-schema.name={{ .ProjectName }}"
-      - "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
-      - "--label=org.label-schema.vendor=Aqua Security"
-      - "--label=org.label-schema.version={{ .Version }}"
-      - "--label=org.label-schema.build-date={{ .Date }}"
-      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
-      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
       - "--platform=linux/s390x"
     extra_files:
     - contrib/
@@ -195,7 +198,17 @@ docker_manifests:
     - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
     - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
   - name_template: 'public.ecr.aws/aquasecurity/trivy:latest'
-    image_templates: 
+    image_templates:
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
+
+docker_signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  artifacts: manifests
+  output: true
+  args:
+  - 'sign'
+  - '${artifact}'

helm/trivy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.11
-appVersion: 0.24.0
+version: 0.4.13
+appVersion: 0.25.0
 description: Trivy helm chart
 keywords:
   - scanner