fix: handle empty OS family (#2768)

Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>

.github/CODEOWNERS

@@ -4,6 +4,15 @@
 # Helm chart
 helm/trivy/ @krol3
 
+# Misconfiguration scanning
+examples/misconf/           @owenrumney @liamg @knqyf263
+docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+docs/docs/cloud             @owenrumney @liamg @knqyf263
+pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
+pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+pkg/cloud                   @owenrumney @liamg @knqyf263
+pkg/flag                    @owenrumney @liamg @knqyf263
+
 # Kubernetes scanning
-pkg/k8s/                @josedonizetti @chen-keinan
-docs/docs/kubernetes/   @josedonizetti @chen-keinan
+pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
+docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263

.github/workflows/canary.yaml

@@ -0,0 +1,59 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.5
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error

.github/workflows/mkdocs-dev.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -30,14 +30,14 @@ jobs:
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
         uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
+        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}

.github/workflows/release.yaml

@@ -3,76 +3,37 @@ on:
   push:
     tags:
       - "v*"
-env:
-  GO_VERSION: "1.18"
-  GH_USER: "aqua-bot"
+
 jobs:
   release:
     name: Release
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 90m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
     runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
-    permissions:
-      id-token: write # For cosign
-      packages: write # For GHCR
-      contents: read  # Not required for public repositories, but for clarity
     steps:
-      - name: Install dependencies
-        run: |
-          sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Show available Docker Buildx platforms
-        run: echo ${{ steps.buildx.outputs.platforms }}
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Cache Go modules
-        uses: actions/cache@v3.0.2
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.5
         with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Login to docker.io registry
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ghcr.io registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ env.GH_USER }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v2
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v1
-        with:
-          args: mod -licenses -json -output bom.json
-          version: ^v1
-      - name: Release
-        uses: goreleaser/goreleaser-action@v3
-        with:
-          version: v1.4.1
-          args: release --rm-dist --timeout 60m
-        env:
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install rpm reprepro createrepo distro-info
+
       - name: Checkout trivy-repo
         uses: actions/checkout@v3
         with:
@@ -80,13 +41,17 @@ jobs:
           path: trivy-repo
           fetch-depth: 0
           token: ${{ secrets.ORG_REPO_TOKEN }}
+
       - name: Setup git settings
         run: |
           git config --global user.email "knqyf263@gmail.com"
           git config --global user.name "Teppei Fukuda"
+
       - name: Create rpm repository
         run: ci/deploy-rpm.sh
+
       - name: Import GPG key
         run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
       - name: Create deb repository
         run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -0,0 +1,109 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GO_VERSION: "1.18"
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.0.5
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/scan.yaml

@@ -18,6 +18,6 @@ jobs:
           assignee: knqyf263
           severity: CRITICAL
           skip-dirs: integration,examples
-          label: vulnerability
+          label: kind/security
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -34,6 +34,7 @@ jobs:
             vuln
             misconf
             secret
+            license
 
             image
             fs
@@ -79,6 +80,9 @@ jobs:
 
             cli
             flag
+            
+            cyclonedx
+            spdx
 
             helm
             report

.github/workflows/test.yaml

@@ -11,7 +11,7 @@ on:
   pull_request:
 env:
   GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.23.0"
+  TINYGO_VERSION: "0.24.0"
 jobs:
   test:
     name: Test
@@ -28,6 +28,7 @@ jobs:
         run: |
           go mod tidy
           if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
             exit 1
           fi
 
@@ -112,7 +113,7 @@ jobs:
       uses: goreleaser/goreleaser-action@v3
       with:
         version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 60m
+        args: release --snapshot --rm-dist --skip-publish --timeout 90m
 
   build-documents:
     name: Documentation Test
@@ -123,7 +124,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
       with:
         python-version: 3.x
     - name: Install dependencies

.golangci.yaml

@@ -31,7 +31,6 @@ linters:
     - ineffassign
     - typecheck
     - govet
-    - errcheck
     - varcheck
     - deadcode
     - revive

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -0,0 +1,10 @@
+FROM alpine:3.16.2
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.18.2
+FROM golang:1.18.4
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -1,4 +1,4 @@
-VERSION := $(shell git describe --tags --always)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
 
 GOPATH := $(shell go env GOPATH)

README.md

@@ -40,6 +40,7 @@ Get Trivy by your favorite installation method. See [installation] section in th
 - `apt-get install trivy`
 - `yum install trivy`
 - `brew install aquasecurity/trivy/trivy`
+- `sudo port install trivy`
 - `docker run aquasec/trivy`
 - Download binary from https://github.com/aquasecurity/trivy/releases/latest/
 
@@ -74,7 +75,7 @@ https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b
 </details>
 
 ```bash
-$ trivy k8s mycluster
+$ trivy k8s --report summary cluster
 ```
 
 <details>
@@ -84,6 +85,8 @@ $ trivy k8s mycluster
 
 </details>
 
+Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.
+
 Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
 
 

ci/deploy-rpm.sh

@@ -15,7 +15,7 @@ function create_rpm_repo () {
 
 cd trivy-repo
 
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
         echo "Processing RHEL/CentOS $version..."
         create_rpm_repo $version

cmd/trivy/main.go

@@ -1,10 +1,14 @@
 package main
 
 import (
+	"context"
 	"os"
 
+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
 )
 
 var (
@@ -12,9 +16,26 @@ var (
 )
 
 func main() {
-	app := commands.NewApp(version)
-	err := app.Run(os.Args)
-	if err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}

contrib/gitlab-codequality.tpl

@@ -45,7 +45,7 @@
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
-      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
       "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
       "content": {{ .Description | printf "%q" }},
       "severity": {{ if eq .Severity "LOW" -}}
@@ -67,5 +67,37 @@
       }
     }
     {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
   {{- end }}
 ]

contrib/gitlab.tpl

@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
   "vulnerabilities": [
   {{- $t_first := true }}
   {{- range . }}
   {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
     {{- range .Vulnerabilities -}}
     {{- if $t_first -}}
       {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                   {{-  else -}}
                     "{{ .Severity }}"
                   {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
       "solution": {{ if .FixedVersion -}}
                     "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                   {{- else -}}
@@ -51,7 +50,7 @@
         },
         {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
         "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
       },
       "identifiers": [
         {

contrib/junit.tpl

@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
     <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -28,4 +28,4 @@
     {{- end }}
     </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>

docs/build/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:8.2.10
+FROM squidfunk/mkdocs-material:8.3.9
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.

docs/build/requirements.txt

@@ -11,13 +11,13 @@ mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.2.10
+mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
-Pygments==2.11.2
-pymdown-extensions==9.3
+Pygments==2.12.0
+pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0

docs/community/contribute/pr.md

@@ -42,6 +42,7 @@ checks:
 - vuln
 - misconf
 - secret
+- license
 
 mode:
 

docs/docs/advanced/air-gap.md

@@ -5,14 +5,34 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
 ## Air-Gapped Environment for vulnerabilities
 
 ### Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-Please follow [oras installation instruction][oras].
+=== "Trivy"
 
-Download `db.tar.gz`:
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
 
-```
-$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
-```
+=== "oras >= v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
+    ```
 
 ### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
@@ -43,7 +63,7 @@ $ rm /path/to/db.tar.gz
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-### Run Trivy with --skip-update and --offline-scan option
+### Run Trivy with `--skip-update` and `--offline-scan` option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
@@ -55,7 +75,7 @@ $ trivy image --skip-update --offline-scan alpine:3.12
 
 No special measures are required to detect misconfigurations in an air-gapped environment.
 
-### Run Trivy with --skip-policy-update option
+### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
 
 ```

docs/docs/attestation/sbom.md

@@ -0,0 +1,84 @@
+# SBOM attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+## Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
+```
+
+You can also create attestations of other formatted SBOM.
+
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
+
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
+```
+
+## Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
+```
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

docs/docs/attestation/vuln.md

@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md

docs/docs/cloud/aws/scanning.md

@@ -0,0 +1,55 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Cached Results
+
+By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)

docs/docs/index.md

@@ -28,7 +28,7 @@ See [Integrations][integrations] for details.
 
 - Comprehensive vulnerability detection
     - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
     - A wide variety of [built-in policies][builtin] are provided **out of the box**:
         - Kubernetes
@@ -63,6 +63,7 @@ See [Integrations][integrations] for details.
 - [SBOM][sbom] (Software Bill of Materials) support
     - CycloneDX
     - SPDX
+    - GitHub Dependency Snapshots
 
 Please see [LICENSE][license] for Trivy licensing information.
 

docs/docs/integrations/gitlab-ci.md

@@ -11,7 +11,7 @@ include:
 
 If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.
 
-Alternatively, you can always use the example configurations below. Note that the examples use [`contrib/gitlab.tpl`](https://github.com/aquasecurity/trivy/blob/main/contrib/gitlab.tpl), which does not work with GitLab 15.0 and above (for details, see [issue 1598](https://github.com/aquasecurity/trivy/issues/1598)).
+Alternatively, you can always use the example configurations below.
 
 ```yaml
 stages:

docs/docs/kubernetes/cli/scanning.md

@@ -41,12 +41,25 @@ Scan a specific namespace:
 $ trivy k8s -n kube-system --report=summary all
 ```
 
+Use a specific kubeconfig file:
+
+```
+$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
+```
+
 Scan a specific resource and get all the output:
 
 ```
 $ trivy k8s deployment appname
 ```
 
+Scan all deploys, or deploys and configmaps:
+
+```
+$ trivy k8s --report=summary deployment
+$ trivy k8s --report=summary deployment,configmaps
+```
+
 If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
 For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
 

docs/docs/kubernetes/operator/index.md

@@ -1,17 +1,14 @@
 # Trivy Operator  
 
-Trivy has a native [Kubernetes Operator](operator) which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources](crd). It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
+Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
 
 
-> Kubernetes-native security toolkit. ([Documentation](https://aquasecurity.github.io/trivy-operator/latest)).
-
+> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
 
 <figure>
-  <img src="./images/operator/trivy-operator-workloads.png" />
   <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
 </figure>
 
 [operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
 [crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
-[Starboard]: https://github.com/aquasecurity/starboard
-[starboard-announcement]: https://github.com/aquasecurity/starboard/discussions/1173
+[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

docs/docs/licenses/scanning.md

@@ -0,0 +1,320 @@
+# License Scanning
+
+Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
+
+License are classified using the [Google License Classification][google-license-classification] -
+
+ - Forbidden
+ - Restricted 
+ - Reciprocal
+ - Notice
+ - Permissive
+ - Unencumbered
+ - Unknown
+
+!!! tip
+    Licenses that Trivy fails to recognize are classified as UNKNOWN.
+    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
+
+By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
+To enable extended license scanning, you can use `--license-full`.
+In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
+
+!!! note
+    The full license scanning is expensive. It takes a while.
+
+Currently, the standard license scanning doesn't support filesystem and repository scanning.
+
+|   License scnanning   | Image | Rootfs    | Filesystem | Repository |
+|:---------------------:|:-----:|:---------:|:----------:|:----------:|
+|       Standard        |  ✅   |     ✅    |   -        |      -     |
+| Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
+
+
+License checking classifies the identified licenses and map the classification to severity.
+
+| Classification | Severity |
+|----------------|----------|
+| Forbidden      | CRITICAL |
+| Restricted     | HIGH     |
+| Reciprocal     | MEDIUM   |
+| Notice         | LOW      |
+| Permissive     | LOW      |
+| Unencumbered   | LOW      |
+| Unknown        | UNKNOWN  |
+
+## Quick start
+This section shows how to scan license in container image and filesystem.
+
+### Standard scanning
+Specify an image name with `--security-cheks license`.
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ apk-tools         │         │                │          │
+├───────────────────┤         │                │          │
+│ busybox           │         │                │          │
+├───────────────────┤         │                │          │
+│ musl-utils        │         │                │          │
+├───────────────────┤         │                │          │
+│ scanelf           │         │                │          │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+```
+
+### Full scanning
+Specify `--license-full`
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
+
+┌───────────────────┬───────────────────┬────────────────┬──────────┐
+│      Package      │      License      │ Classification │ Severity │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
+├───────────────────┤                   │                │          │
+│ apk-tools         │                   │                │          │
+├───────────────────┼───────────────────┤                │          │
+│ bash              │ GPL-3.0           │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┤                │          │
+│ libaio            │ LGPL-2.1-or-later │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
+└───────────────────┴───────────────────┴────────────────┴──────────┘
+
+Loose File License(s) (license)
+===============================
+Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
+
+┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
+│ Classification │ Severity │   License    │                        File Location                         │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
+│                │          │              │                                                              │
+│                │          │              │                                                              │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
+│                │          │              │ 41a80.js.LICENSE.txt                                         │
+└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Trivy has number of configuration flags for use with license scanning;
+                                 
+### Ignored Licenses
+
+Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
+
+```shell
+$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 2 (HIGH: 2, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+
+```
+
+### Custom Classification
+You can generate the default config by the `--generate-default-config` flag and customize the license classification.
+For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
+
+```shell
+$ trivy image --generate-default-config
+$ vim trivy.yaml
+license:
+  forbidden:
+  - AGPL-3.0
+  
+  restricted:
+  - AGPL-1.0
+  - CC-BY-NC-1.0
+  - CC-BY-NC-2.0
+  - CC-BY-NC-2.5
+  - CC-BY-NC-3.0
+  - CC-BY-NC-4.0
+  - CC-BY-NC-ND-1.0
+  - CC-BY-NC-ND-2.0
+  - CC-BY-NC-ND-2.5
+  - CC-BY-NC-ND-3.0
+  - CC-BY-NC-ND-4.0
+  - CC-BY-NC-SA-1.0
+  - CC-BY-NC-SA-2.0
+  - CC-BY-NC-SA-2.5
+  - CC-BY-NC-SA-3.0
+  - CC-BY-NC-SA-4.0
+  - Commons-Clause
+  - Facebook-2-Clause
+  - Facebook-3-Clause
+  - Facebook-Examples
+  - WTFPL
+  - BCL
+  - CC-BY-ND-1.0
+  - CC-BY-ND-2.0
+  - CC-BY-ND-2.5
+  - CC-BY-ND-3.0
+  - CC-BY-ND-4.0
+  - CC-BY-SA-1.0
+  - CC-BY-SA-2.0
+  - CC-BY-SA-2.5
+  - CC-BY-SA-3.0
+  - CC-BY-SA-4.0
+  - GPL-1.0
+  - GPL-2.0
+  - GPL-2.0-with-autoconf-exception
+  - GPL-2.0-with-bison-exception
+  - GPL-2.0-with-classpath-exception
+  - GPL-2.0-with-font-exception
+  - GPL-2.0-with-GCC-exception
+  - GPL-3.0
+  - GPL-3.0-with-autoconf-exception
+  - GPL-3.0-with-GCC-exception
+  - LGPL-2.0
+  - LGPL-2.1
+  - LGPL-3.0
+  - NPL-1.0
+  - NPL-1.1
+  - OSL-1.0
+  - OSL-1.1
+  - OSL-2.0
+  - OSL-2.1
+  - OSL-3.0
+  - QPL-1.0
+  - Sleepycat
+  
+  reciprocal:
+  - APSL-1.0
+  - APSL-1.1
+  - APSL-1.2
+  - APSL-2.0
+  - CDDL-1.0
+  - CDDL-1.1
+  - CPL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - FreeImage
+  - IPL-1.0
+  - MPL-1.0
+  - MPL-1.1
+  - MPL-2.0
+  - Ruby
+  
+  notice:
+  - AFL-1.1
+  - AFL-1.2
+  - AFL-2.0
+  - AFL-2.1
+  - AFL-3.0
+  - Apache-1.0
+  - Apache-1.1
+  - Apache-2.0
+  - Artistic-1.0-cl8
+  - Artistic-1.0-Perl
+  - Artistic-1.0
+  - Artistic-2.0
+  - BSL-1.0
+  - BSD-2-Clause-FreeBSD
+  - BSD-2-Clause-NetBSD
+  - BSD-2-Clause
+  - BSD-3-Clause-Attribution
+  - BSD-3-Clause-Clear
+  - BSD-3-Clause-LBNL
+  - BSD-3-Clause
+  - BSD-4-Clause
+  - BSD-4-Clause-UC
+  - BSD-Protection
+  - CC-BY-1.0
+  - CC-BY-2.0
+  - CC-BY-2.5
+  - CC-BY-3.0
+  - CC-BY-4.0
+  - FTL
+  - ISC
+  - ImageMagick
+  - Libpng
+  - Lil-1.0
+  - Linux-OpenIB
+  - LPL-1.02
+  - LPL-1.0
+  - MS-PL
+  - MIT
+  - NCSA
+  - OpenSSL
+  - PHP-3.01
+  - PHP-3.0
+  - PIL
+  - Python-2.0
+  - Python-2.0-complete
+  - PostgreSQL
+  - SGI-B-1.0
+  - SGI-B-1.1
+  - SGI-B-2.0
+  - Unicode-DFS-2015
+  - Unicode-DFS-2016
+  - Unicode-TOU
+  - UPL-1.0
+  - W3C-19980720
+  - W3C-20150513
+  - W3C
+  - X11
+  - Xnet
+  - Zend-2.0
+  - zlib-acknowledgement
+  - Zlib
+  - ZPL-1.1
+  - ZPL-2.0
+  - ZPL-2.1
+  
+  unencumbered:
+  - CC0-1.0
+  - Unlicense
+  - 0BSD
+  
+  permissive: []
+```
+
+
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/misconfiguration/options/values.md

@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting sepecific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```

docs/docs/references/cli/client.md

@@ -1,32 +1,70 @@
 # Client
 
 ```bash
-NAME:
-   trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now.
+Usage:
+  trivy client [flags] IMAGE_NAME
 
-USAGE:
-   trivy image --server value
+Aliases:
+  client, c
 
-   trivy client [deprecated command options] image_name
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
 
-DEPRECATED OPTIONS:
-   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value    output file name [$TRIVY_OUTPUT]
-   --exit-code value           Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --ignore-unfixed            display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs              detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --token value               for authentication [$TRIVY_TOKEN]
-   --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
-   --custom-headers value      custom headers [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                  show help (default: false)
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/config.md

@@ -1,29 +1,49 @@
 # Config
 
 ``` bash
-NAME:
-   trivy config - scan config files
+Scan config files for misconfigurations
 
-USAGE:
-   trivy config [command options] dir
+Usage:
+  trivy config [flags] DIR
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --reset                                        remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --policy value, --config-policy value          specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
-   --data value, --config-data value              specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --file-patterns value                          specify file patterns [$TRIVY_FILE_PATTERNS]
-   --include-successes                            include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
-   --help, -h                                     show help (default: false)
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/fs.md

@@ -1,42 +1,85 @@
 # Filesystem
 
 ```bash
-NAME:
-   trivy filesystem - scan local filesystem for language-specific dependencies and config files
+Scan local filesystem
 
-USAGE:
-   trivy filesystem [command options] path
+Usage:
+  trivy filesystem [flags] PATH
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                              cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                          OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value                             specify the file paths to skip traversal                                        (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped                          (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files         (accepts multiple inputs) [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded  (accepts multiple inputs) [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users")                                              (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
-   --server value                                 server address [$TRIVY_SERVER]
-   --token value                                  for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value                           specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value                         custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                                     show help (default: false)
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/image.md

@@ -1,43 +1,103 @@
 # Image
 
 ```bash
-NAME:
-   trivy image - scan an image
+Scan a container image
 
-USAGE:
-   trivy image [command options] image_name
+Usage:
+  trivy image [flags] IMAGE_NAME
 
-OPTIONS:
-   --template value, -t value       output template [$TRIVY_TEMPLATE]
-   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value         output file name [$TRIVY_OUTPUT]
-   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
-   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value          comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                          deprecated (default: false) [$TRIVY_LIGHT]
-   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --server value                   server address [$TRIVY_SERVER]
-   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value           custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                       show help (default: false)
+Aliases:
+  image, i
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Image Flags
+      --input string   input file path instead of image name
+      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/index.md

@@ -1,32 +1,50 @@
 Trivy has several sub commands, image, fs, repo, client and server.
 
 ``` bash
-NAME:
-   trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
 
-USAGE:
-   trivy [global options] command [command options] target
+Usage:
+  trivy [global flags] command [flags] target
+  trivy [command]
 
-VERSION:
-   dev
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
 
-COMMANDS:
-   image, i          scan an image
-   filesystem, fs    scan local filesystem for language-specific dependencies and config files
-   rootfs            scan rootfs
-   repository, repo  scan remote repository
-   server, s         server mode
-   config, conf      scan config files
-   plugin, p         manage plugins
-   kubernetes, k8s   scan kubernetes vulnerabilities and misconfigurations
-   sbom              generate SBOM for an artifact
-   version           print the version
-   help, h           Shows a list of commands or help for one command
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
 
-GLOBAL OPTIONS:
-   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
-   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
-   --cache-dir value  cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR]
-   --help, -h         show help (default: false)
-   --version, -v      print the version (default: false)
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+
+Available Commands:
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  help        Help about any command
+  image       Scan a container image
+  kubernetes  scan kubernetes cluster
+  module      Manage modules
+  plugin      Manage plugins
+  repository  Scan a remote repository
+  rootfs      Scan rootfs
+  sbom        Scan SBOM for vulnerabilities
+  server      Server mode
+  version     Print the version
+
+Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy [command] --help" for more information about a command.
 ```

docs/docs/references/cli/module.md

@@ -1,17 +1,30 @@
 # Module
 
 ```bash
-NAME:
-   trivy module - manage modules
+Manage modules
 
-USAGE:
-   trivy module command [command options] [arguments...]
+Usage:
+  trivy module [command]
 
-COMMANDS:
-   install, i    install a module
-   uninstall, u  uninstall a module
-   help, h       Shows a list of commands or help for one command
+Aliases:
+  module, m
 
-OPTIONS:
-   --help, -h  show help (default: false)
+Available Commands:
+  install     Install a module
+  uninstall   Uninstall a module
+
+Flags:
+  -h, --help   help for module
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
 ```

docs/docs/references/cli/plugin.md

@@ -1,21 +1,34 @@
 # Plugin
 
 ```bash
-NAME:
-   trivy plugin - manage plugins
+Manage plugins
 
-USAGE:
-   trivy plugin command [command options] plugin_uri
+Usage:
+  trivy plugin [command]
 
-COMMANDS:
-   install, i    install a plugin
-   uninstall, u  uninstall a plugin
-   list, l       list installed plugin
-   info          information about a plugin
-   run, r        run a plugin on the fly
-   update        update an existing plugin
-   help, h       Shows a list of commands or help for one command
+Aliases:
+  plugin, p
 
-OPTIONS:
-   --help, -h  show help (default: false)
+Available Commands:
+  info        Show information about the specified plugin
+  install     Install a plugin
+  list        List installed plugin
+  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
+  update      Update an existing plugin
+
+Flags:
+  -h, --help   help for plugin
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
 ```

docs/docs/references/cli/repo.md

@@ -1,38 +1,87 @@
 # Repository
 
 ```bash
-NAME:
-   trivy repository - scan remote repository
+Scan a remote repository
 
-USAGE:
-   trivy repository [command options] repo_url
+Usage:
+  trivy repository [flags] REPO_URL
 
-OPTIONS:
-   --template value, -t value       output template [$TRIVY_TEMPLATE]
-   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value         output file name [$TRIVY_OUTPUT]
-   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update             skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value          comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --quiet, -q                      suppress progress bar and log output (default: false) [$TRIVY_QUIET]
-   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --help, -h                       show help (default: false)
+Aliases:
+  repository, repo
+
+Examples:
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Repository Flags
+      --branch string   pass the branch name to be scanned
+      --commit string   pass the commit hash to be scanned
+      --tag string      pass the tag name to be scanned
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/rootfs.md

@@ -1,36 +1,79 @@
 # Rootfs
 
 ```bash
-NAME:
-   trivy rootfs - scan rootfs
+Scan rootfs
 
-USAGE:
-   trivy rootfs [command options] dir
+Usage:
+  trivy rootfs [flags] ROOTDIR
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --help, -h                                     show help (default: false)
+Examples:
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/sbom.md

@@ -1,27 +1,70 @@
 # SBOM
 
 ```bash
-NAME:
-   trivy sbom - generate SBOM for an artifact
+Scan SBOM for vulnerabilities
 
-USAGE:
-   trivy sbom [command options] ARTIFACT
+Usage:
+  trivy sbom [flags] SBOM_PATH
 
-DESCRIPTION:
-   ARTIFACT can be a container image, file path/directory, git repository or container image archive. See examples.
+Examples:
+  # Scan CycloneDX and show the result in tables
+  $ trivy sbom /path/to/report.cdx
 
-OPTIONS:
-   --output value, -o value             output file name [$TRIVY_OUTPUT]
-   --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --offline-scan                       do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --insecure                           allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --skip-files value                   specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                    specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
-   --sbom-format value, --format value  SBOM format (cyclonedx, spdx, spdx-json) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
-   --help, -h                           show help (default: false)
-```
+  # Scan CycloneDX and generate a CycloneDX report
+  $ trivy sbom --format cyclonedx /path/to/report.cdx
+
+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```

docs/docs/references/cli/server.md

@@ -1,22 +1,49 @@
 # Server
 
 ```bash
-NAME:
-   trivy server - server mode
+Server mode
 
-USAGE:
-   trivy server [command options] [arguments...]
+Usage:
+  trivy server [flags]
 
-OPTIONS:
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --listen value                   listen address (default: "localhost:4954") [$TRIVY_LISTEN]
-   --help, -h                       show help (default: false)
+Aliases:
+  server, s
+
+Examples:
+  # Run a server
+  $ trivy server
+
+  # Listen on 0.0.0.0:10000
+  $ trivy server --listen 0.0.0.0:10000
+
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Client/Server Flags
+      --listen string         listen address in server mode (default "localhost:4954")
+      --token string          for authentication in client/server mode
+      --token-header string   specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/customization/config-file.md

@@ -0,0 +1,340 @@
+# Config file
+
+Trivy can be customized by tweaking a `trivy.yaml` file. The config path can be overridden by the `--config` flag.
+
+An example is [here][example].
+
+## Global Options
+
+```yaml
+# Same as '--quiet'
+# Default is false
+quiet: false
+
+# Same as '--debug'
+# Default is false
+debug: false
+
+# Same as '--insecure'
+# Default is false
+insecure: false
+
+# Same as '--timeout'
+# Default is '5m'
+timeout: 10m
+
+# Same as '--cache-dir'
+# Default is your system cache dir
+cache-dir: $HOME/.cache/trivy
+```
+
+## Report Options
+
+```yaml
+# Same as '--format'
+# Default is 'table'
+format: table
+
+# Same as '--report' (available with 'trivy k8s')
+# Default is all
+report: all
+
+# Same as '--template'
+# Default is empty
+template: 
+
+# Same as '--dependency-tree'
+# Default is false
+dependency-tree: false
+
+# Same as '--list-all-pkgs'
+# Default is false
+list-all-pkgs: false
+
+# Same as '--ignorefile'
+# Default is '.trivyignore'
+ignorefile: .trivyignore
+
+# Same as '--ignore-policy'
+# Default is empty
+ignore-policy:
+
+# Same as '--exit-code'
+# Default is 0
+exit-code: 0
+
+# Same as '--output'
+# Default is empty (stdout)
+output:
+
+# Same as '--severity'
+# Default is all severities
+severity:
+  - UNKNOWN
+  - LOW
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+```
+
+## Scan Options
+Available in client/server mode
+
+```yaml
+scan:
+  # Same as '--skip-dirs'
+  # Default is empty
+  skip-dirs:
+    - usr/local/
+    - etc/
+  
+  # Same as '--skip-files'
+  # Default is empty
+  skip-files:
+    - package-dev.json
+  
+  # Same as '--offline-scan'
+  # Default is false
+  offline-scan: false
+  
+  # Same as '--security-checks'
+  # Default depends on subcommand
+  security-checks:
+    - vuln
+    - config
+    - secret
+```
+
+## Cache Options
+
+```yaml
+cache:
+  # Same as '--cache-backend'
+  # Default is 'fs' 
+  backend: 'fs'
+  
+  # Same as '--cache-ttl'
+  # Default is 0 (no ttl) 
+  ttl: 0
+  
+  # Redis options
+  redis:
+    # Same as '--redis-ca'
+    # Default is empty
+    ca:
+    
+    # Same as '--redis-cert'
+    # Default is empty
+    cert:
+    
+    # Same as '--redis-key'
+    # Default is empty
+    key:
+```
+
+## DB Options
+
+```yaml
+db:
+  # Same as '--skip-db-update'
+  # Default is false
+  skip-update: false
+  
+  # Same as '--no-progress'
+  # Default is false
+  no-progress: false
+  
+  # Same as '--db-repository'
+  # Default is 'github.com/aquasecurity-trivy-repo'
+  repository: github.com/aquasecurity-trivy-repo
+```
+
+## Image Options
+Available with container image scanning
+
+```yaml
+image:
+  # Same as '--input' (available with 'trivy image')
+  # Default is empty
+  input:
+  
+  # Same as '--removed-pkgs'
+  # Default is false
+  removed-pkgs: false
+```
+
+## Vulnerability Options
+Available with vulnerability scanning
+
+```yaml
+vulnerability:
+  # Same as '--vuln-type'
+  # Default is 'os,library'
+  type:
+    - os
+    - library
+  
+  # Same as '--ignore-unfixed'
+  # Default is false
+  ignore-unfixed: false
+```
+
+## Secret Options
+Available with secret scanning
+
+```yaml
+secret:
+  # Same as '--secret-config'
+  # Default is 'trivy-secret.yaml'
+  config: config/trivy/secret.yaml
+```
+
+
+## Misconfiguration Options
+Available with misconfiguration scanning
+
+```yaml
+misconfiguration:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+  
+  # Same as '--include-non-failures'
+  # Default is false
+  include-non-failures: false
+  
+  # Same as '--trace'
+  # Default is false
+  trace: false
+  
+  # Same as '--config-policy'
+  # Default is empty
+  policy:
+    - policy/repository
+    - policy/custom
+    
+  # Same as '--config-data'
+  # Default is empty
+  data:
+    - data/
+    
+  # Same as '--policy-namespaces'
+  # Default is empty
+  namespaces:
+    - opa.examples
+    - users
+
+  # helm value override configurations
+  # set individual values
+  helm:
+    set:
+      - securityContext.runAsUser=10001
+
+  # set values with file
+  helm:
+    values:
+      - overrides.yaml
+
+  # set specific values from specific files
+  helm:
+    set-file:
+      - image=dev-overrides.yaml
+
+  # set as string and preserve type
+  helm:
+    set-string:
+      - name=true
+
+  # terraform tfvars overrrides
+  terraform:
+    vars:
+      - dev-terraform.tfvars
+      - common-terraform.tfvars
+```
+
+## Kubernetes Options
+Available with Kubernetes scanning
+
+```yaml
+kubernetes:
+  # Same as '--context'
+  # Default is empty
+  context:
+  
+  # Same as '--namespace'
+  # Default is empty
+  namespace:
+```
+
+## Repository Options
+Available with git repository scanning (`trivy repo`) 
+
+```yaml
+repository:
+  # Same as '--branch'
+  # Default is empty
+  branch:
+  
+  # Same as '--commit'
+  # Default is empty
+  commit:
+  
+  # Same as '--tag'
+  # Default is empty
+  tag:
+```
+
+## Client/Server Options
+Available in client/server mode
+
+```yaml
+server:
+  # Same as '--server' (available in client mode)
+  # Default is empty
+  addr: http://localhost:4954
+  
+  # Same as '--token'
+  # Default is empty
+  token: "something-secret"
+  
+  # Same as '--token-header'
+  # Default is 'Trivy-Token'
+  token-header: 'My-Token-Header'
+  
+  # Same as '--custom-headers'
+  # Default is empty
+  custom-headers:
+    - scanner: trivy
+    - x-api-token: xxx
+    
+  # Same as '--listen' (available in server mode)
+  # Default is 'localhost:4954'
+  listen: 0.0.0.0:10000
+```
+
+## Cloud Options
+
+Available for cloud scanning (currently only `trivy aws`)
+
+```yaml
+cloud:
+  # whether to force a cache update for every scan
+  update-cache: false
+  
+  # how old cached results can be before being invalidated
+  max-cache-age: 24h
+  
+  # aws-specific cloud settings
+  aws:
+    # the aws region to use
+    region: us-east-1
+    
+    # the aws endpoint to use (not required for general use)
+    endpoint: https://my.custom.aws.endpoint
+    
+    # the aws account to use (this will be determined from your environment when not set)
+    account: 123456789012
+```
+
+[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

docs/docs/references/customization/envs.md

@@ -0,0 +1,17 @@
+# Environment variables
+
+Trivy can be customized by environment variables.
+The environment variable key is the flag name converted by the following procedure.
+
+- Add `TRIVY_` prefix
+- Make it all uppercase
+- Replace `-` with `_`
+
+For example, 
+
+- `--debug` => `TRIVY_DEBUG`
+- `--cache-dir` => `TRIVY_CACHE_DIR`
+
+```
+$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
+```

docs/docs/references/troubleshooting.md

@@ -106,7 +106,19 @@ If trivy is running behind corporate firewall, you have to add the following url
 !!! error
     --skip-update cannot be specified with the old DB schema.
 
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][../advanced/air-gap.md].
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+
+### Multiple Trivy servers
+
+!!! error
+    ```
+    $ trivy image --server http://xxx.com:xxxx test-image
+    ...
+    - twirp error internal: failed scan, test-image: failed to apply layers: layer cache missing: sha256:*****
+    ```
+To run multiple Trivy servers, you need to use Redis as the cache backend so that those servers can share the cache. 
+Follow [this instruction][redis-cache] to do so.
+
 
 ## Homebrew
 ### Scope error
@@ -157,4 +169,5 @@ Try again with `--reset` option:
 $ trivy image --reset
 ```
 
-[air-gapped]: ../how-to-guides/air-gap.md
+[air-gapped]: ../advanced/air-gap.md
+[redis-cache]: ../../vulnerability/examples/cache/#cache-backend

docs/docs/sbom/cyclonedx.md

@@ -1,12 +1,21 @@
 # CycloneDX
 
+## Reporting
 Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.
 
 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
 
+CycloneDX can represent either or both SBOM or BOV.
+
+- [Software Bill of Materials (SBOM)][sbom]
+- [Bill of Vulnerabilities (BOV)][bov]
+
+By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
+
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```
 
 <details>
@@ -230,4 +239,41 @@ $ cat result.json | jq .
 
 </details>
 
-[cyclonedx]: https://cyclonedx.org/
+If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+
+```
+$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+```
+
+## Scanning
+Trivy can take CycloneDX as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
+
+cyclonedx.json (alpine 3.7.1)
+=========================
+Total: 3 (CRITICAL: 3)
+
+┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
+└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+!!! note
+    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV][bov].
+
+[cyclonedx]: https://cyclonedx.org/
+[sbom]: https://cyclonedx.org/capabilities/sbom/
+[bov]: https://cyclonedx.org/capabilities/bov/

docs/docs/sbom/index.md

@@ -1,6 +1,7 @@
 # SBOM
 
-Trivy currently supports the following SBOM formats.
+## Reporting
+Trivy can generate the following SBOM formats.
 
 - [CycloneDX][cyclonedx]
 - [SPDX][spdx]
@@ -8,13 +9,12 @@ Trivy currently supports the following SBOM formats.
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
 
 ```
-$ trivy image --format cyclonedx --output result.json alpine:3.15
+$ trivy image --format spdx-json --output result.json alpine:3.15
 ```
 
-In addition, you can use the `trivy sbom` subcommand.
 
 ```
-$ trivy sbom alpine:3.15
+$ trivy fs --format cyclonedx --output result.json /app/myproject
 ```
 
 <details>
@@ -177,18 +177,63 @@ $ trivy sbom alpine:3.15
 
 </details>
 
-`fs`, `repo` and `archive` also work with `sbom` subcommand.
+## Scanning
+Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.
 
+- CycloneDX
+- CycloneDX-type attestation
+
+To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
+
+cyclonedx.json (alpine 3.7.1)
+=========================
+Total: 3 (CRITICAL: 3)
+
+┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
+└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 ```
-# filesystem
-$ trivy sbom --artifact-type fs /path/to/project
 
-# repository
-$ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
 
-# container image archive
-$ trivy sbom --artifact-type archive alpine.tar
+!!! note
+    CycloneDX XML and SPDX are not supported at the moment.
+
+You can also scan an SBOM attestation.
+In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
 
 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md
+[Cosign]: https://github.com/sigstore/cosign
+[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair

docs/docs/secret/configuration.md

@@ -137,6 +137,6 @@ disable-allow-rules:
 ```
 
 
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [examples]: ./examples.md

docs/docs/secret/scanning.md

@@ -116,8 +116,8 @@ $ trivy image --security-checks vuln alpine:3.15
 ## Credit
 This feature is inspired by [gitleaks][gitleaks]. 
 
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin-allow]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [configuration]: ./configuration.md
 [allow-rules]: ./configuration.md#allow-rules
 [enable-rules]: ./configuration.md#enable-rules

docs/docs/vulnerability/detection/data-source.md

@@ -1,22 +1,21 @@
 # OS
 
-| OS             | Source                                                                              |
-| ---------------| ---------------------------------------- |
-| Arch Linux     | [Vulnerable Issues][arch]                |
-| Alpine Linux   | [secdb][alpine]                          |
-| Amazon Linux 1 | [Amazon Linux Security Center][amazon1]  |
-| Amazon Linux 2 | [Amazon Linux Security Center][amazon2]  |
-| Debian         | [Security Bug Tracker][debian-tracker]   |
-|                | [OVAL][debian-oval]                      |
-| Ubuntu         | [Ubuntu CVE Tracker][ubuntu]             |
-| RHEL/CentOS    | [OVAL][rhel-oval]                        |
-|                | [Security Data][rhel-api]                |
-| AlmaLinux      | [AlmaLinux Product Errata][alma]         |
-| Rocky Linux    | [Rocky Linux UpdateInfo][rocky]          |
-| Oracle Linux   | [OVAL][oracle]                           |
-| CBL-Mariner    | [OVAL][mariner]                          |
-| OpenSUSE/SLES	 | [CVRF][suse]                             |
-| Photon OS      | [Photon Security Advisory][photon]       |
+| OS                 | Source                                      |
+|--------------------|---------------------------------------------|
+| Arch Linux         | [Vulnerable Issues][arch]                   |
+| Alpine Linux       | [secdb][alpine]                             |
+| Amazon Linux       | [Amazon Linux Security Center][amazon]      |
+| Debian             | [Security Bug Tracker][debian-tracker]      |
+|                    | [OVAL][debian-oval]                         |
+| Ubuntu             | [Ubuntu CVE Tracker][ubuntu]                |
+| RHEL/CentOS        | [OVAL][rhel-oval]                           |
+|                    | [Security Data][rhel-api]                   |
+| AlmaLinux          | [AlmaLinux Product Errata][alma]            |
+| Rocky Linux        | [Rocky Linux UpdateInfo][rocky]             |
+| Oracle Linux       | [OVAL][oracle]                              |
+| CBL-Mariner        | [OVAL][mariner]                             |
+| OpenSUSE/SLES      | [CVRF][suse]                                |
+| Photon OS          | [Photon Security Advisory][photon]          |
 
 # Programming Language
 
@@ -57,8 +56,7 @@ The severity is from the selected data source. If the data source does not provi
 
 [arch]: https://security.archlinux.org/
 [alpine]: https://secdb.alpinelinux.org/
-[amazon1]: https://alas.aws.amazon.com/
-[amazon2]: https://alas.aws.amazon.com/alas2.html
+[amazon]: https://alas.aws.amazon.com/
 [debian-tracker]: https://security-tracker.debian.org/tracker/
 [debian-oval]: https://www.debian.org/security/oval/
 [ubuntu]: https://ubuntu.com/security/cve

docs/docs/vulnerability/detection/language.md

@@ -2,26 +2,29 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                     | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] |Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
-| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
-|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
-| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
-|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
-|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
-|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
-|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
-| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
-| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
-|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
-|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
-| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
-|          | packages.config          | ✅        | ✅         |       ✅        |       ✅        | excluded        |
-| Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
-|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
-| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
-|          | go.mod[^7]               | -         | -          |       ✅        |       ✅        | included        |
-| Rust     | Cargo.lock               | ✅        | ✅         |       ✅        |       ✅        | included        |
+| Language | File                    | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
+| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
+| Ruby     | Gemfile.lock            |     -     |     -      |        ✅        |        ✅        | included         |
+|          | gemspec                 |     ✅     |     ✅      |        -        |        -        | included         |
+| Python   | Pipfile.lock            |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | poetry.lock             |     -     |     -      |        ✅        |        ✅        | included         |
+|          | requirements.txt        |     -     |     -      |        ✅        |        ✅        | included         |
+|          | egg package[^1]         |     ✅     |     ✅      |        -        |        -        | excluded         |
+|          | wheel package[^2]       |     ✅     |     ✅      |        -        |        -        | excluded         |
+| PHP      | composer.lock           |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+| Node.js  | package-lock.json       |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | yarn.lock               |     -     |     -      |        ✅        |        ✅        | included         |
+|          | pnpm-lock.yaml          |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | package.json            |     ✅     |     ✅      |        -        |        -        | excluded         |
+| .NET     | packages.lock.json      |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | packages.config         |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+|          | .deps.json              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+| Java     | JAR/WAR/PAR/EAR[^3][^4] |     ✅     |     ✅      |        -        |        -        | included         |
+|          | pom.xml[^5]             |     -     |     -      |        ✅        |        ✅        | excluded         |
+| Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |
+|          | go.mod[^7]              |     -     |     -      |        ✅        |        ✅        | included         |
+| Rust     | Cargo.lock              |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   
 
 The path of these files does not matter.
 

docs/docs/vulnerability/detection/os.md

@@ -12,7 +12,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Rocky Linux                      | 8                                         | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                                | Installed by yum/rpm          |                  NO                  |
 | CBL-Mariner                      | 1.0, 2.0                                  | Installed by yum/rpm          |                 YES                  |
-| Amazon Linux                     | 1, 2                                      | Installed by yum/rpm          |                  NO                  |
+| Amazon Linux                     | 1, 2, 2022                                | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                    | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                                | Installed by zypper/rpm       |                  NO                  |
 | Photon OS                        | 1.0, 2.0, 3.0, 4.0                        | Installed by tdnf/yum/rpm     |                  NO                  |

docs/docs/vulnerability/distributions.md

@@ -6,24 +6,53 @@ The following table provides an outline of the features Trivy offers.
 
 | Version | Container image | Virtual machine | Distroless |  Multi-arch  | Unfixed support |
 |---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
-| 1.0     |        ✔        |        ✔        |            | amd64, arm64 |        ✔        |
+| 1.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
 | 2.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
 
 ### Examples
 
-```
-$ trivy image cblmariner.azurecr.io/base/core:1.0
-2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
-2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
-2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0
+=== "image"
+    ```
+    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
+    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
+    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
+    
+    mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```
 
-cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
-==============================================================
-Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 
-```
+=== "fs"
+    ```
+    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 
+    
+    root [ / ]# tdnf -y install ca-certificates
+    ...
+
+    root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
+    ...
+    
+    root [ / ]# trivy fs /
+    2022-07-27T09:30:06.815Z	INFO	Need to update DB
+    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
+    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
+    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
+    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
+    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
+    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
+    
+    40ba9a55397c (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```
 
 ### Data source
 See [here][source].
 
 [mariner]: https://github.com/microsoft/CBL-Mariner
-[source]: detection/data-source.md
+[source]: detection/data-source.md

docs/docs/vulnerability/examples/report.md

@@ -15,7 +15,7 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is available with the `--format table` flag only.
+This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
 
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -63,33 +63,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 !!! note
     Only Node.js (package-lock.json) is supported at the moment.
 
-## JSON
-Similar structure is included in JSON output format
-```json
-          "VulnerabilityID": "CVE-2022-0235",
-          "PkgID": "node-fetch@1.7.3",
-          "PkgName": "node-fetch",
-          "PkgParents": [
-            {
-              "ID": "isomorphic-fetch@2.2.1",
-              "Parents": [
-                {
-                  "ID": "fbjs@0.8.18",
-                  "Parents": [
-                    {
-                      "ID": "styled-components@3.1.3"
-                    }
-                  ]
-                }
-              ]
-            }
-          ],
-
-```
-
-!!! caution
-As of May 2022 the feature is supported for `npm` dependency parser only
-
 ## JSON
 
 ```
@@ -303,6 +276,6 @@ $ trivy image --format template --template "@/usr/local/share/trivy/templates/ht
 
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/

docs/docs/vulnerability/scanning/git-repository.md

@@ -147,6 +147,30 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 
 </details>
 
+## Scanning a Branch
+
+Pass a `--branch` agrument with a valid branch name on the remote repository provided:
+
+```
+$ trivy repo --branch <branch-name> <repo-name>
+```
+
+## Scanning upto a Commit
+
+Pass a `--commit` agrument with a valid commit hash on the remote repository provided:
+
+```
+$ trivy repo --commit <commit-hash> <repo-name>
+```
+
+## Scanning a Tag
+
+Pass a `--tag` agrument with a valid tag on the remote repository provided:
+
+```
+$ trivy repo --tag <tag-name> <repo-name>
+```
+
 ## Scanning Private Repositories
 
 In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.

docs/getting-started/installation.md

@@ -31,8 +31,8 @@
 
     ``` bash
     sudo apt-get install wget apt-transport-https gnupg lsb-release
-    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
     sudo apt-get update
     sudo apt-get install trivy
     ```
@@ -68,6 +68,16 @@ You can use homebrew on macOS and Linux.
 brew install aquasecurity/trivy/trivy
 ```
 
+## MacPorts
+
+You can also install `trivy` via [MacPorts](https://www.macports.org) on macOS:
+
+```bash
+sudo port install trivy
+```
+
+More info [here](https://ports.macports.org/port/trivy/).
+
 ## Nix/NixOS
 
 Direct issues installing `trivy` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)

docs/getting-started/overview.md

@@ -4,7 +4,7 @@ Trivy detects three types of security issues:
 
 - [Vulnerabilities][vuln]
     - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - [Misconfigurations][misconf]
     - Kubernetes
     - Docker

docs/index.md

@@ -23,12 +23,16 @@ All you need to do for scanning is to specify a target such as an image name of
 </div>
 
 <figure style="text-align: center">
-  <img src="imgs/vuln-demo.gif" width="1000">
+  <video width="1000" autoplay muted controls loop>
+    <source src="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" type="video/mp4" />
+  </video>
   <figcaption>Demo: Vulnerability Detection</figcaption>
 </figure>
 
 <figure style="text-align: center">
-  <img src="imgs/misconf-demo.gif" width="1000">
+  <video width="1000" autoplay muted controls loop>
+    <source src="https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov" type="video/mp4" />
+  </video>
   <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>
 

examples/misconf/custom-policy/dockerfile/policy/from.rego

@@ -11,7 +11,7 @@ __rego_metadata__ := {
 __rego_input__ := {"selector": [{"type": "dockerfile"}]}
 
 deny[res] {
-	add := input.stages[_][_]
+	add := input.Stages[_].Commands[_]
 	add.Cmd == "add"
 	startswith(add.Value[0], "http://")
 

examples/misconf/custom-policy/dockerfile/policy/from_test.rego

@@ -1,21 +1,21 @@
 package user.dockerfile.ID002
 
 test_http_denied {
-	r := deny with input as {"stages": {"alpine:3.13": [
+	r := deny with input as {"Stages": [{"Name": "alpine:3.31", "Commands": [
 		{"Cmd": "from", "Value": ["alpine:3.13"]},
 		{"Cmd": "add", "Value": ["http://example.com/big.tar.xz", "/usr/src/things/"]},
 		{"Cmd": "run", "Value": ["tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things"]},
-	]}}
+	]}]}
 
 	count(r) == 1
 	r[_] == "HTTP not allowed: 'http://example.com/big.tar.xz'"
 }
 
 test_http_allowed {
-	r := deny with input as {"stages": {"alpine:3.13": [
+	r := deny with input as {"Stages": [{"Name": "alpine:3.31", "Commands": [
 		{"Cmd": "from", "Value": ["alpine:3.13"]},
 		{"Cmd": "add", "Value": ["https://example.com/big.tar.xz", "/usr/src/things/"]},
-	]}}
+	]}]}
 
 	count(r) == 0
 }

examples/trivy-conf/trivy.yaml

@@ -0,0 +1,24 @@
+timeout: 10m
+format: json
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+output: result.json
+severity:
+  - HIGH
+  - CRITICAL
+scan:
+  skip-dirs:
+    - /lib64
+    - /lib
+    - /usr/lib
+    - /usr/include
+
+  security-checks:
+    - vuln
+    - secret
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true

go.mod

@@ -6,84 +6,150 @@ require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.21.0
+	github.com/alicebob/miniredis/v2 v2.22.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220607141748-ab2deea55bdf
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220819065825-29e1e04fb7ae
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/table v1.5.1
+	github.com/aquasecurity/table v1.7.2
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
-	github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220613131930-79b2cb425b18
+	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
+	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220823151349-b90b48958b91
+	github.com/aws/aws-sdk-go-v2 v1.16.11
+	github.com/aws/aws-sdk-go-v2/config v1.17.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.13
 	github.com/caarlos0/env/v6 v6.9.3
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.0.8
-	github.com/docker/docker v20.10.16+incompatible
+	github.com/cheggaaa/pb/v3 v3.1.0
+	github.com/containerd/containerd v1.6.6
+	github.com/docker/docker v20.10.17+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.13.0
+	github.com/go-enry/go-license-detector/v4 v4.3.0
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
+	github.com/google/licenseclassifier/v2 v2.0.0-pre6
 	github.com/google/uuid v1.3.0
 	github.com/google/wire v0.5.0
 	github.com/hashicorp/go-getter v1.6.2
+	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
-	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
+	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/kylelemons/godebug v1.1.0
-	github.com/mailru/easyjson v0.7.6
+	github.com/liamg/loading v0.0.4
+	github.com/liamg/memoryfs v1.4.2
+	github.com/liamg/tml v0.6.0
+	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.41.0
-	github.com/owenrumney/go-sarif/v2 v2.1.1
+	github.com/open-policy-agent/opa v0.43.0
+	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
-	github.com/samber/lo v1.21.0
+	github.com/samber/lo v1.27.0
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0
 	github.com/sosedoff/gitkit v0.3.0
-	github.com/stretchr/testify v1.7.2
+	github.com/spf13/cobra v1.5.0
+	github.com/spf13/pflag v1.0.5
+	github.com/spf13/viper v1.12.0
+	github.com/stretchr/testify v1.8.0
 	github.com/testcontainers/testcontainers-go v0.13.0
-	github.com/tetratelabs/wazero v0.0.0-20220606011721-119b069ba23e
+	github.com/tetratelabs/wazero v0.0.0-20220701105919-891761ac1ee2
 	github.com/twitchtv/twirp v8.1.2+incompatible
-	github.com/urfave/cli/v2 v2.8.1
 	github.com/xlab/treeprint v1.1.0
-	go.uber.org/zap v1.21.0
+	go.etcd.io/bbolt v1.3.6
+	go.uber.org/zap v1.22.0
 	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	google.golang.org/protobuf v1.28.0
+	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 )
 
 require (
-	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
-	github.com/gofrs/uuid v4.0.0+incompatible // indirect
-	github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.4 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.13 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.19 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.52.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.17.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.21.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.23.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/mq v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.23.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.17.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.3 // indirect
+	github.com/aws/smithy-go v1.12.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	gonum.org/v1/gonum v0.7.0 // indirect
 )
 
 require (
-	cloud.google.com/go v0.99.0 // indirect
+	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go/compute v1.6.1 // indirect
+	cloud.google.com/go/iam v0.3.0 // indirect
 	cloud.google.com/go/storage v1.14.0 // indirect
-	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible
+	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27
-	github.com/Azure/go-autorest/autorest/adal v0.9.20
+	github.com/Azure/go-autorest/autorest v0.11.28
+	github.com/Azure/go-autorest/autorest/adal v0.9.21
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/squirrel v1.5.2 // indirect
+	github.com/Masterminds/squirrel v1.5.3 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.9.2 // indirect
+	github.com/Microsoft/hcsshim v0.9.3 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
@@ -93,50 +159,42 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.68.3
+	github.com/aquasecurity/defsec v0.71.9
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/aws/aws-sdk-go v1.44.25
+	github.com/aws/aws-sdk-go v1.44.77
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/briandowns/spinner v1.12.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
-	github.com/container-orchestrated-devices/container-device-interface v0.3.1 // indirect
-	github.com/containerd/cgroups v1.0.3 // indirect
-	github.com/containerd/console v1.0.3 // indirect
-	github.com/containerd/containerd v1.6.4
+	github.com/containerd/cgroups v1.0.4 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/go-cni v1.1.6 // indirect
-	github.com/containerd/imgcrypt v1.1.5-0.20220421044638-8ba028dca028 // indirect
-	github.com/containerd/nerdctl v0.20.0
-	github.com/containerd/stargz-snapshotter v0.11.4 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
 	github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
-	github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67 // indirect
-	github.com/containernetworking/cni v1.1.1 // indirect
-	github.com/containers/ocicrypt v1.1.3 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-minhash v0.0.0-20170608043002-7fe510aff544 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v20.10.16+incompatible // indirect
+	github.com/docker/cli v20.10.17+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
-	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
+	github.com/ekzhu/minhash-lsh v0.0.0-20171225071031-5c06ee8586a1 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
@@ -149,6 +207,8 @@ require (
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.8.2 // indirect
+	github.com/gofrs/uuid v4.0.0+incompatible // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -157,7 +217,7 @@ require (
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -167,75 +227,66 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/go-version v1.4.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.12.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
+	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/ipfs/go-cid v0.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.4 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/klauspost/compress v1.15.1 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.6 // indirect
+	github.com/klauspost/compress v1.15.6 // indirect
 	github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
 	github.com/knqyf263/nested v0.0.1
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/liamg/iamgo v0.0.6 // indirect
+	github.com/liamg/iamgo v0.0.9 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/liamg/memoryfs v1.4.2
-	github.com/liamg/tml v0.6.0
-	github.com/lib/pq v1.10.4 // indirect
+	github.com/lib/pq v1.10.6 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/pkcs11 v1.1.1 // indirect
-	github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/buildkit v0.10.3
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/mount v0.3.2 // indirect
-	github.com/moby/sys/mountinfo v0.6.1 // indirect
+	github.com/moby/sys/mount v0.3.3 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/mr-tron/base58 v1.2.0 // indirect
-	github.com/multiformats/go-base32 v0.0.3 // indirect
-	github.com/multiformats/go-base36 v0.1.0 // indirect
-	github.com/multiformats/go-multibase v0.0.3 // indirect
-	github.com/multiformats/go-multihash v0.0.15 // indirect
-	github.com/multiformats/go-varint v0.0.6 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
-	github.com/opencontainers/runc v1.1.2 // indirect
+	github.com/opencontainers/runc v1.1.3 // indirect
 	github.com/opencontainers/runtime-spec v1.0.3-0.20220311020903-6969a0a09ab1 // indirect
-	github.com/opencontainers/runtime-tools v0.0.0-20190417131837-cd1349b7c47e // indirect
 	github.com/opencontainers/selinux v1.10.1 // indirect
 	github.com/owenrumney/squealer v1.0.1-0.20220510063705-c0be93f0edea // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
@@ -244,56 +295,66 @@ require (
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.1.1 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
 	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spdx/tools-golang v0.3.0
-	github.com/spf13/cast v1.4.1 // indirect
-	github.com/spf13/cobra v1.4.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	github.com/stretchr/objx v0.3.0 // indirect
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
-	github.com/tidwall/gjson v1.14.1 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/spf13/afero v1.8.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/subosito/gotenv v1.4.0 // indirect
 	github.com/ulikunitz/xz v0.5.8 // indirect
-	github.com/urfave/cli v1.22.9 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vektah/gqlparser/v2 v2.4.4 // indirect
+	github.com/vektah/gqlparser/v2 v2.4.6 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
+	github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
-	go.etcd.io/bbolt v1.3.6
-	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9
+	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
-	golang.org/x/net v0.0.0-20220516133312-45b265872317 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
-	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
-	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
-	google.golang.org/api v0.62.0 // indirect
+	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
+	golang.org/x/text v0.3.7
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
+	golang.org/x/tools v0.1.10 // indirect
+	google.golang.org/api v0.81.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220426171045-31bebdecfb46 // indirect
-	google.golang.org/grpc v1.47.0 // indirect
+	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
+	google.golang.org/grpc v1.48.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.66.4 // indirect
+	gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools v2.2.0+incompatible
+	gotest.tools/v3 v3.2.0 // indirect
+	helm.sh/helm/v3 v3.9.3 // indirect
+	k8s.io/api v0.25.0-alpha.2 // indirect
+	k8s.io/apiextensions-apiserver v0.24.2 // indirect
+	k8s.io/apimachinery v0.25.0-alpha.2 // indirect
+	k8s.io/apiserver v0.24.2 // indirect
+	k8s.io/cli-runtime v0.24.4 // indirect
+	k8s.io/client-go v0.25.0-alpha.2 // indirect
+	k8s.io/component-base v0.24.4 // indirect
+	k8s.io/klog/v2 v2.70.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 // indirect
+	k8s.io/kubectl v0.24.4 // indirect
 	lukechampine.com/uint128 v1.1.1 // indirect
 	modernc.org/cc/v3 v3.36.0 // indirect
 	modernc.org/ccgo/v3 v3.16.6 // indirect
@@ -304,25 +365,7 @@ require (
 	modernc.org/sqlite v1.17.3 // indirect
 	modernc.org/strutil v1.1.1 // indirect
 	modernc.org/token v1.0.0 // indirect
-)
-
-require (
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.9.0 // indirect
-	k8s.io/api v0.24.1 // indirect
-	k8s.io/apiextensions-apiserver v0.24.0 // indirect
-	k8s.io/apimachinery v0.24.1 // indirect
-	k8s.io/apiserver v0.24.1 // indirect
-	k8s.io/cli-runtime v0.24.1 // indirect
-	k8s.io/client-go v0.24.1 // indirect
-	k8s.io/component-base v0.24.1 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
-	k8s.io/kubectl v0.24.1 // indirect
-	oras.land/oras-go v1.1.1 // indirect
+	oras.land/oras-go v1.2.0 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/kustomize/api v0.11.4 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
@@ -330,9 +373,9 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
-replace (
-	// containerd main
-	github.com/containerd/containerd => github.com/containerd/containerd v1.6.1-0.20220606171923-c1bcabb45419
-	// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529
-	github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
-)
+// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529
+replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
+
+// v1.2.0 is taken from github.com/open-policy-agent/opa v0.42.0
+// v1.2.0 incompatible with github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
+replace oras.land/oras-go => oras.land/oras-go v1.1.1

goreleaser-canary.yml

@@ -0,0 +1,31 @@
+project_name: trivy_canary_build
+builds:
+  -
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X main.version={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  -
+    format: tar.gz
+    name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
+    replacements:
+      amd64: 64bit
+      arm64: ARM64
+      darwin: macOS
+      linux: Linux
+    files:
+      - README.md
+      - LICENSE
+      - contrib/*.tpl

helm/trivy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.15
-appVersion: 0.27.0
+version: 0.4.17
+appVersion: 0.30.4
 description: Trivy helm chart
 keywords:
   - scanner

helm/trivy/README.md

@@ -73,6 +73,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
+| `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |
 | `service.name`                        | If specified, the name used for the Trivy service                       |     |
 | `service.type`                        | Kubernetes service type                                                 | `ClusterIP` |
@@ -102,5 +103,5 @@ This chart uses a PersistentVolumeClaim to reduce the number of database downloa
 
 ## Caching
 
-You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitname chart](https://bitnami.com/stack/redis/helm).
+You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitnami chart](https://bitnami.com/stack/redis/helm).
 More Information about the caching backends can be found [here](https://github.com/aquasecurity/trivy#specify-cache-backend).

helm/trivy/templates/secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.trivy.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,3 +13,4 @@ data:
   TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
   TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
 {{- end -}}
+{{- end }}

helm/trivy/templates/statefulset.yaml

@@ -90,7 +90,11 @@ spec:
             - configMapRef:
                 name: {{ include "trivy.fullname" . }}
             - secretRef:
+                {{- if not .Values.trivy.existingSecret }}
                 name: {{ include "trivy.fullname" . }}
+                {{- else }}
+                name: {{ .Values.trivy.existingSecret }}
+                {{- end }}
           ports:
             - name: trivy-http
               containerPort: {{ .Values.service.port }}

helm/trivy/values.yaml

@@ -120,6 +120,9 @@ trivy:
   labels: {}
   # serverToken is the token to authenticate Trivy client with Trivy server.
   serverToken: ""
+  # existingSecret if an existing secret has been created outside the chart.
+  # Overrides gitHubToken, registryUsername, registryPassword, serverToken
+  existingSecret: ""
 
 service:
   # If specified, the name used for the Trivy service.

integration/client_server_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package integration
 
@@ -7,22 +6,21 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/samber/lo"
+
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
-	"github.com/urfave/cli/v2"
 
 	"github.com/aquasecurity/trivy/pkg/clock"
-	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/report"
 )
 
@@ -39,6 +37,7 @@ type csArgs struct {
 	ClientTokenHeader string
 	ListAllPackages   bool
 	Target            string
+	secretConfig      string
 }
 
 func TestClientServer(t *testing.T) {
@@ -240,16 +239,30 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/pom.json.golden",
 		},
+		{
+			name: "scan sample.pem with fs command in client/server mode",
+			args: csArgs{
+				Command:          "fs",
+				RemoteAddrOption: "--server",
+				secretConfig:     "testdata/fixtures/fs/secrets/trivy-secret.yaml",
+				Target:           "testdata/fixtures/fs/secrets/",
+			},
+			golden: "testdata/secrets.json.golden",
+		},
 	}
 
-	app, addr, cacheDir := setup(t, setupOptions{})
+	addr, cacheDir := setup(t, setupOptions{})
 
 	for _, c := range tests {
 		t.Run(c.name, func(t *testing.T) {
 			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
 
-			// Run Trivy client
-			err := app.Run(osArgs)
+			if c.args.secretConfig != "" {
+				osArgs = append(osArgs, "--secret-config", c.args.secretConfig)
+			}
+
+			//
+			err := execute(osArgs)
 			require.NoError(t, err)
 
 			compareReports(t, c.golden, outputFile)
@@ -340,7 +353,7 @@ func TestClientServerWithFormat(t *testing.T) {
 		report.CustomTemplateFuncMap = map[string]interface{}{}
 	})
 
-	app, addr, cacheDir := setup(t, setupOptions{})
+	addr, cacheDir := setup(t, setupOptions{})
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -349,7 +362,7 @@ func TestClientServerWithFormat(t *testing.T) {
 			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
 
 			// Run Trivy client
-			err := app.Run(osArgs)
+			err := execute(osArgs)
 			require.NoError(t, err)
 
 			want, err := os.ReadFile(tt.golden)
@@ -386,13 +399,13 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 		},
 	}
 
-	app, addr, cacheDir := setup(t, setupOptions{})
+	addr, cacheDir := setup(t, setupOptions{})
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, "")
 
 			// Run Trivy client
-			err := app.Run(osArgs)
+			err := execute(osArgs)
 			require.NoError(t, err)
 
 			f, err := os.Open(outputFile)
@@ -403,10 +416,10 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 			err = json.NewDecoder(f).Decode(&got)
 			require.NoError(t, err)
 
-			assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
-			assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
+			assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
+			assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
 			for i, dep := range *got.Dependencies {
-				assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
+				assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
 			}
 		})
 	}
@@ -450,7 +463,7 @@ func TestClientServerWithToken(t *testing.T) {
 
 	serverToken := "token"
 	serverTokenHeader := "Trivy-Token"
-	app, addr, cacheDir := setup(t, setupOptions{
+	addr, cacheDir := setup(t, setupOptions{
 		token:       serverToken,
 		tokenHeader: serverTokenHeader,
 	})
@@ -460,16 +473,14 @@ func TestClientServerWithToken(t *testing.T) {
 			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
 
 			// Run Trivy client
-			err := app.Run(osArgs)
-
+			err := execute(osArgs)
 			if c.wantErr != "" {
-				require.NotNil(t, err, c.name)
+				require.Error(t, err, c.name)
 				assert.Contains(t, err.Error(), c.wantErr, c.name)
 				return
-			} else {
-				assert.NoError(t, err, c.name)
 			}
 
+			require.NoError(t, err, c.name)
 			compareReports(t, c.golden, outputFile)
 		})
 	}
@@ -481,7 +492,7 @@ func TestClientServerWithRedis(t *testing.T) {
 	redisC, addr := setupRedis(t, ctx)
 
 	// Set up Trivy server
-	app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
+	addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
 	t.Cleanup(func() { os.RemoveAll(cacheDir) })
 
 	// Test parameters
@@ -494,7 +505,7 @@ func TestClientServerWithRedis(t *testing.T) {
 		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
-		err := app.Run(osArgs)
+		err := execute(osArgs)
 		require.NoError(t, err)
 
 		compareReports(t, golden, outputFile)
@@ -507,8 +518,8 @@ func TestClientServerWithRedis(t *testing.T) {
 		osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
-		err := app.Run(osArgs)
-		require.NotNil(t, err)
+		err := execute(osArgs)
+		require.Error(t, err)
 		assert.Contains(t, err.Error(), "connect: connection refused")
 	})
 }
@@ -519,9 +530,8 @@ type setupOptions struct {
 	cacheBackend string
 }
 
-func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
+func setup(t *testing.T, options setupOptions) (string, string) {
 	t.Helper()
-	version := "dev"
 
 	// Set up testing DB
 	cacheDir := initDB(t)
@@ -534,28 +544,21 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	addr := fmt.Sprintf("localhost:%d", port)
 
 	go func() {
-		// Setup CLI App
-		app := commands.NewApp(version)
-		app.Writer = io.Discard
 		osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)
 
 		// Run Trivy server
-		app.Run(osArgs)
+		require.NoError(t, execute(osArgs))
 	}()
 
 	ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)
 	err = waitPort(ctx, addr)
 	assert.NoError(t, err)
 
-	// Setup CLI App
-	app := commands.NewApp(version)
-	app.Writer = io.Discard
-
-	return app, addr, cacheDir
+	return addr, cacheDir
 }
 
 func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
+	osArgs := []string{"--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
 	if token != "" {
 		osArgs = append(osArgs, []string{"--token", token, "--token-header", tokenHeader}...)
 	}
@@ -573,7 +576,7 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		c.RemoteAddrOption = "--server"
 	}
 	t.Helper()
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
+	osArgs := []string{"--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
 
 	if c.Format != "" {
 		osArgs = append(osArgs, "--format", c.Format)

integration/docker_engine_test.go

@@ -15,8 +15,6 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
 func TestDockerEngine(t *testing.T) {
@@ -233,16 +231,14 @@ func TestDockerEngine(t *testing.T) {
 			tmpDir := t.TempDir()
 			output := filepath.Join(tmpDir, "result.json")
 
-			// run trivy
-			app := commands.NewApp("dev")
-			trivyArgs := []string{"trivy", "--cache-dir", cacheDir, "image",
+			osArgs := []string{"--cache-dir", cacheDir, "image",
 				"--skip-update", "--format=json", "--output", output}
 
 			if tt.ignoreUnfixed {
-				trivyArgs = append(trivyArgs, "--ignore-unfixed")
+				osArgs = append(osArgs, "--ignore-unfixed")
 			}
 			if len(tt.severity) != 0 {
-				trivyArgs = append(trivyArgs,
+				osArgs = append(osArgs,
 					[]string{"--severity", strings.Join(tt.severity, ",")}...,
 				)
 			}
@@ -252,11 +248,12 @@ func TestDockerEngine(t *testing.T) {
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			trivyArgs = append(trivyArgs, tt.input)
+			osArgs = append(osArgs, tt.input)
 
-			err = app.Run(trivyArgs)
+			// Run Trivy
+			err = execute(osArgs)
 			if tt.wantErr != "" {
-				require.NotNil(t, err)
+				require.Error(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
 				return
 			}

integration/fs_test.go

@@ -4,15 +4,13 @@
 package integration
 
 import (
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-
-	"github.com/aquasecurity/trivy/pkg/commands"
+	"github.com/stretchr/testify/require"
 )
 
 func TestFilesystem(t *testing.T) {
@@ -25,6 +23,9 @@ func TestFilesystem(t *testing.T) {
 		listAllPkgs    bool
 		input          string
 		secretConfig   string
+		filePatterns   []string
+		helmSet        []string
+		helmValuesFile []string
 	}
 	tests := []struct {
 		name   string
@@ -47,6 +48,14 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "pnpm",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pnpm",
+			},
+			golden: "testdata/pnpm.json.golden",
+		},
 		{
 			name: "pip",
 			args: args{
@@ -73,6 +82,16 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/dockerfile.json.golden",
 		},
+		{
+			name: "dockerfile with custom file pattern",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/dockerfile_file_pattern",
+				namespaces:     []string{"testing"},
+				filePatterns:   []string{"dockerfile:Customfile"},
+			},
+			golden: "testdata/dockerfile_file_pattern.json.golden",
+		},
 		{
 			name: "dockerfile with rule exception",
 			args: args{
@@ -117,6 +136,32 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/helm_testchart.json.golden",
 		},
+		{
+			name: "helm chart directory scanning with value overrides using set",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_testchart",
+				helmSet:        []string{"securityContext.runAsUser=0"},
+			},
+			golden: "testdata/helm_testchart.overridden.json.golden",
+		},
+		{
+			name: "helm chart directory scanning with value overrides using value file",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_testchart",
+				helmValuesFile: []string{"testdata/fixtures/fs/helm_values/values.yaml"},
+			},
+			golden: "testdata/helm_testchart.overridden.json.golden",
+		},
+		{
+			name: "helm chart directory scanning with builtin policies and non string Chart name",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_badname",
+			},
+			golden: "testdata/helm_badname.json.golden",
+		},
 		{
 			name: "secrets",
 			args: args{
@@ -137,7 +182,7 @@ func TestFilesystem(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs := []string{
-				"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
+				"-q", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
 				"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks,
 			}
 
@@ -164,6 +209,24 @@ func TestFilesystem(t *testing.T) {
 				defer os.Remove(trivyIgnore)
 			}
 
+			if len(tt.args.filePatterns) != 0 {
+				for _, filePattern := range tt.args.filePatterns {
+					osArgs = append(osArgs, "--file-patterns", filePattern)
+				}
+			}
+
+			if len(tt.args.helmSet) != 0 {
+				for _, helmSet := range tt.args.helmSet {
+					osArgs = append(osArgs, "--helm-set", helmSet)
+				}
+			}
+
+			if len(tt.args.helmValuesFile) != 0 {
+				for _, helmValuesFile := range tt.args.helmValuesFile {
+					osArgs = append(osArgs, "--helm-values", helmValuesFile)
+				}
+			}
+
 			// Setup the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
@@ -181,12 +244,9 @@ func TestFilesystem(t *testing.T) {
 			osArgs = append(osArgs, "--output", outputFile)
 			osArgs = append(osArgs, tt.args.input)
 
-			// Setup CLI App
-			app := commands.NewApp("dev")
-			app.Writer = io.Discard
-
 			// Run "trivy fs"
-			assert.Nil(t, app.Run(osArgs))
+			err := execute(osArgs)
+			require.NoError(t, err)
 
 			// Compare want and got
 			compareReports(t, tt.golden, outputFile)

integration/integration_test.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"flag"
+	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -18,6 +19,7 @@ import (
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
@@ -120,6 +122,16 @@ func readReport(t *testing.T, filePath string) types.Report {
 	return report
 }
 
+func execute(osArgs []string) error {
+	// Setup CLI App
+	app := commands.NewApp("dev")
+	app.SetOut(io.Discard)
+
+	// Run Trivy
+	app.SetArgs(osArgs)
+	return app.Execute()
+}
+
 func compareReports(t *testing.T, wantFile, gotFile string) {
 	want := readReport(t, wantFile)
 	got := readReport(t, gotFile)

integration/module_test.go

@@ -3,7 +3,6 @@
 package integration
 
 import (
-	"io"
 	"os"
 	"path/filepath"
 	"testing"
@@ -11,7 +10,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/module"
 	"github.com/aquasecurity/trivy/pkg/utils"
 )
@@ -48,13 +46,9 @@ func TestModule(t *testing.T) {
 		filepath.Join(moduleDir, "spring4shell.wasm"))
 	require.NoError(t, err)
 
-	// Setup CLI App
-	app := commands.NewApp("dev")
-	app.Writer = io.Discard
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--ignore-unfixed", "--format", "json",
+			osArgs := []string{"--cache-dir", cacheDir, "image", "--ignore-unfixed", "--format", "json",
 				"--skip-update", "--offline-scan", "--input", tt.input}
 
 			// Set up the output file
@@ -66,7 +60,8 @@ func TestModule(t *testing.T) {
 			osArgs = append(osArgs, []string{"--output", outputFile}...)
 
 			// Run Trivy
-			assert.Nil(t, app.Run(osArgs))
+			err = execute(osArgs)
+			assert.NoError(t, err)
 
 			// Compare want and got
 			compareReports(t, tt.golden, outputFile)

integration/registry_test.go

@@ -27,8 +27,6 @@ import (
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
-
-	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
 const (
@@ -235,15 +233,11 @@ func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt
 		return "", err
 	}
 
-	// Setup CLI App
-	app := commands.NewApp("dev")
-	app.Writer = io.Discard
-
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
+	osArgs := []string{"-q", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
 		"--output", outputFile, imageRef.Name()}
 
 	// Run Trivy
-	if err := app.Run(osArgs); err != nil {
+	if err := execute(osArgs); err != nil {
 		return "", err
 	}
 	return outputFile, nil

integration/sbom_test.go

@@ -0,0 +1,98 @@
+//go:build integration
+
+package integration
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	cdx "github.com/CycloneDX/cyclonedx-go"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCycloneDX(t *testing.T) {
+	type args struct {
+		input        string
+		format       string
+		artifactType string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		golden string
+	}{
+		{
+			name: "centos7-bom by trivy",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.json",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/centos-7-cyclonedx.json.golden",
+		},
+		{
+			name: "fluentd-multiple-lockfiles-bom by trivy",
+			args: args{
+				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
+		},
+		{
+			name: "centos7-bom in in-toto attestation",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/centos-7-cyclonedx.json.golden",
+		},
+	}
+
+	// Set up testing DB
+	cacheDir := initDB(t)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := []string{
+				"--cache-dir", cacheDir, "sbom", "-q", "--skip-db-update", "--format", tt.args.format,
+			}
+
+			// Setup the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
+			if *update {
+				outputFile = tt.golden
+			}
+
+			osArgs = append(osArgs, "--output", outputFile)
+			osArgs = append(osArgs, tt.args.input)
+
+			// Run "trivy sbom"
+			err := execute(osArgs)
+			assert.NoError(t, err)
+
+			// Compare want and got
+			want := decodeCycloneDX(t, tt.golden)
+			got := decodeCycloneDX(t, outputFile)
+			assert.Equal(t, want, got)
+		})
+	}
+}
+
+func decodeCycloneDX(t *testing.T, filePath string) *cdx.BOM {
+	f, err := os.Open(filePath)
+	require.NoError(t, err)
+	defer f.Close()
+
+	bom := cdx.NewBOM()
+	decoder := cdx.NewBOMDecoder(f, cdx.BOMFileFormatJSON)
+	err = decoder.Decode(bom)
+	require.NoError(t, err)
+
+	bom.Metadata.Timestamp = ""
+
+	return bom
+}

integration/standalone_tar_test.go

@@ -1,18 +1,15 @@
 //go:build integration
-// +build integration
 
 package integration
 
 import (
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-
-	"github.com/aquasecurity/trivy/pkg/commands"
+	"github.com/stretchr/testify/require"
 )
 
 func TestTar(t *testing.T) {
@@ -264,13 +261,9 @@ func TestTar(t *testing.T) {
 	// Set a temp dir so that modules will not be loaded
 	t.Setenv("XDG_DATA_HOME", cacheDir)
 
-	// Setup CLI App
-	app := commands.NewApp("dev")
-	app.Writer = io.Discard
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", tt.testArgs.Format, "--skip-update"}
+			osArgs := []string{"--cache-dir", cacheDir, "image", "-q", "--format", tt.testArgs.Format, "--skip-update"}
 
 			if tt.testArgs.IgnoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
@@ -310,7 +303,8 @@ func TestTar(t *testing.T) {
 			osArgs = append(osArgs, []string{"--output", outputFile}...)
 
 			// Run Trivy
-			assert.Nil(t, app.Run(osArgs))
+			err := execute(osArgs)
+			require.NoError(t, err)
 
 			// Compare want and got
 			compareReports(t, tt.golden, outputFile)

integration/testdata/alpine-310.gitlab.golden

@@ -1,5 +1,5 @@
 {
-  "version": "2.3",
+  "version": "14.0.6",
   "vulnerabilities": [
     {
       "id": "CVE-2019-1549",
@@ -8,7 +8,6 @@
       "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
       "cve": "CVE-2019-1549",
       "severity": "Medium",
-      "confidence": "Unknown",
       "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
       "scanner": {
         "id": "trivy",
@@ -22,7 +21,7 @@
           "version": "1.1.1c-r0"
         },
         "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
       },
       "identifiers": [
         {
@@ -82,7 +81,6 @@
       "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "cve": "CVE-2019-1551",
       "severity": "Medium",
-      "confidence": "Unknown",
       "solution": "Upgrade libcrypto1.1 to 1.1.1d-r2",
       "scanner": {
         "id": "trivy",
@@ -96,7 +94,7 @@
           "version": "1.1.1c-r0"
         },
         "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
       },
       "identifiers": [
         {
@@ -176,7 +174,6 @@
       "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
       "cve": "CVE-2019-1549",
       "severity": "Medium",
-      "confidence": "Unknown",
       "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
       "scanner": {
         "id": "trivy",
@@ -190,7 +187,7 @@
           "version": "1.1.1c-r0"
         },
         "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
       },
       "identifiers": [
         {
@@ -250,7 +247,6 @@
       "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "cve": "CVE-2019-1551",
       "severity": "Medium",
-      "confidence": "Unknown",
       "solution": "Upgrade libssl1.1 to 1.1.1d-r2",
       "scanner": {
         "id": "trivy",
@@ -264,7 +260,7 @@
           "version": "1.1.1c-r0"
         },
         "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
       },
       "identifiers": [
         {

integration/testdata/centos-7-cyclonedx.json.golden

@@ -0,0 +1,526 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-08-14T12:39:11+00:00",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "urn:uuid:1455c02d-64ca-453e-a5df-ddfb70a7c804/1",
+      "type": "container",
+      "name": "integration/testdata/fixtures/images/centos-7.tar.gz"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "id": "CVE-2019-18276",
+      "ratings": [
+        {
+          "source": {
+            "name": "cbl-mariner"
+          },
+          "severity": "high"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.2,
+          "severity": "high",
+          "method": "CVSSv2",
+          "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.8,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "oracle-oval"
+          },
+          "severity": "low"
+        },
+        {
+          "source": {
+            "name": "photon"
+          },
+          "severity": "high"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 7.8,
+          "severity": "low",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "ubuntu"
+          },
+          "severity": "low"
+        }
+      ],
+      "cwes": [
+        273
+      ],
+      "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
+      "advisories": [
+        {
+          "url": "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2019-18276"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"
+        },
+        {
+          "url": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff"
+        },
+        {
+          "url": "https://linux.oracle.com/cve/CVE-2019-18276.html"
+        },
+        {
+          "url": "https://linux.oracle.com/errata/ELSA-2021-1679.html"
+        },
+        {
+          "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
+        },
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276"
+        },
+        {
+          "url": "https://security.gentoo.org/glsa/202105-34"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20200430-0003/"
+        },
+        {
+          "url": "https://www.youtube.com/watch?v=-wGtxJ8opa8"
+        }
+      ],
+      "published": "2019-11-28T01:15:00+00:00",
+      "updated": "2021-05-26T12:15:00+00:00",
+      "affects": [
+        {
+          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810",
+          "versions": [
+            {
+              "version": "4.2.46-31.el7",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-1559",
+      "ratings": [
+        {
+          "source": {
+            "name": "amazon"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "arch-linux"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 4.3,
+          "severity": "medium",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 5.9,
+          "severity": "medium",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        },
+        {
+          "source": {
+            "name": "oracle-oval"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 5.9,
+          "severity": "medium",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        },
+        {
+          "source": {
+            "name": "ubuntu"
+          },
+          "severity": "medium"
+        }
+      ],
+      "cwes": [
+        203
+      ],
+      "description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
+      "advisories": [
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"
+        },
+        {
+          "url": "http://www.securityfocus.com/bid/107174"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:2304"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:2437"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:2439"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:2471"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:3929"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:3931"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1559"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559"
+        },
+        {
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"
+        },
+        {
+          "url": "https://github.com/RUB-NDS/TLS-Padding-Oracles"
+        },
+        {
+          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282"
+        },
+        {
+          "url": "https://linux.oracle.com/cve/CVE-2019-1559.html"
+        },
+        {
+          "url": "https://linux.oracle.com/errata/ELSA-2019-2471.html"
+        },
+        {
+          "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
+        },
+        {
+          "url": "https://security.gentoo.org/glsa/201903-10"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20190301-0001/"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20190301-0002/"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
+        },
+        {
+          "url": "https://support.f5.com/csp/article/K18549143"
+        },
+        {
+          "url": "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS"
+        },
+        {
+          "url": "https://ubuntu.com/security/notices/USN-3899-1"
+        },
+        {
+          "url": "https://ubuntu.com/security/notices/USN-4376-2"
+        },
+        {
+          "url": "https://usn.ubuntu.com/3899-1/"
+        },
+        {
+          "url": "https://usn.ubuntu.com/4376-2/"
+        },
+        {
+          "url": "https://www.debian.org/security/2019/dsa-4400"
+        },
+        {
+          "url": "https://www.openssl.org/news/secadv/20190226.txt"
+        },
+        {
+          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
+        },
+        {
+          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+        },
+        {
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
+        },
+        {
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
+        },
+        {
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+        },
+        {
+          "url": "https://www.tenable.com/security/tns-2019-02"
+        },
+        {
+          "url": "https://www.tenable.com/security/tns-2019-03"
+        }
+      ],
+      "published": "2019-02-27T23:29:00+00:00",
+      "updated": "2021-01-20T15:15:00+00:00",
+      "affects": [
+        {
+          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
+          "versions": [
+            {
+              "version": "1:1.0.2k-16.el7",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "CVE-2018-0734",
+      "ratings": [
+        {
+          "source": {
+            "name": "amazon"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "arch-linux"
+          },
+          "severity": "low"
+        },
+        {
+          "source": {
+            "name": "cbl-mariner"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 4.3,
+          "severity": "medium",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 5.9,
+          "severity": "medium",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        },
+        {
+          "source": {
+            "name": "oracle-oval"
+          },
+          "severity": "low"
+        },
+        {
+          "source": {
+            "name": "photon"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 5.1,
+          "severity": "low",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        },
+        {
+          "source": {
+            "name": "ubuntu"
+          },
+          "severity": "low"
+        }
+      ],
+      "cwes": [
+        327
+      ],
+      "description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
+      "advisories": [
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
+        },
+        {
+          "url": "http://www.securityfocus.com/bid/105758"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:2304"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:3700"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:3932"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:3933"
+        },
+        {
+          "url": "https://access.redhat.com/errata/RHSA-2019:3935"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2018-0734"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734"
+        },
+        {
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac"
+        },
+        {
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f"
+        },
+        {
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7"
+        },
+        {
+          "url": "https://linux.oracle.com/cve/CVE-2018-0734.html"
+        },
+        {
+          "url": "https://linux.oracle.com/errata/ELSA-2019-3700.html"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
+        },
+        {
+          "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
+        },
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20181105-0002/"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20190118-0002/"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
+        },
+        {
+          "url": "https://ubuntu.com/security/notices/USN-3840-1"
+        },
+        {
+          "url": "https://usn.ubuntu.com/3840-1/"
+        },
+        {
+          "url": "https://www.debian.org/security/2018/dsa-4348"
+        },
+        {
+          "url": "https://www.debian.org/security/2018/dsa-4355"
+        },
+        {
+          "url": "https://www.openssl.org/news/secadv/20181030.txt"
+        },
+        {
+          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
+        },
+        {
+          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
+        },
+        {
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
+        },
+        {
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
+        },
+        {
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
+        },
+        {
+          "url": "https://www.tenable.com/security/tns-2018-16"
+        },
+        {
+          "url": "https://www.tenable.com/security/tns-2018-17"
+        }
+      ],
+      "published": "2018-10-30T12:29:00+00:00",
+      "updated": "2020-08-24T17:37:00+00:00",
+      "affects": [
+        {
+          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
+          "versions": [
+            {
+              "version": "1:1.0.2k-16.el7",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

integration/testdata/debian-stretch.json.golden

@@ -5,7 +5,8 @@
   "Metadata": {
     "OS": {
       "Family": "debian",
-      "Name": "9.9"
+      "Name": "9.9",
+      "EOSL": true
     },
     "ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
     "DiffIDs": [

integration/testdata/distroless-base.json.golden

@@ -5,7 +5,8 @@
   "Metadata": {
     "OS": {
       "Family": "debian",
-      "Name": "9.9"
+      "Name": "9.9",
+      "EOSL": true
     },
     "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
     "DiffIDs": [

integration/testdata/distroless-python27.json.golden

@@ -5,7 +5,8 @@
   "Metadata": {
     "OS": {
       "Family": "debian",
-      "Name": "9.9"
+      "Name": "9.9",
+      "EOSL": true
     },
     "ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
     "DiffIDs": [

integration/testdata/dockerfile-rule-exception.json.golden

@@ -28,6 +28,7 @@
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",

integration/testdata/dockerfile.json.golden

@@ -28,6 +28,7 @@
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",

integration/testdata/dockerfile_file_pattern.json.golden

@@ -0,0 +1,57 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Customfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 21,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
+          "Title": "Image user should not be 'root'",
+          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+          "Namespace": "builtin.dockerfile.DS002",
+          "Query": "data.builtin.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/misconfig/ds002"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    }
+  ]
+}

integration/testdata/fixtures/fs/dockerfile_file_pattern/Customfile

@@ -0,0 +1 @@
+FROM alpine:3.13

integration/testdata/fixtures/fs/helm_badname/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: 1001
+version: 1.0.0

integration/testdata/fixtures/fs/helm_values/values.yaml

@@ -0,0 +1,2 @@
+securityContext:
+  runAsUser: 0

integration/testdata/fixtures/fs/pnpm/pnpm-lock.yaml

@@ -0,0 +1,19 @@
+lockfileVersion: 5.4
+
+specifiers:
+  jquery: 3.3.9
+  lodash: 4.17.4
+
+dependencies:
+  jquery: 3.3.9
+  lodash: 4.17.4
+
+packages:
+
+  /jquery/3.3.9:
+    resolution: {integrity: sha512-ggRCXln9zEqv6OqAGXFEcshF5dSBvCkzj6Gm2gzuR5fWawaX8t7cxKVkkygKODrDAzKdoYw3l/e3pm3vlT4IbQ==}
+    dev: false
+
+  /lodash/4.17.4:
+    resolution: {integrity: sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY=}
+    dev: false

integration/testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl

@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2N5Y2xvbmVkeC5vcmcvc2NoZW1hIiwic3ViamVjdCI6W3sibmFtZSI6ImdoY3IuaW8vYXF1YXNlY3VyaXR5L3RyaXZ5LXRlc3QtaW1hZ2VzIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjcyYzQyZWQ0OGMzYTJkYjMxYjdkYWZlMTdkMjc1YjYzNDY2NGE3MDhkOTAxZWM5ZmQ1N2IxNTI5MjgwZjAxZmIifX1dLCJwcmVkaWNhdGUiOnsiRGF0YSI6eyJib21Gb3JtYXQiOiJDeWNsb25lRFgiLCJjb21wb25lbnRzIjpbeyJib20tcmVmIjoicGtnOnJwbS9jZW50b3MvYmFzaEA0LjIuNDYtMzEuZWw3P2FyY2g9eDg2XzY0XHUwMDI2ZGlzdHJvPWNlbnRvcy03LjYuMTgxMCIsImxpY2Vuc2VzIjpbeyJleHByZXNzaW9uIjoiR1BMdjMrIn1dLCJuYW1lIjoiYmFzaCIsInByb3BlcnRpZXMiOlt7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjTmFtZSIsInZhbHVlIjoiYmFzaCJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNWZXJzaW9uIiwidmFsdWUiOiI0LjIuNDYifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjUmVsZWFzZSIsInZhbHVlIjoiMzEuZWw3In0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkxheWVyRGlnZXN0IiwidmFsdWUiOiJzaGEyNTY6YWM5MjA4MjA3YWRhYWMzYTQ4ZTU0YTRkYzZiNDljNjllNzhjMzA3MmQyYjNhZGQ3ZWZkYWJmODE0ZGIyMTMzYiJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpMYXllckRpZmZJRCIsInZhbHVlIjoic2hhMjU2Ojg5MTY5ZDg3ZGJlMmI3MmJhNDJiZmJiMzU3OWM5NTczMjJiYWNhMjhlMDNhMWU1NTgwNzY1NDJhMWMxYjJiNGEifV0sInB1cmwiOiJwa2c6cnBtL2NlbnRvcy9iYXNoQDQuMi40Ni0zMS5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwidHlwZSI6ImxpYnJhcnkiLCJ2ZXJzaW9uIjoiNC4yLjQ2LTMxLmVsNyJ9LHsiYm9tLXJlZiI6InBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwibGljZW5zZXMiOlt7ImV4cHJlc3Npb24iOiJPcGVuU1NMIn1dLCJuYW1lIjoib3BlbnNzbC1saWJzIiwicHJvcGVydGllcyI6W3sibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNOYW1lIiwidmFsdWUiOiJvcGVuc3NsIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OlNyY1ZlcnNpb24iLCJ2YWx1ZSI6IjEuMC4yayJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNSZWxlYXNlIiwidmFsdWUiOiIxNi5lbDcifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjRXBvY2giLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6TGF5ZXJEaWdlc3QiLCJ2YWx1ZSI6InNoYTI1NjphYzkyMDgyMDdhZGFhYzNhNDhlNTRhNGRjNmI0OWM2OWU3OGMzMDcyZDJiM2FkZDdlZmRhYmY4MTRkYjIxMzNiIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkxheWVyRGlmZklEIiwidmFsdWUiOiJzaGEyNTY6ODkxNjlkODdkYmUyYjcyYmE0MmJmYmIzNTc5Yzk1NzMyMmJhY2EyOGUwM2ExZTU1ODA3NjU0MmExYzFiMmI0YSJ9XSwicHVybCI6InBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwidHlwZSI6ImxpYnJhcnkiLCJ2ZXJzaW9uIjoiMToxLjAuMmstMTYuZWw3In0seyJib20tcmVmIjoiMDE3NWY3MzItZGY5ZC00YmI4LTlmNTYtODcwODk4ZTNmZjg5IiwibmFtZSI6ImNlbnRvcyIsInByb3BlcnRpZXMiOlt7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6VHlwZSIsInZhbHVlIjoiY2VudG9zIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkNsYXNzIiwidmFsdWUiOiJvcy1wa2dzIn1dLCJ0eXBlIjoib3BlcmF0aW5nLXN5c3RlbSIsInZlcnNpb24iOiI3LjYuMTgxMCJ9XSwiZGVwZW5kZW5jaWVzIjpbeyJkZXBlbmRzT24iOlsicGtnOnJwbS9jZW50b3MvYmFzaEA0LjIuNDYtMzEuZWw3P2FyY2g9eDg2XzY0XHUwMDI2ZGlzdHJvPWNlbnRvcy03LjYuMTgxMCIsInBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIl0sInJlZiI6IjAxNzVmNzMyLWRmOWQtNGJiOC05ZjU2LTg3MDg5OGUzZmY4OSJ9LHsiZGVwZW5kc09uIjpbIjAxNzVmNzMyLWRmOWQtNGJiOC05ZjU2LTg3MDg5OGUzZmY4OSJdLCJyZWYiOiJkMGQ0MWUzMC05NjUwLTQ4OWQtOTQ4ZC00MjVmZjJlZDYzZDIifV0sIm1ldGFkYXRhIjp7ImNvbXBvbmVudCI6eyJib20tcmVmIjoiZDBkNDFlMzAtOTY1MC00ODlkLTk0OGQtNDI1ZmYyZWQ2M2QyIiwibmFtZSI6ImludGVncmF0aW9uL3Rlc3RkYXRhL2ZpeHR1cmVzL2ltYWdlcy9jZW50b3MtNy50YXIuZ3oiLCJwcm9wZXJ0aWVzIjpbeyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OlNjaGVtYVZlcnNpb24iLCJ2YWx1ZSI6IjIifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6SW1hZ2VJRCIsInZhbHVlIjoic2hhMjU2OmYxY2I3YzdkNThiNzNlYWM4NTljMzk1ODgyZWVjNDlkNTA2NTEyNDRlMzQyY2Q2YzY4YTVjNzgwOTc4NWY0MjcifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6RGlmZklEIiwidmFsdWUiOiJzaGEyNTY6ODkxNjlkODdkYmUyYjcyYmE0MmJmYmIzNTc5Yzk1NzMyMmJhY2EyOGUwM2ExZTU1ODA3NjU0MmExYzFiMmI0YSJ9XSwidHlwZSI6ImNvbnRhaW5lciJ9LCJ0aW1lc3RhbXAiOiIyMDIyLTA2LTE0VDE1OjA4OjQ4KzAwOjAwIiwidG9vbHMiOlt7Im5hbWUiOiJ0cml2eSIsInZlbmRvciI6ImFxdWFzZWN1cml0eSIsInZlcnNpb24iOiJkZXYifV19LCJzZXJpYWxOdW1iZXIiOiJ1cm46dXVpZDoxNDU1YzAyZC02NGNhLTQ1M2UtYTVkZi1kZGZiNzBhN2M4MDQiLCJzcGVjVmVyc2lvbiI6IjEuNCIsInZlcnNpb24iOjF9LCJUaW1lc3RhbXAiOiIifX0=","signatures":[{"keyid":"","sig":"MEUCIF52Th/Uxp9iGoqyP8ioikcefayjXh/+GhKyhhdczihaAiEAwOedZ0ovOanwY+u9Dl+/bHp8398YcXA2n0zG8Q2gnb0="}]}

integration/testdata/fixtures/sbom/centos-7-cyclonedx.json

@@ -0,0 +1,140 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:1455c02d-64ca-453e-a5df-ddfb70a7c804",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-06-14T15:08:48+00:00",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "d0d41e30-9650-489d-948d-425ff2ed63d2",
+      "type": "container",
+      "name": "integration/testdata/fixtures/images/centos-7.tar.gz",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:f1cb7c7d58b73eac859c395882eec49d50651244e342cd6c68a5c7809785f427"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
+      "type": "library",
+      "name": "bash",
+      "version": "4.2.46-31.el7",
+      "licenses": [
+        {
+          "expression": "GPLv3+"
+        }
+      ],
+      "purl": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "bash"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "4.2.46"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcRelease",
+          "value": "31.el7"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810",
+      "type": "library",
+      "name": "openssl-libs",
+      "version": "1:1.0.2k-16.el7",
+      "licenses": [
+        {
+          "expression": "OpenSSL"
+        }
+      ],
+      "purl": "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "openssl"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "1.0.2k"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcRelease",
+          "value": "16.el7"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcEpoch",
+          "value": "1"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
+        }
+      ]
+    },
+    {
+      "bom-ref": "0175f732-df9d-4bb8-9f56-870898e3ff89",
+      "type": "operating-system",
+      "name": "centos",
+      "version": "7.6.1810",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "centos"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "0175f732-df9d-4bb8-9f56-870898e3ff89",
+      "dependsOn": [
+        "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
+        "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"
+      ]
+    },
+    {
+      "ref": "d0d41e30-9650-489d-948d-425ff2ed63d2",
+      "dependsOn": [
+        "0175f732-df9d-4bb8-9f56-870898e3ff89"
+      ]
+    }
+  ]
+}

integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json

@@ -0,0 +1,169 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:31ee662c-480e-4f63-9765-23ea8afc754d",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-06-14T15:10:14+00:00",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "95de56ee-980c-413d-8f68-6c674dc3e9d1",
+      "type": "container",
+      "name": "integration/testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:5a992077baba51b97f27591a10d54d2f2723dc9c81a3fe419e261023f2554933"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
+      "type": "library",
+      "name": "bash",
+      "version": "5.0-4",
+      "purl": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "bash"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "5.0-4"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
+      "type": "library",
+      "name": "libidn2-0",
+      "version": "2.0.5-1",
+      "purl": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "libidn2"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "2.0.5-1"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        }
+      ]
+    },
+    {
+      "bom-ref": "353f2470-9c8b-4647-9d0d-96d893838dc8",
+      "type": "operating-system",
+      "name": "debian",
+      "version": "10.2",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "debian"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
+      "type": "library",
+      "name": "activesupport",
+      "version": "6.0.2.1",
+      "licenses": [
+        {
+          "expression": "MIT"
+        }
+      ],
+      "purl": "pkg:gem/activesupport@6.0.2.1",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:FilePath",
+          "value": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+        },
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "gemspec"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "353f2470-9c8b-4647-9d0d-96d893838dc8",
+      "dependsOn": [
+        "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
+        "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2"
+      ]
+    },
+    {
+      "ref": "95de56ee-980c-413d-8f68-6c674dc3e9d1",
+      "dependsOn": [
+        "353f2470-9c8b-4647-9d0d-96d893838dc8",
+        "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
+      ]
+    }
+  ]
+}

integration/testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden

@@ -0,0 +1,346 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-08-14T12:39:11+00:00",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "urn:uuid:31ee662c-480e-4f63-9765-23ea8afc754d/1",
+      "type": "container",
+      "name": "integration/testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "id": "CVE-2020-8165",
+      "source": {
+        "name": "ghsa",
+        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "ghsa"
+          },
+          "severity": "high"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.5,
+          "severity": "high",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 9.8,
+          "severity": "critical",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 9.8,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [
+        502
+      ],
+      "description": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.",
+      "advisories": [
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2020-8165"
+        },
+        {
+          "url": "https://github.com/advisories/GHSA-2p68-f74v-9wc6"
+        },
+        {
+          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml"
+        },
+        {
+          "url": "https://groups.google.com/forum/#!msg/rubyonrails-security/bv6fW4S0Y1c/KnkEqM7AAQAJ"
+        },
+        {
+          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"
+        },
+        {
+          "url": "https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c"
+        },
+        {
+          "url": "https://hackerone.com/reports/413388"
+        },
+        {
+          "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
+        },
+        {
+          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
+        },
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8165"
+        },
+        {
+          "url": "https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/"
+        },
+        {
+          "url": "https://www.debian.org/security/2020/dsa-4766"
+        }
+      ],
+      "published": "2020-06-19T18:15:00+00:00",
+      "updated": "2020-10-17T12:15:00+00:00",
+      "affects": [
+        {
+          "ref": "urn:cdx:31ee662c-480e-4f63-9765-23ea8afc754d/1#pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
+          "versions": [
+            {
+              "version": "6.0.2.1",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-18276",
+      "source": {
+        "name": "debian",
+        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "cbl-mariner"
+          },
+          "severity": "high"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.2,
+          "severity": "high",
+          "method": "CVSSv2",
+          "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.8,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "oracle-oval"
+          },
+          "severity": "low"
+        },
+        {
+          "source": {
+            "name": "photon"
+          },
+          "severity": "high"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 7.8,
+          "severity": "low",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "ubuntu"
+          },
+          "severity": "low"
+        }
+      ],
+      "cwes": [
+        273
+      ],
+      "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
+      "advisories": [
+        {
+          "url": "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2019-18276"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"
+        },
+        {
+          "url": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff"
+        },
+        {
+          "url": "https://linux.oracle.com/cve/CVE-2019-18276.html"
+        },
+        {
+          "url": "https://linux.oracle.com/errata/ELSA-2021-1679.html"
+        },
+        {
+          "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
+        },
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276"
+        },
+        {
+          "url": "https://security.gentoo.org/glsa/202105-34"
+        },
+        {
+          "url": "https://security.netapp.com/advisory/ntap-20200430-0003/"
+        },
+        {
+          "url": "https://www.youtube.com/watch?v=-wGtxJ8opa8"
+        }
+      ],
+      "published": "2019-11-28T01:15:00+00:00",
+      "updated": "2021-05-26T12:15:00+00:00",
+      "affects": [
+        {
+          "ref": "urn:cdx:31ee662c-480e-4f63-9765-23ea8afc754d/1#pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
+          "versions": [
+            {
+              "version": "5.0-4",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-18224",
+      "source": {
+        "name": "debian",
+        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "amazon"
+          },
+          "severity": "medium"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.5,
+          "severity": "high",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 9.8,
+          "severity": "critical",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 5.6,
+          "severity": "medium",
+          "method": "CVSSv3",
+          "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+        },
+        {
+          "source": {
+            "name": "ubuntu"
+          },
+          "severity": "medium"
+        }
+      ],
+      "cwes": [
+        787
+      ],
+      "description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
+      "advisories": [
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html"
+        },
+        {
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2019-18224"
+        },
+        {
+          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224"
+        },
+        {
+          "url": "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c"
+        },
+        {
+          "url": "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/"
+        },
+        {
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/"
+        },
+        {
+          "url": "https://seclists.org/bugtraq/2020/Feb/4"
+        },
+        {
+          "url": "https://security.gentoo.org/glsa/202003-63"
+        },
+        {
+          "url": "https://ubuntu.com/security/notices/USN-4168-1"
+        },
+        {
+          "url": "https://usn.ubuntu.com/4168-1/"
+        },
+        {
+          "url": "https://www.debian.org/security/2020/dsa-4613"
+        }
+      ],
+      "published": "2019-10-21T17:15:00+00:00",
+      "updated": "2019-10-29T19:15:00+00:00",
+      "affects": [
+        {
+          "ref": "urn:cdx:31ee662c-480e-4f63-9765-23ea8afc754d/1#pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
+          "versions": [
+            {
+              "version": "2.0.5-1",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

integration/testdata/helm.json.golden

@@ -20,7 +20,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 32,
+        "Successes": 76,
         "Failures": 2,
         "Exceptions": 0
       },
@@ -28,6 +28,7 @@
         {
           "Type": "Helm Security Check",
           "ID": "KSV001",
+          "AVDID": "AVD-KSV-0001",
           "Title": "Process can elevate its own privileges",
           "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
           "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false",
@@ -146,6 +147,7 @@
         {
           "Type": "Helm Security Check",
           "ID": "KSV030",
+          "AVDID": "AVD-KSV-0030",
           "Title": "Default Seccomp profile not set",
           "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
           "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
@@ -268,7 +270,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 34,
+        "Successes": 78,
         "Failures": 0,
         "Exceptions": 0
       }
@@ -278,7 +280,7 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 34,
+        "Successes": 78,
         "Failures": 0,
         "Exceptions": 0
       }

integration/testdata/helm_badname.json.golden

@@ -0,0 +1,17 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/helm_badname",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  }
+}