refactor(k8s): custom reports (#3076)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.github/CODEOWNERS

@@ -4,6 +4,16 @@
 # Helm chart
 helm/trivy/ @krol3
 
+# Misconfiguration scanning
+examples/misconf/           @owenrumney @liamg @knqyf263
+docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+docs/docs/cloud             @owenrumney @liamg @knqyf263
+pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
+pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+pkg/cloud                   @owenrumney @liamg @knqyf263
+pkg/flag/aws_flags.go       @owenrumney @liamg @knqyf263
+pkg/flag/misconf_flags.go   @owenrumney @liamg @knqyf263
+
 # Kubernetes scanning
-pkg/k8s/                @josedonizetti @chen-keinan
-docs/docs/kubernetes/   @josedonizetti @chen-keinan
+pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
+docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263

.github/workflows/canary.yaml

@@ -0,0 +1,59 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.go'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.9
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error

.github/workflows/mkdocs-dev.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - name: Install dependencies
@@ -35,7 +35,7 @@ jobs:
         if: ${{ github.event.inputs.version == '' }}
         run: |
           VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
       - name: Deploy the latest documents from manual trigger
         if: ${{ github.event.inputs.version != '' }}
         run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

.github/workflows/publish-chart.yaml

@@ -15,8 +15,8 @@ env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
-  KIND_VERSION: "v0.11.1"
-  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
   test-chart:
     runs-on: ubuntu-20.04
@@ -26,18 +26,18 @@ jobs:
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
+        uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
+        uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -45,7 +45,7 @@ jobs:
         run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
       - name: Run chart-testing (Ingress enabled)
         run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
   publish-chart:

.github/workflows/release.yaml

@@ -3,76 +3,37 @@ on:
   push:
     tags:
       - "v*"
-env:
-  GO_VERSION: "1.18"
-  GH_USER: "aqua-bot"
+
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
-    permissions:
-      id-token: write # For cosign
-      packages: write # For GHCR
-      contents: read  # Not required for public repositories, but for clarity
-    steps:
-      - name: Install dependencies
-        run: |
-          sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Show available Docker Buildx platforms
-        run: echo ${{ steps.buildx.outputs.platforms }}
-      - name: Setup Go
-        uses: actions/setup-go@v3
+    uses: ./.github/workflows/reusable-release.yaml
     with:
-          go-version: ${{ env.GO_VERSION }}
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 90m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
+    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
+    steps:
       - name: Checkout code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Cache Go modules
-        uses: actions/cache@v3.0.2
+
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.9
         with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Login to docker.io registry
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ghcr.io registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ env.GH_USER }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v2
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v1
-        with:
-          args: mod -licenses -json -output bom.json
-          version: ^v1
-      - name: Release
-        uses: goreleaser/goreleaser-action@v3
-        with:
-          version: v1.4.1
-          args: release --rm-dist --timeout 60m
-        env:
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install rpm reprepro createrepo distro-info
+
       - name: Checkout trivy-repo
         uses: actions/checkout@v3
         with:
@@ -80,13 +41,17 @@ jobs:
           path: trivy-repo
           fetch-depth: 0
           token: ${{ secrets.ORG_REPO_TOKEN }}
+
       - name: Setup git settings
         run: |
           git config --global user.email "knqyf263@gmail.com"
           git config --global user.name "Teppei Fukuda"
+
       - name: Create rpm repository
         run: ci/deploy-rpm.sh
+
       - name: Import GPG key
         run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
       - name: Create deb repository
         run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -0,0 +1,108 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.0.9
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/scan.yaml

@@ -18,6 +18,6 @@ jobs:
           assignee: knqyf263
           severity: CRITICAL
           skip-dirs: integration,examples
-          label: vulnerability
+          label: kind/security
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -34,6 +34,7 @@ jobs:
             vuln
             misconf
             secret
+            license
 
             image
             fs
@@ -63,6 +64,8 @@ jobs:
             dotnet
             java
             go
+            c
+            c++
             
             os
             lang
@@ -80,6 +83,9 @@ jobs:
             cli
             flag
             
+            cyclonedx
+            spdx
+
             helm
             report
             db

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v5
+    - uses: actions/stale@v6
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'

.github/workflows/test.yaml

@@ -10,8 +10,7 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.23.0"
+  TINYGO_VERSION: "0.25.0"
 jobs:
   test:
     name: Test
@@ -22,19 +21,20 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: go mod tidy
         run: |
           go mod tidy
           if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'go mod tidy' and push it"
             exit 1
           fi
 
       - name: Lint
         uses: golangci/golangci-lint-action@v3.2.0
         with:
-          version: v1.45
+          version: v1.49
           args: --deadline=30m
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
 
@@ -50,14 +50,13 @@ jobs:
     name: Integration Test
     runs-on: ubuntu-latest
     steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+          go-version-file: go.mod
 
       - name: Run integration tests
         run: make test-integration
@@ -66,20 +65,19 @@ jobs:
     name: Module Integration Test
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
+          go-version-file: go.mod
 
       - name: Install TinyGo
         run: |
           wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
           sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
 
-      - name: Checkout
-        uses: actions/checkout@v3
-
       - name: Run module integration tests
         run: |
           make test-module-integration
@@ -106,13 +104,13 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
 
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v3
       with:
         version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 60m
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
 
   build-documents:
     name: Documentation Test
@@ -123,7 +121,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
       with:
         python-version: 3.x
     - name: Install dependencies

.golangci.yaml

@@ -21,19 +21,17 @@ linters-settings:
     local-prefixes: github.com/aquasecurity
   gosec:
     excludes:
+      - G114
       - G204
       - G402
 
 linters:
   disable-all: true
   enable:
-    - structcheck
+    - unused
     - ineffassign
     - typecheck
     - govet
-    - errcheck
-    - varcheck
-    - deadcode
     - revive
     - gosec
     - unconvert
@@ -44,7 +42,7 @@ linters:
     - misspell
 
 run:
-  go: 1.18
+  go: 1.19
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -0,0 +1,10 @@
+FROM alpine:3.16.2
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.18.2
+FROM golang:1.19.1
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -1,4 +1,4 @@
-VERSION := $(shell git describe --tags --always)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
 
 GOPATH := $(shell go env GOPATH)
@@ -26,7 +26,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
 
 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
 
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest

README.md

@@ -39,7 +39,9 @@ Get Trivy by your favorite installation method. See [installation] section in th
 
 - `apt-get install trivy`
 - `yum install trivy`
+- `pacman -S trivy`
 - `brew install aquasecurity/trivy/trivy`
+- `sudo port install trivy`
 - `docker run aquasec/trivy`
 - Download binary from https://github.com/aquasecurity/trivy/releases/latest/
 
@@ -74,7 +76,7 @@ https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b
 </details>
 
 ```bash
-$ trivy k8s mycluster
+$ trivy k8s --report summary cluster
 ```
 
 <details>
@@ -84,6 +86,8 @@ $ trivy k8s mycluster
 
 </details>
 
+Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.
+
 Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
 
 
@@ -134,7 +138,7 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 
 [getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [docs]: https://aquasecurity.github.io/trivy
-[integrations]:https://aquasecurity.github.io/trivy/latest/docs/integrations/
+[integrations]:https://aquasecurity.github.io/trivy/latest/tutorials/integrations/
 [installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [releases]: https://github.com/aquasecurity/trivy/releases
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/

brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg

@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/readme.md

@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>

ci/deploy-rpm.sh

@@ -15,7 +15,7 @@ function create_rpm_repo () {
 
 cd trivy-repo
 
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
         echo "Processing RHEL/CentOS $version..."
         create_rpm_repo $version

cmd/trivy/main.go

@@ -1,10 +1,14 @@
 package main
 
 import (
+	"context"
 	"os"
 
+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
 )
 
 var (
@@ -12,9 +16,26 @@ var (
 )
 
 func main() {
-	app := commands.NewApp(version)
-	err := app.Run(os.Args)
-	if err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}

contrib/gitlab-codequality.tpl

@@ -45,7 +45,7 @@
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
-      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
       "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
       "content": {{ .Description | printf "%q" }},
       "severity": {{ if eq .Severity "LOW" -}}
@@ -67,5 +67,37 @@
       }
     }
     {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
   {{- end }}
 ]

contrib/gitlab.tpl

@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
   "vulnerabilities": [
   {{- $t_first := true }}
   {{- range . }}
   {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
     {{- range .Vulnerabilities -}}
     {{- if $t_first -}}
       {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                   {{-  else -}}
                     "{{ .Severity }}"
                   {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
       "solution": {{ if .FixedVersion -}}
                     "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                   {{- else -}}
@@ -51,7 +50,7 @@
         },
         {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
         "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
       },
       "identifiers": [
         {
@@ -71,7 +70,7 @@
           ,
         {{- end -}}
         {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
         }
         {{- end }}
       ]

contrib/junit.tpl

@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
     <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">

docs/build/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:8.2.10
+FROM squidfunk/mkdocs-material:8.3.9
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.

docs/build/requirements.txt

@@ -11,13 +11,13 @@ mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.2.10
+mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
-Pygments==2.11.2
-pymdown-extensions==9.3
+Pygments==2.12.0
+pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0

docs/community/contribute/pr.md

@@ -42,6 +42,7 @@ checks:
 - vuln
 - misconf
 - secret
+- license
 
 mode:
 

docs/community/credit.md

@@ -1,10 +0,0 @@
-# Author
-
-[Teppei Fukuda][knqyf263] (knqyf263)
-
-# Contributors
-
-Thanks to all [contributors][contributors]
-
-[knqyf263]: https://github.com/knqyf263
-[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors

docs/community/references.md

@@ -1,48 +0,0 @@
-# Additional References
-There are external blogs and evaluations.
-
-## Blogs
-- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
-- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
-- [DevSecOps with Trivy and GitHub Actions][actions]
-- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
-- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
-- [the vulnerability remediation lifecycle of Alpine containers][alpine]
-- [Continuous Container Vulnerability Testing with Trivy][semaphore]
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-- [Istio evaluates scanners][istio]
-
-## Presentations
-- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
-- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
-- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

docs/community/tools.md

@@ -1,37 +0,0 @@
-# Community Tools
-The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
-
-Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
-
-## GitHub Actions
-
-| Actions                                    | Description                                                                      |
-| ------------------------------------------ | -------------------------------------------------------------------------------- |
-| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
-| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
-
-## Semaphore
-
-| Name                                                   | Description                               |
-| -------------------------------------------------------| ----------------------------------------- |
-| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
-
-
-## CircleCI
-
-| Orb                                      | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
-
-## Others
-
-| Name                                     | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
-
-
-[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
-[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
-[gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
-[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

docs/docs/advanced/air-gap.md

@@ -5,13 +5,33 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
 ## Air-Gapped Environment for vulnerabilities
 
 ### Download the vulnerability database
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+
+=== "oras >= v0.13.0"
     At first, you need to download the vulnerability database for use in air-gapped environments.
     Please follow [oras installation instruction][oras].
 
     Download `db.tar.gz`:
 
     ```
-$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
     ```
 
 ### Transfer the DB file into the air-gapped environment
@@ -43,7 +63,7 @@ $ rm /path/to/db.tar.gz
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-### Run Trivy with --skip-update and --offline-scan option
+### Run Trivy with `--skip-update` and `--offline-scan` option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
@@ -55,7 +75,7 @@ $ trivy image --skip-update --offline-scan alpine:3.12
 
 No special measures are required to detect misconfigurations in an air-gapped environment.
 
-### Run Trivy with --skip-policy-update option
+### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
 
 ```

docs/docs/attestation/rekor.md

@@ -0,0 +1,142 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --security-checks vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat

docs/docs/attestation/sbom.md

@@ -0,0 +1,87 @@
+# SBOM attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+## Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
+```
+
+You can also create attestations of other formatted SBOM.
+
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
+
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
+```
+
+## Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
+```
+
+You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
+```
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

docs/docs/attestation/vuln.md

@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md

docs/docs/cloud/aws/scanning.md

@@ -0,0 +1,59 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Cached Results
+
+By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
+
+## Custom Policies
+
+You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information.

docs/docs/compliance/compliance.md

@@ -0,0 +1,8 @@
+# Compliance Reports
+
+Trivy support producing compliance reports.
+
+## Supported reports
+
+- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md) 
+

docs/docs/index.md

@@ -1,34 +1,12 @@
 # Docs
 
-Trivy detects two types of security issues:
-
-- [Vulnerabilities][vuln]
-- [Misconfigurations][misconf]
-
-Trivy can scan four different artifacts:
-
-- [Container Images][container]
-- [Filesystem][filesystem] and [Rootfs][rootfs]
-- [Git Repositories][repo]
-- [Kubernetes][kubernetes]
-
-Trivy can be run in two different modes:
-
-- [Standalone][standalone]
-- [Client/Server][client-server]
-
-Trivy can be run as a Kubernetes Operator:
-
-- [Kubernetes Operator][kubernetesoperator]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
+This documentation details how to use Trivy to access the features listed below.
 
 ## Features
 
 - Comprehensive vulnerability detection
     - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
+    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
     - A wide variety of [built-in policies][builtin] are provided **out of the box**:
         - Kubernetes
@@ -63,10 +41,11 @@ See [Integrations][integrations] for details.
 - [SBOM][sbom] (Software Bill of Materials) support
     - CycloneDX
     - SPDX
+    - GitHub Dependency Snapshots
 
 Please see [LICENSE][license] for Trivy licensing information.
 
-[installation]: ../getting-started/installation.md
+[installation]: ../index.md
 [vuln]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [kubernetesoperator]: ../docs/kubernetes/operator/index.md
@@ -78,7 +57,7 @@ Please see [LICENSE][license] for Trivy licensing information.
 
 [standalone]: ../docs/references/modes/standalone.md
 [client-server]: ../docs/references/modes/client-server.md
-[integrations]: ../docs/integrations/index.md
+[integrations]: ../tutorials/integrations/index.md
 
 [os]: ../docs/vulnerability/detection/os.md
 [lang]: ../docs/vulnerability/detection/language.md

docs/docs/integrations/aws-security-hub.md

@@ -1,29 +0,0 @@
-# AWS Security Hub
-
-## Upload findings to Security Hub
-
-In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
-
-```
-$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
-Then, you can upload it with AWS CLI.
-
-```
-$ aws securityhub batch-import-findings --findings file://report.asff
-```
-
-## Customize
-You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
-
-```
-$ export AWS_REGION=us-west-1
-$ export AWS_ACCOUNT_ID=123456789012
-$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-## Reference
-https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/

docs/docs/integrations/woodpecker-ci.md

@@ -0,0 +1,17 @@
+# Woodpecker CI
+
+This is a simple example configuration `.woodpecker/trivy.yml` that shows how you could get started:
+
+```yml
+pipeline:
+  securitycheck:
+    image: aquasec/trivy:latest
+    commands:
+      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
+      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+```
+
+Woodpecker does use Trivy itself so you can see an [Example][example] run at its [Repository][repository] and how it was [added](https://github.com/woodpecker-ci/woodpecker/pull/1163).
+
+[example]: https://ci.woodpecker-ci.org/woodpecker-ci/woodpecker/build/3520/37
+[repository]: https://github.com/woodpecker-ci/woodpecker

docs/docs/kubernetes/cli/compliance.md

@@ -0,0 +1,68 @@
+# Kubernetes Compliance
+
+## NSA Complaince Report
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
+
+[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
+
+| NAME                                                     | DESCRIPTION                                                                                             |          |
+|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------|
+| Non-root containers                                      | Check that container is not running as root                                                       |
+| Immutable container file systems                         | Check that container root file system is immutable                                                  |
+| Preventing privileged containers                         | Controls whether Pods can run privileged containers                                                 |
+| Share containers process namespaces                      | Controls whether containers can share process namespaces                                                 |
+| Share host process namespaces                            | Controls whether share host process namespaces                                                 |
+| Use the host network                                     | Controls whether containers can use the host network                                                    |
+| Run with root privileges or with root group membership   | Controls whether container applications can run with <br/>root privileges or with root group membership                   |
+| Restricts escalation to root privileges                  | Control check restrictions escalation to root privileges                                                 |
+| Sets the SELinux context of the container                | Control checks if pod sets the SELinux context of the container                                                  |
+| Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor                                    | 
+| Sets the seccomp profile used to sandbox containers      | Control checks the sets the seccomp profile used to sandbox containers                                                 |
+| Protecting Pod service account tokens                    | Control check whether disable secret token been mount ,automountServiceAccountToken: false                        | 
+| Namespace kube-system should not be used by users        | Control check whether Namespace kube-system is not be used by users                                                      |
+| Pod and/or namespace Selectors usage                     | Control check validate the pod and/or namespace Selectors usage                                                      |
+| Use CNI plugin that supports NetworkPolicy API           | Control check whether check cni plugin installed                                                  |
+| Use ResourceQuota policies to limit resources            | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace                  | 
+| Use LimitRange policies to limit resources               | Control check the use of LimitRange policy limit resource usage for namespaces or nodes                              |
+| Control plan disable insecure port                       | Control check whether control plan disable insecure port                                                       |
+| Encrypt etcd communication                               | Control check whether etcd communication is encrypted                                                  |
+| Ensure kube config file permission                       | Control check whether kube config file permissions                                                |
+| Check that encryption resource has been set              | Control checks whether encryption resource has been set                                                        |
+| Check encryption provider                                | Control checks whether encryption provider has been set                                                        |
+| Make sure anonymous-auth is unset                        | Control checks whether anonymous-auth is unset                                                      |
+| Make sure -authorization-mode=RBAC                       | Control check whether RBAC permission is in use                                                        |
+| Audit policy is configure                                | Control check whether audit policy is configure                                                  |
+| Audit log path is configure                              | Control check whether audit log path is configure                                                  |
+| Audit log aging                                          | Control check whether audit log aging is configure                                                  |
+
+## CLI Commands
+
+Scan a full cluster and generate a complliance NSA summary report:
+
+```
+$ trivy k8s cluster --compliance=nsa --report summary
+```
+
+![k8s Summary Report](../../../imgs/trivy-nsa-summary.png)
+
+***Note*** : The `compliance` column represent the calculation of all tests pass vs. fail for all resources per control check in percentage format.
+
+Example: if I have two resources in cluster and one resource scan result show pass while the other one show fail for `1.0 Non-root Containers` then it compliance will show 50%
+
+An additional report is supported to get all of the detail the output contains, use `--report all`
+```
+$ trivy k8s cluster --compliance=nsa --report all
+```
+Report also supported in json format examples :
+
+```
+$ trivy k8s cluster --compliance=nsa --report summary --format json
+```
+
+```
+$ trivy k8s cluster --compliance=nsa --report all --format json
+```

docs/docs/kubernetes/cli/scanning.md

@@ -5,7 +5,7 @@
 
 The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
 
-If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
+If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)
 
 Trivy uses your local kubectl configuration to access the API server to list artifacts.
 
@@ -41,12 +41,25 @@ Scan a specific namespace:
 $ trivy k8s -n kube-system --report=summary all
 ```
 
+Use a specific kubeconfig file:
+
+```
+$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
+```
+
 Scan a specific resource and get all the output:
 
 ```
 $ trivy k8s deployment appname
 ```
 
+Scan all deploys, or deploys and configmaps:
+
+```
+$ trivy k8s --report=summary deployment
+$ trivy k8s --report=summary deployment,configmaps
+```
+
 If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
 For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
 
@@ -218,3 +231,49 @@ $ trivy k8s --format json -o results.json cluster
 
 </details>
 
+
+
+## Infra checks
+
+Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
+if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
+components under `kube-system` with commands:
+
+```
+$ trivy k8s cluster --report summary # full cluster scan
+$ trivy k8s all -n kube-system --report summary # scan all componetns under kube-system
+```
+
+A table will be printed about misconfigurations found on kubernetes core components:
+
+```
+Summary Report for minikube
+┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
+│  Namespace  │               Resource               │ Kubernetes Infra Assessment │
+│             │                                      ├────┬────┬────┬─────┬────────┤
+│             │                                      │ C  │ H  │ M  │ L   │   U    │
+├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
+│ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
+│ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
+│ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
+└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
+Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
+```
+
+The infra checks are based on CIS Benchmarks recommendations for kubernetes.
+
+
+If you want filter only for the infra checks, you can use the flag `--components` along with the `--security-checks=config`
+
+```
+$ trivy k8s cluster --report summary --components=infra --security-checks=config # scan only infra
+```
+
+Or, to filter for all other checks besides the infra checks, you can:
+
+```
+$ trivy k8s cluster --report summary --components=workload --security-checks=config # scan all components besides infra
+```
+
+	
+

docs/docs/kubernetes/operator/index.md

@@ -1,17 +1,14 @@
 # Trivy Operator  
 
-Trivy has a native [Kubernetes Operator](operator) which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources](crd). It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
+Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
 
 
-> Kubernetes-native security toolkit. ([Documentation](https://aquasecurity.github.io/trivy-operator/latest)).
-
+> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
 
 <figure>
-  <img src="./images/operator/trivy-operator-workloads.png" />
   <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
 </figure>
 
 [operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
 [crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
-[Starboard]: https://github.com/aquasecurity/starboard
-[starboard-announcement]: https://github.com/aquasecurity/starboard/discussions/1173
+[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

docs/docs/licenses/scanning.md

@@ -0,0 +1,320 @@
+# License Scanning
+
+Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
+
+License are classified using the [Google License Classification][google-license-classification] -
+
+ - Forbidden
+ - Restricted 
+ - Reciprocal
+ - Notice
+ - Permissive
+ - Unencumbered
+ - Unknown
+
+!!! tip
+    Licenses that Trivy fails to recognize are classified as UNKNOWN.
+    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
+
+By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
+To enable extended license scanning, you can use `--license-full`.
+In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
+
+!!! note
+    The full license scanning is expensive. It takes a while.
+
+Currently, the standard license scanning doesn't support filesystem and repository scanning.
+
+|   License scnanning   | Image | Rootfs    | Filesystem | Repository |
+|:---------------------:|:-----:|:---------:|:----------:|:----------:|
+|       Standard        |  ✅   |     ✅    |   -        |      -     |
+| Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
+
+
+License checking classifies the identified licenses and map the classification to severity.
+
+| Classification | Severity |
+|----------------|----------|
+| Forbidden      | CRITICAL |
+| Restricted     | HIGH     |
+| Reciprocal     | MEDIUM   |
+| Notice         | LOW      |
+| Permissive     | LOW      |
+| Unencumbered   | LOW      |
+| Unknown        | UNKNOWN  |
+
+## Quick start
+This section shows how to scan license in container image and filesystem.
+
+### Standard scanning
+Specify an image name with `--security-cheks license`.
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ apk-tools         │         │                │          │
+├───────────────────┤         │                │          │
+│ busybox           │         │                │          │
+├───────────────────┤         │                │          │
+│ musl-utils        │         │                │          │
+├───────────────────┤         │                │          │
+│ scanelf           │         │                │          │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+```
+
+### Full scanning
+Specify `--license-full`
+
+``` shell
+$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
+
+┌───────────────────┬───────────────────┬────────────────┬──────────┐
+│      Package      │      License      │ Classification │ Severity │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
+├───────────────────┤                   │                │          │
+│ apk-tools         │                   │                │          │
+├───────────────────┼───────────────────┤                │          │
+│ bash              │ GPL-3.0           │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┤                │          │
+│ libaio            │ LGPL-2.1-or-later │                │          │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
+│                   ├───────────────────┼────────────────┼──────────┤
+│                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
+├───────────────────┼───────────────────┼────────────────┼──────────┤
+│ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
+└───────────────────┴───────────────────┴────────────────┴──────────┘
+
+Loose File License(s) (license)
+===============================
+Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
+
+┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
+│ Classification │ Severity │   License    │                        File Location                         │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
+│                │          │              │                                                              │
+│                │          │              │                                                              │
+├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
+│ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
+│                │          │              │ s.LICENSE.txt                                                │
+│                │          │              ├──────────────────────────────────────────────────────────────┤
+│                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
+│                │          │              │ 41a80.js.LICENSE.txt                                         │
+└────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Trivy has number of configuration flags for use with license scanning;
+                                 
+### Ignored Licenses
+
+Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
+
+```shell
+$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
+
+OS Packages (license)
+=====================
+Total: 2 (HIGH: 2, CRITICAL: 0)
+
+┌───────────────────┬─────────┬────────────────┬──────────┐
+│      Package      │ License │ Classification │ Severity │
+├───────────────────┼─────────┼────────────────┼──────────┤
+│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
+├───────────────────┤         │                │          │
+│ ssl_client        │         │                │          │
+└───────────────────┴─────────┴────────────────┴──────────┘
+
+```
+
+### Custom Classification
+You can generate the default config by the `--generate-default-config` flag and customize the license classification.
+For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
+
+```shell
+$ trivy image --generate-default-config
+$ vim trivy.yaml
+license:
+  forbidden:
+  - AGPL-3.0
+  
+  restricted:
+  - AGPL-1.0
+  - CC-BY-NC-1.0
+  - CC-BY-NC-2.0
+  - CC-BY-NC-2.5
+  - CC-BY-NC-3.0
+  - CC-BY-NC-4.0
+  - CC-BY-NC-ND-1.0
+  - CC-BY-NC-ND-2.0
+  - CC-BY-NC-ND-2.5
+  - CC-BY-NC-ND-3.0
+  - CC-BY-NC-ND-4.0
+  - CC-BY-NC-SA-1.0
+  - CC-BY-NC-SA-2.0
+  - CC-BY-NC-SA-2.5
+  - CC-BY-NC-SA-3.0
+  - CC-BY-NC-SA-4.0
+  - Commons-Clause
+  - Facebook-2-Clause
+  - Facebook-3-Clause
+  - Facebook-Examples
+  - WTFPL
+  - BCL
+  - CC-BY-ND-1.0
+  - CC-BY-ND-2.0
+  - CC-BY-ND-2.5
+  - CC-BY-ND-3.0
+  - CC-BY-ND-4.0
+  - CC-BY-SA-1.0
+  - CC-BY-SA-2.0
+  - CC-BY-SA-2.5
+  - CC-BY-SA-3.0
+  - CC-BY-SA-4.0
+  - GPL-1.0
+  - GPL-2.0
+  - GPL-2.0-with-autoconf-exception
+  - GPL-2.0-with-bison-exception
+  - GPL-2.0-with-classpath-exception
+  - GPL-2.0-with-font-exception
+  - GPL-2.0-with-GCC-exception
+  - GPL-3.0
+  - GPL-3.0-with-autoconf-exception
+  - GPL-3.0-with-GCC-exception
+  - LGPL-2.0
+  - LGPL-2.1
+  - LGPL-3.0
+  - NPL-1.0
+  - NPL-1.1
+  - OSL-1.0
+  - OSL-1.1
+  - OSL-2.0
+  - OSL-2.1
+  - OSL-3.0
+  - QPL-1.0
+  - Sleepycat
+  
+  reciprocal:
+  - APSL-1.0
+  - APSL-1.1
+  - APSL-1.2
+  - APSL-2.0
+  - CDDL-1.0
+  - CDDL-1.1
+  - CPL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - FreeImage
+  - IPL-1.0
+  - MPL-1.0
+  - MPL-1.1
+  - MPL-2.0
+  - Ruby
+  
+  notice:
+  - AFL-1.1
+  - AFL-1.2
+  - AFL-2.0
+  - AFL-2.1
+  - AFL-3.0
+  - Apache-1.0
+  - Apache-1.1
+  - Apache-2.0
+  - Artistic-1.0-cl8
+  - Artistic-1.0-Perl
+  - Artistic-1.0
+  - Artistic-2.0
+  - BSL-1.0
+  - BSD-2-Clause-FreeBSD
+  - BSD-2-Clause-NetBSD
+  - BSD-2-Clause
+  - BSD-3-Clause-Attribution
+  - BSD-3-Clause-Clear
+  - BSD-3-Clause-LBNL
+  - BSD-3-Clause
+  - BSD-4-Clause
+  - BSD-4-Clause-UC
+  - BSD-Protection
+  - CC-BY-1.0
+  - CC-BY-2.0
+  - CC-BY-2.5
+  - CC-BY-3.0
+  - CC-BY-4.0
+  - FTL
+  - ISC
+  - ImageMagick
+  - Libpng
+  - Lil-1.0
+  - Linux-OpenIB
+  - LPL-1.02
+  - LPL-1.0
+  - MS-PL
+  - MIT
+  - NCSA
+  - OpenSSL
+  - PHP-3.01
+  - PHP-3.0
+  - PIL
+  - Python-2.0
+  - Python-2.0-complete
+  - PostgreSQL
+  - SGI-B-1.0
+  - SGI-B-1.1
+  - SGI-B-2.0
+  - Unicode-DFS-2015
+  - Unicode-DFS-2016
+  - Unicode-TOU
+  - UPL-1.0
+  - W3C-19980720
+  - W3C-20150513
+  - W3C
+  - X11
+  - Xnet
+  - Zend-2.0
+  - zlib-acknowledgement
+  - Zlib
+  - ZPL-1.1
+  - ZPL-2.0
+  - ZPL-2.1
+  
+  unencumbered:
+  - CC0-1.0
+  - Unlicense
+  - 0BSD
+  
+  permissive: []
+```
+
+
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/misconfiguration/custom/index.md

@@ -36,27 +36,23 @@ A single package must contain only one policy.
 
 !!!example
     ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
     package user.kubernetes.ID001
     
-    import lib.result
-
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    }
-
-    __rego_input__ := {
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
-    
     deny[res] {
         input.kind == "Deployment"
         msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
-        res := result.new(msg, input)
+        res := result.new(msg, input.kind)
     }
     ```
 
@@ -65,6 +61,10 @@ If you add a new custom policy, it must be defined under a new package like `use
 
 ### Policy structure
 
+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
 `package` (required)
 :   - MUST follow the Rego's [specification][package]
     - MUST be unique per policy
@@ -72,15 +72,6 @@ If you add a new custom policy, it must be defined under a new package like `use
     - MAY include the group name such as `kubernetes` for clarity
         - Group name has no effect on policy evaluation
 
-`import data.lib.result` (optional)
-:   - MAY be defined if you would like to embellish your result(s) with line numbers and code highlighting
-
-`__rego_metadata__` (optional)
-:   - SHOULD be defined for clarity since these values will be displayed in the scan results
-
-`__rego_input__` (optional)
-:   - MAY be defined when you want to specify input format
-
 `deny` (required)
 :   - SHOULD be `deny` or start with `deny_`
         - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
@@ -112,29 +103,39 @@ Any package prefixes such as `main` and `user` are allowed.
 ### Metadata
 Metadata helps enrich Trivy's scan results with useful information.
 
+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
 !!!example
     ``` rego
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    	"recommended_actions": "Remove Deployment",
-    	"url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
-    }
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
     ```
   
-All fields under `__rego_metadata__` are optional.
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
 
 | Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
-|---------------------|-------------------------------------|:-------------:|:----------------:|:----------------:|
-| id                  | Any characters                      |      N/A      | :material-check: | :material-check: |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
 | title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
-| severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` |    UNKNOWN    | :material-check: | :material-check: |
 | description                | Any characters                           |                              | :material-close: | :material-check: |
-| recommended_actions | Any characters                      |               | :material-close: | :material-check: | 
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
 | url                        | Any characters                           |                              | :material-close: | :material-check: |
 
+
 Some fields are displayed in scan results.
 
 ``` bash
@@ -156,17 +157,16 @@ Deployments are not allowed because of some reasons.
 ```
 
 ### Input
-You can specify input format via `__rego_input__`.
-All fields under `__rego_input` are optional.
+You can specify input format via the `custom.input` annotation.
 
 !!!example
     ``` rego
-    __rego_input__ := {
-        "combine": false,
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
     ```
 
 `combine` (boolean)
@@ -177,6 +177,15 @@ All fields under `__rego_input` are optional.
     In the above example, Trivy passes only Kubernetes files to this policy.
     Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
 
+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
     When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
     When a configuration language is identified, it will overwrite `type`.
     
@@ -186,5 +195,15 @@ All fields under `__rego_input` are optional.
 
     `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
 
+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)

docs/docs/misconfiguration/options/others.md

@@ -2,21 +2,3 @@
 
 !!! hint
     See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
-
-## File patterns
-When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
-The default file patterns are [here](../custom/index.md).
-
-In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
-For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
-
-This can be repeated for specifying multiple file patterns.
-Allowed values are here:
-
-- dockerfile
-- yaml
-- json
-- toml
-- hcl
-
-For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)

docs/docs/misconfiguration/options/values.md

@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting specific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```

docs/docs/misconfiguration/policy/builtin.md

@@ -11,6 +11,7 @@ Those policies are managed under [defsec repository][defsec].
 | Dockerfile, Containerfile | [defsec][docker]     |
 | Terraform                 | [defsec][defsec]     |
 | CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
 | RBAC                      | [defsec][rbac]       |      
 

docs/docs/misconfiguration/scanning.md

@@ -6,7 +6,7 @@ Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, etc, l
 
 ## Quick start
 
-Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
 
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]

docs/docs/references/cli/client.md

@@ -1,32 +1,70 @@
 # Client
 
 ```bash
-NAME:
-   trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now.
+Usage:
+  trivy client [flags] IMAGE_NAME
 
-USAGE:
-   trivy image --server value
+Aliases:
+  client, c
 
-   trivy client [deprecated command options] image_name
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
 
-DEPRECATED OPTIONS:
-   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value    output file name [$TRIVY_OUTPUT]
-   --exit-code value           Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --ignore-unfixed            display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs              detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --token value               for authentication [$TRIVY_TOKEN]
-   --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
-   --custom-headers value      custom headers [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                  show help (default: false)
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/config.md

@@ -1,29 +1,49 @@
 # Config
 
 ``` bash
-NAME:
-   trivy config - scan config files
+Scan config files for misconfigurations
 
-USAGE:
-   trivy config [command options] dir
+Usage:
+  trivy config [flags] DIR
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --reset                                        remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --policy value, --config-policy value          specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
-   --data value, --config-data value              specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --file-patterns value                          specify file patterns [$TRIVY_FILE_PATTERNS]
-   --include-successes                            include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
-   --help, -h                                     show help (default: false)
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/fs.md

@@ -1,42 +1,85 @@
 # Filesystem
 
 ```bash
-NAME:
-   trivy filesystem - scan local filesystem for language-specific dependencies and config files
+Scan local filesystem
 
-USAGE:
-   trivy filesystem [command options] path
+Usage:
+  trivy filesystem [flags] PATH
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                              cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                          OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value                             specify the file paths to skip traversal                                        (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped                          (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files         (accepts multiple inputs) [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded  (accepts multiple inputs) [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users")                                              (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
-   --server value                                 server address [$TRIVY_SERVER]
-   --token value                                  for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value                           specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value                         custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                                     show help (default: false)
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/image.md

@@ -1,43 +1,103 @@
 # Image
 
 ```bash
-NAME:
-   trivy image - scan an image
+Scan a container image
 
-USAGE:
-   trivy image [command options] image_name
+Usage:
+  trivy image [flags] IMAGE_NAME
 
-OPTIONS:
-   --template value, -t value       output template [$TRIVY_TEMPLATE]
-   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value         output file name [$TRIVY_OUTPUT]
-   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
-   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value          comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                          deprecated (default: false) [$TRIVY_LIGHT]
-   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --server value                   server address [$TRIVY_SERVER]
-   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value           custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                       show help (default: false)
+Aliases:
+  image, i
+
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Image Flags
+      --input string   input file path instead of image name
+      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/index.md

@@ -1,32 +1,50 @@
 Trivy has several sub commands, image, fs, repo, client and server.
 
 ``` bash
-NAME:
-   trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
 
-USAGE:
-   trivy [global options] command [command options] target
+Usage:
+  trivy [global flags] command [flags] target
+  trivy [command]
 
-VERSION:
-   dev
+Examples:
+  # Scan a container image
+  $ trivy image python:3.4-alpine
 
-COMMANDS:
-   image, i          scan an image
-   filesystem, fs    scan local filesystem for language-specific dependencies and config files
-   rootfs            scan rootfs
-   repository, repo  scan remote repository
-   server, s         server mode
-   config, conf      scan config files
-   plugin, p         manage plugins
-   kubernetes, k8s   scan kubernetes vulnerabilities and misconfigurations
-   sbom              generate SBOM for an artifact
-   version           print the version
-   help, h           Shows a list of commands or help for one command
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
 
-GLOBAL OPTIONS:
-   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
-   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
-   --cache-dir value  cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR]
-   --help, -h         show help (default: false)
-   --version, -v      print the version (default: false)
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+
+Available Commands:
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  help        Help about any command
+  image       Scan a container image
+  kubernetes  scan kubernetes cluster
+  module      Manage modules
+  plugin      Manage plugins
+  repository  Scan a remote repository
+  rootfs      Scan rootfs
+  sbom        Scan SBOM for vulnerabilities
+  server      Server mode
+  version     Print the version
+
+Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy [command] --help" for more information about a command.
 ```

docs/docs/references/cli/module.md

@@ -1,17 +1,30 @@
 # Module
 
 ```bash
-NAME:
-   trivy module - manage modules
+Manage modules
 
-USAGE:
-   trivy module command [command options] [arguments...]
+Usage:
+  trivy module [command]
 
-COMMANDS:
-   install, i    install a module
-   uninstall, u  uninstall a module
-   help, h       Shows a list of commands or help for one command
+Aliases:
+  module, m
 
-OPTIONS:
-   --help, -h  show help (default: false)
+Available Commands:
+  install     Install a module
+  uninstall   Uninstall a module
+
+Flags:
+  -h, --help   help for module
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
 ```

docs/docs/references/cli/plugin.md

@@ -1,21 +1,34 @@
 # Plugin
 
 ```bash
-NAME:
-   trivy plugin - manage plugins
+Manage plugins
 
-USAGE:
-   trivy plugin command [command options] plugin_uri
+Usage:
+  trivy plugin [command]
 
-COMMANDS:
-   install, i    install a plugin
-   uninstall, u  uninstall a plugin
-   list, l       list installed plugin
-   info          information about a plugin
-   run, r        run a plugin on the fly
-   update        update an existing plugin
-   help, h       Shows a list of commands or help for one command
+Aliases:
+  plugin, p
 
-OPTIONS:
-   --help, -h  show help (default: false)
+Available Commands:
+  info        Show information about the specified plugin
+  install     Install a plugin
+  list        List installed plugin
+  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
+  update      Update an existing plugin
+
+Flags:
+  -h, --help   help for plugin
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
 ```

docs/docs/references/cli/repo.md

@@ -1,38 +1,87 @@
 # Repository
 
 ```bash
-NAME:
-   trivy repository - scan remote repository
+Scan a remote repository
 
-USAGE:
-   trivy repository [command options] repo_url
+Usage:
+  trivy repository [flags] REPO_URL
 
-OPTIONS:
-   --template value, -t value       output template [$TRIVY_TEMPLATE]
-   --format value, -f value         format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value          input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value       severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value         output file name [$TRIVY_OUTPUT]
-   --exit-code value                Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update             skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --clear-cache, -c                clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                 display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value                comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value          comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value               specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                  timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                    suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --quiet, -q                      suppress progress bar and log output (default: false) [$TRIVY_QUIET]
-   --ignore-policy value            specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                   do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value               specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --help, -h                       show help (default: false)
+Aliases:
+  repository, repo
+
+Examples:
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Repository Flags
+      --branch string   pass the branch name to be scanned
+      --commit string   pass the commit hash to be scanned
+      --tag string      pass the tag name to be scanned
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/rootfs.md

@@ -1,36 +1,94 @@
 # Rootfs
 
 ```bash
-NAME:
-   trivy rootfs - scan rootfs
+Scan rootfs
 
-USAGE:
-   trivy rootfs [command options] dir
+Usage:
+  trivy rootfs [flags] ROOTDIR
 
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --help, -h                                     show help (default: false)
+Examples:
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+
+Scan Flags
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --security-checks strings   comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--security-checks config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/sbom.md

@@ -1,27 +1,70 @@
 # SBOM
 
 ```bash
-NAME:
-   trivy sbom - generate SBOM for an artifact
+Scan SBOM for vulnerabilities
 
-USAGE:
-   trivy sbom [command options] ARTIFACT
+Usage:
+  trivy sbom [flags] SBOM_PATH
 
-DESCRIPTION:
-   ARTIFACT can be a container image, file path/directory, git repository or container image archive. See examples.
+Examples:
+  # Scan CycloneDX and show the result in tables
+  $ trivy sbom /path/to/report.cdx
 
-OPTIONS:
-   --output value, -o value             output file name [$TRIVY_OUTPUT]
-   --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --offline-scan                       do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --insecure                           allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --skip-files value                   specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                    specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
-   --sbom-format value, --format value  SBOM format (cyclonedx, spdx, spdx-json) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
-   --help, -h                           show help (default: false)
+  # Scan CycloneDX and generate a CycloneDX report
+  $ trivy sbom --format cyclonedx /path/to/report.cdx
+
+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal
+
+Report Flags
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/cli/server.md

@@ -1,22 +1,49 @@
 # Server
 
 ```bash
-NAME:
-   trivy server - server mode
+Server mode
 
-USAGE:
-   trivy server [command options] [arguments...]
+Usage:
+  trivy server [flags]
 
-OPTIONS:
-   --skip-db-update, --skip-update  skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --download-db-only               download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
-   --insecure                       allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --reset                          remove all caches and database (default: false) [$TRIVY_RESET]
-   --cache-backend value            cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --db-repository value            OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --token value                    for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value             specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --listen value                   listen address (default: "localhost:4954") [$TRIVY_LISTEN]
-   --help, -h                       show help (default: false)
+Aliases:
+  server, s
+
+Examples:
+  # Run a server
+  $ trivy server
+
+  # Listen on 0.0.0.0:10000
+  $ trivy server --listen 0.0.0.0:10000
+
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Client/Server Flags
+      --listen string         listen address in server mode (default "localhost:4954")
+      --token string          for authentication in client/server mode
+      --token-header string   specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```

docs/docs/references/customization/config-file.md

@@ -0,0 +1,340 @@
+# Config file
+
+Trivy can be customized by tweaking a `trivy.yaml` file. The config path can be overridden by the `--config` flag.
+
+An example is [here][example].
+
+## Global Options
+
+```yaml
+# Same as '--quiet'
+# Default is false
+quiet: false
+
+# Same as '--debug'
+# Default is false
+debug: false
+
+# Same as '--insecure'
+# Default is false
+insecure: false
+
+# Same as '--timeout'
+# Default is '5m'
+timeout: 10m
+
+# Same as '--cache-dir'
+# Default is your system cache dir
+cache-dir: $HOME/.cache/trivy
+```
+
+## Report Options
+
+```yaml
+# Same as '--format'
+# Default is 'table'
+format: table
+
+# Same as '--report' (available with 'trivy k8s')
+# Default is all
+report: all
+
+# Same as '--template'
+# Default is empty
+template: 
+
+# Same as '--dependency-tree'
+# Default is false
+dependency-tree: false
+
+# Same as '--list-all-pkgs'
+# Default is false
+list-all-pkgs: false
+
+# Same as '--ignorefile'
+# Default is '.trivyignore'
+ignorefile: .trivyignore
+
+# Same as '--ignore-policy'
+# Default is empty
+ignore-policy:
+
+# Same as '--exit-code'
+# Default is 0
+exit-code: 0
+
+# Same as '--output'
+# Default is empty (stdout)
+output:
+
+# Same as '--severity'
+# Default is all severities
+severity:
+  - UNKNOWN
+  - LOW
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+```
+
+## Scan Options
+Available in client/server mode
+
+```yaml
+scan:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+
+  # Same as '--skip-dirs'
+  # Default is empty
+  skip-dirs:
+    - usr/local/
+    - etc/
+  
+  # Same as '--skip-files'
+  # Default is empty
+  skip-files:
+    - package-dev.json
+  
+  # Same as '--offline-scan'
+  # Default is false
+  offline-scan: false
+  
+  # Same as '--security-checks'
+  # Default depends on subcommand
+  security-checks:
+    - vuln
+    - config
+    - secret
+```
+
+## Cache Options
+
+```yaml
+cache:
+  # Same as '--cache-backend'
+  # Default is 'fs' 
+  backend: 'fs'
+  
+  # Same as '--cache-ttl'
+  # Default is 0 (no ttl) 
+  ttl: 0
+  
+  # Redis options
+  redis:
+    # Same as '--redis-ca'
+    # Default is empty
+    ca:
+    
+    # Same as '--redis-cert'
+    # Default is empty
+    cert:
+    
+    # Same as '--redis-key'
+    # Default is empty
+    key:
+```
+
+## DB Options
+
+```yaml
+db:
+  # Same as '--skip-db-update'
+  # Default is false
+  skip-update: false
+  
+  # Same as '--no-progress'
+  # Default is false
+  no-progress: false
+  
+  # Same as '--db-repository'
+  # Default is 'github.com/aquasecurity-trivy-repo'
+  repository: github.com/aquasecurity-trivy-repo
+```
+
+## Image Options
+Available with container image scanning
+
+```yaml
+image:
+  # Same as '--input' (available with 'trivy image')
+  # Default is empty
+  input:
+  
+  # Same as '--removed-pkgs'
+  # Default is false
+  removed-pkgs: false
+```
+
+## Vulnerability Options
+Available with vulnerability scanning
+
+```yaml
+vulnerability:
+  # Same as '--vuln-type'
+  # Default is 'os,library'
+  type:
+    - os
+    - library
+  
+  # Same as '--ignore-unfixed'
+  # Default is false
+  ignore-unfixed: false
+```
+
+## Secret Options
+Available with secret scanning
+
+```yaml
+secret:
+  # Same as '--secret-config'
+  # Default is 'trivy-secret.yaml'
+  config: config/trivy/secret.yaml
+```
+
+
+## Misconfiguration Options
+Available with misconfiguration scanning
+
+```yaml
+misconfiguration:
+  # Same as '--include-non-failures'
+  # Default is false
+  include-non-failures: false
+  
+  # Same as '--trace'
+  # Default is false
+  trace: false
+  
+  # Same as '--config-policy'
+  # Default is empty
+  policy:
+    - policy/repository
+    - policy/custom
+    
+  # Same as '--config-data'
+  # Default is empty
+  data:
+    - data/
+    
+  # Same as '--policy-namespaces'
+  # Default is empty
+  namespaces:
+    - opa.examples
+    - users
+
+  # helm value override configurations
+  # set individual values
+  helm:
+    set:
+      - securityContext.runAsUser=10001
+
+  # set values with file
+  helm:
+    values:
+      - overrides.yaml
+
+  # set specific values from specific files
+  helm:
+    set-file:
+      - image=dev-overrides.yaml
+
+  # set as string and preserve type
+  helm:
+    set-string:
+      - name=true
+
+  # terraform tfvars overrrides
+  terraform:
+    vars:
+      - dev-terraform.tfvars
+      - common-terraform.tfvars
+```
+
+## Kubernetes Options
+Available with Kubernetes scanning
+
+```yaml
+kubernetes:
+  # Same as '--context'
+  # Default is empty
+  context:
+  
+  # Same as '--namespace'
+  # Default is empty
+  namespace:
+```
+
+## Repository Options
+Available with git repository scanning (`trivy repo`) 
+
+```yaml
+repository:
+  # Same as '--branch'
+  # Default is empty
+  branch:
+  
+  # Same as '--commit'
+  # Default is empty
+  commit:
+  
+  # Same as '--tag'
+  # Default is empty
+  tag:
+```
+
+## Client/Server Options
+Available in client/server mode
+
+```yaml
+server:
+  # Same as '--server' (available in client mode)
+  # Default is empty
+  addr: http://localhost:4954
+  
+  # Same as '--token'
+  # Default is empty
+  token: "something-secret"
+  
+  # Same as '--token-header'
+  # Default is 'Trivy-Token'
+  token-header: 'My-Token-Header'
+  
+  # Same as '--custom-headers'
+  # Default is empty
+  custom-headers:
+    - scanner: trivy
+    - x-api-token: xxx
+    
+  # Same as '--listen' (available in server mode)
+  # Default is 'localhost:4954'
+  listen: 0.0.0.0:10000
+```
+
+## Cloud Options
+
+Available for cloud scanning (currently only `trivy aws`)
+
+```yaml
+cloud:
+  # whether to force a cache update for every scan
+  update-cache: false
+  
+  # how old cached results can be before being invalidated
+  max-cache-age: 24h
+  
+  # aws-specific cloud settings
+  aws:
+    # the aws region to use
+    region: us-east-1
+    
+    # the aws endpoint to use (not required for general use)
+    endpoint: https://my.custom.aws.endpoint
+    
+    # the aws account to use (this will be determined from your environment when not set)
+    account: 123456789012
+```
+
+[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

docs/docs/references/customization/envs.md

@@ -0,0 +1,17 @@
+# Environment variables
+
+Trivy can be customized by environment variables.
+The environment variable key is the flag name converted by the following procedure.
+
+- Add `TRIVY_` prefix
+- Make it all uppercase
+- Replace `-` with `_`
+
+For example, 
+
+- `--debug` => `TRIVY_DEBUG`
+- `--cache-dir` => `TRIVY_CACHE_DIR`
+
+```
+$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
+```

docs/docs/references/modes/client-server.md

@@ -175,6 +175,30 @@ Total: 24 (CRITICAL: 24)
 +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
 </details>
 
+## Remote scan of root filesystem
+Also, there is a way to scan root file system:
+```shell
+$ trivy rootfs --server http://localhost:8080 --severity CRITICAL /tmp/rootfs
+```
+**Note**: It's important to specify the protocol (http or https).
+<details>
+<summary>Result</summary>
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+</details>
+
+
+
 ## Authentication
 
 ```

docs/docs/references/troubleshooting.md

@@ -106,7 +106,32 @@ If trivy is running behind corporate firewall, you have to add the following url
 !!! error
     --skip-update cannot be specified with the old DB schema.
 
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][../advanced/air-gap.md].
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+
+### Multiple Trivy servers
+
+!!! error
+    ```
+    $ trivy image --server http://xxx.com:xxxx test-image
+    ...
+    - twirp error internal: failed scan, test-image: failed to apply layers: layer cache missing: sha256:*****
+    ```
+To run multiple Trivy servers, you need to use Redis as the cache backend so that those servers can share the cache. 
+Follow [this instruction][redis-cache] to do so.
+
+
+### Problems with `/tmp` on remote Git repository scans
+
+!!! error
+    FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
+
+Trivy clones remote Git repositories under the `/tmp` directory before scanning them. If `/tmp` doesn't work for you, you can change it by setting the `TMPDIR` environment variable.
+
+Try:
+
+```
+$ TMPDIR=/my/custom/path trivy repo ...
+```
 
 ## Homebrew
 ### Scope error
@@ -157,4 +182,5 @@ Try again with `--reset` option:
 $ trivy image --reset
 ```
 
-[air-gapped]: ../how-to-guides/air-gap.md
+[air-gapped]: ../advanced/air-gap.md
+[redis-cache]: ../../vulnerability/examples/cache/#cache-backend

docs/docs/sbom/cyclonedx.md

@@ -1,12 +1,21 @@
 # CycloneDX
 
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+## Generating
+Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.
 
 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
 
+CycloneDX can represent either or both SBOM or BOV.
+
+- [Software Bill of Materials (SBOM)][sbom]
+- [Bill of Vulnerabilities (BOV)][bov]
+
+By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
+
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```
 
 <details>
@@ -230,4 +239,41 @@ $ cat result.json | jq .
 
 </details>
 
+If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+
+```
+$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+```
+
+## Scanning
+Trivy can take CycloneDX as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
+
+cyclonedx.json (alpine 3.7.1)
+=========================
+Total: 3 (CRITICAL: 3)
+
+┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
+├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
+│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
+└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+!!! note
+    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV][bov].
+
 [cyclonedx]: https://cyclonedx.org/
+[sbom]: https://cyclonedx.org/capabilities/sbom/
+[bov]: https://cyclonedx.org/capabilities/bov/

docs/docs/sbom/index.md

@@ -1,6 +1,7 @@
 # SBOM
 
-Trivy currently supports the following SBOM formats.
+## Generating
+Trivy can generate the following SBOM formats.
 
 - [CycloneDX][cyclonedx]
 - [SPDX][spdx]
@@ -8,13 +9,12 @@ Trivy currently supports the following SBOM formats.
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
 
 ```
-$ trivy image --format cyclonedx --output result.json alpine:3.15
+$ trivy image --format spdx-json --output result.json alpine:3.15
 ```
 
-In addition, you can use the `trivy sbom` subcommand.
 
 ```
-$ trivy sbom alpine:3.15
+$ trivy fs --format cyclonedx --output result.json /app/myproject
 ```
 
 <details>
@@ -177,18 +177,56 @@ $ trivy sbom alpine:3.15
 
 </details>
 
-`fs`, `repo` and `archive` also work with `sbom` subcommand.
+## Scanning
+Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.
 
+- CycloneDX
+- SPDX
+- SPDX JSON
+- CycloneDX-type attestation
+
+To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
 ```
-# filesystem
-$ trivy sbom --artifact-type fs /path/to/project
 
-# repository
-$ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
+See [here][cyclonedx] for the detail.
 
-# container image archive
-$ trivy sbom --artifact-type archive alpine.tar
+!!! note
+    CycloneDX XML is not supported at the moment.
+
+```bash
+$ trivy sbom /path/to/spdx.json
+```
+
+See [here][spdx] for the detail.
+
+
+You can also scan an SBOM attestation.
+In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
 
 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md
+[Cosign]: https://github.com/sigstore/cosign
+[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair

docs/docs/sbom/spdx.md

@@ -1,6 +1,7 @@
 # SPDX
 
-Trivy generates reports in the [SPDX][spdx] format.
+## Generating
+Trivy can generate SBOM in the [SPDX][spdx] format.
 
 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.
 
@@ -294,4 +295,50 @@ $ cat result.spdx.json | jq .
 
 </details>
 
+## Scanning
+Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
+The input format is automatically detected.
+
+The following formats are supported:
+
+- Tag-value (`--format spdx`)
+- JSON (`--format spdx-json`)
+
+```bash
+$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
+$ trivy sbom spdx.json
+2022-09-15T21:32:27.168+0300    INFO    Vulnerability scanning is enabled
+2022-09-15T21:32:27.169+0300    INFO    Detected SBOM format: spdx-json
+2022-09-15T21:32:27.210+0300    INFO    Detected OS: alpine
+2022-09-15T21:32:27.210+0300    INFO    Detecting Alpine vulnerabilities...
+2022-09-15T21:32:27.211+0300    INFO    Number of language-specific files: 0
+
+spdx.json (alpine 3.16.0)
+=========================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
+
+┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ busybox      │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes               │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                  │
+├──────────────┤                │          │                   │               │                                                            │
+│ libssl1.1    │                │          │                   │               │                                                            │
+│              │                │          │                   │               │                                                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ ssl_client   │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in  │
+│              │                │          │                   │               │ inflate in inflate.c...                                    │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                 │
+└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf

docs/docs/secret/configuration.md

@@ -137,6 +137,6 @@ disable-allow-rules:
 ```
 
 
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [examples]: ./examples.md

docs/docs/secret/scanning.md

@@ -116,8 +116,8 @@ $ trivy image --security-checks vuln alpine:3.15
 ## Credit
 This feature is inspired by [gitleaks][gitleaks]. 
 
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin-allow]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [configuration]: ./configuration.md
 [allow-rules]: ./configuration.md#allow-rules
 [enable-rules]: ./configuration.md#enable-rules

docs/docs/vulnerability/detection/data-source.md

@@ -1,11 +1,10 @@
 # OS
 
 | OS                 | Source                                      |
-| ---------------| ---------------------------------------- |
+|--------------------|---------------------------------------------|
 | Arch Linux         | [Vulnerable Issues][arch]                   |
 | Alpine Linux       | [secdb][alpine]                             |
-| Amazon Linux 1 | [Amazon Linux Security Center][amazon1]  |
-| Amazon Linux 2 | [Amazon Linux Security Center][amazon2]  |
+| Amazon Linux       | [Amazon Linux Security Center][amazon]      |
 | Debian             | [Security Bug Tracker][debian-tracker]      |
 |                    | [OVAL][debian-oval]                         |
 | Ubuntu             | [Ubuntu CVE Tracker][ubuntu]                |
@@ -21,7 +20,7 @@
 # Programming Language
 
 | Language | Source                                              | Commercial Use  | Delay[^1]|
-| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
+|----------|-----------------------------------------------------|:---------------:|:--------:|
 | PHP      | [PHP Security Advisories Database][php]             | ✅              | -        |
 |          | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
 | Python   | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
@@ -36,6 +35,7 @@
 |          | [The Go Vulnerability Database][go]                 | ✅              | -        |
 | Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| C/C++    | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -57,8 +57,7 @@ The severity is from the selected data source. If the data source does not provi
 
 [arch]: https://security.archlinux.org/
 [alpine]: https://secdb.alpinelinux.org/
-[amazon1]: https://alas.aws.amazon.com/
-[amazon2]: https://alas.aws.amazon.com/alas2.html
+[amazon]: https://alas.aws.amazon.com/
 [debian-tracker]: https://security-tracker.debian.org/tracker/
 [debian-oval]: https://www.debian.org/security/oval/
 [ubuntu]: https://ubuntu.com/security/cve

docs/docs/vulnerability/detection/language.md

@@ -3,7 +3,7 @@
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
 | Language | File                                                                                       | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
+| -------- |--------------------------------------------------------------------------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
 | Ruby     | Gemfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | included         |
 |          | gemspec                                                                                    |     ✅     |     ✅      |        -        |        -        | included         |
 | Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |
@@ -14,14 +14,19 @@
 | PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
 | Node.js  | package-lock.json                                                                          |     -     |     -      |        ✅        |        ✅        | excluded         |
 |          | yarn.lock                                                                                  |     -     |     -      |        ✅        |        ✅        | included         |
+|          | pnpm-lock.yaml                                                                             |     -     |     -      |        ✅        |        ✅        | excluded         |
 |          | package.json                                                                               |     ✅     |     ✅      |        -        |        -        | excluded         |
 | .NET     | packages.lock.json                                                                         |     ✅     |     ✅      |        ✅        |        ✅        | included         |
 |          | packages.config                                                                            |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+|          | .deps.json                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
 | Java     | JAR/WAR/PAR/EAR[^3][^4]                                                                    |     ✅     |     ✅      |        -        |        -        | included         |
 |          | pom.xml[^5]                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | *gradle.lockfile                                                                           |     -     |     -      |        ✅        |        ✅        | excluded         |
 | Go       | Binaries built by Go[^6]                                                                   |     ✅     |     ✅      |        -        |        -        | excluded         |
 |          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |
 | Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   
+| C/C++    | conan.lock[^12]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |
 
 The path of these files does not matter.
 
@@ -38,3 +43,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^12]: To scan a filename other than the default filename(`conan.lock`) use [file-patterns](../examples/others.md#file-patterns)

docs/docs/vulnerability/detection/os.md

@@ -12,7 +12,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Rocky Linux                      | 8                                         | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                                | Installed by yum/rpm          |                  NO                  |
 | CBL-Mariner                      | 1.0, 2.0                                  | Installed by yum/rpm          |                 YES                  |
-| Amazon Linux                     | 1, 2                                      | Installed by yum/rpm          |                  NO                  |
+| Amazon Linux                     | 1, 2, 2022                                | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                    | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                                | Installed by zypper/rpm       |                  NO                  |
 | Photon OS                        | 1.0, 2.0, 3.0, 4.0                        | Installed by tdnf/yum/rpm     |                  NO                  |

docs/docs/vulnerability/distributions.md

@@ -6,20 +6,49 @@ The following table provides an outline of the features Trivy offers.
 
 | Version | Container image | Virtual machine | Distroless |  Multi-arch  | Unfixed support |
 |---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
-| 1.0     |        ✔        |        ✔        |            | amd64, arm64 |        ✔        |
+| 1.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
 | 2.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
 
 ### Examples
 
+=== "image"
     ```
-$ trivy image cblmariner.azurecr.io/base/core:1.0
-2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
-2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
-2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0
+    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
+    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
+    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
     
-cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
-==============================================================
-Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 
+    mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```
+
+=== "fs"
+    ```
+    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 
+    
+    root [ / ]# tdnf -y install ca-certificates
+    ...
+
+    root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
+    ...
+    
+    root [ / ]# trivy fs /
+    2022-07-27T09:30:06.815Z	INFO	Need to update DB
+    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
+    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
+    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
+    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
+    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
+    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
+    
+    40ba9a55397c (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
     ```
 
 ### Data source

docs/docs/vulnerability/examples/others.md

@@ -16,6 +16,64 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```
 
+## Scan Image on a specific Architecture and OS
+
+By default, Trivy loads an image on a "linux/amd64" machine.
+To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
+
+```
+$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
+```
+
+For example:
+
+```
+$ trivy image --platform=linux/arm alpine:3.16.1
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-10-25T21:00:50.972+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    Secret scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-10-25T21:00:50.972+0300    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-10-25T21:00:56.190+0300    INFO    Detected OS: alpine
+2022-10-25T21:00:56.190+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T21:00:56.191+0300    INFO    Number of language-specific files: 0
+
+alpine:3.16.1 (alpine 3.16.1)
+=============================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
+┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ zlib    │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
+│         │                │          │                   │               │ in inflate.c via a...                                       │
+│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
+└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+
+</details>
+
+## File patterns
+When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
+The default file patterns are [here](../../misconfiguration/custom/index.md).
+
+In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
+For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
+
+This can be repeated for specifying multiple file patterns.
+
+A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
+```
+--file-patterns "dockerfile:.*.docker" --file-patterns "yaml:deployment" --file-patterns "pip:requirements-.*\.txt"
+```
+
+For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
+
 ## Exit Code
 By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
 Use the `--exit-code` option if you want to exit with a non-zero exit code.

docs/docs/vulnerability/examples/report.md

@@ -15,7 +15,10 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is available with the `--format table` flag only.
+This flag is only available with the `--format table` flag.
+
+!!! note
+    Only Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.
 
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,36 +63,6 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain
 
 Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.
 
-!!! note
-    Only Node.js (package-lock.json) is supported at the moment.
-
-## JSON
-Similar structure is included in JSON output format
-```json
-          "VulnerabilityID": "CVE-2022-0235",
-          "PkgID": "node-fetch@1.7.3",
-          "PkgName": "node-fetch",
-          "PkgParents": [
-            {
-              "ID": "isomorphic-fetch@2.2.1",
-              "Parents": [
-                {
-                  "ID": "fbjs@0.8.18",
-                  "Parents": [
-                    {
-                      "ID": "styled-components@3.1.3"
-                    }
-                  ]
-                }
-              ]
-            }
-          ],
-
-```
-
-!!! caution
-As of May 2022 the feature is supported for `npm` dependency parser only
-
 ## JSON
 
 ```
@@ -300,9 +273,9 @@ The following example shows use of default HTML template when Trivy is installed
 $ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
 ```
 
-
+[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/

docs/docs/vulnerability/scanning/git-repository.md

@@ -147,6 +147,30 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 
 </details>
 
+## Scanning a Branch
+
+Pass a `--branch` agrument with a valid branch name on the remote repository provided:
+
+```
+$ trivy repo --branch <branch-name> <repo-name>
+```
+
+## Scanning upto a Commit
+
+Pass a `--commit` agrument with a valid commit hash on the remote repository provided:
+
+```
+$ trivy repo --commit <commit-hash> <repo-name>
+```
+
+## Scanning a Tag
+
+Pass a `--tag` agrument with a valid tag on the remote repository provided:
+
+```
+$ trivy repo --tag <tag-name> <repo-name>
+```
+
 ## Scanning Private Repositories
 
 In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.

docs/docs/vulnerability/scanning/image.md

@@ -88,4 +88,3 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
-

docs/docs/vulnerability/scanning/rootfs.md

@@ -6,7 +6,8 @@ Scan a root filesystem (such as a host machine, a virtual machine image, or an u
 $ trivy rootfs /path/to/rootfs
 ```
 
-## From Inside Containers
+## Standalone mode
+### From Inside Containers
 Scan your container from inside the container.
 
 ```bash
@@ -60,6 +61,40 @@ Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
 
 </details>
 
+## Client/Server mode
+You must launch Trivy server in advance.
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy rootfs --server http://localhost:4954 --severity CRITICAL /tmp/rootfs
+```
+
+<details>
+<summary>Result</summary>
+
+```
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+```
+</details>
+
+
+
 ## Other Examples
 - [Embed in Dockerfile][embedding]
 - [Unpacked container image filesystem][unpacked]

docs/ecosystem/tools.md

@@ -0,0 +1,93 @@
+#  Tools
+This section includes several tools either added by the core maintainers from Aqua Security or the open source community.
+
+## Official Trivy Tools
+
+### GitHub Actions
+
+| Actions                      | Description                                                    |
+| ---------------------------- | -------------------------------------------------------------- |
+| [trivy-action][trivy-action] | GitHub Actions for integrating Trivy into your GitHub pipeline |
+
+### VSCode Extension
+
+| Orb                | Description                 |
+| ------------------ | --------------------------- |
+| [vs-code][vs-code] | VS Code extension for trivy |
+
+
+### Vim Plugin
+
+| Orb                    | Description          |
+| ---------------------- | -------------------- |
+| [vim-trivy][vim-trivy] | Vim plugin for trivy |
+
+
+### Docker Desktop Extension
+
+| Orb                              | Description                                                                                           |
+| ---------------------------------| ----------------------------------------------------------------------------------------------------- |
+| [docker-desktop][docker-desktop] | Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs |
+
+
+### Azure DevOps Pipelines Task
+
+| Orb                          | Description                                                     |
+| ---------------------------- | --------------------------------------------------------------- |
+| [azure-devops][azure-devops] | An Azure DevOps Pipelines Task for Trivy, with an integrated UI |
+
+
+### Trivy Kubernetes Operator
+
+| Orb                              | Description                              |
+| ---------------------------------| ---------------------------------------- |
+| [trivy-operator][trivy-operator] | Kubernetes Operator for installing Trivy |
+
+
+### Kubernetes Lens Extension
+
+| Orb                          | Description                         |
+| ---------------------------- | ----------------------------------- |
+| [lens-extension][trivy-lens] | Trivy Extension for Kubernetes Lens |
+
+## Community Tools
+
+### GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+### Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+### CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+
+### Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[trivy-action]: https://github.com/aquasecurity/trivy-action
+[vs-code]: https://github.com/aquasecurity/trivy-vscode-extension
+[vim-trivy]: https://github.com/aquasecurity/vim-trivy
+[docker-desktop]: https://github.com/aquasecurity/trivy-docker-extension
+[azure-devops]: https://github.com/aquasecurity/trivy-azure-pipelines-task
+[trivy-operator]: https://github.com/aquasecurity/trivy-operator
+[trivy-lens]: https://github.com/aquasecurity/trivy-operator-lens-extension

docs/getting-started/further.md

@@ -1,32 +0,0 @@
-# Further Reading
-
-## Presentations
-- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
-- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
-- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-  
-## Blogs
-- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
-- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
-- [DevSecOps with Trivy and GitHub Actions][actions]
-- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
-- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

docs/getting-started/installation.md

@@ -1,4 +1,4 @@
-# Installation
+# CLI Installation
 
 ## RHEL/CentOS
 
@@ -31,8 +31,8 @@
 
     ``` bash
     sudo apt-get install wget apt-transport-https gnupg lsb-release
-    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
     sudo apt-get update
     sudo apt-get install trivy
     ```
@@ -46,18 +46,10 @@
 
 ## Arch Linux
 
-Package trivy-bin can be installed from the Arch User Repository.
-
-=== "pikaur"
+Package trivy can be installed from the Arch Community Package Manager.
 
 ```bash
-    pikaur -Sy trivy-bin
-    ```
-
-=== "yay"
-
-    ``` bash
-    yay -Sy trivy-bin
+pacman -S trivy
 ```
 
 ## Homebrew
@@ -68,6 +60,16 @@ You can use homebrew on macOS and Linux.
 brew install aquasecurity/trivy/trivy
 ```
 
+## MacPorts
+
+You can also install `trivy` via [MacPorts](https://www.macports.org) on macOS:
+
+```bash
+sudo port install trivy
+```
+
+More info [here](https://ports.macports.org/port/trivy/).
+
 ## Nix/NixOS
 
 Direct issues installing `trivy` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)
@@ -144,14 +146,14 @@ Example:
 === "macOS"
 
     ``` bash
-    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME
+    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
     ```
 
 If you would like to scan the image on your host machine, you need to mount `docker.sock`.
 
 ```bash
 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
+    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
 ```
 
 Please re-pull latest `aquasec/trivy` if an error occurred.
@@ -193,28 +195,6 @@ The same image is hosted on [Amazon ECR Public][ecr] as well.
 docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }}
 ```
 
-## Helm
-
-### Installing from the Aqua Chart Repository
-
-```
-helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
-helm repo update
-helm search repo trivy
-helm install my-trivy aquasecurity/trivy
-```
-
-### Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```
-helm install my-release .
-```
-
-The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm]
-section lists the parameters that can be configured during installation.
-
 ### AWS private registry permissions
 
 You may need to grant permissions to allow trivy to pull images from private registry (AWS ECR).
@@ -248,6 +228,37 @@ podAnnotations: {}
 
 > **Tip**: List all releases using `helm list`.
 
+## Other Tools to use and deploy Trivy
+
+For additional tools and ways to install and use Trivy in different envrionments such as in Docker Desktop and Kubernetes clusters, see the links in the [Ecosystem section](../ecosystem/tools.md).
+
+
 [ecr]: https://gallery.ecr.aws/aquasecurity/trivy
 [registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy
 [helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy
+[slack]: https://slack.aquasec.com
+[operator-docs]: https://aquasecurity.github.io/trivy-operator/latest/
+
+[vuln]: ./docs/vulnerability/scanning/index.md
+[misconf]: ./docs/misconfiguration/scanning.md
+[kubernetesoperator]: ./docs/kubernetes/operator/index.md
+[container]: ./docs/vulnerability/scanning/image.md
+[rootfs]: ./docs/vulnerability/scanning/rootfs.md
+[filesystem]: ./docs/vulnerability/scanning/filesystem.md
+[repo]: ./docs/vulnerability/scanning/git-repository.md
+[kubernetes]: ./docs/kubernetes/cli/scanning.md
+
+[standalone]: ./docs/references/modes/standalone.md
+[client-server]: ./docs/references/modes/client-server.md
+[integrations]: ./tutorials/integrations/index.md
+
+[os]: ./docs/vulnerability/detection/os.md
+[lang]: ./docs/vulnerability/detection/language.md
+[builtin]: ./docs/misconfiguration/policy/builtin.md
+[quickstart]: ./getting-started/quickstart.md
+[podman]: ./docs/advanced/container/podman.md
+
+[sbom]: ./docs/sbom/index.md
+
+[oci]: https://github.com/opencontainers/image-spec
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/getting-started/overview.md

@@ -1,44 +0,0 @@
-# Overview
-
-Trivy detects three types of security issues:
-
-- [Vulnerabilities][vuln]
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
-- [Misconfigurations][misconf]
-    - Kubernetes
-    - Docker
-    - Terraform
-    - CloudFormation
-    - more coming soon
-- [Secrets][secret]
-    - AWS access key
-    - GCP service account
-    - GitHub personal access token
-    - etc.
-
-Trivy can scan three different artifacts:
-
-- [Container Images][container]
-- [Filesystem][filesystem]
-- [Git Repositories][repo]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
-
-[vuln]: ../docs/vulnerability/scanning/index.md
-[os]: ../docs/vulnerability/detection/os.md
-[lang]: ../docs/vulnerability/detection/language.md
-
-[misconf]: ../docs/misconfiguration/scanning.md
-
-[secret]: ../docs/secret/scanning.md
-
-[container]: ../docs/vulnerability/scanning/image.md
-[rootfs]: ../docs/vulnerability/scanning/rootfs.md
-[filesystem]: ../docs/vulnerability/scanning/filesystem.md
-[repo]: ../docs/vulnerability/scanning/git-repository.md
-
-[integrations]: ../docs/integrations/index.md
-
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/getting-started/quickstart.md

@@ -1,5 +1,9 @@
 # Quick Start
 
+## Prerequisites
+
+- Make sure to have the Trivy [CLI installed][installation]
+
 ## Scan image for vulnerabilities and secrets
 
 Simply specify an image name (and a tag).
@@ -47,7 +51,7 @@ For more details, see [vulnerability][vulnerability] and [secret][secret] pages.
 
 ## Scan directory for misconfigurations
 
-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm and Dockerfile.
 
 ```
 $ trivy config [YOUR_IAC_DIR]
@@ -80,6 +84,7 @@ See https://avd.aquasec.com/misconfig/ds001
 
 For more details, see [here][misconf].
 
+[installation]: ./installation.md
 [vulnerability]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [secret]: ../docs/secret/scanning.md

docs/index.md

@@ -1,34 +1,46 @@
 ---
 hide:
-- navigation
 - toc
 ---
 
-![logo](imgs/logo.png){ align=left }
+![logo](imgs/logo.png){ align=right }
 
-`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive [vulnerability][vulnerability]/[misconfiguration][misconf]/[secret][secret] scanner for containers and other artifacts.
-`Trivy` detects vulnerabilities of [OS packages][os] (Alpine, RHEL, CentOS, etc.) and [language-specific packages][lang] (Bundler, Composer, npm, yarn, etc.).
-In addition, `Trivy` scans [Infrastructure as Code (IaC) files][misconf] such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
-`Trivy` also scans [hardcoded secrets][secret] like passwords, API keys and tokens.
-`Trivy` is easy to use. Just install the binary and you're ready to scan.
-All you need to do for scanning is to specify a target such as an image name of the container.
+Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
 
-<div style="text-align: center">
-    <img src="imgs/overview.png" width="800">
-</div>
+Trivy has different scanners that look for different security issues, and different targets where it can find those issues.
 
+Targets:
 
-<div style="text-align: center; margin-top: 150px">
-    <h1 id="demo">Demo</h1>
-</div>
+- Container Image
+- Filesystem
+- Git repository (remote)
+- Kubernetes cluster or resource
+
+Scanners:
+
+- OS packages and software dependencies in use (SBOM)
+- Known vulnerabilities (CVEs)
+- IaC misconfigurations
+- Sensitive information and secrets
+
+It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
+See [Integrations][integrations] for details.
+
+Much more scanners and targets are coming up. [Join the Slack][slack] channel to stay up to date, ask questions, and let us know what features you would like to see.
+
+Please see [LICENSE][license] for Trivy licensing information.
 
 <figure style="text-align: center">
-  <img src="imgs/vuln-demo.gif" width="1000">
+  <video width="1000" autoplay muted controls loop>
+    <source src="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" type="video/mp4" />
+  </video>
   <figcaption>Demo: Vulnerability Detection</figcaption>
 </figure>
 
 <figure style="text-align: center">
-  <img src="imgs/misconf-demo.gif" width="1000">
+  <video width="1000" autoplay muted controls loop>
+    <source src="https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov" type="video/mp4" />
+  </video>
   <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>
 
@@ -37,18 +49,6 @@ All you need to do for scanning is to specify a target such as an image name of
   <figcaption>Demo: Secret Detection</figcaption>
 </figure>
 
----
-
-Trivy is an [Aqua Security][aquasec] open source project.  
-Learn about our open source work and portfolio [here][oss].  
-Contact us about any matter by opening a GitHub Discussion [here][discussions]
-
-[vulnerability]: docs/vulnerability/scanning/index.md
-[misconf]: docs/misconfiguration/scanning.md
-[secret]: docs/secret/scanning.md
-[os]: docs/vulnerability/detection/os.md
-[lang]: docs/vulnerability/detection/language.md
-
-[aquasec]: https://aquasec.com
-[oss]: https://www.aquasec.com/products/open-source-projects/
-[discussions]: https://github.com/aquasecurity/trivy/discussions
+[integrations]: ./tutorials/integrations/index.md
+[slack]: https://slack.aquasec.com
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/tutorials/additional-resources/cks.md

@@ -1,21 +1,26 @@
 # CKS preparation resources
 
-Community Resources
+The [Certified Kubernetes Security Specialist (CKS) Exam](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
+
+### Community Resources
 
 - [Trivy Video overview (short)][overview]
 - [Example questions from the exam][exam]
 - [More example questions][questions]
+- [CKS exam study guide](study-guide)
+- [Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy](https://youtu.be/gHz10UsEdys)
 
-Aqua Security Blog posts
+### Aqua Security Blog posts to learn more
 
 - Supply chain security best [practices][supply-chain-best-practices]
 - Supply chain [attacks][supply-chain-attacks]
-- 
+
 If you know of interesting resources, please start a PR to add those to the list.
 
 [overview]: https://youtu.be/2cjH6Zkieys
 [exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a
 [questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md
+[study-guide]: https://devopscube.com/cks-exam-guide-tips/
 
 [supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices
 [supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images

docs/tutorials/additional-resources/community.md

@@ -0,0 +1,37 @@
+# Community References
+Below is a list of additional resources from the community.
+
+## Vulnderability Scanning
+
+- [Detecting Spring4Shell with Trivy and Grype](https://youtu.be/mOfBcpJWwSs)
+
+## CI/CD Pipelines
+
+- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
+- [Continuous Container Vulnerability Testing with Trivy](https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy)
+- [Getting Started With Trivy and Jenkins](https://youtu.be/MWe01VdwuMA)
+- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
+
+## Misconfiguration Scanning
+
+- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
+- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy)
+
+## SBOM, Attestation & related
+
+- [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
+
+## Trivy Kubernetes
+
+- [Using Trivy Kubernetes in OVHCloud documentation.](https://docs.ovh.com/gb/en/kubernetes/installing-trivy/)
+
+## Comparisons
+
+- [the vulnerability remediation lifecycle of Alpine containers](https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/)
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy](https://boxboat.com/2020/04/24/image-scanning-tech-compared/)
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy](https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/)
+
+### Evaluations
+
+- [Istio evaluating to use Trivy](https://github.com/istio/release-builder/pull/687#issuecomment-874938417)
+- [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)

docs/tutorials/additional-resources/references.md

@@ -0,0 +1,38 @@
+# Additional Resources and Tutorials
+Below is a list of additional resources from Aqua Security.
+
+## Announcements
+
+- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family](https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family)
+- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license)
+
+## Vulnderability Scanning
+
+- [Using Trivy to Discover Vulnerabilities in VS Code Projects](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code)
+- [How does a vulnerability scanner identify packages?](https://youtu.be/PaMnzeHBa8M)
+- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security](https://youtu.be/WKE2XNZ2zr4)
+
+## CI/CD Pipelines
+
+- [DevSecOps with Trivy and GitHub Actions](https://blog.aquasec.com/devsecops-with-trivy-github-actions)
+- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action](https://blog.aquasec.com/github-vulnerability-scanner-trivy)
+
+## Misconfiguration Scanning
+
+- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
+
+## Client/Server
+
+- [Using Trivy in client server mode](https://youtu.be/tNQ-VlahtYM)
+ 
+## Workshops
+
+- [Trivy Live Demo & Q&A](https://youtu.be/6Vw0QgJ-k5o)
+- [First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs](https://youtu.be/nwJ0366rs6s)
+
+
+## Older Resources
+
+- [Webinar: Trivy Open Source Scanner for Container Images – Just Download and Run!](https://youtu.be/XnYxX9uueoQ)
+- [Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard](https://youtu.be/YvMY8to9aHI)
+- [Get started with Kubernetes Security and Starboard](https://youtu.be/QgctrpTpJec)