fix(flag): add error when there are no supported security checks (#2713 )

fix(vuln): continue scanning when no vuln found in the first application (#2712 )
revert: add new classes for vulnerabilities (#2701 )
2025-12-19 02:32:41 -08:00 · 2022-08-16 09:57:46 +03:00 · 2022-08-16 08:41:01 +03:00 · 2022-08-15 21:40:29 +03:00 · 2022-08-15 20:40:54 +03:00 · 2022-08-15 16:15:22 +03:00
165 changed files with 5614 additions and 719 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -7,8 +7,11 @@ helm/trivy/ @krol3
 # Misconfiguration scanning
 examples/misconf/           @owenrumney @liamg @knqyf263
 docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+docs/docs/cloud             @owenrumney @liamg @knqyf263
 pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
 pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+pkg/cloud                   @owenrumney @liamg @knqyf263
+pkg/flag                    @owenrumney @liamg @knqyf263

 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.5
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.5
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -28,7 +28,7 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2
+        uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
@@ -100,7 +100,7 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.5
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -11,7 +11,7 @@ on:
  pull_request:
 env:
  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.23.0"
+  TINYGO_VERSION: "0.24.0"
 jobs:
  test:
    name: Test
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.16.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.16.1
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM golang:1.18.3
+FROM golang:1.18.4

 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-VERSION := $(shell git describe --tags --always)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"

 GOPATH := $(shell go env GOPATH)
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -1,8 +1,14 @@
 package main

 import (
+	"context"
+	"os"
+
+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
 )

 var (
@@ -10,8 +16,26 @@ var (
 )

 func main() {
-	app := commands.NewApp(version)
-	if err := app.Execute(); err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -45,7 +45,7 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
@@ -67,5 +67,37 @@
      }
    }
    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
  {{- end }}
 ]
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                  {{-  else -}}
                    "{{ .Severity }}"
                  {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
      "solution": {{ if .FixedVersion -}}
                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                  {{- else -}}
@@ -51,7 +50,7 @@
        },
        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
        "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
      },
      "identifiers": [
        {
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:8.2.10
+FROM squidfunk/mkdocs-material:8.3.9

 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -11,13 +11,13 @@ mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.2.10
+mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
-Pygments==2.11.2
-pymdown-extensions==9.3
+Pygments==2.12.0
+pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -5,13 +5,33 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
 ## Air-Gapped Environment for vulnerabilities

 ### Download the vulnerability database
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+
+=== "oras >= v0.13.0"
    At first, you need to download the vulnerability database for use in air-gapped environments.
    Please follow [oras installation instruction][oras].

    Download `db.tar.gz`:

    ```
-$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
    ```

 ### Transfer the DB file into the air-gapped environment
@@ -43,7 +63,7 @@ $ rm /path/to/db.tar.gz

 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 

-### Run Trivy with --skip-update and --offline-scan option
+### Run Trivy with `--skip-update` and `--offline-scan` option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.

@@ -55,7 +75,7 @@ $ trivy image --skip-update --offline-scan alpine:3.12

 No special measures are required to detect misconfigurations in an air-gapped environment.

-### Run Trivy with --skip-policy-update option
+### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.

 ```
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -1,6 +1,7 @@
 # SBOM attestation

 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities

 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
@@ -8,43 +9,76 @@

 ## Sign with a local key pair

-Cosign can generate key pairs and use them for signing and verification. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
-
-In the following example, Trivy generates an SBOM in the spdx format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).

+```bash
+$ cosign generate-key-pair
 ```
-$ trivy image --format spdx -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE>
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

 Then, you can verify attestations on the image.

-```
-$ cosign verify-attestation --key /path/to/cosign.pub <IMAGE>
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
 ```

 You can also create attestations of other formatted SBOM.

-```
-# spdx-json
-$ trivy image --format spdx-json -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE>
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>

-# cyclonedx
-$ trivy image --format cyclonedx -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type https://cyclonedx.org/schema --predicate predicate <IMAGE>
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
 ```

 ## Keyless signing

 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).

-```
-$ trivy image --format spdx -o predicate <IMAGE>
-$ COSIGN_EXPERIMENTAL=1 cosign attest --type spdx --predicate predicate <IMAGE>
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

 You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
 ```
-$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
--- a/docs/docs/attestation/vuln.md
+++ b/docs/docs/attestation/vuln.md
@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
--- a/docs/docs/cloud/aws/scanning.md
+++ b/docs/docs/cloud/aws/scanning.md
@@ -0,0 +1,55 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` and `SecurityAudit` policies attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Cached Results
+
+By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)
--- a/docs/docs/integrations/gitlab-ci.md
+++ b/docs/docs/integrations/gitlab-ci.md
@@ -11,7 +11,7 @@ include:

 If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.

-Alternatively, you can always use the example configurations below. Note that the examples use [`contrib/gitlab.tpl`](https://github.com/aquasecurity/trivy/blob/main/contrib/gitlab.tpl), which does not work with GitLab 15.0 and above (for details, see [issue 1598](https://github.com/aquasecurity/trivy/issues/1598)).
+Alternatively, you can always use the example configurations below.

 ```yaml
 stages:
--- a/docs/docs/kubernetes/cli/scanning.md
+++ b/docs/docs/kubernetes/cli/scanning.md
@@ -41,6 +41,12 @@ Scan a specific namespace:
 $ trivy k8s -n kube-system --report=summary all
 ```

+Use a specific kubeconfig file:
+
+```
+$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
+```
+
 Scan a specific resource and get all the output:

 ```
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting sepecific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -2,7 +2,7 @@

 ```bash
 Usage:
-  [DEPRECATED] trivy client [flags] IMAGE_NAME
+  trivy client [flags] IMAGE_NAME

 Aliases:
  client, c
@@ -10,13 +10,13 @@ Aliases:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -34,7 +34,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -62,6 +62,7 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/cli/config.md
+++ b/docs/docs/references/cli/config.md
@@ -10,16 +10,13 @@ Aliases:
  config, conf

 Scan Flags
-      --skip-dirs string    specify the directories where the traversal is skipped
-      --skip-files string   specify the file paths to skip traversal
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int       specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignorefile string   specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string       output file name
  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string     output template
@@ -44,9 +41,9 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
-
 ```
--- a/docs/docs/references/cli/fs.md
+++ b/docs/docs/references/cli/fs.md
@@ -19,13 +19,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -42,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -63,6 +63,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -73,6 +77,7 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/cli/image.md
+++ b/docs/docs/references/cli/image.md
@@ -34,13 +34,12 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -57,7 +56,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -82,6 +81,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -92,6 +95,7 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/cli/index.md
+++ b/docs/docs/references/cli/index.md
@@ -4,6 +4,7 @@ Trivy has several sub commands, image, fs, repo, client and server.
 Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

 Usage:
+  trivy [global flags] command [flags] target
  trivy [command]

 Examples:
@@ -24,7 +25,6 @@ Available Commands:
  filesystem  Scan local filesystem
  help        Help about any command
  image       Scan a container image
-  kubectl     scan kubectl resources
  kubernetes  scan kubernetes cluster
  module      Manage modules
  plugin      Manage plugins
@@ -39,6 +39,7 @@ Flags:
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
--- a/docs/docs/references/cli/module.md
+++ b/docs/docs/references/cli/module.md
@@ -20,8 +20,11 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/plugin.md
+++ b/docs/docs/references/cli/plugin.md
@@ -10,11 +10,11 @@ Aliases:
  plugin, p

 Available Commands:
-  Uninstall   uninstall a plugin
  info        Show information about the specified plugin
  install     Install a plugin
  list        List installed plugin
  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
  update      Update an existing plugin

 Flags:
@@ -24,8 +24,11 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/repo.md
+++ b/docs/docs/references/cli/repo.md
@@ -16,13 +16,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -39,7 +39,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -60,6 +60,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -75,6 +79,7 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -19,13 +19,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -42,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -63,10 +63,15 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/cli/sbom.md
+++ b/docs/docs/references/cli/sbom.md
@@ -13,17 +13,19 @@ Examples:
  # Scan CycloneDX and generate a CycloneDX report
  $ trivy sbom --format cyclonedx /path/to/report.cdx

+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+

 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -40,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -60,6 +62,7 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/cli/server.md
+++ b/docs/docs/references/cli/server.md
@@ -26,7 +26,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -41,6 +41,7 @@ Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
--- a/docs/docs/references/customization/config-file.md
+++ b/docs/docs/references/customization/config-file.md
@@ -6,7 +6,7 @@ An example is [here][example].

 ## Global Options

-```
+```yaml
 # Same as '--quiet'
 # Default is false
 quiet: false
@@ -30,7 +30,7 @@ cache-dir: $HOME/.cache/trivy

 ## Report Options

-```
+```yaml
 # Same as '--format'
 # Default is 'table'
 format: table
@@ -80,7 +80,7 @@ severity:
 ## Scan Options
 Available in client/server mode

-```
+```yaml
 scan:
  # Same as '--skip-dirs'
  # Default is empty
@@ -107,7 +107,7 @@ scan:

 ## Cache Options

-```
+```yaml
 cache:
  # Same as '--cache-backend'
  # Default is 'fs' 
@@ -134,7 +134,7 @@ cache:

 ## DB Options

-```
+```yaml
 db:
  # Same as '--skip-db-update'
  # Default is false
@@ -152,7 +152,7 @@ db:
 ## Image Options
 Available with container image scanning

-```
+```yaml
 image:
  # Same as '--input' (available with 'trivy image')
  # Default is empty
@@ -166,7 +166,7 @@ image:
 ## Vulnerability Options
 Available with vulnerability scanning

-```
+```yaml
 vulnerability:
  # Same as '--vuln-type'
  # Default is 'os,library'
@@ -182,7 +182,7 @@ vulnerability:
 ## Secret Options
 Available with secret scanning

-```
+```yaml
 secret:
  # Same as '--secret-config'
  # Default is 'trivy-secret.yaml'
@@ -193,7 +193,7 @@ secret:
 ## Misconfiguration Options
 Available with misconfiguration scanning

-```
+```yaml
 misconfiguration:
  # Same as '--file-patterns'
  # Default is empty
@@ -224,12 +224,39 @@ misconfiguration:
  namespaces:
    - opa.examples
    - users
+
+  # helm value override configurations
+  # set individual values
+  helm:
+    set:
+      - securityContext.runAsUser=10001
+
+  # set values with file
+  helm:
+    values:
+      - overrides.yaml
+
+  # set specific values from specific files
+  helm:
+    set-file:
+      - image=dev-overrides.yaml
+
+  # set as string and preserve type
+  helm:
+    set-string:
+      - name=true
+
+  # terraform tfvars overrrides
+  terraform:
+    vars:
+      - dev-terraform.tfvars
+      - common-terraform.tfvars
 ```

 ## Kubernetes Options
 Available with Kubernetes scanning

-```
+```yaml
 kubernetes:
  # Same as '--context'
  # Default is empty
@@ -243,7 +270,7 @@ kubernetes:
 ## Repository Options
 Available with git repository scanning (`trivy repo`) 

-```
+```yaml
 repository:
  # Same as '--branch'
  # Default is empty
@@ -261,7 +288,7 @@ repository:
 ## Client/Server Options
 Available in client/server mode

-```
+```yaml
 server:
  # Same as '--server' (available in client mode)
  # Default is empty
@@ -286,4 +313,28 @@ server:
  listen: 0.0.0.0:10000
 ```

+## Cloud Options
+
+Available for cloud scanning (currently only `trivy aws`)
+
+```yaml
+cloud:
+  # whether to force a cache update for every scan
+  update-cache: false
+  
+  # how old cached results can be before being invalidated
+  max-cache-age: 24h
+  
+  # aws-specific cloud settings
+  aws:
+    # the aws region to use
+    region: us-east-1
+    
+    # the aws endpoint to use (not required for general use)
+    endpoint: https://my.custom.aws.endpoint
+    
+    # the aws account to use (this will be determined from your environment when not set)
+    account: 123456789012
+```
+
 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
--- a/docs/docs/sbom/cyclonedx.md
+++ b/docs/docs/sbom/cyclonedx.md
@@ -6,8 +6,16 @@ Note that XML format is not supported at the moment.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.

+CycloneDX can represent either or both SBOM or BOV.
+
+- [Software Bill of Materials (SBOM)][sbom]
+- [Bill of Vulnerabilities (BOV)][bov]
+
+By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
+
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```

 <details>
@@ -231,6 +239,12 @@ $ cat result.json | jq .

 </details>

+If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+
+```
+$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+```
+
 ## Scanning
 Trivy can take CycloneDX as an input and scan for vulnerabilities.
 To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
@@ -258,5 +272,8 @@ Total: 3 (CRITICAL: 3)

 !!! note
    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV][bov].

 [cyclonedx]: https://cyclonedx.org/
+[sbom]: https://cyclonedx.org/capabilities/sbom/
+[bov]: https://cyclonedx.org/capabilities/bov/
--- a/docs/docs/sbom/index.md
+++ b/docs/docs/sbom/index.md
@@ -9,9 +9,10 @@ Trivy can generate the following SBOM formats.
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.

 ```
-$ trivy image --format cyclonedx --output result.json alpine:3.15
+$ trivy image --format spdx-json --output result.json alpine:3.15
 ```

+
 ```
 $ trivy fs --format cyclonedx --output result.json /app/myproject
 ```
@@ -180,6 +181,7 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
 Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.

 - CycloneDX
+- CycloneDX-type attestation

 To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.

@@ -208,5 +210,30 @@ Total: 3 (CRITICAL: 3)
 !!! note
    CycloneDX XML and SPDX are not supported at the moment.

+You can also scan an SBOM attestation.
+In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```
+
 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md
+[Cosign]: https://github.com/sigstore/cosign
+[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair
--- a/docs/docs/secret/configuration.md
+++ b/docs/docs/secret/configuration.md
@@ -137,6 +137,6 @@ disable-allow-rules:
 ```


-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [examples]: ./examples.md
--- a/docs/docs/secret/scanning.md
+++ b/docs/docs/secret/scanning.md
@@ -116,8 +116,8 @@ $ trivy image --security-checks vuln alpine:3.15
 ## Credit
 This feature is inspired by [gitleaks][gitleaks]. 

-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin-allow]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [configuration]: ./configuration.md
 [allow-rules]: ./configuration.md#allow-rules
 [enable-rules]: ./configuration.md#enable-rules
--- a/docs/docs/vulnerability/detection/language.md
+++ b/docs/docs/vulnerability/detection/language.md
@@ -24,6 +24,7 @@
 | Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |
 |          | go.mod[^7]              |     -     |     -      |        ✅        |        ✅        | included         |
 | Rust     | Cargo.lock              |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   

 The path of these files does not matter.

--- a/docs/docs/vulnerability/distributions.md
+++ b/docs/docs/vulnerability/distributions.md
@@ -11,15 +11,44 @@ The following table provides an outline of the features Trivy offers.

 ### Examples

+=== "image"
    ```
-$ trivy image cblmariner.azurecr.io/base/core:1.0
-2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
-2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
-2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0
+    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
+    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
+    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
    
-cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
-==============================================================
-Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 
+    mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```
+
+=== "fs"
+    ```
+    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 
+    
+    root [ / ]# tdnf -y install ca-certificates
+    ...
+
+    root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
+    ...
+    
+    root [ / ]# trivy fs /
+    2022-07-27T09:30:06.815Z	INFO	Need to update DB
+    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
+    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
+    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
+    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
+    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
+    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
+    
+    40ba9a55397c (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
    ```

 ### Data source
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -276,6 +276,6 @@ $ trivy image --format template --template "@/usr/local/share/trivy/templates/ht

 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -31,8 +31,8 @@

    ``` bash
    sudo apt-get install wget apt-transport-https gnupg lsb-release
-    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install trivy
    ```
--- a/docs/imgs/trivy-aws.png
+++ b/docs/imgs/trivy-aws.png
--- a/go.mod
+++ b/go.mod
@@ -8,18 +8,21 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.22.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220626060741-179d0b167e5f
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/table v1.6.0
+	github.com/aquasecurity/table v1.7.2
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
 	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220719205641-79488fbb4710
+	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220727123250-2cfd49c5b6c3
+	github.com/aws/aws-sdk-go-v2 v1.16.8
+	github.com/aws/aws-sdk-go-v2/config v1.15.15
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.10
 	github.com/caarlos0/env/v6 v6.9.3
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.0.8
+	github.com/cheggaaa/pb/v3 v3.1.0
 	github.com/containerd/containerd v1.6.6
 	github.com/docker/docker v20.10.17+incompatible
 	github.com/docker/go-connections v0.4.0
@@ -29,27 +32,30 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
-	github.com/google/licenseclassifier/v2 v2.0.0-pre5
+	github.com/google/licenseclassifier/v2 v2.0.0-pre6
 	github.com/google/uuid v1.3.0
 	github.com/google/wire v0.5.0
 	github.com/hashicorp/go-getter v1.6.2
+	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/loading v0.0.4
 	github.com/liamg/memoryfs v1.4.2
 	github.com/liamg/tml v0.6.0
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.42.0
+	github.com/open-policy-agent/opa v0.43.0
 	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
-	github.com/samber/lo v1.24.0
+	github.com/samber/lo v1.27.0
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0
 	github.com/sosedoff/gitkit v0.3.0
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.8.1
+	github.com/spf13/viper v1.12.0
 	github.com/stretchr/testify v1.8.0
 	github.com/testcontainers/testcontainers-go v0.13.0
 	github.com/tetratelabs/wazero v0.0.0-20220701105919-891761ac1ee2
@@ -59,12 +65,66 @@ require (
 	go.uber.org/zap v1.21.0
 	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
 	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 )

-require github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+require (
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.18.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.19.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.17.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.21.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.20.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.18.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.23.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/mq v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.23.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.17.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.0 // indirect
+	github.com/aws/smithy-go v1.12.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	gonum.org/v1/gonum v0.7.0 // indirect
+)

 require (
 	cloud.google.com/go v0.100.2 // indirect
@@ -74,20 +134,20 @@ require (
 	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27
-	github.com/Azure/go-autorest/autorest/adal v0.9.20
+	github.com/Azure/go-autorest/autorest v0.11.28
+	github.com/Azure/go-autorest/autorest/adal v0.9.21
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/squirrel v1.5.2 // indirect
+	github.com/Masterminds/squirrel v1.5.3 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/Microsoft/hcsshim v0.9.3 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
@@ -102,9 +162,9 @@ require (
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.68.10
+	github.com/aquasecurity/defsec v0.71.5
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/aws/aws-sdk-go v1.44.46
+	github.com/aws/aws-sdk-go v1.44.66
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
@@ -167,9 +227,8 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/go-version v1.4.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.12.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
 	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
@@ -177,7 +236,7 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.4 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -189,13 +248,14 @@ require (
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/liamg/iamgo v0.0.9 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/lib/pq v1.10.4 // indirect
+	github.com/lib/pq v1.10.6 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/microsoft/go-rustaudit v0.0.0-20220805122630-097fff025e34 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
@@ -235,12 +295,11 @@ require (
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.1.1 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spdx/tools-golang v0.3.0
 	github.com/spf13/afero v1.8.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
@@ -249,7 +308,7 @@ require (
 	github.com/subosito/gotenv v1.4.0 // indirect
 	github.com/ulikunitz/xz v0.5.8 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vektah/gqlparser/v2 v2.4.5 // indirect
+	github.com/vektah/gqlparser/v2 v2.4.6 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -262,21 +321,20 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
+	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
 	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
 	golang.org/x/text v0.3.7
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
-	gonum.org/v1/gonum v0.7.0 // indirect
 	google.golang.org/api v0.81.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
-	google.golang.org/grpc v1.47.0 // indirect
+	google.golang.org/grpc v1.48.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -286,11 +344,11 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools v2.2.0+incompatible
 	gotest.tools/v3 v3.2.0 // indirect
-	helm.sh/helm/v3 v3.9.0 // indirect
+	helm.sh/helm/v3 v3.9.2 // indirect
 	k8s.io/api v0.25.0-alpha.2 // indirect
-	k8s.io/apiextensions-apiserver v0.24.0 // indirect
+	k8s.io/apiextensions-apiserver v0.24.2 // indirect
 	k8s.io/apimachinery v0.25.0-alpha.2 // indirect
-	k8s.io/apiserver v0.24.1 // indirect
+	k8s.io/apiserver v0.24.2 // indirect
 	k8s.io/cli-runtime v0.24.3 // indirect
 	k8s.io/client-go v0.25.0-alpha.2 // indirect
 	k8s.io/component-base v0.24.3 // indirect
--- a/go.sum
+++ b/go.sum
@@ -77,15 +77,15 @@ github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKn
 github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
 github.com/Azure/go-autorest/autorest v0.11.20/go.mod h1:o3tqFY+QR40VOlk+pV4d77mORO64jOXSgEnPQgLK6JY=
 github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc=
-github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A=
-github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U=
+github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM=
+github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
 github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
 github.com/Azure/go-autorest/autorest/adal v0.9.15/go.mod h1:tGMin8I49Yij6AQ+rvV+Xa/zwxYQB5hmsd6DkfAx2+A=
 github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
-github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg=
-github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
+github.com/Azure/go-autorest/autorest/adal v0.9.21 h1:jjQnVFXPfekaqb8vIsv2G1lxshoW+oGv4MDlhRtnYZk=
+github.com/Azure/go-autorest/autorest/adal v0.9.21/go.mod h1:zua7mBUaCc5YnSLKYgGJR/w5ePdMDA6H56upLsHzA9U=
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA=
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4=
@@ -103,8 +103,8 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
-github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=
+github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/CycloneDX/cyclonedx-go v0.6.0 h1:SizWGbZzFTC/O/1yh072XQBMxfvsoWqd//oKCIyzFyE=
 github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
@@ -123,8 +123,8 @@ github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
 github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
-github.com/Masterminds/squirrel v1.5.2 h1:UiOEi2ZX4RCSkpiNDQN5kro/XIBpSRk9iTqdIRPzUXE=
-github.com/Masterminds/squirrel v1.5.2/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
+github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc=
+github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
@@ -172,7 +172,6 @@ github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdc
 github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agnivade/levenshtein v1.0.1 h1:3oJU7J3FGFmyhn8KHjmVaZCN5hxTr7GxgRue+sxIXdQ=
@@ -200,18 +199,18 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
 github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU=
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
-github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM=
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.68.10 h1:RSOPI43PWckgDzdSg6EifGcbF6DeoZBuo2tAy8XXH2w=
-github.com/aquasecurity/defsec v0.68.10/go.mod h1:NdjAkq2LAbsu3sFHbWfA+DDR5BxiajELQAMUrfJ6PFg=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220626060741-179d0b167e5f h1:ObiLf3DY/Mr3hfqWHNgQ4vjVo/fFni216otahWzQXIE=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220626060741-179d0b167e5f/go.mod h1:MDQj3aeTQHSRbM1ZOGQVFziHvJtwf7moK+f9gYlUdeE=
+github.com/aquasecurity/defsec v0.71.5 h1:HOao1TaP74lhbsLUmYaNgHx1afdYImDicB8b/f54FIM=
+github.com/aquasecurity/defsec v0.71.5/go.mod h1:+ouYrROGLz3lGutl+K+ilXX5V41S76JIi+L8aXPBsAQ=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86 h1:sc8hDjSxO3aiG0R7HvaAVnY6329NTtv9AqDGpVQxAPQ=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86/go.mod h1:wwxn1SyOEY8W5hy8aDQDoExX+ybVsi+xfIllXz93+Fk=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
+github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0 h1:tihCUjLWkF0b1SAjAKcFltUs3SpsqGrLtI+Frye0D10=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 h1:vmXNl+HDfqqXgr0uY1UgK1GAhps8nbAAtqHNBcgyf+4=
@@ -219,14 +218,14 @@ github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI490FF0a7zuvxOxen52ddygCfNVjP0XOCMl+M=
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
-github.com/aquasecurity/table v1.6.0 h1:Tfv21bD6GgoAlfrYvwrxuCLqomxPvMY87+SWoZyzfiY=
-github.com/aquasecurity/table v1.6.0/go.mod h1:1MFKrEPJ8NchM917BrVGvsqoXJo1OL1Ja7dF3PgUea4=
+github.com/aquasecurity/table v1.7.2 h1:mextUtadM4WdDRtwmUVYPKaDSRCDDSvTam+aPMQg9eE=
+github.com/aquasecurity/table v1.7.2/go.mod h1:eqOmvjjB7AhXFgFqpJUEE/ietg7RrMSJZXyTN8E/wZw=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
 github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63 h1:hgGD7zqlNe6sWJZPFFv1Z6T1EuYW8XD/hqx/dxjNp3Q=
 github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63/go.mod h1:/nULgnDeq/JMPMVwE1dmf4kWlYn++7VrM3O2naj4BHA=
-github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220719205641-79488fbb4710 h1:lI/CZBmHdxLWY2QEvMHoOXmV0EOzCdtwqcx6TvOeqyU=
-github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220719205641-79488fbb4710/go.mod h1:ZHtpUrBrJ6gZ8Gd4IaXbZwTNOg5KW2m7ClC33qnSlY8=
+github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220727123250-2cfd49c5b6c3 h1:qhWeovRDnbjC1kdyzRhrJNMJtJwNWicQrXjCnuF64JU=
+github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220727123250-2cfd49c5b6c3/go.mod h1:ZHtpUrBrJ6gZ8Gd4IaXbZwTNOg5KW2m7ClC33qnSlY8=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -239,8 +238,108 @@ github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:o
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
 github.com/aws/aws-sdk-go v1.34.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
-github.com/aws/aws-sdk-go v1.44.46 h1:BsKENvu24eXg7CWQ2wJAjKbDFkGP+hBtxKJIR3UdcB8=
-github.com/aws/aws-sdk-go v1.44.46/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.44.66 h1:xdH4EvHyUnkm4I8d536ui7yMQKYzrkbSDQ2LvRRHqsg=
+github.com/aws/aws-sdk-go v1.44.66/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.16.8 h1:gOe9UPR98XSf7oEJCcojYg+N2/jCRm4DdeIsP85pIyQ=
+github.com/aws/aws-sdk-go-v2 v1.16.8/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3 h1:S/ZBwevQkr7gv5YxONYpGQxlMFFYSRfz3RMcjsC9Qhk=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3/go.mod h1:gNsR5CaXKmQSSzrmGxmwmct/r+ZBfbxorAuXYsj/M5Y=
+github.com/aws/aws-sdk-go-v2/config v1.15.15 h1:yBV+J7Au5KZwOIrIYhYkTGJbifZPCkAnCFSvGsF3ui8=
+github.com/aws/aws-sdk-go-v2/config v1.15.15/go.mod h1:A1Lzyy/o21I5/s2FbyX5AevQfSVXpvvIDCoVFD0BC4E=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.10 h1:7gGcMQePejwiKoDWjB9cWnpfVdnz/e5JwJFuT6OrroI=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.10/go.mod h1:g5eIM5XRs/OzIIK81QMBl+dAuDyoLN0VYaLP+tBqEOk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9 h1:hz8tc+OW17YqxyFFPSkvfSikbqWcyyHRyPVSTzC0+aI=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9/go.mod h1:KDCCm4ONIdHtUloDcFvK2+vshZvx4Zmj7UMDfusuz5s=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15 h1:bx5F2mr6H6FC7zNIQoDoUr8wEKnvmwRncujT3FYRtic=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15/go.mod h1:pWrr2OoHlT7M/Pd2y4HV3gJyPb3qj5qMmnPkKSNPYK4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9 h1:5sbyznZC2TeFpa4fvtpvpcGbzeXEEs1l1Jo51ynUNsQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9/go.mod h1:08tUpeSGN33QKSO7fwxXczNfiwCpbj+GxK6XKwqWVv0=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16 h1:f0ySVcmQhwmzn7zQozd8wBM3yuGBfzdpsOaKQ0/Epzw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16/go.mod h1:CYmI+7x03jjJih8kBEEFKRQc40UjUokT0k7GbvrhhTc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 h1:3L8pcjvgaSOs0zzZcMKzxDSkYKEpwJ2dNVDdxm68jAY=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6/go.mod h1:O7Oc4peGZDEKlddivslfYFvAbgzvl/GH3J8j3JIGBXc=
+github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.11 h1:dLu3dF3ruiSZsG+in4ZzZWL3F7w4TeOX/F257qE2mT0=
+github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.11/go.mod h1:Hb+D/fjqxVd1jAkIjTZF8Cg540F3E4YK5Uu4unA3rS0=
+github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.9 h1:MkWoCyvIqAhaMO+LTSFag8s0wd6zV6Pd+X0urDKn2I8=
+github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.9/go.mod h1:Va1mvuuqN0pejuszzc1nMPAsqGbIqIxBowdXzPYR9Gw=
+github.com/aws/aws-sdk-go-v2/service/athena v1.18.1 h1:RzNtlZanMLTYe3dcq7cZEEv40YvHY6hYylHz32jwEbk=
+github.com/aws/aws-sdk-go-v2/service/athena v1.18.1/go.mod h1:JBXnq5zXBUeQo+bbMrsg1Fx3+7+vxxwYLB+EDJiLP94=
+github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.5 h1:MWmwy+Py1HXLNILagezUP9JPEV4CS33tU8xTJR65vMY=
+github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.5/go.mod h1:xi7heuDU7iKWmWhvGCpsEvBko0NylAm4cmiJoxJKv9w=
+github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.5 h1:dxrJ5ki6GuqZB9AqbE6HsqT8mrLcI2E+POgYt98YWTs=
+github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.5/go.mod h1:55qJ5OVAwXAGgoBu9bPqoFlUj0iExM6UgvxiCqrHgYU=
+github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.19.1 h1:JvOaYDuqyFn5JYggztv688+7eRMVtNp81vQ+F6OrBIw=
+github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.19.1/go.mod h1:ZmYbhXLOStOS1+PItLyb9BNm8QtAQWkT5Nbd/tT19c4=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.11 h1:d9d/Vg1zkmo4OY0tWDywu5je9fXS4KXL5bW2T8wJ1cU=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.11/go.mod h1:0vT2mfhUL63/UT1RvYF/1wuqvvuvY0e+CiLB1paT+qI=
+github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.9 h1:SBw4owb6Y9cKOmY0Z8PnY75PeceVYxnIgXNkuT3XGRU=
+github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.9/go.mod h1:cQpAzFHSPsL/an19DbTTRb7kvuzMq8EcCX3WGO3+P0I=
+github.com/aws/aws-sdk-go-v2/service/docdb v1.19.1 h1:5EL1Sx9cwNXiX5z3gC6lbm/YyleuCwcssiOMi4zg7PI=
+github.com/aws/aws-sdk-go-v2/service/docdb v1.19.1/go.mod h1:gBnPk1RQP1qnmscOIiezJRsaQDrT6SDG3OwUmx6IA6c=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.10 h1:GLklbtMUQCToju09LyT+AjbwTQ0KCQudNLTA0H2xbBk=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.10/go.mod h1:zM5dQf0mZfcW4s8OsJFXvzedbY5n1rO581X4xei6XcA=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.51.1 h1:y88XFO3AJWDVJ3HjcYc+Oo38fB948armdg6ulfphkUM=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.51.1/go.mod h1:bKs78Qpk4syfUFXKhA0hIqT3X0sxmvIAPlEHV4qVbP0=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.17.9 h1:9nU17hDiQCBptGMuCnx6UbN/RUGEDV+YOM+6W8i8zII=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.17.9/go.mod h1:fkIc4qe3SfQhPt/HAmDG7DJMjMBHElHV44axRyUSojA=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.18.12 h1:PWpVksq9WWpOM7SiWD4gaiPDwUm8K/rn4nxQkdkYRtw=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.18.12/go.mod h1:h1UvIIC+fPNj4PkuQ/o9QyRH0/vC+qlHRNGefwwYzv8=
+github.com/aws/aws-sdk-go-v2/service/efs v1.17.7 h1:FfmUBdGQ5tuFIIIwjmvy/DeGvvW0myQVFToQjPjjtEQ=
+github.com/aws/aws-sdk-go-v2/service/efs v1.17.7/go.mod h1:cCrmFuFfPmhBtdw5YD3IzqtrpytrOYDDNhIMwuNrXTU=
+github.com/aws/aws-sdk-go-v2/service/eks v1.21.5 h1:miWUBz+htptzay+IZl70zYkTlO1FD7JIypv1D+8+rm0=
+github.com/aws/aws-sdk-go-v2/service/eks v1.21.5/go.mod h1:t2jyBeR+NLVCfPHpqT/1aygIu9yrW29JZREUJjgxnWg=
+github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.1 h1:ctpT3Cl9LCSnzfDsulH5kECwXLL0jMXAnjukWeIdSZ4=
+github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.1/go.mod h1:1Yuus60M9YJNgRxEYkfcAZs8NIyK2QAutQX2uYFbA+s=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.9 h1:ce76ovZsRsjqBEUHw/6sK1u3lMzrCi253ba1vaqBujQ=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.9/go.mod h1:HCDI4POpmQJpQK4UaQMDEHd3FsqfdzV8YGCwpznWhak=
+github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.1 h1:x6/McT+Lxlr1hcADHu3dFzG2jRZope4BeBNTaCF2kYM=
+github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.1/go.mod h1:A4rBOsc7JmoqJI0QlhMVmaeBA1gY504A9Pt/Z1vVDPc=
+github.com/aws/aws-sdk-go-v2/service/emr v1.20.2 h1:G66jwQlixBxtbxUh5AxRfeNFrA9FvjtbvxyGl9xY8gw=
+github.com/aws/aws-sdk-go-v2/service/emr v1.20.2/go.mod h1:FFLSJvJVSw9px5ZHi5KRq/JNOBu1d9n95V40SD/QWfs=
+github.com/aws/aws-sdk-go-v2/service/iam v1.18.10 h1:lB6TiFIJR0sZNWC2rGZ9+7OMtGpUEh/u/wYAn6HfbKk=
+github.com/aws/aws-sdk-go-v2/service/iam v1.18.10/go.mod h1:fhDORN+qPbMYyu98/RaDDiV60LXb9gvJ5UNZXY2hBNs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 h1:4n4KCtv5SUoT5Er5XV41huuzrCqepxlW3SDI9qHQebc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3/go.mod h1:gkb2qADY+OHaGLKNTYxMaQNacfeyQpZ4csDTQMeFmcw=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 h1:7LJcuRalaLw+GYQTMGmVUl4opg2HrDZkvn/L3KvIQfw=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10/go.mod h1:Qks+dxK3O+Z2deAhNo6cJ8ls1bam3tUGUAcgxQP1c70=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.9 h1:COsLtfmOSgPGnKUreE99/5pIgtmGLzmLtVrQa12QzU4=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.9/go.mod h1:IixPDVckNk0HhYDQwUmTonTAfQlfABg9E72whAbq5k0=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9 h1:sHfDuhbOuuWSIAEDd3pma6p0JgUcR2iePxtCE8gfCxQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9/go.mod h1:yQowTpvdZkFVuHrLBXmczat4W+WJKg/PafBZnGBLga0=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9 h1:sJdKvydGYDML9LTFcp6qq6Z5fIjN0Rdq2Gvw1hUg8tc=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9/go.mod h1:Rc5+wn2k8gFSi3V1Ch4mhxOzjMh+bYSXVFfVaqowQOY=
+github.com/aws/aws-sdk-go-v2/service/kafka v1.17.10 h1:ZsFXMWeNEkUjLEuVZY0jZb1uvAcDIYX67BI16ISG8LE=
+github.com/aws/aws-sdk-go-v2/service/kafka v1.17.10/go.mod h1:j3dSazeOhP6nWt7C3FAnYAwEGhYeLfneaapKIFJSlPk=
+github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.10 h1:MKiqeOllGwLLP3PawduTfkQqPavNtGrSG9J9gahaSwA=
+github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.10/go.mod h1:0Nz7L2pwh2bOumoDyt5oWFaC+qqw7BCzM46wxwR68O4=
+github.com/aws/aws-sdk-go-v2/service/kms v1.18.1 h1:y07kzPdcjuuyDVYWf1CCsQQ6kcAWMbFy+yIJ71xQBS0=
+github.com/aws/aws-sdk-go-v2/service/kms v1.18.1/go.mod h1:4PZMUkc9rXHWGVB5J9vKaZy3D7Nai79ORworQ3ASMiM=
+github.com/aws/aws-sdk-go-v2/service/lambda v1.23.5 h1:/tq5WZODNF3juZkpTIIMfzeJx6c8kLk73SjTTvOAphY=
+github.com/aws/aws-sdk-go-v2/service/lambda v1.23.5/go.mod h1:7YjiELsNgxpiMMG2KapRbAnOF1O+e1UnoLwARPNHKYc=
+github.com/aws/aws-sdk-go-v2/service/mq v1.13.5 h1:ztNwJLLJxGWc140Ixh+5316UxJd2N4sSCViA6lT1UUk=
+github.com/aws/aws-sdk-go-v2/service/mq v1.13.5/go.mod h1:Ap0H9UgOdD2eP1CEFGA50iIQFpJ/qxXogr4UDSozjTA=
+github.com/aws/aws-sdk-go-v2/service/neptune v1.17.3 h1:w3a/x4gSzMcHcS/ZiflrX+PygI9xr7T8po4uU3jPcGQ=
+github.com/aws/aws-sdk-go-v2/service/neptune v1.17.3/go.mod h1:yIMXrISmxkkek9J7e61+c1gP2PwJk2hFjyxBQ+mgaG4=
+github.com/aws/aws-sdk-go-v2/service/rds v1.23.2 h1:PiW9+dKNwnRCfpln8UukyBBOHhOGfS4NV0qkZQg+uPM=
+github.com/aws/aws-sdk-go-v2/service/rds v1.23.2/go.mod h1:OiFKbn0c0/8hLpOLFg4P8Pw9bofLnuweWWqZPY7chBM=
+github.com/aws/aws-sdk-go-v2/service/redshift v1.26.1 h1:PXlUX4ErwlY1u7lZoMt3fuWSWebdSLMxsBDd0DqnpiA=
+github.com/aws/aws-sdk-go-v2/service/redshift v1.26.1/go.mod h1:XTvP5x9LIIgImxvUtXUHXdi3R56P+8BsSI7UeXCPz2U=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2 h1:NvzGue25jKnuAsh6yQ+TZ4ResMcnp49AWgWGm2L4b5o=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2/go.mod h1:u+566cosFI+d+motIz3USXEh6sN8Nq4GrNXSg2RXVMo=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14 h1:dvvIB9OYsOH10RUNAY7yiCq5fQwGebXx1auBOkBTUlg=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14/go.mod h1:xakbH8KMsQQKqzX87uyyzTHshc/0/Df8bsTneTS5pFU=
+github.com/aws/aws-sdk-go-v2/service/sns v1.17.10 h1:ZZuqucIwjbUEJqxxR++VDZX9BcMbX5ZcQaKoWul/ELk=
+github.com/aws/aws-sdk-go-v2/service/sns v1.17.10/go.mod h1:uITsRNVMeCB3MkWpXxXw0eDz8pW4TYLzj+eyQtbhSxM=
+github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1 h1:HaQD4g8eumwEW218TgQzhnwTXmq77ZogA67SxBnGyPc=
+github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1/go.mod h1:A94o564Gj+Yn+7QO1eLFeI7UVv3riy/YBFOfICVqFvU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.13 h1:DQpf+al+aWozOEmVEdml67qkVZ6vdtGUi71BZZWw40k=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.13/go.mod h1:d7ptRksDDgvXaUvxyHZ9SYh+iMDymm94JbVcgvSYSzU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.10 h1:7tquJrhjYz2EsCBvA9VTl+sBAAh1bv7h/sGASdZOGGo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.10/go.mod h1:cftkHYN6tCDNfkSasAmclSfl4l7cySoay8vz7p/ce0E=
+github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.0 h1:6CPEYECdt2tRdtGObCxYN+NXFc46vC0tYpwY4mf2tS4=
+github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.0/go.mod h1:ziCHySWl+3sgDxO+9lXeXZOmKtiUqXf1RPqcbYDlsb8=
+github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
+github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -301,8 +400,8 @@ github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOo
 github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
-github.com/cheggaaa/pb/v3 v3.0.8 h1:bC8oemdChbke2FHIIGy9mn4DPJ2caZYQnfbRqwmdCoA=
-github.com/cheggaaa/pb/v3 v3.0.8/go.mod h1:UICbiLec/XO6Hw6k+BHEtHeQFzzBH4i2/qk/ow1EJTA=
+github.com/cheggaaa/pb/v3 v3.1.0 h1:3uouEsl32RL7gTiQsuaXD4Bzbfl5tGztXGUvXbs4O04=
+github.com/cheggaaa/pb/v3 v3.1.0/go.mod h1:YjrevcBqadFDaGQKRdmZxTY42pXEqda48Ea3lt0K/BE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -326,6 +425,7 @@ github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:z
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
+github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
 github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU=
 github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
@@ -503,8 +603,8 @@ github.com/dgryski/go-spooky v0.0.0-20170606183049-ed3d087f40e2 h1:lx1ZQgST/imDh
 github.com/dgryski/go-spooky v0.0.0-20170606183049-ed3d087f40e2/go.mod h1:hgHYKsoIw7S/hlWtP7wD1wZ7SX1jPTtKko5X9jrOgPQ=
 github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
-github.com/distribution/distribution/v3 v3.0.0-20211118083504-a29a3c99a684 h1:DBZ2sN7CK6dgvHVpQsQj4sRMCbWTmd17l+5SUCjnQSY=
 github.com/distribution/distribution/v3 v3.0.0-20211118083504-a29a3c99a684/go.mod h1:UfCu3YXJJCI+IdnqGgYP82dk2+Joxmv+mUTVBES6wac=
+github.com/distribution/distribution/v3 v3.0.0-20220526142353-ffbd94cbe269 h1:hbCT8ZPPMqefiAWD2ZKjn7ypokIGViTvBBg/ExLSdCk=
 github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
@@ -673,7 +773,6 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
-github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU=
 github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs=
 github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0=
@@ -790,8 +889,8 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/licenseclassifier/v2 v2.0.0-pre5 h1:glsMqvBI3S7ZZ58FGrEZubz+0W6N/8MJS5HYVWxZH3M=
-github.com/google/licenseclassifier/v2 v2.0.0-pre5/go.mod h1:cOjbdH0kyC9R22sdQbYsFkto4NGCAc+ZSwbeThazEtM=
+github.com/google/licenseclassifier/v2 v2.0.0-pre6 h1:ytJvfOEiKcN1m5vkAJXkK2olICdrXqwNKFkBpKQ5Q+I=
+github.com/google/licenseclassifier/v2 v2.0.0-pre6/go.mod h1:cOjbdH0kyC9R22sdQbYsFkto4NGCAc+ZSwbeThazEtM=
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -873,8 +972,8 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-getter v1.6.2 h1:7jX7xcB+uVCliddZgeKyNxv0xoT7qL5KDtH7rU4IqIk=
 github.com/hashicorp/go-getter v1.6.2/go.mod h1:IZCrswsZPeWv9IkVnLElzRU/gz/QPi6pZHn4tv6vbwA=
-github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
@@ -893,15 +992,15 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/go-version v1.4.0 h1:aAQzgqIrRKRa7w75CKpbBxYsmUoPjzVm1W59ca1L0J4=
-github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl/v2 v2.12.0 h1:PsYxySWpMD4KPaoJLnsHwtK5Qptvj/4Q6s0t4sUxZf4=
-github.com/hashicorp/hcl/v2 v2.12.0/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg=
+github.com/hashicorp/hcl/v2 v2.13.0 h1:0Apadu1w6M11dyGFxWnmhhcMjkbAiKCv7G1r/2QgCNc=
+github.com/hashicorp/hcl/v2 v2.13.0/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
@@ -922,6 +1021,8 @@ github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
+github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add h1:DAh7mHiRT7wc6kKepYdCpH16ElPciMPQWJaJ7H3l/ng=
+github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add/go.mod h1:DQI8vlV6h6qSY/tCOoYKtxjWrkyiNpJ3WTV/WoBllmQ=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/intel/goresctrl v0.2.0/go.mod h1:+CZdzouYFn5EsxgqAQTEzMfwKwuc0fVdMrT9FCCAVRQ=
@@ -940,8 +1041,8 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/jmoiron/sqlx v1.3.4 h1:wv+0IJZfL5z0uZoUjlpKgHkgaFSYD+r9CfrXjEXsO7w=
-github.com/jmoiron/sqlx v1.3.4/go.mod h1:2BljVx/86SuTyjE+aPYlHCTNvZrnJXghYGpNiXLBMCQ=
+github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
+github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
 github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
@@ -1019,14 +1120,16 @@ github.com/liamg/iamgo v0.0.9 h1:tADGm3xVotyRJmuKKaH4+zsBn7LOcvgdpuF3WsSKW3c=
 github.com/liamg/iamgo v0.0.9/go.mod h1:Kk6ZxBF/GQqG9nnaUjIi6jf+WXNpeOTyhwc6gnguaZQ=
 github.com/liamg/jfather v0.0.7 h1:Xf78zS263yfT+xr2VSo6+kyAy4ROlCacRqJG7s5jt4k=
 github.com/liamg/jfather v0.0.7/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM=
+github.com/liamg/loading v0.0.4 h1:i3+8cxqCbwVnz6RLqRZG4zHPKnY31T6NfM0h48mucvg=
+github.com/liamg/loading v0.0.4/go.mod h1:MpUOigKhyrByiW/te5JtMB9/f2MbZ4ZDk4wjorOwlpI=
 github.com/liamg/memoryfs v1.4.2 h1:6T9Oy1DdWxGCzIY89p0Ykeya5H0uAlzG2xHEGcvo6MU=
 github.com/liamg/memoryfs v1.4.2/go.mod h1:z7mfqXFQS8eSeBBsFjYLlxYRMRyiPktytvYCYTb3BSk=
 github.com/liamg/tml v0.6.0 h1:yOC/Q9p9Io3J11U9LdYVIwpRTnTE1GPMNFLrygkmE2Y=
 github.com/liamg/tml v0.6.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.4 h1:SO9z7FRPzA03QhHKJrH5BXA6HU1rS4V2nIVrrNC1iYk=
-github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
+github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
@@ -1089,6 +1192,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY=
+github.com/microsoft/go-rustaudit v0.0.0-20220805122630-097fff025e34 h1:W/tuIksfbU5I1xVm2zxi0afcIhDvmnebpdq+tA3OPAE=
+github.com/microsoft/go-rustaudit v0.0.0-20220805122630-097fff025e34/go.mod h1:vYT9HE7WCvL64iVeZylKmCsWKfE+JZ8105iuh2Trk8g=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
@@ -1106,7 +1211,6 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
@@ -1206,8 +1310,8 @@ github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDs
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
-github.com/open-policy-agent/opa v0.42.0 h1:CTJ240+A+sZEYSuLDYiT5l8Q3lcQf2eZc53jCbWNjZE=
-github.com/open-policy-agent/opa v0.42.0/go.mod h1:MrmoTi/BsKWT58kXlVayBb+rYVeaMwuBm3nYAN3923s=
+github.com/open-policy-agent/opa v0.43.0 h1:UKTpyFUPMs4wYYL1qsXpYQQurBCPoEjFbxaD/4V46gY=
+github.com/open-policy-agent/opa v0.43.0/go.mod h1:xfTsKQEMvy7CxxgsCFoYuzT9jA/8C4JWLignCkN4Dzw=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -1260,11 +1364,13 @@ github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrap
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU=
+github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc=
-github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 h1:JhzVVoYvbOACxoUmOs6V/G4D5nPVUW73rKvXxP4XUJc=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -1344,8 +1450,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
 github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
-github.com/samber/lo v1.24.0 h1:8BtUIUpAK2UfLv4/yI+1+1ux8brGwjhTpSndNWjRsjs=
-github.com/samber/lo v1.24.0/go.mod h1:2I7tgIv8Q1SG2xEIkRq0F2i2zgxVpnyPOP0d3Gj2r+A=
+github.com/samber/lo v1.27.0 h1:GOyDWxsblvqYobqsmUuMddPa2/mMzkKyojlXol4+LaQ=
+github.com/samber/lo v1.27.0/go.mod h1:it33p9UtPMS7z72fP4gw/EIfQB2eI8ke7GR2wc6+Rhg=
 github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e h1:NO86zOn5ScSKW8wRbMaSIcjDZUFpWdCQQnexRqZ9h9A=
 github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e/go.mod h1:G0Z6yVPru183i2MuRJx1DcR4dgIZtLcTdaaE/pC1BJU=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@@ -1355,9 +1461,12 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE=
+github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
+github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b h1:VI1u+o2KZPZ5AhuPpXY0JBdpQPnkTx6Dd5XJhK/9MYE=
 github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b/go.mod h1:2htx6lmL0NGLHlO8ZCf+lQBGBHIbEujyywxJArf+2Yc=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
@@ -1371,8 +1480,9 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
@@ -1409,15 +1519,15 @@ github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
-github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
+github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -1467,8 +1577,8 @@ github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME=
 github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
-github.com/vektah/gqlparser/v2 v2.4.5 h1:C02NsyEsL4TXJB7ndonqTfuQOL4XPIu0aAWugdmTgmc=
-github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
+github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE=
+github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
 github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
@@ -1516,11 +1626,8 @@ github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPS
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
-github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
 github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2 h1:dNyg4QLTrv2IfJpm7Wtxi55ed5gLGOlPrZ6kMd51hY0=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
 github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
@@ -1608,7 +1715,6 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -1632,8 +1738,8 @@ golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1803,7 +1909,6 @@ golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1916,10 +2021,11 @@ golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220624220833-87e55d714810 h1:rHZQSjJdAI4Xf5Qzeh2bBc5YJIkPFVM6oDtMFYmgws0=
-golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1945,8 +2051,9 @@ golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -2209,8 +2316,9 @@ google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ5
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w=
+google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -2225,8 +2333,9 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2287,8 +2396,8 @@ gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I=
 gotest.tools/v3 v3.2.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A=
-helm.sh/helm/v3 v3.9.0 h1:qDSWViuF6SzZX5s5AB/NVRGWmdao7T5j4S4ebIkMGag=
-helm.sh/helm/v3 v3.9.0/go.mod h1:fzZfyslcPAWwSdkXrXlpKexFeE2Dei8N27FFQWt+PN0=
+helm.sh/helm/v3 v3.9.2 h1:bx7kdhr5VAhYoWv9bIdT1C6qWR+/7SIoPCwLx22l78g=
+helm.sh/helm/v3 v3.9.2/go.mod h1:y/dJc/0Lzcn40jgd85KQXnufhFF7sr4v6L/vYMLRaRM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -2300,20 +2409,18 @@ k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
 k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
 k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
 k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs=
-k8s.io/api v0.24.0/go.mod h1:5Jl90IUrJHUJYEMANRURMiVvJ0g7Ax7r3R1bqO8zx8I=
-k8s.io/api v0.24.1/go.mod h1:JhoOvNiLXKTPQ60zh2g0ewpA+bnEYf5q44Flhquh4vQ=
+k8s.io/api v0.24.2/go.mod h1:AHqbSkTm6YrQ0ObxjO3Pmp/ubFF/KuM7jU+3khoBsOg=
 k8s.io/api v0.24.3/go.mod h1:elGR/XSZrS7z7cSZPzVWaycpJuGIw57j9b95/1PdJNI=
 k8s.io/api v0.25.0-alpha.2 h1:azwXduCht76Ecuv80QzZkCDzcFcLotKPXiE9/+jx5Qk=
 k8s.io/api v0.25.0-alpha.2/go.mod h1:wOntqHYj8WveLW2sh6q4tkE2vMZTtxe0MrFyVwO8JCM=
-k8s.io/apiextensions-apiserver v0.24.0 h1:JfgFqbA8gKJ/uDT++feAqk9jBIwNnL9YGdQvaI9DLtY=
-k8s.io/apiextensions-apiserver v0.24.0/go.mod h1:iuVe4aEpe6827lvO6yWQVxiPSpPoSKVjkq+MIdg84cM=
+k8s.io/apiextensions-apiserver v0.24.2 h1:/4NEQHKlEz1MlaK/wHT5KMKC9UKYz6NZz6JE6ov4G6k=
+k8s.io/apiextensions-apiserver v0.24.2/go.mod h1:e5t2GMFVngUEHUd0wuCJzw8YDwZoqZfJiGOW6mm2hLQ=
 k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
 k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
 k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U=
-k8s.io/apimachinery v0.24.0/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
-k8s.io/apimachinery v0.24.1/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
+k8s.io/apimachinery v0.24.2/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
 k8s.io/apimachinery v0.24.3/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
 k8s.io/apimachinery v0.25.0-alpha.2 h1:y6uTWaiqsPTPRewnXJ15IFyGmBo2qPt6enm4zszG8Z0=
 k8s.io/apimachinery v0.25.0-alpha.2/go.mod h1:h34FtK3eCxige6ZIACdBSYExtDaKAUxoc7hVe2LOxzw=
@@ -2321,29 +2428,26 @@ k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
 k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
 k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
 k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ=
-k8s.io/apiserver v0.24.0/go.mod h1:WFx2yiOMawnogNToVvUYT9nn1jaIkMKj41ZYCVycsBA=
-k8s.io/apiserver v0.24.1 h1:LAA5UpPOeaREEtFAQRUQOI3eE5So/j5J3zeQJjeLdz4=
-k8s.io/apiserver v0.24.1/go.mod h1:dQWNMx15S8NqJMp0gpYfssyvhYnkilc1LpExd/dkLh0=
+k8s.io/apiserver v0.24.2 h1:orxipm5elPJSkkFNlwH9ClqaKEDJJA3yR2cAAlCnyj4=
+k8s.io/apiserver v0.24.2/go.mod h1:pSuKzr3zV+L+MWqsEo0kHHYwCo77AT5qXbFXP2jbvFI=
 k8s.io/cli-runtime v0.24.3 h1:O9YvUHrDSCQUPlsqVmaqDrueqjpJ7IO6Yas9B6xGSoo=
 k8s.io/cli-runtime v0.24.3/go.mod h1:In84wauoMOqa7JDvDSXGbf8lTNlr70fOGpYlYfJtSqA=
 k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
 k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
 k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0=
 k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y=
-k8s.io/client-go v0.24.0/go.mod h1:VFPQET+cAFpYxh6Bq6f4xyMY80G6jKKktU6G0m00VDw=
-k8s.io/client-go v0.24.1/go.mod h1:f1kIDqcEYmwXS/vTbbhopMUbhKp2JhOeVTfxgaCIlF8=
+k8s.io/client-go v0.24.2/go.mod h1:zg4Xaoo+umDsfCWr4fCnmLEtQXyCNXCvJuSsglNcV30=
 k8s.io/client-go v0.24.3/go.mod h1:AAovolf5Z9bY1wIg2FZ8LPQlEdKHjLI7ZD4rw920BJw=
 k8s.io/client-go v0.25.0-alpha.2 h1:kXlDl2L/CmdubzbRTPOCXj9JDPv9U0MuEjRXSCltQ00=
 k8s.io/client-go v0.25.0-alpha.2/go.mod h1:AN5W2BkXTu2lNm2BANn5lC6VnGlv6AM5HNPQLsriBOA=
 k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0=
-k8s.io/code-generator v0.24.0/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w=
+k8s.io/code-generator v0.24.2/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w=
 k8s.io/code-generator v0.24.3/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w=
 k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
 k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
 k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM=
 k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI=
-k8s.io/component-base v0.24.0/go.mod h1:Dgazgon0i7KYUsS8krG8muGiMVtUZxG037l1MKyXgrA=
-k8s.io/component-base v0.24.1/go.mod h1:DW5vQGYVCog8WYpNob3PMmmsY8A3L9QZNg4j/dV3s38=
+k8s.io/component-base v0.24.2/go.mod h1:ucHwW76dajvQ9B7+zecZAP3BVqvrHoOxm8olHEg0nmM=
 k8s.io/component-base v0.24.3 h1:u99WjuHYCRJjS1xeLOx72DdRaghuDnuMgueiGMFy1ec=
 k8s.io/component-base v0.24.3/go.mod h1:bqom2IWN9Lj+vwAkPNOv2TflsP1PeVDIwIN0lRthxYY=
 k8s.io/component-helpers v0.24.3/go.mod h1:/1WNW8TfBOijQ1ED2uCHb4wtXYWDVNMqUll8h36iNVo=
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.16
-appVersion: 0.29.2
+version: 0.4.17
+appVersion: 0.30.4
 description: Trivy helm chart
 keywords:
  - scanner
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -73,6 +73,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
+| `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |
 | `service.name`                        | If specified, the name used for the Trivy service                       |     |
 | `service.type`                        | Kubernetes service type                                                 | `ClusterIP` |
--- a/helm/trivy/templates/secret.yaml
+++ b/helm/trivy/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.trivy.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,3 +13,4 @@ data:
  TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
  TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
 {{- end -}}
+{{- end }}
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
@@ -90,7 +90,11 @@ spec:
            - configMapRef:
                name: {{ include "trivy.fullname" . }}
            - secretRef:
+                {{- if not .Values.trivy.existingSecret }}
                name: {{ include "trivy.fullname" . }}
+                {{- else }}
+                name: {{ .Values.trivy.existingSecret }}
+                {{- end }}
          ports:
            - name: trivy-http
              containerPort: {{ .Values.service.port }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -120,6 +120,9 @@ trivy:
  labels: {}
  # serverToken is the token to authenticate Trivy client with Trivy server.
  serverToken: ""
+  # existingSecret if an existing secret has been created outside the chart.
+  # Overrides gitHubToken, registryUsername, registryPassword, serverToken
+  existingSecret: ""

 service:
  # If specified, the name used for the Trivy service.
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -12,6 +12,8 @@ import (
 	"testing"
 	"time"

+	"github.com/samber/lo"
+
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
 	"github.com/stretchr/testify/assert"
@@ -399,10 +401,10 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 			err = json.NewDecoder(f).Decode(&got)
 			require.NoError(t, err)

-			assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
-			assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
+			assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
+			assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
 			for i, dep := range *got.Dependencies {
-				assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
+				assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
 			}
 		})
 	}
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -23,6 +23,9 @@ func TestFilesystem(t *testing.T) {
 		listAllPkgs    bool
 		input          string
 		secretConfig   string
+		filePatterns   []string
+		helmSet        []string
+		helmValuesFile []string
 	}
 	tests := []struct {
 		name   string
@@ -79,6 +82,16 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/dockerfile.json.golden",
 		},
+		{
+			name: "dockerfile with custom file pattern",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/dockerfile_file_pattern",
+				namespaces:     []string{"testing"},
+				filePatterns:   []string{"dockerfile:Customfile"},
+			},
+			golden: "testdata/dockerfile_file_pattern.json.golden",
+		},
 		{
 			name: "dockerfile with rule exception",
 			args: args{
@@ -123,6 +136,24 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/helm_testchart.json.golden",
 		},
+		{
+			name: "helm chart directory scanning with value overrides using set",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_testchart",
+				helmSet:        []string{"securityContext.runAsUser=0"},
+			},
+			golden: "testdata/helm_testchart.overridden.json.golden",
+		},
+		{
+			name: "helm chart directory scanning with value overrides using value file",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_testchart",
+				helmValuesFile: []string{"testdata/fixtures/fs/helm_values/values.yaml"},
+			},
+			golden: "testdata/helm_testchart.overridden.json.golden",
+		},
 		{
 			name: "helm chart directory scanning with builtin policies and non string Chart name",
 			args: args{
@@ -178,6 +209,24 @@ func TestFilesystem(t *testing.T) {
 				defer os.Remove(trivyIgnore)
 			}

+			if len(tt.args.filePatterns) != 0 {
+				for _, filePattern := range tt.args.filePatterns {
+					osArgs = append(osArgs, "--file-patterns", filePattern)
+				}
+			}
+
+			if len(tt.args.helmSet) != 0 {
+				for _, helmSet := range tt.args.helmSet {
+					osArgs = append(osArgs, "--helm-set", helmSet)
+				}
+			}
+
+			if len(tt.args.helmValuesFile) != 0 {
+				for _, helmValuesFile := range tt.args.helmValuesFile {
+					osArgs = append(osArgs, "--helm-values", helmValuesFile)
+				}
+			}
+
 			// Setup the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -41,6 +41,15 @@ func TestCycloneDX(t *testing.T) {
 			},
 			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
 		},
+		{
+			name: "centos7-bom in in-toto attestation",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/centos-7-cyclonedx.json.golden",
+		},
 	}

 	// Set up testing DB
--- a/integration/testdata/alpine-310.gitlab.golden
+++ b/integration/testdata/alpine-310.gitlab.golden
@@ -1,5 +1,5 @@
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
    {
      "id": "CVE-2019-1549",
@@ -8,7 +8,6 @@
      "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
      "cve": "CVE-2019-1549",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
      "scanner": {
        "id": "trivy",
@@ -22,7 +21,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
@@ -82,7 +81,6 @@
      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
      "cve": "CVE-2019-1551",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r2",
      "scanner": {
        "id": "trivy",
@@ -96,7 +94,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
@@ -176,7 +174,6 @@
      "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
      "cve": "CVE-2019-1549",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
      "scanner": {
        "id": "trivy",
@@ -190,7 +187,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
@@ -250,7 +247,6 @@
      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
      "cve": "CVE-2019-1551",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libssl1.1 to 1.1.1d-r2",
      "scanner": {
        "id": "trivy",
@@ -264,7 +260,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
--- a/integration/testdata/centos-7-cyclonedx.json.golden
+++ b/integration/testdata/centos-7-cyclonedx.json.golden
@@ -3,7 +3,7 @@
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
-    "timestamp": "2022-07-03T08:45:54+00:00",
+    "timestamp": "2022-08-14T12:39:11+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -6,7 +6,7 @@
    "OS": {
      "Family": "debian",
      "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
    },
    "ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
    "DiffIDs": [
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -6,7 +6,7 @@
    "OS": {
      "Family": "debian",
      "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
    },
    "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
    "DiffIDs": [
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -6,7 +6,7 @@
    "OS": {
      "Family": "debian",
      "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
    },
    "ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
    "DiffIDs": [
--- a/integration/testdata/dockerfile_file_pattern.json.golden
+++ b/integration/testdata/dockerfile_file_pattern.json.golden
@@ -0,0 +1,56 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Customfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 21,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "Title": "Image user should not be 'root'",
+          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+          "Namespace": "builtin.dockerfile.DS002",
+          "Query": "data.builtin.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/misconfig/ds002"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/fixtures/fs/dockerfile_file_pattern/Customfile
+++ b/integration/testdata/fixtures/fs/dockerfile_file_pattern/Customfile
@@ -0,0 +1 @@
+FROM alpine:3.13
--- a/integration/testdata/fixtures/fs/helm_values/values.yaml
+++ b/integration/testdata/fixtures/fs/helm_values/values.yaml
@@ -0,0 +1,2 @@
+securityContext:
+  runAsUser: 0
--- a/integration/testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl
+++ b/integration/testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl
@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2N5Y2xvbmVkeC5vcmcvc2NoZW1hIiwic3ViamVjdCI6W3sibmFtZSI6ImdoY3IuaW8vYXF1YXNlY3VyaXR5L3RyaXZ5LXRlc3QtaW1hZ2VzIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjcyYzQyZWQ0OGMzYTJkYjMxYjdkYWZlMTdkMjc1YjYzNDY2NGE3MDhkOTAxZWM5ZmQ1N2IxNTI5MjgwZjAxZmIifX1dLCJwcmVkaWNhdGUiOnsiRGF0YSI6eyJib21Gb3JtYXQiOiJDeWNsb25lRFgiLCJjb21wb25lbnRzIjpbeyJib20tcmVmIjoicGtnOnJwbS9jZW50b3MvYmFzaEA0LjIuNDYtMzEuZWw3P2FyY2g9eDg2XzY0XHUwMDI2ZGlzdHJvPWNlbnRvcy03LjYuMTgxMCIsImxpY2Vuc2VzIjpbeyJleHByZXNzaW9uIjoiR1BMdjMrIn1dLCJuYW1lIjoiYmFzaCIsInByb3BlcnRpZXMiOlt7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjTmFtZSIsInZhbHVlIjoiYmFzaCJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNWZXJzaW9uIiwidmFsdWUiOiI0LjIuNDYifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjUmVsZWFzZSIsInZhbHVlIjoiMzEuZWw3In0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkxheWVyRGlnZXN0IiwidmFsdWUiOiJzaGEyNTY6YWM5MjA4MjA3YWRhYWMzYTQ4ZTU0YTRkYzZiNDljNjllNzhjMzA3MmQyYjNhZGQ3ZWZkYWJmODE0ZGIyMTMzYiJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpMYXllckRpZmZJRCIsInZhbHVlIjoic2hhMjU2Ojg5MTY5ZDg3ZGJlMmI3MmJhNDJiZmJiMzU3OWM5NTczMjJiYWNhMjhlMDNhMWU1NTgwNzY1NDJhMWMxYjJiNGEifV0sInB1cmwiOiJwa2c6cnBtL2NlbnRvcy9iYXNoQDQuMi40Ni0zMS5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwidHlwZSI6ImxpYnJhcnkiLCJ2ZXJzaW9uIjoiNC4yLjQ2LTMxLmVsNyJ9LHsiYm9tLXJlZiI6InBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwibGljZW5zZXMiOlt7ImV4cHJlc3Npb24iOiJPcGVuU1NMIn1dLCJuYW1lIjoib3BlbnNzbC1saWJzIiwicHJvcGVydGllcyI6W3sibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNOYW1lIiwidmFsdWUiOiJvcGVuc3NsIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OlNyY1ZlcnNpb24iLCJ2YWx1ZSI6IjEuMC4yayJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNSZWxlYXNlIiwidmFsdWUiOiIxNi5lbDcifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjRXBvY2giLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6TGF5ZXJEaWdlc3QiLCJ2YWx1ZSI6InNoYTI1NjphYzkyMDgyMDdhZGFhYzNhNDhlNTRhNGRjNmI0OWM2OWU3OGMzMDcyZDJiM2FkZDdlZmRhYmY4MTRkYjIxMzNiIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkxheWVyRGlmZklEIiwidmFsdWUiOiJzaGEyNTY6ODkxNjlkODdkYmUyYjcyYmE0MmJmYmIzNTc5Yzk1NzMyMmJhY2EyOGUwM2ExZTU1ODA3NjU0MmExYzFiMmI0YSJ9XSwicHVybCI6InBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwidHlwZSI6ImxpYnJhcnkiLCJ2ZXJzaW9uIjoiMToxLjAuMmstMTYuZWw3In0seyJib20tcmVmIjoiMDE3NWY3MzItZGY5ZC00YmI4LTlmNTYtODcwODk4ZTNmZjg5IiwibmFtZSI6ImNlbnRvcyIsInByb3BlcnRpZXMiOlt7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6VHlwZSIsInZhbHVlIjoiY2VudG9zIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkNsYXNzIiwidmFsdWUiOiJvcy1wa2dzIn1dLCJ0eXBlIjoib3BlcmF0aW5nLXN5c3RlbSIsInZlcnNpb24iOiI3LjYuMTgxMCJ9XSwiZGVwZW5kZW5jaWVzIjpbeyJkZXBlbmRzT24iOlsicGtnOnJwbS9jZW50b3MvYmFzaEA0LjIuNDYtMzEuZWw3P2FyY2g9eDg2XzY0XHUwMDI2ZGlzdHJvPWNlbnRvcy03LjYuMTgxMCIsInBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIl0sInJlZiI6IjAxNzVmNzMyLWRmOWQtNGJiOC05ZjU2LTg3MDg5OGUzZmY4OSJ9LHsiZGVwZW5kc09uIjpbIjAxNzVmNzMyLWRmOWQtNGJiOC05ZjU2LTg3MDg5OGUzZmY4OSJdLCJyZWYiOiJkMGQ0MWUzMC05NjUwLTQ4OWQtOTQ4ZC00MjVmZjJlZDYzZDIifV0sIm1ldGFkYXRhIjp7ImNvbXBvbmVudCI6eyJib20tcmVmIjoiZDBkNDFlMzAtOTY1MC00ODlkLTk0OGQtNDI1ZmYyZWQ2M2QyIiwibmFtZSI6ImludGVncmF0aW9uL3Rlc3RkYXRhL2ZpeHR1cmVzL2ltYWdlcy9jZW50b3MtNy50YXIuZ3oiLCJwcm9wZXJ0aWVzIjpbeyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OlNjaGVtYVZlcnNpb24iLCJ2YWx1ZSI6IjIifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6SW1hZ2VJRCIsInZhbHVlIjoic2hhMjU2OmYxY2I3YzdkNThiNzNlYWM4NTljMzk1ODgyZWVjNDlkNTA2NTEyNDRlMzQyY2Q2YzY4YTVjNzgwOTc4NWY0MjcifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6RGlmZklEIiwidmFsdWUiOiJzaGEyNTY6ODkxNjlkODdkYmUyYjcyYmE0MmJmYmIzNTc5Yzk1NzMyMmJhY2EyOGUwM2ExZTU1ODA3NjU0MmExYzFiMmI0YSJ9XSwidHlwZSI6ImNvbnRhaW5lciJ9LCJ0aW1lc3RhbXAiOiIyMDIyLTA2LTE0VDE1OjA4OjQ4KzAwOjAwIiwidG9vbHMiOlt7Im5hbWUiOiJ0cml2eSIsInZlbmRvciI6ImFxdWFzZWN1cml0eSIsInZlcnNpb24iOiJkZXYifV19LCJzZXJpYWxOdW1iZXIiOiJ1cm46dXVpZDoxNDU1YzAyZC02NGNhLTQ1M2UtYTVkZi1kZGZiNzBhN2M4MDQiLCJzcGVjVmVyc2lvbiI6IjEuNCIsInZlcnNpb24iOjF9LCJUaW1lc3RhbXAiOiIifX0=","signatures":[{"keyid":"","sig":"MEUCIF52Th/Uxp9iGoqyP8ioikcefayjXh/+GhKyhhdczihaAiEAwOedZ0ovOanwY+u9Dl+/bHp8398YcXA2n0zG8Q2gnb0="}]}
--- a/integration/testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden
@@ -3,7 +3,7 @@
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
-    "timestamp": "2022-07-03T08:45:54+00:00",
+    "timestamp": "2022-08-14T12:39:11+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
--- a/integration/testdata/helm.json.golden
+++ b/integration/testdata/helm.json.golden
@@ -20,7 +20,7 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 32,
+        "Successes": 76,
        "Failures": 2,
        "Exceptions": 0
      },
@@ -268,7 +268,7 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 34,
+        "Successes": 78,
        "Failures": 0,
        "Exceptions": 0
      }
@@ -278,7 +278,7 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 34,
+        "Successes": 78,
        "Failures": 0,
        "Exceptions": 0
      }
--- a/integration/testdata/helm_testchart.json.golden
+++ b/integration/testdata/helm_testchart.json.golden
@@ -20,7 +20,7 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 32,
+        "Successes": 76,
        "Failures": 2,
        "Exceptions": 0
      },
@@ -268,7 +268,7 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 34,
+        "Successes": 78,
        "Failures": 0,
        "Exceptions": 0
      }
@@ -278,7 +278,7 @@
      "Class": "config",
      "Type": "helm",
      "MisconfSummary": {
-        "Successes": 34,
+        "Successes": 78,
        "Failures": 0,
        "Exceptions": 0
      }
--- a/integration/testdata/helm_testchart.overridden.json.golden
+++ b/integration/testdata/helm_testchart.overridden.json.golden
@@ -0,0 +1,496 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/helm_testchart",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "templates/deployment.yaml",
+      "Class": "config",
+      "Type": "helm",
+      "MisconfSummary": {
+        "Successes": 74,
+        "Failures": 4,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV001",
+          "Title": "Process can elevate its own privileges",
+          "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
+          "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.allowPrivilegeEscalation' to false",
+          "Namespace": "builtin.kubernetes.KSV001",
+          "Query": "data.builtin.kubernetes.KSV001.deny",
+          "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
+          "Severity": "MEDIUM",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001",
+          "References": [
+            "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
+            "https://avd.aquasec.com/misconfig/ksv001"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 28,
+            "EndLine": 57,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 28,
+                  "Content": "        - name: testchart",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 29,
+                  "Content": "          securityContext:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 30,
+                  "Content": "            capabilities:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 31,
+                  "Content": "              drop:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 32,
+                  "Content": "              - ALL",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 33,
+                  "Content": "            readOnlyRootFilesystem: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 34,
+                  "Content": "            runAsGroup: 10001",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 35,
+                  "Content": "            runAsNonRoot: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 36,
+                  "Content": "            runAsUser: 0",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": true
+                },
+                {
+                  "Number": 37,
+                  "Content": "",
+                  "IsCause": false,
+                  "Annotation": "",
+                  "Truncated": true,
+                  "FirstCause": false,
+                  "LastCause": false
+                }
+              ]
+            }
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV020",
+          "Title": "Runs with low user ID",
+          "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.",
+          "Message": "Container 'testchart' of Deployment 'testchart' should set 'securityContext.runAsUser' \u003e 10000",
+          "Namespace": "builtin.kubernetes.KSV020",
+          "Query": "data.builtin.kubernetes.KSV020.deny",
+          "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020",
+          "References": [
+            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
+            "https://avd.aquasec.com/misconfig/ksv020"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 28,
+            "EndLine": 57,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 28,
+                  "Content": "        - name: testchart",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 29,
+                  "Content": "          securityContext:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 30,
+                  "Content": "            capabilities:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 31,
+                  "Content": "              drop:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 32,
+                  "Content": "              - ALL",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 33,
+                  "Content": "            readOnlyRootFilesystem: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 34,
+                  "Content": "            runAsGroup: 10001",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 35,
+                  "Content": "            runAsNonRoot: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 36,
+                  "Content": "            runAsUser: 0",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": true
+                },
+                {
+                  "Number": 37,
+                  "Content": "",
+                  "IsCause": false,
+                  "Annotation": "",
+                  "Truncated": true,
+                  "FirstCause": false,
+                  "LastCause": false
+                }
+              ]
+            }
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV030",
+          "Title": "Default Seccomp profile not set",
+          "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
+          "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
+          "Namespace": "builtin.kubernetes.KSV030",
+          "Query": "data.builtin.kubernetes.KSV030.deny",
+          "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030",
+          "References": [
+            "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
+            "https://avd.aquasec.com/misconfig/ksv030"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 28,
+            "EndLine": 57,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 28,
+                  "Content": "        - name: testchart",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 29,
+                  "Content": "          securityContext:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 30,
+                  "Content": "            capabilities:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 31,
+                  "Content": "              drop:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 32,
+                  "Content": "              - ALL",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 33,
+                  "Content": "            readOnlyRootFilesystem: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 34,
+                  "Content": "            runAsGroup: 10001",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 35,
+                  "Content": "            runAsNonRoot: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 36,
+                  "Content": "            runAsUser: 0",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": true
+                },
+                {
+                  "Number": 37,
+                  "Content": "",
+                  "IsCause": false,
+                  "Annotation": "",
+                  "Truncated": true,
+                  "FirstCause": false,
+                  "LastCause": false
+                }
+              ]
+            }
+          }
+        },
+        {
+          "Type": "Helm Security Check",
+          "ID": "KSV105",
+          "Title": "Containers must not set runAsUser to 0",
+          "Description": "Containers should be forbidden from running with a root UID.",
+          "Message": "securityContext.runAsUser should be set to a value greater than 0",
+          "Namespace": "builtin.kubernetes.KSV105",
+          "Query": "data.builtin.kubernetes.KSV105.deny",
+          "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105",
+          "References": [
+            "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
+            "https://avd.aquasec.com/misconfig/ksv105"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Kubernetes",
+            "Service": "general",
+            "StartLine": 30,
+            "EndLine": 36,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 30,
+                  "Content": "            capabilities:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 31,
+                  "Content": "              drop:",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 32,
+                  "Content": "              - ALL",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 33,
+                  "Content": "            readOnlyRootFilesystem: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 34,
+                  "Content": "            runAsGroup: 10001",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 35,
+                  "Content": "            runAsNonRoot: true",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 36,
+                  "Content": "            runAsUser: 0",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            }
+          }
+        }
+      ]
+    },
+    {
+      "Target": "templates/service.yaml",
+      "Class": "config",
+      "Type": "helm",
+      "MisconfSummary": {
+        "Successes": 78,
+        "Failures": 0,
+        "Exceptions": 0
+      }
+    },
+    {
+      "Target": "templates/serviceaccount.yaml",
+      "Class": "config",
+      "Type": "helm",
+      "MisconfSummary": {
+        "Successes": 78,
+        "Failures": 0,
+        "Exceptions": 0
+      }
+    }
+  ]
+}
--- a/integration/testdata/pnpm.json.golden
+++ b/integration/testdata/pnpm.json.golden
@@ -2,6 +2,18 @@
  "SchemaVersion": 2,
  "ArtifactName": "testdata/fixtures/fs/pnpm",
  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
  "Results": [
    {
      "Target": "pnpm-lock.yaml",
--- a/integration/testdata/rockylinux-8.json.golden
+++ b/integration/testdata/rockylinux-8.json.golden
@@ -118,11 +118,6 @@
          "LastModifiedDate": "2022-01-06T09:15:00Z"
        }
      ]
-    },
-    {
-      "Target": "Python",
-      "Class": "lang-pkgs",
-      "Type": "python-pkg"
    }
  ]
 }
--- a/integration/testdata/secrets.json.golden
+++ b/integration/testdata/secrets.json.golden
@@ -26,7 +26,6 @@
          "Title": "AWS Access Key ID",
          "StartLine": 3,
          "EndLine": 3,
-          "Match": "export AWS_ACCESS_KEY_ID=********************",
          "Code": {
            "Lines": [
              {
@@ -45,7 +44,6 @@
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
-               "Highlighted": "",
                "FirstCause": false,
                "LastCause": false
              },
@@ -65,12 +63,12 @@
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
-               "Highlighted": "",
                "FirstCause": false,
                "LastCause": false
              }
            ]
-          }
+          },
+          "Match": "export AWS_ACCESS_KEY_ID=********************"
        },
        {
          "RuleID": "mysecret",
@@ -79,7 +77,6 @@
          "Title": "My Secret",
          "StartLine": 7,
          "EndLine": 7,
-          "Match": "echo ********",
          "Code": {
            "Lines": [
              {
@@ -98,7 +95,6 @@
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
-                "Highlighted": "",
                "FirstCause": false,
                "LastCause": false
              },
@@ -113,7 +109,8 @@
                "LastCause": true
              }
            ]
-          }
+          },
+          "Match": "echo ********"
        }
      ]
    }
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -52,6 +52,7 @@ nav:
              - Policy: docs/misconfiguration/options/policy.md
              - Filtering: docs/misconfiguration/options/filter.md
              - Report Formats: docs/misconfiguration/options/report.md
+              - Value Overrides: docs/misconfiguration/options/values.md
              - Others: docs/misconfiguration/options/others.md
          - Comparison:
              - vs Conftest: docs/misconfiguration/comparison/conftest.md
@@ -68,12 +69,15 @@ nav:
              - Scanning: docs/kubernetes/cli/scanning.md
          - Operator:
              - Overview: docs/kubernetes/operator/index.md
+      - Cloud:
+          - AWS: docs/cloud/aws/scanning.md
      - SBOM:
          - Overview: docs/sbom/index.md
          - CycloneDX: docs/sbom/cyclonedx.md
          - SPDX: docs/sbom/spdx.md
      - Attestation:
          - SBOM: docs/attestation/sbom.md
+          - Cosign Vulnerability Scan Record: docs/attestation/vuln.md
      - Integrations:
          - Overview: docs/integrations/index.md
          - GitHub Actions: docs/integrations/github-actions.md
@@ -138,6 +142,7 @@ theme:
    - navigation.tabs
    - navigation.tabs.sticky
    - navigation.sections
+    - content.tabs.link

 markdown_extensions:
  - pymdownx.highlight
@@ -145,7 +150,8 @@ markdown_extensions:
  - admonition
  - footnotes
  - attr_list
-  - pymdownx.tabbed
+  - pymdownx.tabbed:
+      alternate_style: true
  - def_list
  - pymdownx.details
  - pymdownx.emoji:
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -0,0 +1,44 @@
+package attestation
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+
+	"github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"golang.org/x/xerrors"
+)
+
+// CosignPredicate specifies the format of the Custom Predicate.
+// Cosign uses this structure when creating an SBOM attestation.
+// cf. https://github.com/sigstore/cosign/blob/e0547cff64f98585a837a524ff77ff6b47ff5609/pkg/cosign/attestation/attestation.go#L39-L43
+type CosignPredicate struct {
+	Data interface{}
+}
+
+// Statement holds in-toto statement headers and the predicate.
+type Statement in_toto.Statement
+
+func (s *Statement) UnmarshalJSON(b []byte) error {
+	var envelope dsse.Envelope
+	err := json.NewDecoder(bytes.NewReader(b)).Decode(&envelope)
+	if err != nil {
+		return xerrors.Errorf("failed to decode as a dsse envelope: %w", err)
+	}
+	if envelope.PayloadType != in_toto.PayloadType {
+		return xerrors.Errorf("invalid attestation payload type: %s", envelope.PayloadType)
+	}
+
+	decoded, err := base64.StdEncoding.DecodeString(envelope.Payload)
+	if err != nil {
+		return xerrors.Errorf("failed to decode attestation payload: %w", err)
+	}
+
+	statement := (*in_toto.Statement)(s)
+	if err = json.NewDecoder(bytes.NewReader(decoded)).Decode(statement); err != nil {
+		return xerrors.Errorf("failed to decode attestation payload as in-toto statement: %w", err)
+	}
+
+	return nil
+}
--- a/pkg/attestation/attestation_test.go
+++ b/pkg/attestation/attestation_test.go
@@ -0,0 +1,55 @@
+package attestation_test
+
+import (
+	"encoding/json"
+	"os"
+	"testing"
+
+	"github.com/in-toto/in-toto-golang/in_toto"
+	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/attestation"
+)
+
+func TestStatement_UnmarshalJSON(t *testing.T) {
+	tests := []struct {
+		name      string
+		inputFile string
+		want      attestation.Statement
+	}{
+		{
+			name:      "happy path",
+			inputFile: "testdata/attestation.json",
+			want: attestation.Statement{
+				StatementHeader: in_toto.StatementHeader{
+					Type:          "https://in-toto.io/Statement/v0.1",
+					PredicateType: "cosign.sigstore.dev/attestation/v1",
+					Subject: []in_toto.Subject{
+						{
+							Name: "ghcr.io/aquasecurity/trivy-test-images",
+							Digest: slsa.DigestSet{
+								"sha256": "72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb",
+							},
+						},
+					},
+				},
+				Predicate: &attestation.CosignPredicate{
+					Data: "foo\n",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			f, err := os.Open(tt.inputFile)
+			require.NoError(t, err)
+			defer f.Close()
+
+			got := attestation.Statement{Predicate: &attestation.CosignPredicate{}}
+			err = json.NewDecoder(f).Decode(&got)
+			require.NoError(t, err)
+			require.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/pkg/attestation/testdata/attestation.json
+++ b/pkg/attestation/testdata/attestation.json
@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJjb3NpZ24uc2lnc3RvcmUuZGV2L2F0dGVzdGF0aW9uL3YxIiwic3ViamVjdCI6W3sibmFtZSI6ImdoY3IuaW8vYXF1YXNlY3VyaXR5L3RyaXZ5LXRlc3QtaW1hZ2VzIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjcyYzQyZWQ0OGMzYTJkYjMxYjdkYWZlMTdkMjc1YjYzNDY2NGE3MDhkOTAxZWM5ZmQ1N2IxNTI5MjgwZjAxZmIifX1dLCJwcmVkaWNhdGUiOnsiRGF0YSI6ImZvb1xuIiwiVGltZXN0YW1wIjoiMjAyMi0wOC0wM1QxMzowODoyN1oifX0=","signatures":[{"keyid":"","sig":"MEUCIQClJhJ2mS78MWy4L32wxd+8gPXYwpvyn0nmuY9r5t8iiAIgHKKoIJbKAKQ8i/bgN76ocuGhwUMdbgqpgKF0yFfPfGI="}]}
--- a/pkg/cloud/aws/commands/run.go
+++ b/pkg/cloud/aws/commands/run.go
@@ -0,0 +1,187 @@
+package commands
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/defsec/pkg/errs"
+
+	cmd "github.com/aquasecurity/trivy/pkg/commands/artifact"
+
+	"github.com/aquasecurity/trivy/pkg/cloud"
+
+	"github.com/aquasecurity/trivy/pkg/cloud/cache"
+
+	"github.com/aquasecurity/trivy/pkg/flag"
+
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aquasecurity/trivy/pkg/cloud/aws/scanner"
+	"github.com/aquasecurity/trivy/pkg/cloud/report"
+
+	"github.com/aquasecurity/trivy/pkg/log"
+
+	awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
+)
+
+func getAccountIDAndRegion(ctx context.Context, region string) (string, string, error) {
+	log.Logger.Debug("Looking for AWS credentials provider...")
+
+	cfg, err := config.LoadDefaultConfig(context.TODO())
+	if err != nil {
+		return "", "", err
+	}
+	if region != "" {
+		cfg.Region = region
+	}
+
+	svc := sts.NewFromConfig(cfg)
+
+	log.Logger.Debug("Looking up AWS caller identity...")
+	result, err := svc.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+	if err != nil {
+		return "", "", fmt.Errorf("failed to discover AWS caller identity: %w", err)
+	}
+	if result.Account == nil {
+		return "", "", fmt.Errorf("missing account id for aws account")
+	}
+	log.Logger.Debugf("Verified AWS credentials for account %s!", *result.Account)
+	return *result.Account, cfg.Region, nil
+}
+
+func processOptions(ctx context.Context, opt *flag.Options) error {
+	// support comma separated services too
+	var splitServices []string
+	for _, service := range opt.Services {
+		splitServices = append(splitServices, strings.Split(service, ",")...)
+	}
+	opt.Services = splitServices
+
+	if len(opt.Services) != 1 && opt.ARN != "" {
+		return fmt.Errorf("you must specify the single --service which the --arn relates to")
+	}
+
+	if opt.Account == "" || opt.Region == "" {
+		var err error
+		opt.Account, opt.Region, err = getAccountIDAndRegion(ctx, opt.Region)
+		if err != nil {
+			return err
+		}
+	}
+
+	if len(opt.Services) == 0 {
+		log.Logger.Debug("No service(s) specified, scanning all services...")
+		opt.Services = awsScanner.AllSupportedServices()
+	} else {
+		log.Logger.Debugf("Specific services were requested: [%s]...", strings.Join(opt.Services, ", "))
+		for _, service := range opt.Services {
+			var found bool
+			supported := awsScanner.AllSupportedServices()
+			for _, allowed := range supported {
+				if allowed == service {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return fmt.Errorf("service '%s' is not currently supported - supported services are: %s", service, strings.Join(supported, ", "))
+			}
+		}
+	}
+
+	return nil
+}
+
+func Run(ctx context.Context, opt flag.Options) error {
+
+	ctx, cancel := context.WithTimeout(ctx, opt.GlobalOptions.Timeout)
+	defer cancel()
+
+	if err := log.InitLogger(opt.Debug, false); err != nil {
+		return fmt.Errorf("logger error: %w", err)
+	}
+
+	var err error
+	defer func() {
+		if errors.Is(err, context.DeadlineExceeded) {
+			log.Logger.Warn("Increase --timeout value")
+		}
+	}()
+
+	if err := processOptions(ctx, &opt); err != nil {
+		return err
+	}
+
+	cached := cache.New(opt.CacheDir, opt.MaxCacheAge, cloud.ProviderAWS, opt.Account, opt.Region)
+	servicesInCache := cached.ListAvailableServices(false)
+	var servicesToLoadFromCache []string
+	var servicesToScan []string
+	for _, service := range opt.Services {
+		if cached != nil {
+			var inCache bool
+			for _, cacheSvc := range servicesInCache {
+				if cacheSvc == service {
+					log.Logger.Debugf("Results for service '%s' found in cache.", service)
+					inCache = true
+					break
+				}
+			}
+			if inCache && !opt.UpdateCache {
+				servicesToLoadFromCache = append(servicesToLoadFromCache, service)
+				continue
+			}
+		}
+		servicesToScan = append(servicesToScan, service)
+	}
+
+	var r *report.Report
+
+	// if there is anything we need that wasn't in the cache, scan it now
+	if len(servicesToScan) > 0 {
+		log.Logger.Debugf("Scanning the following services using the AWS API: [%s]...", strings.Join(servicesToScan, ", "))
+		opt.Services = servicesToScan
+		results, err := scanner.NewScanner().Scan(ctx, opt)
+		if err != nil {
+			var aerr errs.AdapterError
+			if errors.As(err, &aerr) {
+				for _, e := range aerr.Errors() {
+					log.Logger.Warnf("Adapter error: %s", e)
+				}
+			}
+			return fmt.Errorf("aws scan error: %w", err)
+		}
+		r = report.New(cloud.ProviderAWS, opt.Account, opt.Region, results.GetFailed(), opt.Services)
+	} else {
+		log.Logger.Debug("No more services to scan - everything was found in the cache.")
+		r = report.New(cloud.ProviderAWS, opt.Account, opt.Region, nil, opt.Services)
+	}
+	if len(servicesToLoadFromCache) > 0 {
+		log.Logger.Debug("Loading cached results...")
+		cachedReport, err := cached.LoadReport(servicesToLoadFromCache...)
+		if err != nil {
+			return err
+		}
+		for service, results := range cachedReport.Results {
+			log.Logger.Debugf("Adding cached results for '%s'...", service)
+			r.AddResultsForService(service, results.Results, results.CreationTime)
+		}
+	}
+
+	if len(servicesToScan) > 0 { // don't write cache if we didn't scan anything new
+		log.Logger.Debugf("Writing results to cache for services [%s]...", strings.Join(r.ServicesInScope, ", "))
+		if err := cached.Save(r); err != nil {
+			return err
+		}
+	}
+
+	log.Logger.Debug("Writing report to output...")
+	if err := report.Write(r, opt, len(servicesToLoadFromCache) > 0); err != nil {
+		return fmt.Errorf("unable to write results: %w", err)
+	}
+
+	cmd.Exit(opt, r.Failed())
+	return nil
+}
--- a/pkg/cloud/aws/scanner/progress.go
+++ b/pkg/cloud/aws/scanner/progress.go
@@ -0,0 +1,79 @@
+package scanner
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/liamg/loading/pkg/bar"
+)
+
+type progressTracker struct {
+	serviceBar     *bar.Bar
+	serviceTotal   int
+	serviceCurrent int
+	isTTY          bool
+}
+
+func newProgressTracker() *progressTracker {
+	var isTTY bool
+	if stat, err := os.Stdout.Stat(); err == nil {
+		isTTY = stat.Mode()&os.ModeCharDevice == os.ModeCharDevice
+	}
+	return &progressTracker{
+		isTTY: isTTY,
+	}
+}
+
+func (m *progressTracker) Finish() {
+	if !m.isTTY || m.serviceBar == nil {
+		return
+	}
+	m.serviceBar.Finish()
+}
+
+func (m *progressTracker) IncrementResource() {
+	if !m.isTTY {
+		return
+	}
+	m.serviceBar.Increment()
+}
+
+func (m *progressTracker) SetTotalResources(i int) {
+	if !m.isTTY {
+		return
+	}
+	m.serviceBar.SetTotal(i)
+}
+
+func (m *progressTracker) SetTotalServices(i int) {
+	m.serviceTotal = i
+}
+
+func (m *progressTracker) SetServiceLabel(label string) {
+	if !m.isTTY {
+		return
+	}
+	m.serviceBar.SetLabel("└╴" + label)
+	m.serviceBar.SetCurrent(0)
+}
+
+func (m *progressTracker) FinishService() {
+	if !m.isTTY {
+		return
+	}
+	m.serviceCurrent++
+	m.serviceBar.Finish()
+}
+
+func (m *progressTracker) StartService(name string) {
+	if !m.isTTY {
+		return
+	}
+	fmt.Printf("[%d/%d] Scanning %s...\n", m.serviceCurrent+1, m.serviceTotal, name)
+	m.serviceBar = bar.New(
+		bar.OptionHideOnFinish(true),
+		bar.OptionWithAutoComplete(false),
+		bar.OptionWithRenderFunc(bar.RenderColoured(0xff, 0x66, 0x00)),
+	)
+	m.SetServiceLabel("Initializing...")
+}
--- a/pkg/cloud/aws/scanner/scanner.go
+++ b/pkg/cloud/aws/scanner/scanner.go
@@ -0,0 +1,74 @@
+package scanner
+
+import (
+	"context"
+	"strings"
+
+	"github.com/aquasecurity/defsec/pkg/framework"
+
+	"github.com/aquasecurity/trivy/pkg/flag"
+	"github.com/aquasecurity/trivy/pkg/log"
+
+	"github.com/aquasecurity/defsec/pkg/scan"
+	"github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
+	"github.com/aquasecurity/defsec/pkg/scanners/options"
+)
+
+type AWSScanner struct {
+}
+
+func NewScanner() *AWSScanner {
+	return &AWSScanner{}
+}
+
+func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Results, error) {
+
+	var scannerOpts []options.ScannerOption
+	if !option.NoProgress {
+		tracker := newProgressTracker()
+		defer tracker.Finish()
+		scannerOpts = append(scannerOpts, aws.ScannerWithProgressTracker(tracker))
+	}
+
+	if len(option.Services) > 0 {
+		scannerOpts = append(scannerOpts, aws.ScannerWithAWSServices(option.Services...))
+	}
+
+	if option.Debug {
+		scannerOpts = append(scannerOpts, options.ScannerWithDebug(&defsecLogger{}))
+	}
+
+	if option.Region != "" {
+		scannerOpts = append(
+			scannerOpts,
+			aws.ScannerWithAWSRegion(option.Region),
+		)
+	}
+
+	if option.Endpoint != "" {
+		scannerOpts = append(
+			scannerOpts,
+			aws.ScannerWithAWSEndpoint(option.Endpoint),
+		)
+	}
+
+	scannerOpts = append(scannerOpts, options.ScannerWithFrameworks(
+		framework.Default,
+		framework.CIS_AWS_1_2,
+	))
+
+	defsecResults, err := aws.New(scannerOpts...).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return defsecResults, nil
+}
+
+type defsecLogger struct {
+}
+
+func (d *defsecLogger) Write(p []byte) (n int, err error) {
+	log.Logger.Debug("[defsec] " + strings.TrimSpace(string(p)))
+	return len(p), nil
+}
--- a/pkg/cloud/cache/cache.go
+++ b/pkg/cloud/cache/cache.go
@@ -0,0 +1,65 @@
+package cache
+
+import (
+	"fmt"
+	"path"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+const (
+	metadataFilename = "metadata.json"
+	cacheFilename    = "cache.json"
+	dataDirName      = "data"
+	cacheSubDir      = "cloud"
+)
+
+var ErrCacheNotFound = fmt.Errorf("cache record not found")
+
+type Cache struct {
+	path      string
+	provider  string
+	accountID string
+	region    string
+	maxAge    time.Duration
+}
+
+func New(basePath string, maxAge time.Duration, provider string, accountID string, region string) *Cache {
+	return &Cache{
+		path:      path.Join(basePath, cacheSubDir, strings.ToLower(provider), accountID, strings.ToLower(region)),
+		provider:  provider,
+		accountID: accountID,
+		region:    region,
+		maxAge:    maxAge,
+	}
+}
+
+func (c *Cache) ListAvailableServices(includeExpired bool) []string {
+	metadata, err := c.loadMetadata()
+	if err != nil {
+		return nil
+	}
+	r, err := c.LoadReport(metadata.ServicesInScope...)
+	if err != nil {
+		return nil
+	}
+	var available []string
+	for _, service := range metadata.ServicesInScope {
+		if entry, ok := r.Results[service]; ok {
+			if includeExpired || entry.CreationTime.Add(c.maxAge).After(time.Now()) {
+				available = append(available, service)
+			}
+		}
+	}
+	return available
+}
+
+func (c *Cache) getServicePath(service string) string {
+	service = strings.NewReplacer(" ", "_", ".", "_").Replace(service)
+	return filepath.Join(c.path, dataDirName, service, cacheFilename)
+}
+
+func (c *Cache) getMetadataPath() string {
+	return filepath.Join(c.path, metadataFilename)
+}
--- a/pkg/cloud/cache/cache_test.go
+++ b/pkg/cloud/cache/cache_test.go
@@ -0,0 +1,166 @@
+package cache
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/cloud/report"
+)
+
+func TestCache(t *testing.T) {
+
+	tests := []struct {
+		name     string
+		input    report.Report
+		services []string
+	}{
+		{
+			name: "no services",
+			input: report.Report{
+				Provider:        "AWS",
+				AccountID:       "1234567890",
+				Region:          "us-east-1",
+				Results:         make(map[string]report.ResultsAtTime),
+				ServicesInScope: nil,
+			},
+			services: nil,
+		},
+		{
+			name: "all services",
+			input: report.Report{
+				Provider:  "AWS",
+				AccountID: "1234567890",
+				Region:    "us-east-1",
+				Results: map[string]report.ResultsAtTime{
+					"s3": {
+						Results:      nil,
+						CreationTime: time.Now(),
+					},
+					"ec2": {
+						Results:      nil,
+						CreationTime: time.Now(),
+					},
+				},
+				ServicesInScope: []string{"ec2", "s3"},
+			},
+			services: []string{"ec2", "s3"},
+		},
+		{
+			name: "partial services",
+			input: report.Report{
+				Provider:  "AWS",
+				AccountID: "1234567890",
+				Region:    "us-east-1",
+				Results: map[string]report.ResultsAtTime{
+					"s3": {
+						Results:      nil,
+						CreationTime: time.Now(),
+					},
+					"ec2": {
+						Results:      nil,
+						CreationTime: time.Now(),
+					},
+				},
+				ServicesInScope: []string{"ec2", "s3"},
+			},
+			services: []string{"ec2"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+
+			baseDir := t.TempDir()
+
+			// ensure saving doesn't error
+			cache := New(baseDir, time.Hour, test.input.Provider, test.input.AccountID, test.input.Region)
+			require.NoError(t, cache.Save(&test.input))
+
+			// ensure all scoped services were cached
+			available := cache.ListAvailableServices(false)
+			assert.Equal(t, test.input.ServicesInScope, available)
+
+			// ensure all cached services are really available
+			fullReport, err := cache.LoadReport(available...)
+			require.NoError(t, err)
+			assert.Equal(t, available, fullReport.ServicesInScope)
+
+			// ensure loading restores all (specified) data
+			loaded, err := cache.LoadReport(test.services...)
+			require.NoError(t, err)
+
+			assert.Equal(t, test.input.Provider, loaded.Provider)
+			assert.Equal(t, test.input.AccountID, loaded.AccountID)
+			assert.Equal(t, test.input.Region, loaded.Region)
+			assert.ElementsMatch(t, test.services, loaded.ServicesInScope)
+
+			var actualServices []string
+			for service := range loaded.Results {
+				actualServices = append(actualServices, service)
+			}
+			assert.ElementsMatch(t, test.services, actualServices)
+
+			for _, service := range test.services {
+				assert.Equal(t, test.input.Results[service].CreationTime.Format(time.RFC3339), loaded.Results[service].CreationTime.Format(time.RFC3339))
+				assert.Equal(t, test.input.Results[service].Results, loaded.Results[service].Results)
+			}
+		})
+	}
+}
+
+func TestPartialCacheOverwrite(t *testing.T) {
+	baseDir := t.TempDir()
+
+	r1 := report.Report{
+		Provider:  "AWS",
+		AccountID: "1234567890",
+		Region:    "us-east-1",
+		Results: map[string]report.ResultsAtTime{
+			"a": {
+				Results:      nil,
+				CreationTime: time.Now(),
+			},
+			"b": {
+				Results:      nil,
+				CreationTime: time.Now(),
+			},
+			"c": {
+				Results:      nil,
+				CreationTime: time.Now(),
+			},
+			"d": {
+				Results:      nil,
+				CreationTime: time.Now(),
+			},
+		},
+		ServicesInScope: []string{"a", "b", "c", "d"},
+	}
+
+	// ensure saving doesn't error
+	cache := New(baseDir, time.Hour, "AWS", "1234567890", "us-east-1")
+	require.NoError(t, cache.Save(&r1))
+
+	r2 := report.Report{
+		Provider:  "AWS",
+		AccountID: "1234567890",
+		Region:    "us-east-1",
+		Results: map[string]report.ResultsAtTime{
+			"a": {
+				Results:      nil,
+				CreationTime: time.Now(),
+			},
+			"b": {
+				Results:      nil,
+				CreationTime: time.Now(),
+			},
+		},
+		ServicesInScope: []string{"a", "b"},
+	}
+	require.NoError(t, cache.Save(&r2))
+
+	assert.ElementsMatch(t, []string{"a", "b", "c", "d"}, cache.ListAvailableServices(false))
+}
--- a/pkg/cloud/cache/load.go
+++ b/pkg/cloud/cache/load.go
@@ -0,0 +1,59 @@
+package cache
+
+import (
+	"encoding/json"
+	"os"
+
+	"github.com/aquasecurity/trivy/pkg/cloud/report"
+)
+
+func (c *Cache) loadMetadata() (*Metadata, error) {
+	metadataFile := c.getMetadataPath()
+	m, err := os.Open(metadataFile)
+	if err != nil {
+		return nil, ErrCacheNotFound
+	}
+
+	var metadata Metadata
+	if err := json.NewDecoder(m).Decode(&metadata); err != nil {
+		return nil, err
+	}
+	return &metadata, nil
+}
+
+func (c *Cache) LoadReport(services ...string) (*report.Report, error) {
+
+	metadata, err := c.loadMetadata()
+	if err != nil {
+		return nil, err
+	}
+
+	base := report.New(c.provider, c.accountID, c.region, nil, nil)
+
+	for _, service := range services {
+		if !contains(metadata.ServicesInScope, service) {
+			continue
+		}
+		serviceFile := c.getServicePath(service)
+		s, err := os.Open(serviceFile)
+		if err != nil {
+			return nil, err
+		}
+		var serviceRecord Record
+		if err := json.NewDecoder(s).Decode(&serviceRecord); err != nil {
+			return nil, err
+		}
+		base.AddResultsForService(service, serviceRecord.Results, serviceRecord.CreationTime)
+	}
+
+	return base, nil
+}
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
--- a/pkg/cloud/cache/save.go
+++ b/pkg/cloud/cache/save.go
@@ -0,0 +1,77 @@
+package cache
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+
+	"github.com/aquasecurity/trivy/pkg/cloud/report"
+)
+
+func (c *Cache) Save(r *report.Report) error {
+
+	existingServices := c.ListAvailableServices(true)
+
+	if err := os.MkdirAll(
+		filepath.Dir(c.getMetadataPath()),
+		0700,
+	); err != nil { // only the current user is allowed to see this report
+		return err
+	}
+
+	var retainedServices []string
+	for _, existing := range existingServices {
+		var found bool
+		for _, service := range r.ServicesInScope {
+			if service == existing {
+				found = true
+				break
+			}
+		}
+		if found {
+			continue
+		}
+		retainedServices = append(retainedServices, existing)
+	}
+
+	for _, service := range r.ServicesInScope {
+		serviceFile := c.getServicePath(service)
+		if err := os.MkdirAll(
+			filepath.Dir(serviceFile),
+			0700,
+		); err != nil {
+			return err
+		}
+		resultSet, err := r.GetResultsForService(service)
+		if err != nil {
+			return err
+		}
+		s, err := os.Create(serviceFile)
+		if err != nil {
+			return err
+		}
+		record := Record{
+			SchemaVersion: SchemaVersion,
+			Service:       service,
+			Results:       resultSet.Results,
+			CreationTime:  resultSet.CreationTime,
+		}
+		if err := json.NewEncoder(s).Encode(record); err != nil {
+			return err
+		}
+	}
+
+	metadataFile := c.getMetadataPath()
+	metadata := Metadata{
+		SchemaVersion:   SchemaVersion,
+		Provider:        c.provider,
+		AccountID:       c.accountID,
+		Region:          c.region,
+		ServicesInScope: append(r.ServicesInScope, retainedServices...),
+	}
+	m, err := os.Create(metadataFile)
+	if err != nil {
+		return err
+	}
+	return json.NewEncoder(m).Encode(metadata)
+}
--- a/pkg/cloud/cache/schema.go
+++ b/pkg/cloud/cache/schema.go
@@ -0,0 +1,24 @@
+package cache
+
+import (
+	"time"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+const SchemaVersion = 1
+
+type Metadata struct {
+	SchemaVersion   int      `json:"schema_version"`
+	Provider        string   `json:"provider"`
+	AccountID       string   `json:"account_id"`
+	Region          string   `json:"region"`
+	ServicesInScope []string `json:"services"`
+}
+
+type Record struct {
+	SchemaVersion int           `json:"schema_version"`
+	Service       string        `json:"service"`
+	Results       types.Results `json:"results"`
+	CreationTime  time.Time     `json:"creation_time"`
+}
--- a/pkg/cloud/provider.go
+++ b/pkg/cloud/provider.go
@@ -0,0 +1,5 @@
+package cloud
+
+const (
+	ProviderAWS = "AWS"
+)
--- a/pkg/cloud/report/convert.go
+++ b/pkg/cloud/report/convert.go
@@ -0,0 +1,95 @@
+package report
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/aquasecurity/defsec/pkg/scan"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+func convertResults(results scan.Results, provider string, scoped []string) map[string]ResultsAtTime {
+	convertedResults := make(map[string]ResultsAtTime)
+	resultsByServiceAndARN := make(map[string]map[string]scan.Results)
+	for _, result := range results {
+		existingService, ok := resultsByServiceAndARN[result.Rule().Service]
+		if !ok {
+			existingService = make(map[string]scan.Results)
+		}
+		resource := result.Flatten().Resource
+
+		existingService[resource] = append(existingService[resource], result)
+		resultsByServiceAndARN[result.Rule().Service] = existingService
+	}
+	// ensure we have entries for all scoped services, even if there are no results
+	for _, service := range scoped {
+		if _, ok := resultsByServiceAndARN[service]; !ok {
+			resultsByServiceAndARN[service] = nil
+		}
+	}
+	for service, arnResults := range resultsByServiceAndARN {
+
+		var convertedArnResults []types.Result
+
+		for arn, serviceResults := range arnResults {
+
+			arnResult := types.Result{
+				Target: arn,
+				Class:  types.ClassConfig,
+				Type:   ftypes.Cloud,
+			}
+
+			for _, result := range serviceResults {
+
+				var primaryURL string
+
+				// empty namespace implies a go rule from defsec, "builtin" refers to a built-in rego rule
+				// this ensures we don't generate bad links for custom policies
+				if result.RegoNamespace() == "" || strings.HasPrefix(result.RegoNamespace(), "builtin.") {
+					primaryURL = fmt.Sprintf("https://avd.aquasec.com/misconfig/%s", strings.ToLower(result.Rule().AVDID))
+				}
+
+				status := types.StatusFailure
+				switch result.Status() {
+				case scan.StatusPassed:
+					status = types.StatusPassed
+				case scan.StatusIgnored:
+					status = types.StatusException
+				}
+
+				flat := result.Flatten()
+
+				arnResult.Misconfigurations = append(arnResult.Misconfigurations, types.DetectedMisconfiguration{
+					Type:        provider,
+					ID:          result.Rule().AVDID,
+					Title:       result.Rule().Summary,
+					Description: strings.TrimSpace(result.Rule().Explanation),
+					Message:     strings.TrimSpace(result.Description()),
+					Namespace:   result.RegoNamespace(),
+					Query:       result.RegoRule(),
+					Resolution:  result.Rule().Resolution,
+					Severity:    string(result.Severity()),
+					PrimaryURL:  primaryURL,
+					References:  []string{primaryURL},
+					Status:      status,
+					CauseMetadata: ftypes.CauseMetadata{
+						Resource:  flat.Resource,
+						Provider:  string(flat.RuleProvider),
+						Service:   flat.RuleService,
+						StartLine: flat.Location.StartLine,
+						EndLine:   flat.Location.EndLine,
+					},
+				})
+			}
+
+			convertedArnResults = append(convertedArnResults, arnResult)
+		}
+		convertedResults[service] = ResultsAtTime{
+			Results:      convertedArnResults,
+			CreationTime: time.Now(),
+		}
+	}
+	return convertedResults
+}
--- a/pkg/cloud/report/convert_test.go
+++ b/pkg/cloud/report/convert_test.go
@@ -0,0 +1,241 @@
+package report
+
+import (
+	"sort"
+	"testing"
+
+	fanaltypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+
+	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aquasecurity/defsec/pkg/scan"
+)
+
+func Test_ResultConversion(t *testing.T) {
+
+	tests := []struct {
+		name     string
+		results  scan.Results
+		provider string
+		scoped   []string
+		expected map[string]ResultsAtTime
+	}{
+		{
+			name:     "no results",
+			results:  scan.Results{},
+			provider: "AWS",
+			expected: make(map[string]ResultsAtTime),
+		},
+		{
+			name:     "no results, multiple scoped services",
+			results:  scan.Results{},
+			provider: "AWS",
+			scoped:   []string{"s3", "ec2"},
+			expected: map[string]ResultsAtTime{
+				"s3":  {},
+				"ec2": {},
+			},
+		},
+		{
+			name: "multiple results",
+			results: func() scan.Results {
+
+				baseRule := scan.Rule{
+					AVDID:       "AVD-AWS-9999",
+					Aliases:     []string{"AWS999"},
+					ShortCode:   "no-bad-stuff",
+					Summary:     "Do not use bad stuff",
+					Explanation: "Bad stuff is... bad",
+					Impact:      "Bad things",
+					Resolution:  "Remove bad stuff",
+					Provider:    "AWS",
+					Severity:    "HIGH",
+				}
+
+				var s3Results scan.Results
+				s3Results.Add(
+					"something failed",
+					defsecTypes.NewRemoteMetadata((arn.ARN{
+						Partition: "aws",
+						Service:   "s3",
+						Region:    "us-east-1",
+						AccountID: "1234567890",
+						Resource:  "bucket1",
+					}).String()),
+				)
+				s3Results.Add(
+					"something else failed",
+					defsecTypes.NewRemoteMetadata((arn.ARN{
+						Partition: "aws",
+						Service:   "s3",
+						Region:    "us-east-1",
+						AccountID: "1234567890",
+						Resource:  "bucket2",
+					}).String()),
+				)
+				s3Results.Add(
+					"something else failed again",
+					defsecTypes.NewRemoteMetadata((arn.ARN{
+						Partition: "aws",
+						Service:   "s3",
+						Region:    "us-east-1",
+						AccountID: "1234567890",
+						Resource:  "bucket2",
+					}).String()),
+				)
+				baseRule.Service = "s3"
+				s3Results.SetRule(baseRule)
+				var ec2Results scan.Results
+				ec2Results.Add(
+					"instance is bad",
+					defsecTypes.NewRemoteMetadata((arn.ARN{
+						Partition: "aws",
+						Service:   "ec2",
+						Region:    "us-east-1",
+						AccountID: "1234567890",
+						Resource:  "instance1",
+					}).String()),
+				)
+				baseRule.Service = "ec2"
+				ec2Results.SetRule(baseRule)
+				return append(s3Results, ec2Results...)
+			}(),
+			provider: "AWS",
+			expected: map[string]ResultsAtTime{
+				"s3": {
+					Results: types.Results{
+						{
+							Target: "arn:aws:s3:us-east-1:1234567890:bucket1",
+							Class:  "config",
+							Type:   "cloud",
+							Misconfigurations: []types.DetectedMisconfiguration{
+								{
+									Type:        "AWS",
+									ID:          "AVD-AWS-9999",
+									Title:       "Do not use bad stuff",
+									Description: "Bad stuff is... bad",
+									Message:     "something failed",
+									Resolution:  "Remove bad stuff",
+									Severity:    "HIGH",
+									PrimaryURL:  "https://avd.aquasec.com/misconfig/avd-aws-9999",
+									References: []string{
+										"https://avd.aquasec.com/misconfig/avd-aws-9999",
+									},
+									Status: "FAIL",
+									CauseMetadata: fanaltypes.CauseMetadata{
+										Resource:  "arn:aws:s3:us-east-1:1234567890:bucket1",
+										Provider:  "AWS",
+										Service:   "s3",
+										StartLine: 0,
+										EndLine:   0,
+										Code:      fanaltypes.Code{},
+									},
+								},
+							},
+						},
+						{
+							Target: "arn:aws:s3:us-east-1:1234567890:bucket2",
+							Class:  "config",
+							Type:   "cloud",
+							Misconfigurations: []types.DetectedMisconfiguration{
+								{
+									Type:        "AWS",
+									ID:          "AVD-AWS-9999",
+									Title:       "Do not use bad stuff",
+									Description: "Bad stuff is... bad",
+									Message:     "something else failed",
+									Resolution:  "Remove bad stuff",
+									Severity:    "HIGH",
+									PrimaryURL:  "https://avd.aquasec.com/misconfig/avd-aws-9999",
+									References: []string{
+										"https://avd.aquasec.com/misconfig/avd-aws-9999",
+									},
+									Status: "FAIL",
+									CauseMetadata: fanaltypes.CauseMetadata{
+										Resource: "arn:aws:s3:us-east-1:1234567890:bucket2",
+										Provider: "AWS",
+										Service:  "s3",
+									},
+								},
+								{
+									Type:        "AWS",
+									ID:          "AVD-AWS-9999",
+									Title:       "Do not use bad stuff",
+									Description: "Bad stuff is... bad",
+									Message:     "something else failed again",
+									Resolution:  "Remove bad stuff",
+									Severity:    "HIGH",
+									PrimaryURL:  "https://avd.aquasec.com/misconfig/avd-aws-9999",
+									References: []string{
+										"https://avd.aquasec.com/misconfig/avd-aws-9999",
+									},
+									Status: "FAIL",
+									CauseMetadata: fanaltypes.CauseMetadata{
+										Resource: "arn:aws:s3:us-east-1:1234567890:bucket2",
+										Provider: "AWS",
+										Service:  "s3",
+									},
+								},
+							},
+						},
+					},
+				},
+				"ec2": {
+					Results: types.Results{
+						{
+							Target: "arn:aws:ec2:us-east-1:1234567890:instance1",
+							Class:  "config",
+							Type:   "cloud",
+							Misconfigurations: []types.DetectedMisconfiguration{
+								{
+									Type:        "AWS",
+									ID:          "AVD-AWS-9999",
+									Title:       "Do not use bad stuff",
+									Description: "Bad stuff is... bad",
+									Message:     "instance is bad",
+									Resolution:  "Remove bad stuff",
+									Severity:    "HIGH",
+									PrimaryURL:  "https://avd.aquasec.com/misconfig/avd-aws-9999",
+									References: []string{
+										"https://avd.aquasec.com/misconfig/avd-aws-9999",
+									},
+									Status: "FAIL",
+									CauseMetadata: fanaltypes.CauseMetadata{
+										Resource: "arn:aws:ec2:us-east-1:1234567890:instance1",
+										Provider: "AWS",
+										Service:  "ec2",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			converted := convertResults(test.results, test.provider, test.scoped)
+			assertConvertedResultsMatch(t, test.expected, converted)
+		})
+	}
+
+}
+
+func assertConvertedResultsMatch(t *testing.T, expected, actual map[string]ResultsAtTime) {
+	assert.Equal(t, len(expected), len(actual))
+	for service, resultsAtTime := range expected {
+		_, ok := actual[service]
+		assert.True(t, ok)
+		sort.Slice(actual[service].Results, func(i, j int) bool {
+			return actual[service].Results[i].Target < actual[service].Results[j].Target
+		})
+		assert.ElementsMatch(t, resultsAtTime.Results, actual[service].Results)
+	}
+}
--- a/pkg/cloud/report/report.go
+++ b/pkg/cloud/report/report.go
@@ -0,0 +1,175 @@
+package report
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"sort"
+	"time"
+
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+
+	"github.com/liamg/tml"
+
+	"github.com/aquasecurity/trivy/pkg/flag"
+
+	"github.com/aquasecurity/trivy/pkg/report"
+
+	"github.com/aquasecurity/trivy/pkg/result"
+
+	"github.com/aquasecurity/defsec/pkg/scan"
+	pkgReport "github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+const (
+	tableFormat = "table"
+)
+
+// Report represents a kubernetes scan report
+type Report struct {
+	Provider        string
+	AccountID       string
+	Region          string
+	Results         map[string]ResultsAtTime
+	ServicesInScope []string
+}
+
+type ResultsAtTime struct {
+	Results      types.Results
+	CreationTime time.Time
+}
+
+func New(provider, accountID, region string, defsecResults scan.Results, scopedServices []string) *Report {
+	return &Report{
+		Provider:        provider,
+		AccountID:       accountID,
+		Results:         convertResults(defsecResults, provider, scopedServices),
+		ServicesInScope: scopedServices,
+		Region:          region,
+	}
+}
+
+// Failed returns whether the aws report includes any "failed" results
+func (r *Report) Failed() bool {
+	for _, set := range r.Results {
+		if set.Results.Failed() {
+			return true
+		}
+	}
+	return false
+}
+
+// Write writes the results in the give format
+func Write(rep *Report, opt flag.Options, fromCache bool) error {
+
+	var filtered []types.Result
+
+	ctx := context.Background()
+
+	// filter results
+	for _, resultsAtTime := range rep.Results {
+		for _, res := range resultsAtTime.Results {
+			resCopy := res
+			if err := result.Filter(
+				ctx,
+				&resCopy,
+				opt.Severities,
+				false,
+				false,
+				"",
+				"",
+				nil,
+			); err != nil {
+				return err
+			}
+			sort.Slice(resCopy.Misconfigurations, func(i, j int) bool {
+				return resCopy.Misconfigurations[i].CauseMetadata.Resource < resCopy.Misconfigurations[i].CauseMetadata.Resource
+			})
+			filtered = append(filtered, resCopy)
+		}
+	}
+	sort.Slice(filtered, func(i, j int) bool {
+		return filtered[i].Target < filtered[j].Target
+	})
+
+	base := types.Report{
+		ArtifactName: rep.AccountID,
+		ArtifactType: ftypes.ArtifactAWSAccount,
+		Results:      filtered,
+	}
+
+	switch opt.Format {
+	case tableFormat:
+
+		// ensure color/formatting is disabled for pipes/non-pty
+		var useANSI bool
+		if opt.Output == os.Stdout {
+			if o, err := os.Stdout.Stat(); err == nil {
+				useANSI = (o.Mode() & os.ModeCharDevice) == os.ModeCharDevice
+			}
+		}
+		if !useANSI {
+			tml.DisableFormatting()
+		}
+
+		switch {
+		case len(opt.Services) == 1 && opt.ARN == "":
+			if err := writeResourceTable(rep, filtered, opt.Output, opt.Services[0]); err != nil {
+				return err
+			}
+		case len(opt.Services) == 1 && opt.ARN != "":
+			if err := writeResultsForARN(rep, filtered, opt.Output, opt.Services[0], opt.ARN, opt.Severities); err != nil {
+				return err
+			}
+		default:
+			if err := writeServiceTable(rep, filtered, opt.Output); err != nil {
+				return err
+			}
+		}
+
+		// render cache info
+		if fromCache {
+			_ = tml.Fprintf(opt.Output, "\n<blue>This scan report was loaded from cached results. If you'd like to run a fresh scan, use --update-cache.</blue>\n")
+		}
+
+		return nil
+	default:
+		return report.Write(base, pkgReport.Option{
+			Format:             opt.Format,
+			Output:             opt.Output,
+			Severities:         opt.Severities,
+			OutputTemplate:     opt.Template,
+			IncludeNonFailures: opt.IncludeNonFailures,
+			Trace:              opt.Trace,
+		})
+	}
+}
+
+func (r *Report) GetResultsForService(service string) (*ResultsAtTime, error) {
+	if set, ok := r.Results[service]; ok {
+		return &set, nil
+	}
+	for _, scoped := range r.ServicesInScope {
+		if scoped == service {
+			return &ResultsAtTime{
+				Results:      nil,
+				CreationTime: time.Now(),
+			}, nil
+		}
+	}
+	return nil, fmt.Errorf("service %q not found", service)
+}
+
+func (r *Report) AddResultsForService(service string, results types.Results, creation time.Time) {
+	r.Results[service] = ResultsAtTime{
+		Results:      results,
+		CreationTime: creation,
+	}
+	for _, exists := range r.ServicesInScope {
+		if exists == service {
+			return
+		}
+	}
+	r.ServicesInScope = append(r.ServicesInScope, service)
+}
--- a/pkg/cloud/report/resource.go
+++ b/pkg/cloud/report/resource.go
@@ -0,0 +1,89 @@
+package report
+
+import (
+	"fmt"
+	"io"
+	"sort"
+	"strconv"
+
+	"github.com/liamg/tml"
+
+	"golang.org/x/term"
+
+	"github.com/aquasecurity/table"
+	pkgReport "github.com/aquasecurity/trivy/pkg/report/table"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+type sortableRow struct {
+	name   string
+	counts map[string]int
+}
+
+func writeResourceTable(report *Report, results types.Results, output io.Writer, service string) error {
+
+	termWidth, _, err := term.GetSize(0)
+	if err != nil {
+		termWidth = 80
+	}
+	maxWidth := termWidth - 48
+	if maxWidth < 20 {
+		maxWidth = 20
+	}
+
+	t := table.New(output)
+	t.SetColumnMaxWidth(maxWidth)
+	t.SetHeaders("Resource", "Misconfigurations")
+	t.AddHeaders("Resource", "Critical", "High", "Medium", "Low", "Unknown")
+	t.SetHeaderVerticalAlignment(table.AlignBottom)
+	t.SetHeaderAlignment(table.AlignLeft, table.AlignCenter, table.AlignCenter, table.AlignCenter, table.AlignCenter, table.AlignCenter)
+	t.SetAlignment(table.AlignLeft, table.AlignRight, table.AlignRight, table.AlignRight, table.AlignRight, table.AlignRight)
+	t.SetRowLines(false)
+	t.SetAutoMergeHeaders(true)
+	t.SetHeaderColSpans(0, 1, 5)
+
+	// map resource -> severity -> count
+	grouped := make(map[string]map[string]int)
+	for _, result := range results {
+		for _, misconfiguration := range result.Misconfigurations {
+			if misconfiguration.CauseMetadata.Service != service {
+				continue
+			}
+			if _, ok := grouped[misconfiguration.CauseMetadata.Resource]; !ok {
+				grouped[misconfiguration.CauseMetadata.Resource] = make(map[string]int)
+			}
+			grouped[misconfiguration.CauseMetadata.Resource][misconfiguration.Severity]++
+		}
+	}
+
+	var sortable []sortableRow
+	for resource, severityCounts := range grouped {
+		sortable = append(sortable, sortableRow{
+			name:   resource,
+			counts: severityCounts,
+		})
+	}
+	sort.Slice(sortable, func(i, j int) bool { return sortable[i].name < sortable[j].name })
+	for _, row := range sortable {
+		t.AddRow(
+			row.name,
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["CRITICAL"]), "CRITICAL"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["HIGH"]), "HIGH"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["MEDIUM"]), "MEDIUM"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["LOW"]), "LOW"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["UNKNOWN"]), "UNKNOWN"),
+		)
+	}
+
+	// render scan title
+	_ = tml.Fprintf(output, "\n<bold>Resource Summary for Service '%s' (%s Account %s)</bold>\n", service, report.Provider, report.AccountID)
+
+	// render table
+	if len(sortable) > 0 {
+		t.Render()
+	} else {
+		_, _ = fmt.Fprint(output, "\nNo problems detected.\n")
+	}
+
+	return nil
+}
--- a/pkg/cloud/report/resource_test.go
+++ b/pkg/cloud/report/resource_test.go
@@ -0,0 +1,123 @@
+package report
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/flag"
+)
+
+func Test_ResourceReport(t *testing.T) {
+	tests := []struct {
+		name      string
+		options   flag.Options
+		fromCache bool
+		expected  string
+	}{
+		{
+			name: "simple table output",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+				AWSOptions: flag.AWSOptions{
+					Services: []string{"s3"},
+				},
+			},
+			fromCache: false,
+			expected: `
+Resource Summary for Service 's3' (AWS Account )
+┌─────────────────────────────────────────┬──────────────────────────────────────────┐
+│                                         │            Misconfigurations             │
+│                                         ├──────────┬──────┬────────┬─────┬─────────┤
+│ Resource                                │ Critical │ High │ Medium │ Low │ Unknown │
+├─────────────────────────────────────────┼──────────┼──────┼────────┼─────┼─────────┤
+│ arn:aws:s3:us-east-1:1234567890:bucket1 │        0 │    1 │      0 │   0 │       0 │
+│ arn:aws:s3:us-east-1:1234567890:bucket2 │        0 │    2 │      0 │   0 │       0 │
+└─────────────────────────────────────────┴──────────┴──────┴────────┴─────┴─────────┘
+`,
+		},
+		{
+			name: "results from cache",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+				AWSOptions: flag.AWSOptions{
+					Services: []string{"s3"},
+				},
+			},
+			fromCache: true,
+			expected: `
+Resource Summary for Service 's3' (AWS Account )
+┌─────────────────────────────────────────┬──────────────────────────────────────────┐
+│                                         │            Misconfigurations             │
+│                                         ├──────────┬──────┬────────┬─────┬─────────┤
+│ Resource                                │ Critical │ High │ Medium │ Low │ Unknown │
+├─────────────────────────────────────────┼──────────┼──────┼────────┼─────┼─────────┤
+│ arn:aws:s3:us-east-1:1234567890:bucket1 │        0 │    1 │      0 │   0 │       0 │
+│ arn:aws:s3:us-east-1:1234567890:bucket2 │        0 │    2 │      0 │   0 │       0 │
+└─────────────────────────────────────────┴──────────┴──────┴────────┴─────┴─────────┘
+
+This scan report was loaded from cached results. If you'd like to run a fresh scan, use --update-cache.
+`,
+		},
+		{
+			name: "no problems",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+					},
+				},
+				AWSOptions: flag.AWSOptions{
+					Services: []string{"s3"},
+				},
+			},
+			fromCache: false,
+			expected: `
+Resource Summary for Service 's3' (AWS Account )
+
+No problems detected.
+`,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			report := New(
+				"AWS",
+				tt.options.AWSOptions.Account,
+				tt.options.AWSOptions.Region,
+				createTestResults(),
+				tt.options.AWSOptions.Services,
+			)
+
+			buffer := bytes.NewBuffer([]byte{})
+			tt.options.Output = buffer
+			require.NoError(t, Write(report, tt.options, tt.fromCache))
+
+			assert.Equal(t, "AWS", report.Provider)
+			assert.Equal(t, tt.options.AWSOptions.Account, report.AccountID)
+			assert.Equal(t, tt.options.AWSOptions.Region, report.Region)
+			assert.ElementsMatch(t, tt.options.AWSOptions.Services, report.ServicesInScope)
+			assert.Equal(t, tt.expected, buffer.String())
+		})
+	}
+}
--- a/pkg/cloud/report/result.go
+++ b/pkg/cloud/report/result.go
@@ -0,0 +1,37 @@
+package report
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/liamg/tml"
+
+	renderer "github.com/aquasecurity/trivy/pkg/report/table"
+
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+func writeResultsForARN(report *Report, results types.Results, output io.Writer, service, arn string, severities []dbTypes.Severity) error {
+
+	// render scan title
+	_ = tml.Fprintf(output, "\n<bold>Results for '%s' (%s Account %s)</bold>\n\n", arn, report.Provider, report.AccountID)
+
+	for _, result := range results {
+		var filtered []types.DetectedMisconfiguration
+		for _, misconfiguration := range result.Misconfigurations {
+			if arn != "" && misconfiguration.CauseMetadata.Resource != arn {
+				continue
+			}
+			if service != "" && misconfiguration.CauseMetadata.Service != service {
+				continue
+			}
+			filtered = append(filtered, misconfiguration)
+		}
+		if len(filtered) > 0 {
+			_, _ = fmt.Fprint(output, renderer.NewMisconfigRenderer(result, severities, false, false, true).Render())
+		}
+	}
+
+	return nil
+}
--- a/pkg/cloud/report/result_test.go
+++ b/pkg/cloud/report/result_test.go
@@ -0,0 +1,82 @@
+package report
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/flag"
+)
+
+func Test_ARNReport(t *testing.T) {
+	tests := []struct {
+		name      string
+		options   flag.Options
+		fromCache bool
+		expected  string
+	}{
+		{
+			name: "simple output",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+				AWSOptions: flag.AWSOptions{
+					Services: []string{"s3"},
+					ARN:      "arn:aws:s3:us-east-1:1234567890:bucket1",
+					Account:  "1234567890",
+				},
+			},
+			fromCache: false,
+			expected: `
+Results for 'arn:aws:s3:us-east-1:1234567890:bucket1' (AWS Account 1234567890)
+
+
+arn:aws:s3:us-east-1:1234567890:bucket1 (cloud)
+
+Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+HIGH: something failed
+════════════════════════════════════════
+Bad stuff is... bad
+
+See https://avd.aquasec.com/misconfig/avd-aws-9999
+────────────────────────────────────────
+
+
+`,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			report := New(
+				"AWS",
+				tt.options.AWSOptions.Account,
+				tt.options.AWSOptions.Region,
+				createTestResults(),
+				tt.options.AWSOptions.Services,
+			)
+
+			buffer := bytes.NewBuffer([]byte{})
+			tt.options.Output = buffer
+			require.NoError(t, Write(report, tt.options, tt.fromCache))
+
+			assert.Equal(t, "AWS", report.Provider)
+			assert.Equal(t, tt.options.AWSOptions.Account, report.AccountID)
+			assert.Equal(t, tt.options.AWSOptions.Region, report.Region)
+			assert.ElementsMatch(t, tt.options.AWSOptions.Services, report.ServicesInScope)
+			assert.Equal(t, tt.expected, strings.ReplaceAll(buffer.String(), "\r\n", "\n"))
+		})
+	}
+}
--- a/pkg/cloud/report/service.go
+++ b/pkg/cloud/report/service.go
@@ -0,0 +1,86 @@
+package report
+
+import (
+	"fmt"
+	"io"
+	"sort"
+	"strconv"
+	"time"
+
+	"github.com/liamg/tml"
+
+	"github.com/aquasecurity/table"
+	pkgReport "github.com/aquasecurity/trivy/pkg/report/table"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+func writeServiceTable(report *Report, results types.Results, output io.Writer) error {
+
+	t := table.New(output)
+
+	t.SetHeaders("Service", "Misconfigurations", "Last Scanned")
+	t.AddHeaders("Service", "Critical", "High", "Medium", "Low", "Unknown", "Last Scanned")
+	t.SetRowLines(false)
+	t.SetHeaderVerticalAlignment(table.AlignBottom)
+	t.SetHeaderAlignment(table.AlignLeft, table.AlignCenter, table.AlignCenter, table.AlignCenter, table.AlignCenter, table.AlignCenter, table.AlignLeft)
+	t.SetAlignment(table.AlignLeft, table.AlignRight, table.AlignRight, table.AlignRight, table.AlignRight, table.AlignRight, table.AlignLeft)
+	t.SetAutoMergeHeaders(true)
+	t.SetHeaderColSpans(0, 1, 5, 1)
+
+	// map service -> severity -> count
+	grouped := make(map[string]map[string]int)
+	// set zero counts for all services
+	for _, service := range report.ServicesInScope {
+		grouped[service] = make(map[string]int)
+	}
+	for _, result := range results {
+		for _, misconfiguration := range result.Misconfigurations {
+			service := misconfiguration.CauseMetadata.Service
+			if _, ok := grouped[service]; !ok {
+				grouped[service] = make(map[string]int)
+			}
+			grouped[service][misconfiguration.Severity]++
+		}
+	}
+
+	var sortable []sortableRow
+	for service, severityCounts := range grouped {
+		sortable = append(sortable, sortableRow{
+			name:   service,
+			counts: severityCounts,
+		})
+	}
+	sort.Slice(sortable, func(i, j int) bool { return sortable[i].name < sortable[j].name })
+	for _, row := range sortable {
+		var lastScanned string
+		scanAgo := time.Since(report.Results[row.name].CreationTime).Truncate(time.Minute)
+		switch {
+		case scanAgo.Hours() >= 48:
+			lastScanned = fmt.Sprintf("%d days ago", int(scanAgo.Hours()/24))
+		case scanAgo.Hours() > 1:
+			lastScanned = fmt.Sprintf("%d hours ago", int(scanAgo.Hours()))
+		case scanAgo.Minutes() > 1:
+			lastScanned = fmt.Sprintf("%d minutes ago", int(scanAgo.Minutes()))
+		default:
+			lastScanned = "just now"
+		}
+
+		t.AddRow(
+			row.name,
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["CRITICAL"]), "CRITICAL"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["HIGH"]), "HIGH"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["MEDIUM"]), "MEDIUM"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["LOW"]), "LOW"),
+			pkgReport.ColorizeSeverity(strconv.Itoa(row.counts["UNKNOWN"]), "UNKNOWN"),
+			lastScanned,
+		)
+	}
+
+	// render scan title
+	_ = tml.Fprintf(output, "\n<bold>Scan Overview for %s Account %s</bold>\n", report.Provider, report.AccountID)
+
+	// render table
+	t.Render()
+
+	return nil
+}
--- a/pkg/cloud/report/service_test.go
+++ b/pkg/cloud/report/service_test.go
@@ -0,0 +1,407 @@
+package report
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/aquasecurity/trivy-db/pkg/types"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/flag"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+
+	"github.com/aquasecurity/defsec/pkg/scan"
+	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+)
+
+func Test_ServiceReport(t *testing.T) {
+	tests := []struct {
+		name      string
+		options   flag.Options
+		fromCache bool
+		expected  string
+	}{
+		{
+			name: "simple table output",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+			},
+			fromCache: false,
+			expected: `
+Scan Overview for AWS Account 
+┌─────────┬──────────────────────────────────────────────────┬──────────────┐
+│         │                Misconfigurations                 │              │
+│         ├──────────┬──────────────┬────────┬─────┬─────────┤              │
+│ Service │ Critical │     High     │ Medium │ Low │ Unknown │ Last Scanned │
+├─────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
+│ ec2     │        0 │            1 │      0 │   0 │       0 │ just now     │
+│ s3      │        0 │            3 │      0 │   0 │       0 │ just now     │
+└─────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘
+`,
+		},
+		{
+			name: "results from cache",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+			},
+			fromCache: true,
+			expected: `
+Scan Overview for AWS Account 
+┌─────────┬──────────────────────────────────────────────────┬──────────────┐
+│         │                Misconfigurations                 │              │
+│         ├──────────┬──────────────┬────────┬─────┬─────────┤              │
+│ Service │ Critical │     High     │ Medium │ Low │ Unknown │ Last Scanned │
+├─────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
+│ ec2     │        0 │            1 │      0 │   0 │       0 │ just now     │
+│ s3      │        0 │            3 │      0 │   0 │       0 │ just now     │
+└─────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘
+
+This scan report was loaded from cached results. If you'd like to run a fresh scan, use --update-cache.
+`,
+		},
+		{
+			name: "filter severities",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityMedium,
+					},
+				},
+				AWSOptions: flag.AWSOptions{
+					Services: []string{"s3", "ec2"},
+				},
+			},
+			fromCache: false,
+			expected: `
+Scan Overview for AWS Account 
+┌─────────┬──────────────────────────────────────────────────┬──────────────┐
+│         │                Misconfigurations                 │              │
+│         ├──────────┬──────────────┬────────┬─────┬─────────┤              │
+│ Service │ Critical │     High     │ Medium │ Low │ Unknown │ Last Scanned │
+├─────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
+│ ec2     │        0 │            0 │      0 │   0 │       0 │ just now     │
+│ s3      │        0 │            0 │      0 │   0 │       0 │ just now     │
+└─────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘
+`,
+		},
+		{
+			name: "scoped services without results",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: tableFormat,
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+				AWSOptions: flag.AWSOptions{
+					Services: []string{"ec2", "s3", "iam"},
+				},
+			},
+			fromCache: false,
+			expected: `
+Scan Overview for AWS Account 
+┌─────────┬──────────────────────────────────────────────────┬──────────────┐
+│         │                Misconfigurations                 │              │
+│         ├──────────┬──────────────┬────────┬─────┬─────────┤              │
+│ Service │ Critical │     High     │ Medium │ Low │ Unknown │ Last Scanned │
+├─────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
+│ ec2     │        0 │            1 │      0 │   0 │       0 │ just now     │
+│ iam     │        0 │            0 │      0 │   0 │       0 │ just now     │
+│ s3      │        0 │            3 │      0 │   0 │       0 │ just now     │
+└─────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘
+`,
+		},
+		{
+			name: "json output",
+			options: flag.Options{
+				ReportOptions: flag.ReportOptions{
+					Format: "json",
+					Severities: []types.Severity{
+						types.SeverityLow,
+						types.SeverityMedium,
+						types.SeverityHigh,
+						types.SeverityCritical,
+					},
+				},
+			},
+			fromCache: false,
+			expected: `{
+  "ArtifactType": "aws_account",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "arn:aws:ec2:us-east-1:1234567890:instance1",
+      "Class": "config",
+      "Type": "cloud",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "AWS",
+          "ID": "AVD-AWS-9999",
+          "Title": "Do not use bad stuff",
+          "Description": "Bad stuff is... bad",
+          "Message": "instance is bad",
+          "Resolution": "Remove bad stuff",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-9999",
+          "References": [
+            "https://avd.aquasec.com/misconfig/avd-aws-9999"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Resource": "arn:aws:ec2:us-east-1:1234567890:instance1",
+            "Provider": "AWS",
+            "Service": "ec2",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    },
+    {
+      "Target": "arn:aws:s3:us-east-1:1234567890:bucket1",
+      "Class": "config",
+      "Type": "cloud",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "AWS",
+          "ID": "AVD-AWS-9999",
+          "Title": "Do not use bad stuff",
+          "Description": "Bad stuff is... bad",
+          "Message": "something failed",
+          "Resolution": "Remove bad stuff",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-9999",
+          "References": [
+            "https://avd.aquasec.com/misconfig/avd-aws-9999"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Resource": "arn:aws:s3:us-east-1:1234567890:bucket1",
+            "Provider": "AWS",
+            "Service": "s3",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    },
+    {
+      "Target": "arn:aws:s3:us-east-1:1234567890:bucket2",
+      "Class": "config",
+      "Type": "cloud",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 2,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "AWS",
+          "ID": "AVD-AWS-9999",
+          "Title": "Do not use bad stuff",
+          "Description": "Bad stuff is... bad",
+          "Message": "something else failed",
+          "Resolution": "Remove bad stuff",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-9999",
+          "References": [
+            "https://avd.aquasec.com/misconfig/avd-aws-9999"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Resource": "arn:aws:s3:us-east-1:1234567890:bucket2",
+            "Provider": "AWS",
+            "Service": "s3",
+            "Code": {
+              "Lines": null
+            }
+          }
+        },
+        {
+          "Type": "AWS",
+          "ID": "AVD-AWS-9999",
+          "Title": "Do not use bad stuff",
+          "Description": "Bad stuff is... bad",
+          "Message": "something else failed again",
+          "Resolution": "Remove bad stuff",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-9999",
+          "References": [
+            "https://avd.aquasec.com/misconfig/avd-aws-9999"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Resource": "arn:aws:s3:us-east-1:1234567890:bucket2",
+            "Provider": "AWS",
+            "Service": "s3",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    },
+    {
+      "Target": "arn:aws:s3:us-east-1:1234567890:bucket3",
+      "Class": "config",
+      "Type": "cloud",
+      "MisconfSummary": {
+        "Successes": 1,
+        "Failures": 0,
+        "Exceptions": 0
+      }
+    }
+  ]
+}`,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			report := New(
+				"AWS",
+				tt.options.AWSOptions.Account,
+				tt.options.AWSOptions.Region,
+				createTestResults(),
+				tt.options.AWSOptions.Services,
+			)
+
+			buffer := bytes.NewBuffer([]byte{})
+			tt.options.Output = buffer
+			require.NoError(t, Write(report, tt.options, tt.fromCache))
+
+			assert.Equal(t, "AWS", report.Provider)
+			assert.Equal(t, tt.options.AWSOptions.Account, report.AccountID)
+			assert.Equal(t, tt.options.AWSOptions.Region, report.Region)
+			assert.ElementsMatch(t, tt.options.AWSOptions.Services, report.ServicesInScope)
+			if tt.options.Format == "json" {
+				// json output can be formatted/ordered differently - we just care that the data matches
+				assert.JSONEq(t, tt.expected, buffer.String())
+			} else {
+				assert.Equal(t, tt.expected, buffer.String())
+			}
+		})
+	}
+}
+
+func createTestResults() scan.Results {
+
+	baseRule := scan.Rule{
+		AVDID:       "AVD-AWS-9999",
+		Aliases:     []string{"AWS999"},
+		ShortCode:   "no-bad-stuff",
+		Summary:     "Do not use bad stuff",
+		Explanation: "Bad stuff is... bad",
+		Impact:      "Bad things",
+		Resolution:  "Remove bad stuff",
+		Provider:    "AWS",
+		Severity:    "HIGH",
+	}
+
+	var s3Results scan.Results
+	s3Results.Add(
+		"something failed",
+		defsecTypes.NewRemoteMetadata((arn.ARN{
+			Partition: "aws",
+			Service:   "s3",
+			Region:    "us-east-1",
+			AccountID: "1234567890",
+			Resource:  "bucket1",
+		}).String()),
+	)
+	s3Results.Add(
+		"something else failed",
+		defsecTypes.NewRemoteMetadata((arn.ARN{
+			Partition: "aws",
+			Service:   "s3",
+			Region:    "us-east-1",
+			AccountID: "1234567890",
+			Resource:  "bucket2",
+		}).String()),
+	)
+	s3Results.Add(
+		"something else failed again",
+		defsecTypes.NewRemoteMetadata((arn.ARN{
+			Partition: "aws",
+			Service:   "s3",
+			Region:    "us-east-1",
+			AccountID: "1234567890",
+			Resource:  "bucket2",
+		}).String()),
+	)
+	s3Results.AddPassed(
+		defsecTypes.NewRemoteMetadata((arn.ARN{
+			Partition: "aws",
+			Service:   "s3",
+			Region:    "us-east-1",
+			AccountID: "1234567890",
+			Resource:  "bucket3",
+		}).String()),
+	)
+	baseRule.Service = "s3"
+	s3Results.SetRule(baseRule)
+	var ec2Results scan.Results
+	ec2Results.Add(
+		"instance is bad",
+		defsecTypes.NewRemoteMetadata((arn.ARN{
+			Partition: "aws",
+			Service:   "ec2",
+			Region:    "us-east-1",
+			AccountID: "1234567890",
+			Resource:  "instance1",
+		}).String()),
+	)
+	baseRule.Service = "ec2"
+	ec2Results.SetRule(baseRule)
+	return append(s3Results, ec2Results...)
+}
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -6,12 +6,17 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
+	"time"
+
+	awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"

 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
 	"github.com/aquasecurity/trivy/pkg/commands/server"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -68,15 +73,6 @@ func SetOut(out io.Writer) {
 func NewApp(version string) *cobra.Command {
 	globalFlags := flag.NewGlobalFlagGroup()
 	rootCmd := NewRootCommand(version, globalFlags)
-
-	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
-		rootCmd.RunE = func(cmd *cobra.Command, args []string) error {
-			return plugin.RunWithArgs(cmd.Context(), runAsPlugin, args)
-		}
-		rootCmd.DisableFlagParsing = true
-		return rootCmd
-	}
-
 	rootCmd.AddCommand(
 		NewImageCommand(globalFlags),
 		NewFilesystemCommand(globalFlags),
@@ -90,6 +86,7 @@ func NewApp(version string) *cobra.Command {
 		NewKubernetesCommand(globalFlags),
 		NewSBOMCommand(globalFlags),
 		NewVersionCommand(globalFlags),
+		NewAWSCommand(globalFlags),
 	)
 	rootCmd.AddCommand(loadPluginCommands()...)

@@ -249,7 +246,7 @@ func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
  $ trivy image --format json --output result.json alpine:3.15

  # Generate a report in the CycloneDX format
-  $ trivy image --format cyclonedx --output result.cdx alpine:3.15`,
+  $ trivy image --format cyclonedx --output result.cdx --security-checks none alpine:3.15`,

 		// 'Args' cannot be used since it is called before PreRunE and viper is not configured yet.
 		// cmd.Args     -> cannot validate args here
@@ -796,6 +793,66 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	return cmd
 }

+func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
+
+	awsFlags := &flag.Flags{
+		AWSFlagGroup:     flag.NewAWSFlagGroup(),
+		CloudFlagGroup:   flag.NewCloudFlagGroup(),
+		MisconfFlagGroup: flag.NewMisconfFlagGroup(),
+		ReportFlagGroup:  flag.NewReportFlagGroup(),
+	}
+
+	services := awsScanner.AllSupportedServices()
+
+	cmd := &cobra.Command{
+		Use:     "aws [flags]",
+		Aliases: []string{},
+		Args:    cobra.ExactArgs(0),
+		Short:   "scan aws account",
+		Long: fmt.Sprintf(`Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
+
+The following services are supported:
+- %s
+`, strings.Join(services, "\n- ")),
+		Example: `  # basic scanning
+  $ trivy aws --region us-east-1
+
+  # limit scan to a single service:
+  $ trivy aws --region us-east-1 --service s3
+
+  # limit scan to multiple services:
+  $ trivy aws --region us-east-1 --service s3 --service ec2
+
+  # force refresh of cache for fresh results
+  $ trivy aws --region us-east-1 --update-cache
+`,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if err := awsFlags.Bind(cmd); err != nil {
+				return xerrors.Errorf("flag bind error: %w", err)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts, err := awsFlags.ToOptions(cmd.Version, args, globalFlags, outputWriter)
+			if err != nil {
+				return xerrors.Errorf("flag error: %w", err)
+			}
+			if opts.Timeout < time.Hour {
+				opts.Timeout = time.Hour
+				log.Logger.Debug("Timeout is set to less than 1 hour - upgrading to 1 hour for this command.")
+			}
+			return awscommands.Run(cmd.Context(), opts)
+		},
+		SilenceErrors: true,
+		SilenceUsage:  true,
+	}
+	cmd.SetFlagErrorFunc(flagErrorFunc)
+	awsFlags.AddFlags(cmd)
+	cmd.SetUsageTemplate(fmt.Sprintf(usageTemplate, awsFlags.Usages(cmd)))
+
+	return cmd
+}
+
 func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
@@ -822,6 +879,9 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {

  # Scan CycloneDX and generate a CycloneDX report
  $ trivy sbom --format cyclonedx /path/to/report.cdx
+
+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
 `,
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			if err := sbomFlags.Bind(cmd); err != nil {
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -10,6 +10,7 @@ import (
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

+	"github.com/aquasecurity/go-version/pkg/semver"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	tcache "github.com/aquasecurity/trivy/pkg/cache"
 	"github.com/aquasecurity/trivy/pkg/commands/operation"
@@ -39,6 +40,8 @@ const (
 	TargetRepository     TargetKind = "repo"
 	TargetImageArchive   TargetKind = "archive"
 	TargetSBOM           TargetKind = "sbom"
+
+	devVersion = "dev"
 )

 var (
@@ -461,14 +464,20 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			PolicyPaths:      opts.PolicyPaths,
 			DataPaths:        opts.DataPaths,
 			FilePatterns:     opts.FilePatterns,
+			HelmValues:       opts.HelmValues,
+			HelmValueFiles:   opts.HelmValueFiles,
+			HelmFileValues:   opts.HelmFileValues,
+			HelmStringValues: opts.HelmStringValues,
+			TerraformTFVars:  opts.TerraformTFVars,
 		}
 	}

 	// Do not load config file for secret scanning
 	if slices.Contains(opts.SecurityChecks, types.SecurityCheckSecret) {
+		ver := canonicalVersion(opts.AppVersion)
 		log.Logger.Info("Secret scanning is enabled")
 		log.Logger.Info("If your scanning is slow, please try '--security-checks vuln' to disable secret scanning")
-		log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", opts.AppVersion)
+		log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", ver)
 	} else {
 		opts.SecretConfigPath = ""
 	}
@@ -528,7 +537,7 @@ func scan(ctx context.Context, opts flag.Options, initializeScanner InitializeSc

 	report, err := s.ScanArtifact(ctx, scanOptions)
 	if err != nil {
-		return types.Report{}, xerrors.Errorf("image scan failed: %w", err)
+		return types.Report{}, xerrors.Errorf("scan failed: %w", err)
 	}
 	return report, nil
 }
@@ -538,3 +547,21 @@ func Exit(opts flag.Options, failedResults bool) {
 		os.Exit(opts.ExitCode)
 	}
 }
+
+func canonicalVersion(ver string) string {
+	if ver == devVersion {
+		return ver
+	}
+	v, err := semver.Parse(ver)
+	if err != nil {
+		return devVersion
+	}
+	// Replace pre-release with "dev"
+	// e.g. v0.34.0-beta1+snapshot-1
+	if v.IsPreRelease() || v.Metadata() != "" {
+		return devVersion
+	}
+
+	// Add "v" prefix, "0.34.0" => "v0.34.0" for the url
+	return "v" + ver
+}
--- a/pkg/db/db.go
+++ b/pkg/db/db.go
@@ -149,15 +149,16 @@ func (c *Client) Download(ctx context.Context, dst string) error {
 		log.Logger.Debug("no metadata file")
 	}

-	if err := c.populateOCIArtifact(); err != nil {
+	art, err := c.initOCIArtifact()
+	if err != nil {
 		return xerrors.Errorf("OCI artifact error: %w", err)
 	}

-	if err := c.artifact.Download(ctx, db.Dir(dst)); err != nil {
+	if err = art.Download(ctx, db.Dir(dst)); err != nil {
 		return xerrors.Errorf("database download error: %w", err)
 	}

-	if err := c.updateDownloadedAt(dst); err != nil {
+	if err = c.updateDownloadedAt(dst); err != nil {
 		return xerrors.Errorf("failed to update downloaded_at: %w", err)
 	}
 	return nil
@@ -182,14 +183,15 @@ func (c *Client) updateDownloadedAt(dst string) error {
 	return nil
 }

-func (c *Client) populateOCIArtifact() error {
-	if c.artifact == nil {
+func (c *Client) initOCIArtifact() (*oci.Artifact, error) {
+	if c.artifact != nil {
+		return c.artifact, nil
+	}
+
 	repo := fmt.Sprintf("%s:%d", c.dbRepository, db.SchemaVersion)
 	art, err := oci.NewArtifact(repo, dbMediaType, c.quiet, c.insecureSkipTLSVerify)
 	if err != nil {
-			return xerrors.Errorf("OCI artifact error: %w", err)
+		return nil, xerrors.Errorf("OCI artifact error: %w", err)
 	}
-		c.artifact = art
-	}
-	return nil
+	return art, nil
 }
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -28,7 +28,7 @@ func NewDriver(libType string) (Driver, error) {
 	case ftypes.Bundler, ftypes.GemSpec:
 		ecosystem = vulnerability.RubyGems
 		comparer = rubygems.Comparer{}
-	case ftypes.Cargo:
+	case ftypes.RustBinary, ftypes.Cargo:
 		ecosystem = vulnerability.Cargo
 		comparer = compare.GenericComparer{}
 	case ftypes.Composer:
--- a/pkg/detector/ospkg/alma/alma.go
+++ b/pkg/detector/ospkg/alma/alma.go
@@ -18,8 +18,9 @@ import (
 var (
 	eolDates = map[string]time.Time{
 		// Source:
-		// https://wiki.almalinux.org/FAQ.html#how-long-will-cloudlinux-support-almalinux
-		"8": time.Date(2029, 12, 31, 23, 59, 59, 0, time.UTC),
+		// https://endoflife.date/almalinux
+		"8": time.Date(2029, 3, 1, 23, 59, 59, 0, time.UTC),
+		"9": time.Date(2032, 5, 31, 23, 59, 59, 0, time.UTC),
 	}
 )

--- a/pkg/detector/ospkg/oracle/oracle.go
+++ b/pkg/detector/ospkg/oracle/oracle.go
@@ -26,6 +26,7 @@ var (
 		"6": time.Date(2021, 3, 21, 23, 59, 59, 0, time.UTC),
 		"7": time.Date(2024, 7, 23, 23, 59, 59, 0, time.UTC),
 		"8": time.Date(2029, 7, 18, 23, 59, 59, 0, time.UTC),
+		"9": time.Date(2032, 7, 18, 23, 59, 59, 0, time.UTC),
 	}
 )

--- a/pkg/fanal/analyzer/all/import.go
+++ b/pkg/fanal/analyzer/all/import.go
@@ -20,6 +20,7 @@ import (
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/poetry"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/bundler"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/gemspec"
+	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/rust/binary"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/rust/cargo"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/licensing"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/alpine"
--- a/pkg/fanal/analyzer/config/config.go
+++ b/pkg/fanal/analyzer/config/config.go
@@ -27,6 +27,12 @@ type ScannerOption struct {
 	PolicyPaths             []string
 	DataPaths               []string
 	DisableEmbeddedPolicies bool
+
+	HelmValues       []string
+	HelmValueFiles   []string
+	HelmFileValues   []string
+	HelmStringValues []string
+	TerraformTFVars  []string
 }

 func (o *ScannerOption) Sort() {
--- a/pkg/fanal/analyzer/const.go
+++ b/pkg/fanal/analyzer/const.go
@@ -40,6 +40,7 @@ const (
 	TypeGemSpec Type = "gemspec"

 	// Rust
+	TypeRustBinary Type = "rustbinary"
 	TypeCargo      Type = "cargo"

 	// PHP
@@ -104,16 +105,17 @@ const (
 var (
 	// TypeOSes has all OS-related analyzers
 	TypeOSes = []Type{
-		TypeAlpine, TypeAmazon, TypeDebian, TypePhoton, TypeCentOS,
+		TypeOSRelease, TypeAlpine, TypeAmazon, TypeCBLMariner, TypeDebian, TypePhoton, TypeCentOS,
 		TypeRocky, TypeAlma, TypeFedora, TypeOracle, TypeRedHatBase, TypeSUSE, TypeUbuntu,
-		TypeApk, TypeDpkg, TypeRpm,
+		TypeApk, TypeDpkg, TypeDpkgLicense, TypeRpm, TypeRpmqa,
+		TypeApkRepo,
 	}

 	// TypeLanguages has all language analyzers
 	TypeLanguages = []Type{
 		TypeBundler, TypeGemSpec, TypeCargo, TypeComposer, TypeJar, TypePom,
-		TypeNpmPkgLock, TypeNodePkg, TypeYarn, TypePnpm, TypeNuget, TypePythonPkg, TypePip, TypePipenv,
-		TypePoetry, TypeGoBinary, TypeGoMod,
+		TypeNpmPkgLock, TypeNodePkg, TypeYarn, TypePnpm, TypeNuget, TypeDotNetDeps,
+		TypePythonPkg, TypePip, TypePipenv, TypePoetry, TypeGoBinary, TypeGoMod, TypeRustBinary,
 	}

 	// TypeLockfiles has all lock file analyzers
@@ -123,7 +125,7 @@ var (
 	}

 	// TypeIndividualPkgs has all analyzers for individual packages
-	TypeIndividualPkgs = []Type{TypeGemSpec, TypeNodePkg, TypePythonPkg, TypeGoBinary, TypeJar}
+	TypeIndividualPkgs = []Type{TypeGemSpec, TypeNodePkg, TypePythonPkg, TypeGoBinary, TypeJar, TypeRustBinary}

 	// TypeConfigFiles has all config file analyzers
 	TypeConfigFiles = []Type{TypeYaml, TypeJSON, TypeDockerfile, TypeTerraform, TypeCloudFormation, TypeHelm}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
DmitriyLewen	917f388852	fix(flag): add error when there are no supported security checks (#2713 )	2022-08-16 09:57:46 +03:00
Teppei Fukuda	aef02aa174	fix(vuln): continue scanning when no vuln found in the first application (#2712 )	2022-08-16 08:41:01 +03:00
Teppei Fukuda	ed1fa89117	revert: add new classes for vulnerabilities (#2701 )	2022-08-15 21:40:29 +03:00
DmitriyLewen	a5d4f7fbd9	feat(secret): detect secrets removed or overwritten in upper layer (#2611 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-08-15 20:40:54 +03:00
Moulick Aggarwal	ddffb1b451	fix(cli): secret scanning perf link fix (#2607 )	2022-08-15 16:15:22 +03:00
dependabot[bot]	bc85441f7d	chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650 )	2022-08-15 12:33:41 +03:00
Liam Galvin	b259b25ce4	feat: Add AWS Cloud scanning (#2493 ) * feat: Added AWS Cloud scanning Co-authored-by: Owen Rumney <owen.rumney@aquasec.com>	2022-08-11 14:59:32 +01:00
saso	f8edda8479	docs: specify the type when verifying an attestation (#2697 )	2022-08-11 13:17:44 +03:00
saso	687941390e	docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690 )	2022-08-10 15:47:40 +03:00
Ankush K	babfb17465	fix(rpc): scanResponse rpc conversion for custom resources (#2692 )	2022-08-10 13:45:32 +03:00
Tom Fay	517d2e0109	feat(rust): Add support for cargo-auditable (#2675 )	2022-08-10 13:43:23 +03:00
Owen Rumney	01123854b4	feat: Support passing value overrides for configuration checks (#2679 )	2022-08-08 18:22:58 +03:00
saso	317a026616	feat(sbom): add support for scanning a sbom attestation (#2652 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-08-08 16:27:05 +03:00
DmitriyLewen	390c256c38	chore(image): skip symlinks and hardlinks from tar scan (#2634 )	2022-08-08 15:57:08 +03:00
Matteo Vitali	63c33bfa43	fix(report): Update junit.tpl (#2677 ) Add explicit name="trivy" in the testsuite element	2022-08-08 15:47:18 +03:00
Masahiro331	de365c8e92	fix(cyclonedx): add nil check to metadata.component (#2673 )	2022-08-08 15:15:38 +03:00
Lior Vaisman Argon	50db7da947	docs(secret): fix missing and broken links (#2674 )	2022-08-08 15:14:55 +03:00
Teppei Fukuda	e848e6d009	refactor(cyclonedx): implement json.Unmarshaler (#2662 ) * refactor(cyclonedx): implement json.Unmarshaler * fix: use pointer	2022-08-04 14:15:33 +03:00
dependabot[bot]	df0b5e40db	chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643 ) Bumps [github.com/aquasecurity/table](https://github.com/aquasecurity/table) from 1.6.0 to 1.7.2. - [Release notes](https://github.com/aquasecurity/table/releases) - [Commits](https://github.com/aquasecurity/table/compare/v1.6.0...v1.7.2) --- updated-dependencies: - dependency-name: github.com/aquasecurity/table dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-08-04 11:44:55 +03:00
dependabot[bot]	006b8a5c29	chore(deps): bump github.com/Azure/go-autorest/autorest (#2642 )	2022-08-04 11:43:18 +03:00
Magesh Dhasayyan	8d10de8b4f	feat(kubernetes): add option to specify kubeconfig file path (#2576 )	2022-08-04 10:18:18 +03:00
Axit Patel	169c55c688	docs: follow Debian's "instructions to connect to a third-party repository" (#2511 )	2022-08-04 10:11:38 +03:00
dependabot[bot]	9b21831440	chore(deps): bump github.com/google/licenseclassifier/v2 (#2644 )	2022-08-03 15:04:13 +03:00
dependabot[bot]	94db37e541	chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645 )	2022-08-03 14:58:40 +03:00
dependabot[bot]	d9838053df	chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647 )	2022-08-03 14:43:51 +03:00
dependabot[bot]	d8a9572930	chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646 )	2022-08-03 10:46:37 +03:00
dependabot[bot]	3ab3050992	chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641 )	2022-08-03 10:46:00 +03:00
dependabot[bot]	75984f347b	chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640 )	2022-08-03 10:44:59 +03:00
dependabot[bot]	525c2530d5	chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639 )	2022-08-03 10:44:27 +03:00
dependabot[bot]	5e327e41a6	chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638 )	2022-08-03 10:44:05 +03:00
dependabot[bot]	469d771a59	chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648 )	2022-08-03 10:43:40 +03:00
dependabot[bot]	6bc8c87bc1	chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649 )	2022-08-03 10:43:17 +03:00
dependabot[bot]	6ab832d099	chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651 )	2022-08-03 10:40:57 +03:00
MaineK00n	3a10497a6f	feat(alma): set AlmaLinux 9 EOL (#2653 )	2022-08-03 10:40:07 +03:00
Liam Galvin	55825d760b	fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636 )	2022-08-01 15:38:04 +03:00
DmitriyLewen	6bb0e4b036	test(misconf): add tests for misconf handler for dockerfiles (#2621 )	2022-08-01 14:56:53 +03:00
DmitriyLewen	44d53bed48	feat(oracle): set Oracle Linux 9 EOL (#2635 )	2022-08-01 10:36:30 +03:00
Teppei Fukuda	f396c677a2	BREAKING: add new classes for vulnerabilities (#2541 )	2022-07-31 10:47:08 +03:00
DmitriyLewen	3cd88abec5	fix(secret): add newline escaping for asymmetric private key (#2532 )	2022-07-31 10:18:16 +03:00
Ben Bodenmiller	ea91fb91b0	docs: improve formatting (#2572 )	2022-07-31 10:17:42 +03:00
cebidhem	d0ca610a96	feat(helm): allows users to define an existing secret for tokens (#2587 ) Signed-off-by: cebidhem <cebidhem@pm.me>	2022-07-31 09:56:14 +03:00
DmitriyLewen	d0ba59a44d	docs(mariner): use tdnf in fs usage example (#2616 )	2022-07-31 09:50:27 +03:00
saso	d7742b6c17	docs: remove unnecessary double quotation marks (#2609 )	2022-07-31 09:45:00 +03:00
Liam Galvin	27027cf40d	fix: Fix --file-patterns flag (#2625 )	2022-07-29 21:54:57 +03:00
saso	c2a7ad5c01	feat(report): add support for Cosign vulnerability attestation (#2567 )	2022-07-27 17:39:35 +03:00
DmitriyLewen	dfb86f41f8	docs(mariner): use v2.0 in examples (#2602 )	2022-07-27 14:42:09 +03:00
Nate	946ce1672d	feat(report): add secrets template for codequality report (#2461 )	2022-07-27 10:55:32 +03:00
Teppei Fukuda	f9c17bd2d8	fix: remove the first arg when running as a plugin (#2595 )	2022-07-26 21:54:43 +03:00
Jose Donizetti	cccfade374	fix: k8s controlplaner scanning (#2593 ) Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>	2022-07-26 16:35:34 +03:00
thiago-gitlab	5a65548662	fix(vuln): GitLab report template (#2578 ) * fix(vuln): GitLab report template - Upgrade to schema 14.0.6 (https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v14.0.6/dist/container-scanning-report-format.json). - Drop unsupported `confidence` property. Currently optional and will be removed by GitLab in schema 15-0-0. * docs(vuln): remove note about broken GitLab integration	2022-07-26 15:51:20 +03:00
afdesk	fa8a8ba7dc	fix(server): use a new db worker for hot updates (#2581 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-07-25 17:26:08 +03:00
DmitriyLewen	769ed554b0	docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583 )	2022-07-25 16:50:26 +03:00
DmitriyLewen	5f9a963ef6	docs: split commands to download db for different versions of oras (#2582 )	2022-07-25 15:19:04 +03:00
Alexander Lauster	d93a997800	feat(report): export exitcode for license checks (#2564 ) Also export the exit code for license checks fixes #2562	2022-07-25 14:26:12 +03:00
afdesk	f9be138aab	fix: cli can use lowercase for severities (#2565 )	2022-07-25 14:25:16 +03:00
Teppei Fukuda	c7f0bc92ae	fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577 )	2022-07-25 11:27:47 +03:00
MaineK00n	c2f3731873	fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569 )	2022-07-24 17:24:13 +03:00
saso	7b4f2dc72f	fix: enable some features of the wasm runtime (#2575 )	2022-07-24 08:31:54 +03:00
Denys Mazhar	84677903a6	fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521 ) * Enable k8s logging and increase log level of the image scan errors * Rework errors reporting * Rework GetErrors method into printErrors Print errors during report writing * Increase log level for scan errors logging	2022-07-21 15:34:47 -03:00
saso	e1e02d785f	docs(sbom): improve sbom attestation documentation (#2566 )	2022-07-21 17:54:21 +03:00
afdesk	80c7b91637	fix(report): show the summary without results (#2548 )	2022-07-21 14:41:51 +03:00
DmitriyLewen	07c3ac4de1	fix(cli): replace '-' to '_' for env vars (#2561 )	2022-07-21 13:41:56 +03:00
				`@@ -0,0 +1 @@`
				{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2N5Y2xvbmVkeC5vcmcvc2NoZW1hIiwic3ViamVjdCI6W3sibmFtZSI6ImdoY3IuaW8vYXF1YXNlY3VyaXR5L3RyaXZ5LXRlc3QtaW1hZ2VzIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjcyYzQyZWQ0OGMzYTJkYjMxYjdkYWZlMTdkMjc1YjYzNDY2NGE3MDhkOTAxZWM5ZmQ1N2IxNTI5MjgwZjAxZmIifX1dLCJwcmVkaWNhdGUiOnsiRGF0YSI6eyJib21Gb3JtYXQiOiJDeWNsb25lRFgiLCJjb21wb25lbnRzIjpbeyJib20tcmVmIjoicGtnOnJwbS9jZW50b3MvYmFzaEA0LjIuNDYtMzEuZWw3P2FyY2g9eDg2XzY0XHUwMDI2ZGlzdHJvPWNlbnRvcy03LjYuMTgxMCIsImxpY2Vuc2VzIjpbeyJleHByZXNzaW9uIjoiR1BMdjMrIn1dLCJuYW1lIjoiYmFzaCIsInByb3BlcnRpZXMiOlt7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjTmFtZSIsInZhbHVlIjoiYmFzaCJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNWZXJzaW9uIiwidmFsdWUiOiI0LjIuNDYifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjUmVsZWFzZSIsInZhbHVlIjoiMzEuZWw3In0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkxheWVyRGlnZXN0IiwidmFsdWUiOiJzaGEyNTY6YWM5MjA4MjA3YWRhYWMzYTQ4ZTU0YTRkYzZiNDljNjllNzhjMzA3MmQyYjNhZGQ3ZWZkYWJmODE0ZGIyMTMzYiJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpMYXllckRpZmZJRCIsInZhbHVlIjoic2hhMjU2Ojg5MTY5ZDg3ZGJlMmI3MmJhNDJiZmJiMzU3OWM5NTczMjJiYWNhMjhlMDNhMWU1NTgwNzY1NDJhMWMxYjJiNGEifV0sInB1cmwiOiJwa2c6cnBtL2NlbnRvcy9iYXNoQDQuMi40Ni0zMS5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwidHlwZSI6ImxpYnJhcnkiLCJ2ZXJzaW9uIjoiNC4yLjQ2LTMxLmVsNyJ9LHsiYm9tLXJlZiI6InBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwibGljZW5zZXMiOlt7ImV4cHJlc3Npb24iOiJPcGVuU1NMIn1dLCJuYW1lIjoib3BlbnNzbC1saWJzIiwicHJvcGVydGllcyI6W3sibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNOYW1lIiwidmFsdWUiOiJvcGVuc3NsIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OlNyY1ZlcnNpb24iLCJ2YWx1ZSI6IjEuMC4yayJ9LHsibmFtZSI6ImFxdWFzZWN1cml0eTp0cml2eTpTcmNSZWxlYXNlIiwidmFsdWUiOiIxNi5lbDcifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6U3JjRXBvY2giLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6TGF5ZXJEaWdlc3QiLCJ2YWx1ZSI6InNoYTI1NjphYzkyMDgyMDdhZGFhYzNhNDhlNTRhNGRjNmI0OWM2OWU3OGMzMDcyZDJiM2FkZDdlZmRhYmY4MTRkYjIxMzNiIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkxheWVyRGlmZklEIiwidmFsdWUiOiJzaGEyNTY6ODkxNjlkODdkYmUyYjcyYmE0MmJmYmIzNTc5Yzk1NzMyMmJhY2EyOGUwM2ExZTU1ODA3NjU0MmExYzFiMmI0YSJ9XSwicHVybCI6InBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIiwidHlwZSI6ImxpYnJhcnkiLCJ2ZXJzaW9uIjoiMToxLjAuMmstMTYuZWw3In0seyJib20tcmVmIjoiMDE3NWY3MzItZGY5ZC00YmI4LTlmNTYtODcwODk4ZTNmZjg5IiwibmFtZSI6ImNlbnRvcyIsInByb3BlcnRpZXMiOlt7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6VHlwZSIsInZhbHVlIjoiY2VudG9zIn0seyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OkNsYXNzIiwidmFsdWUiOiJvcy1wa2dzIn1dLCJ0eXBlIjoib3BlcmF0aW5nLXN5c3RlbSIsInZlcnNpb24iOiI3LjYuMTgxMCJ9XSwiZGVwZW5kZW5jaWVzIjpbeyJkZXBlbmRzT24iOlsicGtnOnJwbS9jZW50b3MvYmFzaEA0LjIuNDYtMzEuZWw3P2FyY2g9eDg2XzY0XHUwMDI2ZGlzdHJvPWNlbnRvcy03LjYuMTgxMCIsInBrZzpycG0vY2VudG9zL29wZW5zc2wtbGlic0AxOjEuMC4yay0xNi5lbDc/YXJjaD14ODZfNjRcdTAwMjZkaXN0cm89Y2VudG9zLTcuNi4xODEwIl0sInJlZiI6IjAxNzVmNzMyLWRmOWQtNGJiOC05ZjU2LTg3MDg5OGUzZmY4OSJ9LHsiZGVwZW5kc09uIjpbIjAxNzVmNzMyLWRmOWQtNGJiOC05ZjU2LTg3MDg5OGUzZmY4OSJdLCJyZWYiOiJkMGQ0MWUzMC05NjUwLTQ4OWQtOTQ4ZC00MjVmZjJlZDYzZDIifV0sIm1ldGFkYXRhIjp7ImNvbXBvbmVudCI6eyJib20tcmVmIjoiZDBkNDFlMzAtOTY1MC00ODlkLTk0OGQtNDI1ZmYyZWQ2M2QyIiwibmFtZSI6ImludGVncmF0aW9uL3Rlc3RkYXRhL2ZpeHR1cmVzL2ltYWdlcy9jZW50b3MtNy50YXIuZ3oiLCJwcm9wZXJ0aWVzIjpbeyJuYW1lIjoiYXF1YXNlY3VyaXR5OnRyaXZ5OlNjaGVtYVZlcnNpb24iLCJ2YWx1ZSI6IjIifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6SW1hZ2VJRCIsInZhbHVlIjoic2hhMjU2OmYxY2I3YzdkNThiNzNlYWM4NTljMzk1ODgyZWVjNDlkNTA2NTEyNDRlMzQyY2Q2YzY4YTVjNzgwOTc4NWY0MjcifSx7Im5hbWUiOiJhcXVhc2VjdXJpdHk6dHJpdnk6RGlmZklEIiwidmFsdWUiOiJzaGEyNTY6ODkxNjlkODdkYmUyYjcyYmE0MmJmYmIzNTc5Yzk1NzMyMmJhY2EyOGUwM2ExZTU1ODA3NjU0MmExYzFiMmI0YSJ9XSwidHlwZSI6ImNvbnRhaW5lciJ9LCJ0aW1lc3RhbXAiOiIyMDIyLTA2LTE0VDE1OjA4OjQ4KzAwOjAwIiwidG9vbHMiOlt7Im5hbWUiOiJ0cml2eSIsInZlbmRvciI6ImFxdWFzZWN1cml0eSIsInZlcnNpb24iOiJkZXYifV19LCJzZXJpYWxOdW1iZXIiOiJ1cm46dXVpZDoxNDU1YzAyZC02NGNhLTQ1M2UtYTVkZi1kZGZiNzBhN2M4MDQiLCJzcGVjVmVyc2lvbiI6IjEuNCIsInZlcnNpb24iOjF9LCJUaW1lc3RhbXAiOiIifX0=","signatures":[{"keyid":"","sig":"MEUCIF52Th/Uxp9iGoqyP8ioikcefayjXh/+GhKyhhdczihaAiEAwOedZ0ovOanwY+u9Dl+/bHp8398YcXA2n0zG8Q2gnb0="}]}