docs: add Rekor SBOM attestation scanning (#2893 )

Signed-off-by: knqyf263 <knqyf263@gmail.com>
chore: narrow the owner scope (#2894 )
2025-12-09 22:30:46 -08:00 · 2022-09-16 15:43:01 +03:00 · 2022-09-16 15:42:31 +03:00 · 2022-09-16 12:23:58 +03:00 · 2022-09-16 11:16:41 +03:00 · 2022-09-16 10:20:40 +03:00
313 changed files with 13041 additions and 2729 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -7,8 +7,12 @@ helm/trivy/ @krol3
 # Misconfiguration scanning
 examples/misconf/           @owenrumney @liamg @knqyf263
 docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+docs/docs/cloud             @owenrumney @liamg @knqyf263
 pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
 pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+pkg/cloud                   @owenrumney @liamg @knqyf263
+pkg/flag/aws_flags.go       @owenrumney @liamg @knqyf263
+pkg/flag/misconf_flags.go   @owenrumney @liamg @knqyf263

 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.8
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -35,7 +35,7 @@ jobs:
        if: ${{ github.event.inputs.version == '' }}
        run: |
          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -15,8 +15,8 @@ env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
-  KIND_VERSION: "v0.11.1"
-  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
  test-chart:
    runs-on: ubuntu-20.04
@@ -26,7 +26,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
+        uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1
        with:
          version: v3.5.0
      - name: Set up python
@@ -35,7 +35,7 @@ jobs:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
+        uses: helm/chart-testing-action@09ed88797198755e5031f25be13da255e7e33aad
      - name: Setup Kubernetes cluster (KIND)
        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
        with:
@@ -45,7 +45,7 @@ jobs:
        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
      - name: Run chart-testing (Ingress enabled)
        run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
          ct lint-and-install --validate-maintainers=false --charts helm/trivy

  publish-chart:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs:
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser.yml
-      goreleaser_options: '--rm-dist --timeout 60m'
+      goreleaser_options: '--rm-dist --timeout 90m'
    secrets: inherit

  deploy-packages:
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.8
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -54,4 +54,4 @@ jobs:
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import

      - name: Create deb repository
-        run: ci/deploy-deb.sh
+        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -13,7 +13,6 @@ on:
        type: string

 env:
-  GO_VERSION: "1.18"
  GH_USER: "aqua-bot"

 jobs:
@@ -28,7 +27,7 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2
+        uses: sigstore/cosign-installer@b3413d484cc23cf8778c3d2aa361568d4eb54679

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
@@ -60,16 +59,16 @@ jobs:
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}

-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
@@ -100,10 +99,10 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.8
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
          # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -64,6 +64,8 @@ jobs:
            dotnet
            java
            go
+            c
+            c++
            
            os
            lang
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,8 +10,7 @@ on:
      - 'LICENSE'
  pull_request:
 env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.23.0"
+  TINYGO_VERSION: "0.25.0"
 jobs:
  test:
    name: Test
@@ -22,7 +21,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod

      - name: go mod tidy
        run: |
@@ -35,7 +34,7 @@ jobs:
      - name: Lint
        uses: golangci/golangci-lint-action@v3.2.0
        with:
-          version: v1.45
+          version: v1.49
          args: --deadline=30m
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778

@@ -51,36 +50,34 @@ jobs:
    name: Integration Test
    runs-on: ubuntu-latest
    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod

-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration

  module-test:
    name: Module Integration Test
    runs-on: ubuntu-latest
    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
+          go-version-file: go.mod

      - name: Install TinyGo
        run: |
          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb

-      - name: Checkout
-        uses: actions/checkout@v3
-
      - name: Run module integration tests
        run: |
          make test-module-integration
@@ -107,13 +104,13 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod

    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v3
      with:
        version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 60m
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m

  build-documents:
    name: Documentation Test
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -21,18 +21,17 @@ linters-settings:
    local-prefixes: github.com/aquasecurity
  gosec:
    excludes:
+      - G114
      - G204
      - G402

 linters:
  disable-all: true
  enable:
-    - structcheck
+    - unused
    - ineffassign
    - typecheck
    - govet
-    - varcheck
-    - deadcode
    - revive
    - gosec
    - unconvert
@@ -43,7 +42,7 @@ linters:
    - misspell

 run:
-  go: 1.18
+  go: 1.19
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.16.0
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM golang:1.18.3
+FROM golang:1.19.1

 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-VERSION := $(shell git describe --tags --always)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"

 GOPATH := $(shell go env GOPATH)
@@ -26,7 +26,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0

 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0

 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest
--- a/README.md
+++ b/README.md
@@ -39,7 +39,9 @@ Get Trivy by your favorite installation method. See [installation] section in th

 - `apt-get install trivy`
 - `yum install trivy`
+- `pacman -S trivy`
 - `brew install aquasecurity/trivy/trivy`
+- `sudo port install trivy`
 - `docker run aquasec/trivy`
 - Download binary from https://github.com/aquasecurity/trivy/releases/latest/

--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -1,8 +1,14 @@
 package main

 import (
+	"context"
+	"os"
+
+	"golang.org/x/xerrors"
+
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/plugin"
 )

 var (
@@ -10,8 +16,26 @@ var (
 )

 func main() {
-	app := commands.NewApp(version)
-	if err := app.Execute(); err != nil {
+	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func run() error {
+	// Trivy behaves as the specified plugin.
+	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
+		if !plugin.IsPredefined(runAsPlugin) {
+			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
+		}
+		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+			return xerrors.Errorf("plugin error: %w", err)
+		}
+		return nil
+	}
+
+	app := commands.NewApp(version)
+	if err := app.Execute(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -45,7 +45,7 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
@@ -67,5 +67,37 @@
      }
    }
    {{- end -}}
+    {{- range .Secrets -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Title | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .StartLine }}
+        }
+      }
+    }
+    {{- end -}}
  {{- end }}
 ]
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -1,10 +1,11 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
@@ -31,8 +32,6 @@
                  {{-  else -}}
                    "{{ .Severity }}"
                  {{- end }},
-      {{- /* TODO: Define confidence */}}
-      "confidence": "Unknown",
      "solution": {{ if .FixedVersion -}}
                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                  {{- else -}}
@@ -51,7 +50,7 @@
        },
        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
        "operating_system": "Unknown",
-        "image": "{{ $target }}"
+        "image": "{{ $image }}"
      },
      "identifiers": [
        {
@@ -71,7 +70,7 @@
          ,
        {{- end -}}
        {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
        }
        {{- end }}
      ]
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -28,4 +28,4 @@
    {{- end }}
    </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:8.2.10
+FROM squidfunk/mkdocs-material:8.3.9

 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -11,13 +11,13 @@ mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.2.10
+mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
-Pygments==2.11.2
-pymdown-extensions==9.3
+Pygments==2.12.0
+pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0
--- a/docs/community/credit.md
+++ b/docs/community/credit.md
@@ -1,10 +0,0 @@
-# Author
-
-[Teppei Fukuda][knqyf263] (knqyf263)
-
-# Contributors
-
-Thanks to all [contributors][contributors]
-
-[knqyf263]: https://github.com/knqyf263
-[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors
--- a/docs/community/references.md
+++ b/docs/community/references.md
@@ -1,48 +0,0 @@
-# Additional References
-There are external blogs and evaluations.
-
-## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
- [the vulnerability remediation lifecycle of Alpine containers][alpine]
- [Continuous Container Vulnerability Testing with Trivy][semaphore]
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
- [Istio evaluates scanners][istio]
-
-## Presentations
- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
--- a/docs/community/tools.md
+++ b/docs/community/tools.md
@@ -1,37 +0,0 @@
-# Community Tools
-The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
-
-Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
-
-## GitHub Actions
-
-| Actions                                    | Description                                                                      |
-| ------------------------------------------ | -------------------------------------------------------------------------------- |
-| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
-| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
-
-## Semaphore
-
-| Name                                                   | Description                               |
-| -------------------------------------------------------| ----------------------------------------- |
-| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
-
-
-## CircleCI
-
-| Orb                                      | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
-
-## Others
-
-| Name                                     | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
-
-
-[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
-[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
-[gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
-[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -5,14 +5,34 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
 ## Air-Gapped Environment for vulnerabilities

 ### Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-Please follow [oras installation instruction][oras].
+=== "Trivy"

-Download `db.tar.gz`:
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```

-```
-$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
-```
+=== "oras >= v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+
+=== "oras < v0.13.0"
+    At first, you need to download the vulnerability database for use in air-gapped environments.
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
+    ```

 ### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
@@ -43,7 +63,7 @@ $ rm /path/to/db.tar.gz

 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 

-### Run Trivy with --skip-update and --offline-scan option
+### Run Trivy with `--skip-update` and `--offline-scan` option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.

@@ -55,7 +75,7 @@ $ trivy image --skip-update --offline-scan alpine:3.12

 No special measures are required to detect misconfigurations in an air-gapped environment.

-### Run Trivy with --skip-policy-update option
+### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.

 ```
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,58 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+## Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+## Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -1,6 +1,7 @@
 # SBOM attestation

 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
+And, Trivy can take an SBOM attestation as input and scan for vulnerabilities

 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
@@ -8,43 +9,77 @@

 ## Sign with a local key pair

-Cosign can generate key pairs and use them for signing and verification. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
-
-In the following example, Trivy generates an SBOM in the spdx format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).

+```bash
+$ cosign generate-key-pair
 ```
-$ trivy image --format spdx -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE>
+
+In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
+
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

 Then, you can verify attestations on the image.

-```
-$ cosign verify-attestation --key /path/to/cosign.pub <IMAGE>
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
 ```

 You can also create attestations of other formatted SBOM.

-```
-# spdx-json
-$ trivy image --format spdx-json -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE>
+```bash
+# spdx
+$ trivy image --format spdx -o sbom.spdx <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>

-# cyclonedx
-$ trivy image --format cyclonedx -o predicate <IMAGE>
-$ cosign attest --key /path/to/cosign.key --type https://cyclonedx.org/schema --predicate predicate <IMAGE>
+# spdx-json
+$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
 ```

 ## Keyless signing

 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).

-```
-$ trivy image --format spdx -o predicate <IMAGE>
-$ COSIGN_EXPERIMENTAL=1 cosign attest --type spdx --predicate predicate <IMAGE>
+```bash
+# The cyclonedx type is supported in Cosign v1.10.0 or later.
+$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

 You can verify attestations.
+```bash
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
 ```
-$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>
+
+## Scanning
+
+Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
+
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
--- a/docs/docs/attestation/vuln.md
+++ b/docs/docs/attestation/vuln.md
@@ -0,0 +1,190 @@
+# Cosign Vulnerability Attestation
+
+## Generate Cosign Vulnerability Scan Record
+
+Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
+
+You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```json
+{
+  "invocation": {
+    "parameters": null,
+    "uri": "",
+    "event_id": "",
+    "builder.id": ""
+  },
+  "scanner": {
+    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
+    "version": "v0.30.1-8-gf9cb8a28",
+    "db": {
+      "uri": "",
+      "version": ""
+    },
+    "result": {
+      "SchemaVersion": 2,
+      "ArtifactName": "alpine:3.10",
+      "ArtifactType": "container_image",
+      "Metadata": {
+        "OS": {
+          "Family": "alpine",
+          "Name": "3.10.9",
+          "EOSL": true
+        },
+        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
+        "DiffIDs": [
+          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+        ],
+        "RepoTags": [
+          "alpine:3.10"
+        ],
+        "RepoDigests": [
+          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
+        ],
+        "ImageConfig": {
+          "architecture": "amd64",
+          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
+          "created": "2021-04-14T19:20:05.338397761Z",
+          "docker_version": "19.03.12",
+          "history": [
+            {
+              "created": "2021-04-14T19:20:04.987219124Z",
+              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
+            },
+            {
+              "created": "2021-04-14T19:20:05.338397761Z",
+              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+              "empty_layer": true
+            }
+          ],
+          "os": "linux",
+          "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+            ]
+          },
+          "config": {
+            "Cmd": [
+              "/bin/sh"
+            ],
+            "Env": [
+              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            ],
+            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
+          }
+        }
+      },
+      "Results": [
+        {
+          "Target": "alpine:3.10 (alpine 3.10.9)",
+          "Class": "os-pkgs",
+          "Type": "alpine",
+          "Vulnerabilities": [
+            {
+              "VulnerabilityID": "CVE-2021-36159",
+              "PkgName": "apk-tools",
+              "InstalledVersion": "2.10.6-r0",
+              "FixedVersion": "2.10.7-r0",
+              "Layer": {
+                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
+                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
+              },
+              "SeveritySource": "nvd",
+              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
+              "DataSource": {
+                "ID": "alpine",
+                "Name": "Alpine Secdb",
+                "URL": "https://secdb.alpinelinux.org/"
+              },
+              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
+              "Severity": "CRITICAL",
+              "CweIDs": [
+                "CWE-125"
+              ],
+              "CVSS": {
+                "nvd": {
+                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
+                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
+                  "V2Score": 6.4,
+                  "V3Score": 9.1
+                }
+              },
+              "References": [
+                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
+                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
+                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
+              ],
+              "PublishedDate": "2021-08-03T14:15:00Z",
+              "LastModifiedDate": "2021-10-18T12:19:00Z"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
+    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
+  }
+}
+```
+
+</details>
+
+## Create Cosign Vulnerability Attestation
+
+[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
+
+
+### Sign with a local key pair
+
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+
+```bash
+$ cosign generate-key-pair
+```
+
+In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
+
+```
+$ trivy image --format cosign-vuln --output vuln.json <IMAGE>
+$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
+```
+
+Then, you can verify attestations on the image.
+
+```
+$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
+```
+
+### Keyless signing
+
+You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
+
+```
+$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
+$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+```
+
+You can verify attestations.
+
+```
+$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+```
+
+[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
--- a/docs/docs/cloud/aws/scanning.md
+++ b/docs/docs/cloud/aws/scanning.md
@@ -0,0 +1,55 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Cached Results
+
+By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -1,28 +1,6 @@
 # Docs

-Trivy detects two types of security issues:
-
- [Vulnerabilities][vuln]
- [Misconfigurations][misconf]
-
-Trivy can scan four different artifacts:
-
- [Container Images][container]
- [Filesystem][filesystem] and [Rootfs][rootfs]
- [Git Repositories][repo]
- [Kubernetes][kubernetes]
-
-Trivy can be run in two different modes:
-
- [Standalone][standalone]
- [Client/Server][client-server]
-
-Trivy can be run as a Kubernetes Operator:
-
- [Kubernetes Operator][kubernetesoperator]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
+This documentation details how to use Trivy to access the features listed below.

 ## Features

@@ -67,7 +45,7 @@ See [Integrations][integrations] for details.

 Please see [LICENSE][license] for Trivy licensing information.

-[installation]: ../getting-started/installation.md
+[installation]: ../index.md
 [vuln]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [kubernetesoperator]: ../docs/kubernetes/operator/index.md
@@ -79,7 +57,7 @@ Please see [LICENSE][license] for Trivy licensing information.

 [standalone]: ../docs/references/modes/standalone.md
 [client-server]: ../docs/references/modes/client-server.md
-[integrations]: ../docs/integrations/index.md
+[integrations]: ../tutorials/integrations/index.md

 [os]: ../docs/vulnerability/detection/os.md
 [lang]: ../docs/vulnerability/detection/language.md
@@ -91,4 +69,4 @@ Please see [LICENSE][license] for Trivy licensing information.
 [sbom]: ../docs/sbom/index.md

 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/docs/integrations/aws-security-hub.md
+++ b/docs/docs/integrations/aws-security-hub.md
@@ -1,29 +0,0 @@
-# AWS Security Hub
-
-## Upload findings to Security Hub
-
-In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
-
-```
-$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
-Then, you can upload it with AWS CLI.
-
-```
-$ aws securityhub batch-import-findings --findings file://report.asff
-```
-
-## Customize
-You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
-
-```
-$ export AWS_REGION=us-west-1
-$ export AWS_ACCOUNT_ID=123456789012
-$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-## Reference
-https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
--- a/docs/docs/kubernetes/cli/scanning.md
+++ b/docs/docs/kubernetes/cli/scanning.md
@@ -5,7 +5,7 @@

 The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.

-If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
+If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)

 Trivy uses your local kubectl configuration to access the API server to list artifacts.

@@ -41,6 +41,12 @@ Scan a specific namespace:
 $ trivy k8s -n kube-system --report=summary all
 ```

+Use a specific kubeconfig file:
+
+```
+$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
+```
+
 Scan a specific resource and get all the output:

 ```
--- a/docs/docs/misconfiguration/options/others.md
+++ b/docs/docs/misconfiguration/options/others.md
@@ -2,21 +2,3 @@

 !!! hint
    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
-
-## File patterns
-When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
-The default file patterns are [here](../custom/index.md).
-
-In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
-For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
-
-This can be repeated for specifying multiple file patterns.
-Allowed values are here:
-
- dockerfile
- yaml
- json
- toml
- hcl
-
-For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -0,0 +1,48 @@
+# Value Overrides
+
+Value files can be passed for supported scannable config files.
+
+## Terraform value overrides
+You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+## Helm value overrides
+There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+### Setting value file overrides
+Overrides can be in a file that has the key=value set. 
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+### Setting sepecific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -2,7 +2,7 @@

 ```bash
 Usage:
-  [DEPRECATED] trivy client [flags] IMAGE_NAME
+  trivy client [flags] IMAGE_NAME

 Aliases:
  client, c
@@ -10,13 +10,13 @@ Aliases:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -34,7 +34,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -59,11 +59,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/config.md
+++ b/docs/docs/references/cli/config.md
@@ -10,19 +10,16 @@ Aliases:
  config, conf

 Scan Flags
-      --skip-dirs string    specify the directories where the traversal is skipped
-      --skip-files string   specify the file paths to skip traversal
+      --skip-dirs strings    specify the directories where the traversal is skipped
+      --skip-files strings   specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
+      --exit-code int       specify exit code when any security issues are found
+  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --ignorefile string   specify .trivyignore file (default ".trivyignore")
+  -o, --output string       output file name
+  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string     output template

 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
@@ -41,12 +38,12 @@ Misconfiguration Flags
      --trace                       enable more verbose trace output for custom queries

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
-
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/fs.md
+++ b/docs/docs/references/cli/fs.md
@@ -19,13 +19,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -42,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -63,6 +63,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -70,11 +74,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/image.md
+++ b/docs/docs/references/cli/image.md
@@ -34,13 +34,12 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -57,7 +56,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -82,6 +81,10 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
@@ -89,11 +92,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/index.md
+++ b/docs/docs/references/cli/index.md
@@ -4,6 +4,7 @@ Trivy has several sub commands, image, fs, repo, client and server.
 Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

 Usage:
+  trivy [global flags] command [flags] target
  trivy [command]

 Examples:
@@ -24,7 +25,6 @@ Available Commands:
  filesystem  Scan local filesystem
  help        Help about any command
  image       Scan a container image
-  kubectl     scan kubectl resources
  kubernetes  scan kubernetes cluster
  module      Manage modules
  plugin      Manage plugins
@@ -35,15 +35,16 @@ Available Commands:
  version     Print the version

 Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-  -f, --format string      version format (json)
-  -h, --help               help for trivy
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version

 Use "trivy [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/module.md
+++ b/docs/docs/references/cli/module.md
@@ -17,11 +17,14 @@ Flags:
  -h, --help   help for module

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy module [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/plugin.md
+++ b/docs/docs/references/cli/plugin.md
@@ -10,22 +10,25 @@ Aliases:
  plugin, p

 Available Commands:
-  Uninstall   uninstall a plugin
  info        Show information about the specified plugin
  install     Install a plugin
  list        List installed plugin
  run         Run a plugin on the fly
+  uninstall   Uninstall a plugin
  update      Update an existing plugin

 Flags:
  -h, --help   help for plugin

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+
+Use "trivy plugin [command] --help" for more information about a command.
 ```
--- a/docs/docs/references/cli/repo.md
+++ b/docs/docs/references/cli/repo.md
@@ -16,13 +16,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -39,7 +39,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -60,23 +60,28 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-      
+
 Repository Flags
      --branch string   pass the branch name to be scanned
      --commit string   pass the commit hash to be scanned
      --tag string      pass the tag name to be scanned

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -19,13 +19,13 @@ Examples:
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -42,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -63,12 +63,17 @@ Misconfiguration Flags
 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

+License Flags
+      --ignored-licenses strings   specify a list of license to ignore
+      --license-full               eagerly look for licenses in source code headers and license files
+
 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/sbom.md
+++ b/docs/docs/references/cli/sbom.md
@@ -13,17 +13,19 @@ Examples:
  # Scan CycloneDX and generate a CycloneDX report
  $ trivy sbom --format cyclonedx /path/to/report.cdx

+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+

 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs string         specify the directories where the traversal is skipped
-      --skip-files string        specify the file paths to skip traversal
+      --skip-dirs strings        specify the directories where the traversal is skipped
+      --skip-files strings       specify the file paths to skip traversal

 Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
@@ -40,7 +42,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -57,11 +59,12 @@ Client/Server Flags
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/cli/server.md
+++ b/docs/docs/references/cli/server.md
@@ -26,7 +26,7 @@ Cache Flags
      --redis-key string       redis key file location, if using redis as cache backend

 DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
@@ -38,11 +38,12 @@ Client/Server Flags
      --token-header string   specify a header name for token in client/server mode (default "Trivy-Token")

 Global Flags:
-      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string      config path (default "trivy.yaml")
-  -d, --debug              debug mode
-      --insecure           allow insecure server connections when using TLS
-  -q, --quiet              suppress progress bar and log output
-      --timeout duration   timeout (default 5m0s)
-  -v, --version            show version
+      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections when using TLS
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
 ```
--- a/docs/docs/references/customization/config-file.md
+++ b/docs/docs/references/customization/config-file.md
@@ -6,7 +6,7 @@ An example is [here][example].

 ## Global Options

-```
+```yaml
 # Same as '--quiet'
 # Default is false
 quiet: false
@@ -30,7 +30,7 @@ cache-dir: $HOME/.cache/trivy

 ## Report Options

-```
+```yaml
 # Same as '--format'
 # Default is 'table'
 format: table
@@ -80,8 +80,13 @@ severity:
 ## Scan Options
 Available in client/server mode

-```
+```yaml
 scan:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+
  # Same as '--skip-dirs'
  # Default is empty
  skip-dirs:
@@ -107,7 +112,7 @@ scan:

 ## Cache Options

-```
+```yaml
 cache:
  # Same as '--cache-backend'
  # Default is 'fs' 
@@ -134,7 +139,7 @@ cache:

 ## DB Options

-```
+```yaml
 db:
  # Same as '--skip-db-update'
  # Default is false
@@ -152,7 +157,7 @@ db:
 ## Image Options
 Available with container image scanning

-```
+```yaml
 image:
  # Same as '--input' (available with 'trivy image')
  # Default is empty
@@ -166,7 +171,7 @@ image:
 ## Vulnerability Options
 Available with vulnerability scanning

-```
+```yaml
 vulnerability:
  # Same as '--vuln-type'
  # Default is 'os,library'
@@ -182,7 +187,7 @@ vulnerability:
 ## Secret Options
 Available with secret scanning

-```
+```yaml
 secret:
  # Same as '--secret-config'
  # Default is 'trivy-secret.yaml'
@@ -193,13 +198,8 @@ secret:
 ## Misconfiguration Options
 Available with misconfiguration scanning

-```
+```yaml
 misconfiguration:
-  # Same as '--file-patterns'
-  # Default is empty
-  file-patterns:
-    -
-  
  # Same as '--include-non-failures'
  # Default is false
  include-non-failures: false
@@ -224,12 +224,39 @@ misconfiguration:
  namespaces:
    - opa.examples
    - users
+
+  # helm value override configurations
+  # set individual values
+  helm:
+    set:
+      - securityContext.runAsUser=10001
+
+  # set values with file
+  helm:
+    values:
+      - overrides.yaml
+
+  # set specific values from specific files
+  helm:
+    set-file:
+      - image=dev-overrides.yaml
+
+  # set as string and preserve type
+  helm:
+    set-string:
+      - name=true
+
+  # terraform tfvars overrrides
+  terraform:
+    vars:
+      - dev-terraform.tfvars
+      - common-terraform.tfvars
 ```

 ## Kubernetes Options
 Available with Kubernetes scanning

-```
+```yaml
 kubernetes:
  # Same as '--context'
  # Default is empty
@@ -243,7 +270,7 @@ kubernetes:
 ## Repository Options
 Available with git repository scanning (`trivy repo`) 

-```
+```yaml
 repository:
  # Same as '--branch'
  # Default is empty
@@ -261,7 +288,7 @@ repository:
 ## Client/Server Options
 Available in client/server mode

-```
+```yaml
 server:
  # Same as '--server' (available in client mode)
  # Default is empty
@@ -286,4 +313,28 @@ server:
  listen: 0.0.0.0:10000
 ```

+## Cloud Options
+
+Available for cloud scanning (currently only `trivy aws`)
+
+```yaml
+cloud:
+  # whether to force a cache update for every scan
+  update-cache: false
+  
+  # how old cached results can be before being invalidated
+  max-cache-age: 24h
+  
+  # aws-specific cloud settings
+  aws:
+    # the aws region to use
+    region: us-east-1
+    
+    # the aws endpoint to use (not required for general use)
+    endpoint: https://my.custom.aws.endpoint
+    
+    # the aws account to use (this will be determined from your environment when not set)
+    account: 123456789012
+```
+
 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
--- a/docs/docs/sbom/cyclonedx.md
+++ b/docs/docs/sbom/cyclonedx.md
@@ -1,13 +1,21 @@
 # CycloneDX

-## Reporting
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+## Generating
+Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.

+CycloneDX can represent either or both SBOM or BOV.
+
+- [Software Bill of Materials (SBOM)][sbom]
+- [Bill of Vulnerabilities (BOV)][bov]
+
+By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
+
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```

 <details>
@@ -231,6 +239,12 @@ $ cat result.json | jq .

 </details>

+If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+
+```
+$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+```
+
 ## Scanning
 Trivy can take CycloneDX as an input and scan for vulnerabilities.
 To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
@@ -258,5 +272,8 @@ Total: 3 (CRITICAL: 3)

 !!! note
    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV][bov].

-[cyclonedx]: https://cyclonedx.org/
+[cyclonedx]: https://cyclonedx.org/
+[sbom]: https://cyclonedx.org/capabilities/sbom/
+[bov]: https://cyclonedx.org/capabilities/bov/
--- a/docs/docs/sbom/index.md
+++ b/docs/docs/sbom/index.md
@@ -1,6 +1,6 @@
 # SBOM

-## Reporting
+## Generating
 Trivy can generate the following SBOM formats.

 - [CycloneDX][cyclonedx]
@@ -9,9 +9,10 @@ Trivy can generate the following SBOM formats.
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.

 ```
-$ trivy image --format cyclonedx --output result.json alpine:3.15
+$ trivy image --format spdx-json --output result.json alpine:3.15
 ```

+
 ```
 $ trivy fs --format cyclonedx --output result.json /app/myproject
 ```
@@ -180,33 +181,52 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
 Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.

 - CycloneDX
+- SPDX
+- SPDX JSON
+- CycloneDX-type attestation

 To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.

 ```bash
 $ trivy sbom /path/to/cyclonedx.json
-
-cyclonedx.json (alpine 3.7.1)
-=========================
-Total: 3 (CRITICAL: 3)
-
-┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
-└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 ```

+See [here][cyclonedx] for the detail.

 !!! note
-    CycloneDX XML and SPDX are not supported at the moment.
+    CycloneDX XML is not supported at the moment.
+
+```bash
+$ trivy sbom /path/to/spdx.json
+```
+
+See [here][spdx] for the detail.
+
+
+You can also scan an SBOM attestation.
+In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md
+[Cosign]: https://github.com/sigstore/cosign
+[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair
--- a/docs/docs/sbom/spdx.md
+++ b/docs/docs/sbom/spdx.md
@@ -1,6 +1,7 @@
 # SPDX

-Trivy generates reports in the [SPDX][spdx] format.
+## Generating
+Trivy can generate SBOM in the [SPDX][spdx] format.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.

@@ -294,4 +295,50 @@ $ cat result.spdx.json | jq .

 </details>

+## Scanning
+Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
+The input format is automatically detected.
+
+The following formats are supported:
+
+- Tag-value (`--format spdx`)
+- JSON (`--format spdx-json`)
+
+```bash
+$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
+$ trivy sbom spdx.json
+2022-09-15T21:32:27.168+0300    INFO    Vulnerability scanning is enabled
+2022-09-15T21:32:27.169+0300    INFO    Detected SBOM format: spdx-json
+2022-09-15T21:32:27.210+0300    INFO    Detected OS: alpine
+2022-09-15T21:32:27.210+0300    INFO    Detecting Alpine vulnerabilities...
+2022-09-15T21:32:27.211+0300    INFO    Number of language-specific files: 0
+
+spdx.json (alpine 3.16.0)
+=========================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
+
+┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ busybox      │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes               │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                  │
+├──────────────┤                │          │                   │               │                                                            │
+│ libssl1.1    │                │          │                   │               │                                                            │
+│              │                │          │                   │               │                                                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ ssl_client   │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in  │
+│              │                │          │                   │               │ inflate in inflate.c...                                    │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                 │
+└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
--- a/docs/docs/secret/configuration.md
+++ b/docs/docs/secret/configuration.md
@@ -137,6 +137,6 @@ disable-allow-rules:
 ```


-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [examples]: ./examples.md
--- a/docs/docs/secret/scanning.md
+++ b/docs/docs/secret/scanning.md
@@ -116,8 +116,8 @@ $ trivy image --security-checks vuln alpine:3.15
 ## Credit
 This feature is inspired by [gitleaks][gitleaks]. 

-[builtin]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
-[builtin-allow]: https://github.com/aquasecurity/fanal/blob/main/secret/builtin-allow-rules.go
+[builtin]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go
+[builtin-allow]: https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-allow-rules.go
 [configuration]: ./configuration.md
 [allow-rules]: ./configuration.md#allow-rules
 [enable-rules]: ./configuration.md#enable-rules
--- a/docs/docs/vulnerability/detection/data-source.md
+++ b/docs/docs/vulnerability/detection/data-source.md
@@ -19,22 +19,23 @@

 # Programming Language

-| Language                     | Source                                              | Commercial Use  | Delay[^1]|
-| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
-| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
-|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
-| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| Language | Source                                              | Commercial Use  | Delay[^1]|
+|----------|-----------------------------------------------------|:---------------:|:--------:|
+| PHP      | [PHP Security Advisories Database][php]             | ✅              | -        |
+|          | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
+| Python   | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
+|          | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
+| Ruby     | [Ruby Advisory Database][ruby]                      | ✅              | -        |
+|          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
+| Node.js  | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
+|          | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
+| Java     | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|          | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
+| Go       | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|          | [The Go Vulnerability Database][go]                 | ✅              | -        |
+| Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
+| .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| C/C++    | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |

 [^1]: Intentional delay between vulnerability disclosure and registration in the DB

--- a/docs/docs/vulnerability/detection/language.md
+++ b/docs/docs/vulnerability/detection/language.md
@@ -2,28 +2,31 @@

 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

-| Language | File                    | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
-| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
-| Ruby     | Gemfile.lock            |     -     |     -      |        ✅        |        ✅        | included         |
-|          | gemspec                 |     ✅     |     ✅      |        -        |        -        | included         |
-| Python   | Pipfile.lock            |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | poetry.lock             |     -     |     -      |        ✅        |        ✅        | included         |
-|          | requirements.txt        |     -     |     -      |        ✅        |        ✅        | included         |
-|          | egg package[^1]         |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | wheel package[^2]       |     ✅     |     ✅      |        -        |        -        | excluded         |
-| PHP      | composer.lock           |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Node.js  | package-lock.json       |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | yarn.lock               |     -     |     -      |        ✅        |        ✅        | included         |
-|          | pnpm-lock.yaml          |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | package.json            |     ✅     |     ✅      |        -        |        -        | excluded         |
-| .NET     | packages.lock.json      |     ✅     |     ✅      |        ✅        |        ✅        | included         |
-|          | packages.config         |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-|          | .deps.json              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Java     | JAR/WAR/PAR/EAR[^3][^4] |     ✅     |     ✅      |        -        |        -        | included         |
-|          | pom.xml[^5]             |     -     |     -      |        ✅        |        ✅        | excluded         |
-| Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | go.mod[^7]              |     -     |     -      |        ✅        |        ✅        | included         |
-| Rust     | Cargo.lock              |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+| Language | File                                                                                       | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
+| -------- |--------------------------------------------------------------------------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
+| Ruby     | Gemfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | included         |
+|          | gemspec                                                                                    |     ✅     |     ✅      |        -        |        -        | included         |
+| Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | poetry.lock                                                                                |     -     |     -      |        ✅        |        ✅        | included         |
+|          | requirements.txt                                                                           |     -     |     -      |        ✅        |        ✅        | included         |
+|          | egg package[^1]                                                                            |     ✅     |     ✅      |        -        |        -        | excluded         |
+|          | wheel package[^2]                                                                          |     ✅     |     ✅      |        -        |        -        | excluded         |
+| PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+| Node.js  | package-lock.json                                                                          |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | yarn.lock                                                                                  |     -     |     -      |        ✅        |        ✅        | included         |
+|          | pnpm-lock.yaml                                                                             |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | package.json                                                                               |     ✅     |     ✅      |        -        |        -        | excluded         |
+| .NET     | packages.lock.json                                                                         |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | packages.config                                                                            |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+|          | .deps.json                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]                                                                    |     ✅     |     ✅      |        -        |        -        | included         |
+|          | pom.xml[^5]                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | *gradle.lockfile                                                                           |     -     |     -      |        ✅        |        ✅        | excluded         |
+| Go       | Binaries built by Go[^6]                                                                   |     ✅     |     ✅      |        -        |        -        | excluded         |
+|          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |
+| Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   
+| C/C++    | conan.lock[^12]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |

 The path of these files does not matter.

@@ -40,3 +43,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^12]: To scan a filename other than the default filename(`conan.lock`) use [file-patterns](../examples/others.md#file-patterns)
--- a/docs/docs/vulnerability/distributions.md
+++ b/docs/docs/vulnerability/distributions.md
@@ -11,19 +11,48 @@ The following table provides an outline of the features Trivy offers.

 ### Examples

-```
-$ trivy image cblmariner.azurecr.io/base/core:1.0
-2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
-2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
-2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0
+=== "image"
+    ```
+    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
+    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
+    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
+    
+    mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```

-cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
-==============================================================
-Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 
-```
+=== "fs"
+    ```
+    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 
+    
+    root [ / ]# tdnf -y install ca-certificates
+    ...
+
+    root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
+    ...
+    
+    root [ / ]# trivy fs /
+    2022-07-27T09:30:06.815Z	INFO	Need to update DB
+    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
+    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
+    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
+    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
+    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
+    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
+    
+    40ba9a55397c (cbl-mariner 2.0.20220527)
+    
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```

 ### Data source
 See [here][source].

 [mariner]: https://github.com/microsoft/CBL-Mariner
-[source]: detection/data-source.md
+[source]: detection/data-source.md
--- a/docs/docs/vulnerability/examples/others.md
+++ b/docs/docs/vulnerability/examples/others.md
@@ -16,6 +16,22 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```

+## File patterns
+When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
+The default file patterns are [here](../../misconfiguration/custom/index.md).
+
+In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
+For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
+
+This can be repeated for specifying multiple file patterns.
+
+A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
+```
+--file-patterns "dockerfile:.*.docker" --file-patterns "yaml:deployment" --file-patterns "pip:requirements-.*\.txt"
+```
+
+For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
+
 ## Exit Code
 By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
 Use the `--exit-code` option if you want to exit with a non-zero exit code.
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,10 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
+This flag is only available with the `--format table` flag.
+
+!!! note
+    Only Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.

 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,9 +63,6 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain

 Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.

-!!! note
-    Only Node.js (package-lock.json) is supported at the moment.
-
 ## JSON

 ```
@@ -273,9 +273,9 @@ The following example shows use of default HTML template when Trivy is installed
 $ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
 ```

-
+[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/
--- a/docs/ecosystem/tools.md
+++ b/docs/ecosystem/tools.md
@@ -0,0 +1,93 @@
+#  Tools
+This section includes several tools either added by the core maintainers from Aqua Security or the open source community.
+
+## Official Trivy Tools
+
+### GitHub Actions
+
+| Actions                      | Description                                                    |
+| ---------------------------- | -------------------------------------------------------------- |
+| [trivy-action][trivy-action] | GitHub Actions for integrating Trivy into your GitHub pipeline |
+
+### VSCode Extension
+
+| Orb                | Description                 |
+| ------------------ | --------------------------- |
+| [vs-code][vs-code] | VS Code extension for trivy |
+
+
+### Vim Plugin
+
+| Orb                    | Description          |
+| ---------------------- | -------------------- |
+| [vim-trivy][vim-trivy] | Vim plugin for trivy |
+
+
+### Docker Desktop Extension
+
+| Orb                              | Description                                                                                           |
+| ---------------------------------| ----------------------------------------------------------------------------------------------------- |
+| [docker-desktop][docker-desktop] | Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs |
+
+
+### Azure DevOps Pipelines Task
+
+| Orb                          | Description                                                     |
+| ---------------------------- | --------------------------------------------------------------- |
+| [azure-devops][azure-devops] | An Azure DevOps Pipelines Task for Trivy, with an integrated UI |
+
+
+### Trivy Kubernetes Operator
+
+| Orb                              | Description                              |
+| ---------------------------------| ---------------------------------------- |
+| [trivy-operator][trivy-operator] | Kubernetes Operator for installing Trivy |
+
+
+### Kubernetes Lens Extension
+
+| Orb                          | Description                         |
+| ---------------------------- | ----------------------------------- |
+| [lens-extension][trivy-lens] | Trivy Extension for Kubernetes Lens |
+
+## Community Tools
+
+### GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+### Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+### CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+
+### Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[trivy-action]: https://github.com/aquasecurity/trivy-action
+[vs-code]: https://github.com/aquasecurity/trivy-vscode-extension
+[vim-trivy]: https://github.com/aquasecurity/vim-trivy
+[docker-desktop]: https://github.com/aquasecurity/trivy-docker-extension
+[azure-devops]: https://github.com/aquasecurity/trivy-azure-pipelines-task
+[trivy-operator]: https://github.com/aquasecurity/trivy-operator
+[trivy-lens]: https://github.com/aquasecurity/trivy-operator-lens-extension
--- a/docs/getting-started/further.md
+++ b/docs/getting-started/further.md
@@ -1,32 +0,0 @@
-# Further Reading
-
-## Presentations
- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-  
-## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -1,4 +1,4 @@
-# Installation
+# CLI Installation

 ## RHEL/CentOS

@@ -31,8 +31,8 @@

    ``` bash
    sudo apt-get install wget apt-transport-https gnupg lsb-release
-    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install trivy
    ```
@@ -46,19 +46,11 @@

 ## Arch Linux

-Package trivy-bin can be installed from the Arch User Repository.
+Package trivy can be installed from the Arch Community Package Manager.

-=== "pikaur"
-
-    ``` bash
-    pikaur -Sy trivy-bin
-    ```
-
-=== "yay"
-
-    ``` bash
-    yay -Sy trivy-bin
-    ```
+```bash
+pacman -S trivy
+```

 ## Homebrew

@@ -68,6 +60,16 @@ You can use homebrew on macOS and Linux.
 brew install aquasecurity/trivy/trivy
 ```

+## MacPorts
+
+You can also install `trivy` via [MacPorts](https://www.macports.org) on macOS:
+
+```bash
+sudo port install trivy
+```
+
+More info [here](https://ports.macports.org/port/trivy/).
+
 ## Nix/NixOS

 Direct issues installing `trivy` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)
@@ -193,28 +195,6 @@ The same image is hosted on [Amazon ECR Public][ecr] as well.
 docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }}
 ```

-## Helm
-
-### Installing from the Aqua Chart Repository
-
-```
-helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
-helm repo update
-helm search repo trivy
-helm install my-trivy aquasecurity/trivy
-```
-
-### Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```
-helm install my-release .
-```
-
-The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm]
-section lists the parameters that can be configured during installation.
-
 ### AWS private registry permissions

 You may need to grant permissions to allow trivy to pull images from private registry (AWS ECR).
@@ -248,6 +228,37 @@ podAnnotations: {}

 > **Tip**: List all releases using `helm list`.

+## Other Tools to use and deploy Trivy
+
+For additional tools and ways to install and use Trivy in different envrionments such as in Docker Desktop and Kubernetes clusters, see the links in the [Ecosystem section](../ecosystem/tools.md).
+
+
 [ecr]: https://gallery.ecr.aws/aquasecurity/trivy
 [registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy
 [helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy
+[slack]: https://slack.aquasec.com
+[operator-docs]: https://aquasecurity.github.io/trivy-operator/latest/
+
+[vuln]: ./docs/vulnerability/scanning/index.md
+[misconf]: ./docs/misconfiguration/scanning.md
+[kubernetesoperator]: ./docs/kubernetes/operator/index.md
+[container]: ./docs/vulnerability/scanning/image.md
+[rootfs]: ./docs/vulnerability/scanning/rootfs.md
+[filesystem]: ./docs/vulnerability/scanning/filesystem.md
+[repo]: ./docs/vulnerability/scanning/git-repository.md
+[kubernetes]: ./docs/kubernetes/cli/scanning.md
+
+[standalone]: ./docs/references/modes/standalone.md
+[client-server]: ./docs/references/modes/client-server.md
+[integrations]: ./tutorials/integrations/index.md
+
+[os]: ./docs/vulnerability/detection/os.md
+[lang]: ./docs/vulnerability/detection/language.md
+[builtin]: ./docs/misconfiguration/policy/builtin.md
+[quickstart]: ./getting-started/quickstart.md
+[podman]: ./docs/advanced/container/podman.md
+
+[sbom]: ./docs/sbom/index.md
+
+[oci]: https://github.com/opencontainers/image-spec
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -1,44 +0,0 @@
-# Overview
-
-Trivy detects three types of security issues:
-
- [Vulnerabilities][vuln]
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
- [Misconfigurations][misconf]
-    - Kubernetes
-    - Docker
-    - Terraform
-    - CloudFormation
-    - more coming soon
- [Secrets][secret]
-    - AWS access key
-    - GCP service account
-    - GitHub personal access token
-    - etc.
-
-Trivy can scan three different artifacts:
-
- [Container Images][container]
- [Filesystem][filesystem]
- [Git Repositories][repo]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
-
-[vuln]: ../docs/vulnerability/scanning/index.md
-[os]: ../docs/vulnerability/detection/os.md
-[lang]: ../docs/vulnerability/detection/language.md
-
-[misconf]: ../docs/misconfiguration/scanning.md
-
-[secret]: ../docs/secret/scanning.md
-
-[container]: ../docs/vulnerability/scanning/image.md
-[rootfs]: ../docs/vulnerability/scanning/rootfs.md
-[filesystem]: ../docs/vulnerability/scanning/filesystem.md
-[repo]: ../docs/vulnerability/scanning/git-repository.md
-
-[integrations]: ../docs/integrations/index.md
-
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/getting-started/quickstart.md
+++ b/docs/getting-started/quickstart.md
@@ -1,5 +1,9 @@
 # Quick Start

+## Prerequisites
+
+- Make sure to have the Trivy [CLI installed][installation]
+
 ## Scan image for vulnerabilities and secrets

 Simply specify an image name (and a tag).
@@ -80,6 +84,7 @@ See https://avd.aquasec.com/misconfig/ds001

 For more details, see [here][misconf].

+[installation]: ./installation.md
 [vulnerability]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [secret]: ../docs/secret/scanning.md
--- a/docs/imgs/argocd-ui.png
+++ b/docs/imgs/argocd-ui.png
--- a/docs/imgs/docker-desktop.png
+++ b/docs/imgs/docker-desktop.png
--- a/docs/imgs/trivy-aws.png
+++ b/docs/imgs/trivy-aws.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,26 +1,34 @@
 ---
 hide:
- navigation
 - toc
 ---

-![logo](imgs/logo.png){ align=left }
+![logo](imgs/logo.png){ align=right }

-`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive [vulnerability][vulnerability]/[misconfiguration][misconf]/[secret][secret] scanner for containers and other artifacts.
-`Trivy` detects vulnerabilities of [OS packages][os] (Alpine, RHEL, CentOS, etc.) and [language-specific packages][lang] (Bundler, Composer, npm, yarn, etc.).
-In addition, `Trivy` scans [Infrastructure as Code (IaC) files][misconf] such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
-`Trivy` also scans [hardcoded secrets][secret] like passwords, API keys and tokens.
-`Trivy` is easy to use. Just install the binary and you're ready to scan.
-All you need to do for scanning is to specify a target such as an image name of the container.
+Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

-<div style="text-align: center">
-    <img src="imgs/overview.png" width="800">
-</div>
+Trivy has different scanners that look for different security issues, and different targets where it can find those issues.

+Targets:

-<div style="text-align: center; margin-top: 150px">
-    <h1 id="demo">Demo</h1>
-</div>
+- Container Image
+- Filesystem
+- Git repository (remote)
+- Kubernetes cluster or resource
+
+Scanners:
+
+- OS packages and software dependencies in use (SBOM)
+- Known vulnerabilities (CVEs)
+- IaC misconfigurations
+- Sensitive information and secrets
+
+It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
+See [Integrations][integrations] for details.
+
+Much more scanners and targets are coming up. [Join the Slack][slack] channel to stay up to date, ask questions, and let us know what features you would like to see.
+
+Please see [LICENSE][license] for Trivy licensing information.

 <figure style="text-align: center">
  <video width="1000" autoplay muted controls loop>
@@ -41,18 +49,6 @@ All you need to do for scanning is to specify a target such as an image name of
  <figcaption>Demo: Secret Detection</figcaption>
 </figure>

---
-
-Trivy is an [Aqua Security][aquasec] open source project.  
-Learn about our open source work and portfolio [here][oss].  
-Contact us about any matter by opening a GitHub Discussion [here][discussions]
-
-[vulnerability]: docs/vulnerability/scanning/index.md
-[misconf]: docs/misconfiguration/scanning.md
-[secret]: docs/secret/scanning.md
-[os]: docs/vulnerability/detection/os.md
-[lang]: docs/vulnerability/detection/language.md
-
-[aquasec]: https://aquasec.com
-[oss]: https://www.aquasec.com/products/open-source-projects/
-[discussions]: https://github.com/aquasecurity/trivy/discussions
+[integrations]: ./tutorials/integrations/index.md
+[slack]: https://slack.aquasec.com
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/tutorials/additional-resources/cks.md
+++ b/docs/tutorials/additional-resources/cks.md
@@ -1,21 +1,26 @@
 # CKS preparation resources

-Community Resources
+The [Certified Kubernetes Security Specialist (CKS) Exam](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
+
+### Community Resources

 - [Trivy Video overview (short)][overview]
 - [Example questions from the exam][exam]
 - [More example questions][questions]
+- [CKS exam study guide](study-guide)
+- [Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy](https://youtu.be/gHz10UsEdys)

-Aqua Security Blog posts
+### Aqua Security Blog posts to learn more

 - Supply chain security best [practices][supply-chain-best-practices]
 - Supply chain [attacks][supply-chain-attacks]
- 
+
 If you know of interesting resources, please start a PR to add those to the list.

 [overview]: https://youtu.be/2cjH6Zkieys
 [exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a
 [questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md
+[study-guide]: https://devopscube.com/cks-exam-guide-tips/

 [supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices
 [supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images
--- a/docs/tutorials/additional-resources/community.md
+++ b/docs/tutorials/additional-resources/community.md
@@ -0,0 +1,37 @@
+# Community References
+Below is a list of additional resources from the community.
+
+## Vulnderability Scanning
+
+- [Detecting Spring4Shell with Trivy and Grype](https://youtu.be/mOfBcpJWwSs)
+
+## CI/CD Pipelines
+
+- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
+- [Continuous Container Vulnerability Testing with Trivy](https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy)
+- [Getting Started With Trivy and Jenkins](https://youtu.be/MWe01VdwuMA)
+- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
+
+## Misconfiguration Scanning
+
+- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
+- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy)
+
+## SBOM, Attestation & related
+
+- [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
+
+## Trivy Kubernetes
+
+- [Using Trivy Kubernetes in OVHCloud documentation.](https://docs.ovh.com/gb/en/kubernetes/installing-trivy/)
+
+## Comparisons
+
+- [the vulnerability remediation lifecycle of Alpine containers](https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/)
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy](https://boxboat.com/2020/04/24/image-scanning-tech-compared/)
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy](https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/)
+
+### Evaluations
+
+- [Istio evaluating to use Trivy](https://github.com/istio/release-builder/pull/687#issuecomment-874938417)
+- [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)
--- a/docs/tutorials/additional-resources/references.md
+++ b/docs/tutorials/additional-resources/references.md
@@ -0,0 +1,38 @@
+# Additional Resources and Tutorials
+Below is a list of additional resources from Aqua Security.
+
+## Announcements
+
+- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family](https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family)
+- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license)
+
+## Vulnderability Scanning
+
+- [Using Trivy to Discover Vulnerabilities in VS Code Projects](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code)
+- [How does a vulnerability scanner identify packages?](https://youtu.be/PaMnzeHBa8M)
+- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security](https://youtu.be/WKE2XNZ2zr4)
+
+## CI/CD Pipelines
+
+- [DevSecOps with Trivy and GitHub Actions](https://blog.aquasec.com/devsecops-with-trivy-github-actions)
+- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action](https://blog.aquasec.com/github-vulnerability-scanner-trivy)
+
+## Misconfiguration Scanning
+
+- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
+
+## Client/Server
+
+- [Using Trivy in client server mode](https://youtu.be/tNQ-VlahtYM)
+ 
+## Workshops
+
+- [Trivy Live Demo & Q&A](https://youtu.be/6Vw0QgJ-k5o)
+- [First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs](https://youtu.be/nwJ0366rs6s)
+
+
+## Older Resources
+
+- [Webinar: Trivy Open Source Scanner for Container Images – Just Download and Run!](https://youtu.be/XnYxX9uueoQ)
+- [Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard](https://youtu.be/YvMY8to9aHI)
+- [Get started with Kubernetes Security and Starboard](https://youtu.be/QgctrpTpJec)
--- a/docs/tutorials/integrations/aws-codepipeline.md
+++ b/docs/tutorials/integrations/aws-codepipeline.md
--- a/docs/tutorials/integrations/aws-security-hub.md
+++ b/docs/tutorials/integrations/aws-security-hub.md
@@ -0,0 +1,51 @@
+# AWS Security Hub
+
+## Upload findings to Security Hub
+
+In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
+
+```
+$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
+
+The Product [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) field follows the pattern below to match what AWS requires for the [product resource type](https://github.com/awsdocs/aws-security-hub-user-guide/blob/master/doc_source/securityhub-partner-providers.md#aqua-security--aqua-cloud-native-security-platform-sends-findings).
+
+{% raw %}
+```
+"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+```
+{% endraw %}
+
+In order to upload results you must first run [enable-import-findings-for-product](https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-import-findings-for-product.html) like:
+
+```
+aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity
+```
+
+Then, you can upload it with AWS CLI.
+
+```
+$ aws securityhub batch-import-findings --findings file://report.asff
+```
+
+### Note
+
+The [batch-import-findings](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-import-findings.html#options) command limits the number of findings uploaded to 100 per request. The best known workaround to this problem is using [jq](https://stedolan.github.io/jq/) to run the following command
+
+```
+jq '.[:100]' report.asff 1> short_report.asff
+```
+
+## Customize
+You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
+
+```
+$ export AWS_REGION=us-west-1
+$ export AWS_ACCOUNT_ID=123456789012
+$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+## Reference
+https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
--- a/docs/tutorials/integrations/azure-devops.md
+++ b/docs/tutorials/integrations/azure-devops.md
@@ -0,0 +1,22 @@
+# Azure Devops
+
+- Here is the [Azure DevOps Pipelines Task for Trivy][action]
+
+![trivy-azure](https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/screenshot.png?raw=true)
+
+### [Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster][azure2]
+
+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
+
+ Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged. An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
+### [Microsoft Defender for container registries and Trivy][azure]
+
+This blog explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
+
+To set up the scanner, you'll need to enable Microsoft Defender for Containers and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
+
+The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy
+
+[action]: https://github.com/aquasecurity/trivy-azure-pipelines-task
+[azure]: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd
+[azure2]: https://docs.microsoft.com/en-us/azure/aks/image-cleaner?tabs=azure-cli
--- a/docs/tutorials/integrations/bitbucket.md
+++ b/docs/tutorials/integrations/bitbucket.md
--- a/docs/tutorials/integrations/circleci.md
+++ b/docs/tutorials/integrations/circleci.md
--- a/docs/tutorials/integrations/github-actions.md
+++ b/docs/tutorials/integrations/github-actions.md
--- a/docs/tutorials/integrations/gitlab-ci.md
+++ b/docs/tutorials/integrations/gitlab-ci.md
@@ -11,7 +11,7 @@ include:

 If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.

-Alternatively, you can always use the example configurations below. Note that the examples use [`contrib/gitlab.tpl`](https://github.com/aquasecurity/trivy/blob/main/contrib/gitlab.tpl), which does not work with GitLab 15.0 and above (for details, see [issue 1598](https://github.com/aquasecurity/trivy/issues/1598)).
+Alternatively, you can always use the example configurations below.

 ```yaml
 stages:
--- a/docs/tutorials/integrations/index.md
+++ b/docs/tutorials/integrations/index.md
--- a/docs/tutorials/integrations/travis-ci.md
+++ b/docs/tutorials/integrations/travis-ci.md
--- a/docs/tutorials/kubernetes/cluster-scanning.md
+++ b/docs/tutorials/kubernetes/cluster-scanning.md
@@ -0,0 +1,120 @@
+# Kubernetes Scanning Tutorial
+
+## Prerequisites 
+
+To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster.  
+ 
+Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster. 
+
+## Cluster Scanning
+
+Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.  
+
+The Trivy K8s command is part of the Trivy CLI: 
+
+
+With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan: 
+
+```
+trivy k8s --report=summary 
+```
+
+To get detailed information for all your resources, just replace ‘summary’ with ‘all’: 
+
+```
+trivy k8s --report=all 
+```
+
+However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details. 
+
+Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result: 
+
+```
+trivy k8s -n kube-system --report=summary 
+```
+
+Again, if you’d like to receive additional details, use the ‘--report=all’ flag: 
+
+```
+trivy k8s -n kube-system --report=all 
+```
+
+Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities: 
+
+```
+trivy k8s --severity=CRITICAL --report=summary 
+```
+
+Note that you can use any of the Trivy flags on the Trivy K8s command. 
+
+With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment: 
+
+```
+trivy k8s –n app --report=summary deployments/react-application
+```
+
+## Trivy Operator 
+
+The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.  
+
+The Trivy Operator follows the Kubernetes Operator Model. Operators automate human actions, and the result of the task is saved as custom resource definitions (CRDs) within your cluster. 
+
+This has several benefits: 
+
+- Trivy Operator is installed CRDs in our cluster. As a result, all our resources, including our security scanner and its scan results, are Kubernetes resources. This makes it much easier to integrate the Trivy Operator directly into our existing processes, such as connecting Trivy with Prometheus, a monitoring system. 
+
+- The Trivy Operator will automatically scan your resources every six hours. You can set up automatic alerting in case new critical security issues are discovered. 
+
+- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. 
+
+ 
+There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/kubernetes/operator/index.md)
+
+Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/)
+Next, run the following commands.
+
+First, we are going to add the Aqua Security Helm repository to our Helm repository list:
+```
+helm repo add aqua https://aquasecurity.github.io/helm-charts/
+```
+
+Then, we will update all of our Helm repositories. Even if you have just added a new repository to your existing charts, this is generally good practice to have access to the latest changes:
+```
+helm repo update
+```
+
+Lastly, we can install the Trivy operator Helm Chart to our cluster:
+```
+helm install trivy-operator aqua/trivy-operator \
+   --namespace trivy-system \
+   --create-namespace \
+   --set="trivy.ignoreUnfixed=true" \
+   --version v0.0.3
+```
+
+You can make sure that the operator is installed correctly via the following command: 
+```
+kubectl get deployment -n trivy-system 
+```
+
+Trivy will automatically start scanning your Kubernetes resources. 
+For instance, you can view vulnerability reports with the following command: 
+
+```
+kubectl get vulnerabilityreports --all-namespaces -o wide 
+```
+
+And then you can access the details of a security scan: 
+```
+kubectl describe  vulnerabilityreports <name of one of the above reports> 
+```
+
+The same process can be applied to access Configauditreports: 
+
+```
+kubectl get configauditreports --all-namespaces -o wide 
+```
+
+
+ 
+
--- a/docs/tutorials/kubernetes/gitops.md
+++ b/docs/tutorials/kubernetes/gitops.md
@@ -0,0 +1,125 @@
+# Installing the Trivy-Operator through GitOps
+
+This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD.
+
+## ArgoCD
+
+Make sure to have [ArgoCD installed](https://argo-cd.readthedocs.io/en/stable/getting_started/) and running in your Kubernetes cluster.
+
+You can either deploy the Trivy Operator through the argocd CLI or by applying a Kubernetes manifest.
+
+ArgoCD command:
+```
+> kubectl create ns trivy-system
+> argocd app create trivy-operator --repo https://github.com/aquasecurity/trivy-operator --path deploy/helm --dest-server https://kubernetes.default.svc --dest-namespace trivy-system
+```
+Note that this installation is directly related to our official Helm Chart. If you want to change any of the value, we'd suggest you to create a separate values.yaml file.
+
+Kubernetes manifest `trivy-operator.yaml`:
+```
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: trivy-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    chart: trivy-operator
+    repoURL: https://aquasecurity.github.io/helm-charts/
+    targetRevision: 0.0.3
+    helm:
+      values: |
+        trivy:
+          ignoreUnfixed: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+```
+
+The apply the Kubernetes manifest. If you have the manifest locally, you can use the following command through kubectl:
+```
+> kubectl apply -f trivy-operator.yaml
+
+application.argoproj.io/trivy-operator created
+```
+
+If you have the manifest in a Git repository, you can apply it to your cluster through the following command:
+```
+> kubectl apply -n argocd -f https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml
+```
+The latter command would allow you to make changes to the YAML manifest that ArgoCD would register automatically.
+
+Once deployed, you want to tell ArgoCD to sync the application from the actual state to the desired state:
+```
+argocd app sync trivy-operator
+```
+
+Now you can see the deployment in the ArgoCD UI. Have a look at the ArgoCD documentation to know how to access the UI.
+
+![ArgoCD UI after deploying the Trivy Operator](../../imgs/argocd-ui.png)
+
+Note that ArgoCD is unable to show the Trivy CRDs as synced.
+
+
+## FluxCD
+
+Make sure to have [FluxCD installed](https://fluxcd.io/docs/installation/#install-the-flux-cli) and running in your Kubernetes cluster.
+
+You can either deploy the Trivy Operator through the Flux CLI or by applying a Kubernetes manifest.
+
+Flux command:
+```
+> kubectl create ns trivy-system
+> flux create source helm trivy-operator --url https://aquasecurity.github.io/helm-charts --namespace trivy-system
+> flux create helmrelease trivy-operator --chart trivy-operator
+  --source HelmRepository/trivy-operator
+  --chart-version 0.0.3
+  --namespace trivy-system
+```
+
+Kubernetes manifest `trivy-operator.yaml`:
+```
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: trivy-operator
+  namespace: flux-system
+spec:
+  interval: 60m
+  url: https://aquasecurity.github.io/helm-charts/
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: trivy-operator
+  namespace: trivy-system
+spec:
+  chart:
+    spec:
+      chart: trivy-operator
+      sourceRef:
+        kind: HelmRepository
+        name: trivy-operator
+				namespace: flux-system
+      version: 0.0.5
+  interval: 60m
+```
+
+You can then apply the file to your Kubernetes cluster:
+```
+kubectl apply -f trivy-operator.yaml
+```
+
+## After the installation
+
+After the install, you want to check that the Trivy operator is running in the trivy-system namespace:
+```
+kubectl get deployment -n trivy-system
+```
+
--- a/docs/tutorials/kubernetes/kyverno.md
+++ b/docs/tutorials/kubernetes/kyverno.md
@@ -0,0 +1,114 @@
+# Attesting Image Scans With Kyverno
+
+This tutorial is based on the following blog post by Chip Zoller: [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
+
+This tutorial details 
+
+- Verify the container image has an attestation with Kyverno
+
+### Prerequisites
+1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
+2. A running Kubernetes cluster that kubectl is connected to
+
+### Kyverno Policy to check attestation
+
+The following policy ensures that the attestation is no older than 168h:
+
+vuln-attestation.yaml
+
+{% raw %}
+
+```bash
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-vulnerabilities
+spec:
+  validationFailureAction: enforce
+  webhookTimeoutSeconds: 10
+  failurePolicy: Fail
+  rules:
+    - name: not-older-than-one-week
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "CONTAINER-REGISTRY/*:*"
+        attestations:
+        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
+          conditions:
+          - all:
+            - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
+              operator: LessThanOrEquals
+              value: "168h"
+```
+
+{% endraw %}
+
+### Apply the policy to your Kubernetes cluster
+
+Ensure that you have Kyverno already deployed and running on your cluster -- for instance throught he Kyverno Helm Chart.
+
+Next, apply the above policy:
+```
+kubectl apply -f vuln-attestation.yaml
+```
+
+To ensure that the policy worked, we can deploye an example deployment file with our container image:
+
+deployment.yaml
+```
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cns-website
+  namespace: app
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      run: cns-website
+  template:
+    metadata:
+      labels:
+        run: cns-website
+    spec:
+      containers:
+      - name: cns-website
+        image: docker.io/anaisurlichs/cns-website:0.0.6
+        ports:
+          - containerPort: 80
+        imagePullPolicy: Always
+        resources:
+          limits:
+            memory: 512Mi
+            cpu: 200m
+        securityContext:
+          allowPrivilegeEscalation: false
+```
+
+Once we apply the deployment, it should pass since our attestation is available:
+```
+kubectl apply -f deployment.yaml -n app
+deployment.apps/cns-website created
+```
+
+However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with `docker.io/anaisurlichs/cns-website:0.0.5` and applying the deployment:
+```
+kubectl apply -f deployment-two.yaml
+
+Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
+Name: "cns-website", Namespace: "app"
+for: "deployment-two.yaml": admission webhook "mutate.kyverno.svc-fail" denied the request: 
+
+resource Deployment/app/cns-website was blocked due to the following policies
+
+check-image:
+  autogen-check-image: |
+    failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures:
+```
+
+[vuln-attestation]: ../signing/vuln-attestation.md
--- a/docs/tutorials/overview.md
+++ b/docs/tutorials/overview.md
@@ -0,0 +1,27 @@
+# Tutorials
+
+Tutorials are a great way to learn about use cases and integrations. We highly encourage community members to share their Trivy use cases with us in the documentation.
+
+There are two ways to contributor to the tutorials section
+
+1. If you are creating any external content on Trivy, we would love to have it as part of our list of [external community resources][community-resources]
+2. If you are creating an end-to-end tutorial on a specific Trivy use-case, we would love to feature it in our tutorial section. Read below how you can contribute tutorials to the docs.
+
+## Process for adding new tutorials
+
+Requirements
+- The tutorial has to provide an end-to-end set of instructions
+- Ideally, tutorials should focus on a specific use case
+- If the tutorial is featuring other tools, those should be open source, too
+- Make sure to describe the expected outcome after each instruction
+
+**Tip:** Make sure that your tutorial is concise about a specific use case or integration. 
+
+How to add a tutorial
+
+1. Simply create a new `.md` file in the tutorials folder of the docs
+2. Add your content 
+3. Create a new index in the mkdocs.yaml file which is in the [root directory](https://github.com/aquasecurity/trivy) of the repository
+4. Create a PR
+
+[community-resources]: additional-resources/community.md
--- a/docs/tutorials/signing/vuln-attestation.md
+++ b/docs/tutorials/signing/vuln-attestation.md
@@ -0,0 +1,36 @@
+# Vulnerability Scan Record Attestation
+
+This tutorial details 
+
+- Scan your container image for vulnerabilities
+- Generate an attestation with Cosign
+
+#### Prerequisites
+
+1. Trivy CLI installed
+2. Cosign installed 
+
+#### Scan Container Image for vulnerabilities
+
+Scan your container image for vulnerabilities and save the scan result to a scan.json file:
+```
+trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6
+```
+
+* --ignore-unfixed: Ensures that only the vulnerabilities are displayed that have a already a fix available
+* --output scan.json: The scan output is scaved to a scan.json file instead of being displayed in the terminal.
+
+Note: Replace the container image with the container image that you would like to scan.
+
+#### Attestation of the vulnerability scan with Cosign
+
+The following command generates an attestation for the vulnerability scan and uploads it to our container image:
+```
+cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6
+```
+
+Note: Replace the container image with the container image that you would like to scan.
+
+See [here][vuln-attestation] for more details.
+
+[vuln-attestation]: ../../docs/attestation/vuln.md
--- a/go.mod
+++ b/go.mod
@@ -1,99 +1,175 @@
 module github.com/aquasecurity/trivy

-go 1.18
+go 1.19

 require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.22.0
+	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220626060741-179d0b167e5f
+	github.com/aquasecurity/defsec v0.75.3
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220912084514-9d42a63ca964
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/table v1.6.0
+	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
 	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220719205641-79488fbb4710
-	github.com/caarlos0/env/v6 v6.9.3
+	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220823151349-b90b48958b91
+	github.com/aws/aws-sdk-go v1.44.95
+	github.com/aws/aws-sdk-go-v2 v1.16.14
+	github.com/aws/aws-sdk-go-v2/config v1.17.5
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.17
+	github.com/caarlos0/env/v6 v6.10.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.0.8
+	github.com/cheggaaa/pb/v3 v3.1.0
 	github.com/containerd/containerd v1.6.6
 	github.com/docker/docker v20.10.17+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.13.0
 	github.com/go-enry/go-license-detector/v4 v4.3.0
+	github.com/go-openapi/runtime v0.24.1
+	github.com/go-openapi/strfmt v0.21.3
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
-	github.com/google/licenseclassifier/v2 v2.0.0-pre5
+	github.com/google/go-containerregistry v0.11.0
+	github.com/google/licenseclassifier/v2 v2.0.0-pre6
 	github.com/google/uuid v1.3.0
 	github.com/google/wire v0.5.0
 	github.com/hashicorp/go-getter v1.6.2
+	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/loading v0.0.4
 	github.com/liamg/memoryfs v1.4.2
 	github.com/liamg/tml v0.6.0
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.42.0
+	github.com/open-policy-agent/opa v0.43.0
 	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
-	github.com/samber/lo v1.24.0
+	github.com/samber/lo v1.27.1
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0
+	github.com/sigstore/rekor v0.12.0
 	github.com/sosedoff/gitkit v0.3.0
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.8.1
+	github.com/spf13/viper v1.12.0
 	github.com/stretchr/testify v1.8.0
 	github.com/testcontainers/testcontainers-go v0.13.0
-	github.com/tetratelabs/wazero v0.0.0-20220701105919-891761ac1ee2
+	github.com/tetratelabs/wazero v1.0.0-pre.1
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xlab/treeprint v1.1.0
 	go.etcd.io/bbolt v1.3.6
-	go.uber.org/zap v1.21.0
-	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
-	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df
-	google.golang.org/protobuf v1.28.0
+	go.uber.org/zap v1.23.0
+	golang.org/x/exp v0.0.0-20220823124025-807a23277127
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 )

-require github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+require (
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.4 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.52.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.17.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.21.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.23.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/mq v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.23.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.17.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.3 // indirect
+	github.com/aws/smithy-go v1.13.2 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.20.3 // indirect
+	github.com/go-openapi/loads v0.21.2 // indirect
+	github.com/go-openapi/spec v0.20.7 // indirect
+	github.com/go-openapi/validate v0.22.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
+	github.com/googleapis/go-type-adapters v1.0.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	go.mongodb.org/mongo-driver v1.10.0 // indirect
+	gonum.org/v1/gonum v0.7.0 // indirect
+)

 require (
-	cloud.google.com/go v0.100.2 // indirect
-	cloud.google.com/go/compute v1.6.1 // indirect
+	cloud.google.com/go v0.103.0 // indirect
+	cloud.google.com/go/compute v1.7.0 // indirect
 	cloud.google.com/go/iam v0.3.0 // indirect
-	cloud.google.com/go/storage v1.14.0 // indirect
+	cloud.google.com/go/storage v1.23.0 // indirect
 	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27
-	github.com/Azure/go-autorest/autorest/adal v0.9.20
+	github.com/Azure/go-autorest/autorest v0.11.28
+	github.com/Azure/go-autorest/autorest/adal v0.9.21
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/squirrel v1.5.2 // indirect
+	github.com/Masterminds/squirrel v1.5.3 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/Microsoft/hcsshim v0.9.3 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/VividCortex/ewma v1.1.1 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
@@ -102,9 +178,6 @@ require (
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.68.10
-	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/aws/aws-sdk-go v1.44.46
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
@@ -115,7 +188,7 @@ require (
 	github.com/containerd/cgroups v1.0.4 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
 	github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
@@ -143,8 +216,8 @@ require (
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.8.2 // indirect
 	github.com/gofrs/uuid v4.0.0+incompatible // indirect
@@ -167,9 +240,8 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/go-version v1.4.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.12.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
 	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
@@ -177,32 +249,33 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.4 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/klauspost/compress v1.15.6 // indirect
+	github.com/klauspost/compress v1.15.8 // indirect
 	github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
 	github.com/knqyf263/nested v0.0.1
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/liamg/iamgo v0.0.9 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/lib/pq v1.10.4 // indirect
+	github.com/lib/pq v1.10.6 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/buildkit v0.10.3
+	github.com/moby/buildkit v0.10.4
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/sys/mount v0.3.3 // indirect
@@ -212,7 +285,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
+	github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
@@ -226,30 +299,29 @@ require (
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.12.2 // indirect
+	github.com/prometheus/client_golang v1.13.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.1.1 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spdx/tools-golang v0.3.0
 	github.com/spf13/afero v1.8.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/stretchr/objx v0.4.0 // indirect
 	github.com/subosito/gotenv v1.4.0 // indirect
-	github.com/ulikunitz/xz v0.5.8 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vektah/gqlparser/v2 v2.4.5 // indirect
+	github.com/vektah/gqlparser/v2 v2.4.6 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -260,43 +332,42 @@ require (
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
-	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
-	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
+	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
+	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
+	golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
 	golang.org/x/text v0.3.7
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
-	gonum.org/v1/gonum v0.7.0 // indirect
-	google.golang.org/api v0.81.0 // indirect
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
+	golang.org/x/tools v0.1.12 // indirect
+	google.golang.org/api v0.92.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
-	google.golang.org/grpc v1.47.0 // indirect
+	google.golang.org/genproto v0.0.0-20220720214146-176da50484ac // indirect
+	google.golang.org/grpc v1.49.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools v2.2.0+incompatible
 	gotest.tools/v3 v3.2.0 // indirect
-	helm.sh/helm/v3 v3.9.0 // indirect
+	helm.sh/helm/v3 v3.9.3 // indirect
 	k8s.io/api v0.25.0-alpha.2 // indirect
-	k8s.io/apiextensions-apiserver v0.24.0 // indirect
+	k8s.io/apiextensions-apiserver v0.24.2 // indirect
 	k8s.io/apimachinery v0.25.0-alpha.2 // indirect
-	k8s.io/apiserver v0.24.1 // indirect
-	k8s.io/cli-runtime v0.24.3 // indirect
+	k8s.io/apiserver v0.24.2 // indirect
+	k8s.io/cli-runtime v0.24.4 // indirect
 	k8s.io/client-go v0.25.0-alpha.2 // indirect
-	k8s.io/component-base v0.24.3 // indirect
+	k8s.io/component-base v0.24.4 // indirect
 	k8s.io/klog/v2 v2.70.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20220603121420-31174f50af60 // indirect
-	k8s.io/kubectl v0.24.3 // indirect
+	k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 // indirect
+	k8s.io/kubectl v0.24.4 // indirect
 	lukechampine.com/uint128 v1.1.1 // indirect
 	modernc.org/cc/v3 v3.36.0 // indirect
 	modernc.org/ccgo/v3 v3.16.6 // indirect
--- a/go.sum
+++ b/go.sum
--- a/goreleaser-canary.yml
+++ b/goreleaser-canary.yml
@@ -28,4 +28,4 @@ archives:
    files:
      - README.md
      - LICENSE
-      - contrib/*.tpl
+      - contrib/*.tpl
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -235,6 +235,21 @@ docker_manifests:
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le'

+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args:
+    - "sign-blob"
+    - "--oidc-issuer=https://token.actions.githubusercontent.com"
+    - "--output-certificate=${certificate}"
+    - "--output-signature=${signature}"
+    - "${artifact}"
+  artifacts: all
+  output: true
+
 docker_signs:
 - cmd: cosign
  env:
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.16
-appVersion: 0.29.2
+version: 0.4.17
+appVersion: 0.30.4
 description: Trivy helm chart
 keywords:
  - scanner
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -72,7 +72,9 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.dbRepository`                  | OCI repository to retrieve the trivy vulnerability database from        | `ghcr.io/aquasecurity/trivy-db`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
+| `trivy.cache.redis.ttl`               | Specify redis TTL, e.g. 3600s or 24h                                    | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
+| `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |
 | `service.name`                        | If specified, the name used for the Trivy service                       |     |
 | `service.type`                        | Kubernetes service type                                                 | `ClusterIP` |
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -9,6 +9,7 @@ data:
  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
 {{- if .Values.trivy.cache.redis.enabled }}
  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+  TRIVY_CACHE_TTL: {{ .Values.trivy.cache.redis.ttl | quote }}
 {{- end }}
  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
--- a/helm/trivy/templates/secret.yaml
+++ b/helm/trivy/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.trivy.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,3 +13,4 @@ data:
  TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
  TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
 {{- end -}}
+{{- end }}
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
@@ -90,7 +90,11 @@ spec:
            - configMapRef:
                name: {{ include "trivy.fullname" . }}
            - secretRef:
+                {{- if not .Values.trivy.existingSecret }}
                name: {{ include "trivy.fullname" . }}
+                {{- else }}
+                name: {{ .Values.trivy.existingSecret }}
+                {{- end }}
          ports:
            - name: trivy-http
              containerPort: {{ .Values.service.port }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -28,7 +28,7 @@ resources:

 rbac:
  create: true
-  pspEnabled: true
+  pspEnabled: false

 podSecurityContext:
  runAsUser: 65534
@@ -113,6 +113,7 @@ trivy:
    redis:
      enabled: false
      url: ""  # e.g. redis://redis.redis.svc:6379
+      ttl: ""  # e.g 3600s, 24h
  serviceAccount:
    annotations: {}
      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
@@ -120,6 +121,9 @@ trivy:
  labels: {}
  # serverToken is the token to authenticate Trivy client with Trivy server.
  serverToken: ""
+  # existingSecret if an existing secret has been created outside the chart.
+  # Overrides gitHubToken, registryUsername, registryPassword, serverToken
+  existingSecret: ""

 service:
  # If specified, the name used for the Trivy service.
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -14,6 +14,7 @@ import (

 	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
@@ -35,6 +36,7 @@ type csArgs struct {
 	ClientTokenHeader string
 	ListAllPackages   bool
 	Target            string
+	secretConfig      string
 }

 func TestClientServer(t *testing.T) {
@@ -236,6 +238,16 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/pom.json.golden",
 		},
+		{
+			name: "scan sample.pem with fs command in client/server mode",
+			args: csArgs{
+				Command:          "fs",
+				RemoteAddrOption: "--server",
+				secretConfig:     "testdata/fixtures/fs/secrets/trivy-secret.yaml",
+				Target:           "testdata/fixtures/fs/secrets/",
+			},
+			golden: "testdata/secrets.json.golden",
+		},
 	}

 	addr, cacheDir := setup(t, setupOptions{})
@@ -244,6 +256,10 @@ func TestClientServer(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)

+			if c.args.secretConfig != "" {
+				osArgs = append(osArgs, "--secret-config", c.args.secretConfig)
+			}
+
 			//
 			err := execute(osArgs)
 			require.NoError(t, err)
@@ -399,10 +415,10 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 			err = json.NewDecoder(f).Decode(&got)
 			require.NoError(t, err)

-			assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
-			assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
+			assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
+			assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
 			for i, dep := range *got.Dependencies {
-				assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
+				assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
 			}
 		})
 	}
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -11,7 +11,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/docker/docker/api/types"
+	api "github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -213,7 +213,7 @@ func TestDockerEngine(t *testing.T) {
 				require.NoError(t, err, tt.name)

 				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
+				_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
 					Force:         true,
 					PruneChildren: true,
 				})
@@ -264,11 +264,11 @@ func TestDockerEngine(t *testing.T) {
 			compareReports(t, tt.golden, output)

 			// cleanup
-			_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -23,6 +23,9 @@ func TestFilesystem(t *testing.T) {
 		listAllPkgs    bool
 		input          string
 		secretConfig   string
+		filePatterns   []string
+		helmSet        []string
+		helmValuesFile []string
 	}
 	tests := []struct {
 		name   string
@@ -70,6 +73,23 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/pom.json.golden",
 		},
+		{
+			name: "gradle",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/gradle",
+			},
+			golden: "testdata/gradle.json.golden",
+		},
+		{
+			name: "conan",
+			args: args{
+				securityChecks: "vuln",
+				listAllPkgs:    true,
+				input:          "testdata/fixtures/fs/conan",
+			},
+			golden: "testdata/conan.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -79,6 +99,16 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/dockerfile.json.golden",
 		},
+		{
+			name: "dockerfile with custom file pattern",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/dockerfile_file_pattern",
+				namespaces:     []string{"testing"},
+				filePatterns:   []string{"dockerfile:Customfile"},
+			},
+			golden: "testdata/dockerfile_file_pattern.json.golden",
+		},
 		{
 			name: "dockerfile with rule exception",
 			args: args{
@@ -123,6 +153,24 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/helm_testchart.json.golden",
 		},
+		{
+			name: "helm chart directory scanning with value overrides using set",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_testchart",
+				helmSet:        []string{"securityContext.runAsUser=0"},
+			},
+			golden: "testdata/helm_testchart.overridden.json.golden",
+		},
+		{
+			name: "helm chart directory scanning with value overrides using value file",
+			args: args{
+				securityChecks: "config",
+				input:          "testdata/fixtures/fs/helm_testchart",
+				helmValuesFile: []string{"testdata/fixtures/fs/helm_values/values.yaml"},
+			},
+			golden: "testdata/helm_testchart.overridden.json.golden",
+		},
 		{
 			name: "helm chart directory scanning with builtin policies and non string Chart name",
 			args: args{
@@ -178,6 +226,24 @@ func TestFilesystem(t *testing.T) {
 				defer os.Remove(trivyIgnore)
 			}

+			if len(tt.args.filePatterns) != 0 {
+				for _, filePattern := range tt.args.filePatterns {
+					osArgs = append(osArgs, "--file-patterns", filePattern)
+				}
+			}
+
+			if len(tt.args.helmSet) != 0 {
+				for _, helmSet := range tt.args.helmSet {
+					osArgs = append(osArgs, "--helm-set", helmSet)
+				}
+			}
+
+			if len(tt.args.helmValuesFile) != 0 {
+				for _, helmValuesFile := range tt.args.helmValuesFile {
+					osArgs = append(osArgs, "--helm-values", helmValuesFile)
+				}
+			}
+
 			// Setup the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -103,7 +103,6 @@ func readReport(t *testing.T, filePath string) types.Report {

 	// We don't compare repo tags because the archive doesn't support it
 	report.Metadata.RepoTags = nil
-
 	report.Metadata.RepoDigests = nil

 	for i, result := range report.Results {
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -8,23 +8,28 @@ import (
 	"testing"

 	cdx "github.com/CycloneDX/cyclonedx-go"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/types"
 )

-func TestCycloneDX(t *testing.T) {
+func TestSBOM(t *testing.T) {
 	type args struct {
 		input        string
 		format       string
 		artifactType string
 	}
 	tests := []struct {
-		name   string
-		args   args
-		golden string
+		name     string
+		args     args
+		golden   string
+		override types.Report
 	}{
 		{
-			name: "centos7-bom by trivy",
+			name: "centos7 cyclonedx",
 			args: args{
 				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.json",
 				format:       "cyclonedx",
@@ -33,7 +38,7 @@ func TestCycloneDX(t *testing.T) {
 			golden: "testdata/centos-7-cyclonedx.json.golden",
 		},
 		{
-			name: "fluentd-multiple-lockfiles-bom by trivy",
+			name: "fluentd-multiple-lockfiles cyclonedx",
 			args: args{
 				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
 				format:       "cyclonedx",
@@ -41,6 +46,61 @@ func TestCycloneDX(t *testing.T) {
 			},
 			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
 		},
+		{
+			name: "centos7 in in-toto attestation",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/centos-7-cyclonedx.json.golden",
+		},
+		{
+			name: "centos7 spdx tag-value",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-spdx.txt",
+				format:       "json",
+				artifactType: "spdx",
+			},
+			golden: "testdata/centos-7.json.golden",
+			override: types.Report{
+				ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.txt",
+				ArtifactType: ftypes.ArtifactType("spdx"),
+				Results: types.Results{
+					{
+						Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "centos7 spdx json",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-spdx.json",
+				format:       "json",
+				artifactType: "spdx",
+			},
+			golden: "testdata/centos-7.json.golden",
+			override: types.Report{
+				ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.json",
+				ArtifactType: ftypes.ArtifactType("spdx"),
+				Results: types.Results{
+					{
+						Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+						},
+					},
+				},
+			},
+		},
 	}

 	// Set up testing DB
@@ -52,7 +112,7 @@ func TestCycloneDX(t *testing.T) {
 				"--cache-dir", cacheDir, "sbom", "-q", "--skip-db-update", "--format", tt.args.format,
 			}

-			// Setup the output file
+			// Set up the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = tt.golden
@@ -66,13 +126,46 @@ func TestCycloneDX(t *testing.T) {
 			assert.NoError(t, err)

 			// Compare want and got
-			want := decodeCycloneDX(t, tt.golden)
-			got := decodeCycloneDX(t, outputFile)
-			assert.Equal(t, want, got)
+			switch tt.args.format {
+			case "cyclonedx":
+				want := decodeCycloneDX(t, tt.golden)
+				got := decodeCycloneDX(t, outputFile)
+				assert.Equal(t, want, got)
+			case "json":
+				compareSBOMReports(t, tt.golden, outputFile, tt.override)
+			default:
+				require.Fail(t, "invalid format", "format: %s", tt.args.format)
+			}
 		})
 	}
 }

+// TODO(teppei): merge into compareReports
+func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
+	want := readReport(t, wantFile)
+
+	want.ArtifactName = overrideWant.ArtifactName
+	want.ArtifactType = overrideWant.ArtifactType
+	want.Metadata.ImageID = ""
+	want.Metadata.ImageConfig = v1.ConfigFile{}
+	want.Metadata.DiffIDs = nil
+	for i, result := range want.Results {
+		for j := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
+		}
+	}
+
+	for i, result := range overrideWant.Results {
+		want.Results[i].Target = result.Target
+		for j, vuln := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].Ref = vuln.Ref
+		}
+	}
+
+	got := readReport(t, gotFile)
+	assert.Equal(t, want, got)
+}
+
 func decodeCycloneDX(t *testing.T, filePath string) *cdx.BOM {
 	f, err := os.Open(filePath)
 	require.NoError(t, err)
--- a/integration/testdata/alpine-310.gitlab.golden
+++ b/integration/testdata/alpine-310.gitlab.golden
@@ -1,5 +1,5 @@
 {
-  "version": "2.3",
+  "version": "14.0.6",
  "vulnerabilities": [
    {
      "id": "CVE-2019-1549",
@@ -8,7 +8,6 @@
      "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
      "cve": "CVE-2019-1549",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
      "scanner": {
        "id": "trivy",
@@ -22,7 +21,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
@@ -82,7 +81,6 @@
      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
      "cve": "CVE-2019-1551",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r2",
      "scanner": {
        "id": "trivy",
@@ -96,7 +94,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
@@ -176,7 +174,6 @@
      "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
      "cve": "CVE-2019-1549",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
      "scanner": {
        "id": "trivy",
@@ -190,7 +187,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
@@ -250,7 +247,6 @@
      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
      "cve": "CVE-2019-1551",
      "severity": "Medium",
-      "confidence": "Unknown",
      "solution": "Upgrade libssl1.1 to 1.1.1d-r2",
      "scanner": {
        "id": "trivy",
@@ -264,7 +260,7 @@
          "version": "1.1.1c-r0"
        },
        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
+        "image": "testdata/fixtures/images/alpine-310.tar.gz"
      },
      "identifiers": [
        {
--- a/integration/testdata/centos-7-cyclonedx.json.golden
+++ b/integration/testdata/centos-7-cyclonedx.json.golden
@@ -3,7 +3,7 @@
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
-    "timestamp": "2022-07-03T08:45:54+00:00",
+    "timestamp": "2022-08-14T12:39:11+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
--- a/integration/testdata/conan.json.golden
+++ b/integration/testdata/conan.json.golden
@@ -0,0 +1,76 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/conan",
+  "ArtifactType": "filesystem",
+  "Results": [
+    {
+      "Target": "conan.lock",
+      "Class": "lang-pkgs",
+      "Type": "conan",
+      "Packages": [
+        {
+          "ID": "bzip2/1.0.8",
+          "Name": "bzip2",
+          "Version": "1.0.8",
+          "Indirect": true
+        },
+        {
+          "ID": "expat/2.4.8",
+          "Name": "expat",
+          "Version": "2.4.8",
+          "Indirect": true
+        },
+        {
+          "ID": "openssl/1.1.1q",
+          "Name": "openssl",
+          "Version": "1.1.1q",
+          "Indirect": true
+        },
+        {
+          "ID": "pcre/8.43",
+          "Name": "pcre",
+          "Version": "8.43",
+          "Indirect": true,
+          "DependsOn": [
+            "bzip2/1.0.8",
+            "zlib/1.2.12"
+          ]
+        },
+        {
+          "ID": "poco/1.9.4",
+          "Name": "poco",
+          "Version": "1.9.4",
+          "DependsOn": [
+            "pcre/8.43",
+            "zlib/1.2.12",
+            "expat/2.4.8",
+            "sqlite3/3.39.2",
+            "openssl/1.1.1q"
+          ]
+        },
+        {
+          "ID": "sqlite3/3.39.2",
+          "Name": "sqlite3",
+          "Version": "3.39.2",
+          "Indirect": true
+        },
+        {
+          "ID": "zlib/1.2.12",
+          "Name": "zlib",
+          "Version": "1.2.12",
+          "Indirect": true
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-14155",
+          "PkgID": "pcre/8.43",
+          "PkgName": "pcre",
+          "InstalledVersion": "8.43",
+          "FixedVersion": "8.45",
+          "Severity": "UNKNOWN"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -6,7 +6,7 @@
    "OS": {
      "Family": "debian",
      "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
    },
    "ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
    "DiffIDs": [
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Teppei Fukuda	585985edb3	docs: add Rekor SBOM attestation scanning (#2893 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-16 15:43:01 +03:00
Teppei Fukuda	d30fa00adc	chore: narrow the owner scope (#2894 )	2022-09-16 15:42:31 +03:00
afdesk	38c1513af6	fix: remove a patch number from the recommendation link (#2891 )	2022-09-16 12:23:58 +03:00
saso	ba29ce648c	fix: enable parsing of UUID-only rekor entry ID (#2887 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-16 11:16:41 +03:00
Teppei Fukuda	018eda618b	docs(sbom): add SPDX scanning (#2885 )	2022-09-16 10:20:40 +03:00
Anais Urlichs	20f1e5991a	docs: restructure docs and add tutorials (#2883 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 21:27:58 +03:00
saso	192fd78ca2	feat(sbom): scan sbom attestation in the rekor record (#2699 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 20:16:39 +03:00
chenk	597836c3a2	feat(k8s): support outdated-api (#2877 )	2022-09-15 13:02:16 +03:00
dependabot[bot]	6c7bd67c04	chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815 )	2022-09-15 11:40:54 +03:00
François Poirotte	41270434fe	fix(c): support revisions in Conan parser (#2878 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 11:35:44 +03:00
chenk	b677d7e2e8	feat: dynamic links support for scan results (#2838 )	2022-09-15 10:42:33 +03:00
dependabot[bot]	8e03bbb422	chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818 )	2022-09-15 10:16:47 +03:00
George Rodrigues	27005c7d6a	docs: update archlinux commands (#2876 )	2022-09-15 10:14:53 +03:00
DmitriyLewen	b6e394dc80	feat(secret): add line from dockerfile where secret was added to secret result (#2780 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 10:13:20 +03:00
Masahiro331	9f6680a1fa	feat(sbom): Add unmarshal for spdx (#2868 ) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 08:39:59 +03:00
dependabot[bot]	db0aaf18e6	chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827 )	2022-09-14 17:28:14 +03:00
AndrewCharlesHay	bb3220c3de	fix: revert asff arn and add documentation (#2852 )	2022-09-14 17:27:46 +03:00
AndrewCharlesHay	c51f2b82e4	docs: batch-import-findings limit (#2851 )	2022-09-14 17:26:32 +03:00
dependabot[bot]	552732b5d7	chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872 )	2022-09-14 17:23:51 +03:00
Masahiro331	3165c376e2	feat(sbom): Add marshal for spdx (#2867 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-14 13:36:10 +03:00
Teppei Fukuda	dac2b4a281	build: checkout before setting up Go (#2873 )	2022-09-14 13:27:27 +03:00
Teppei Fukuda	39f83afefe	chore: bump Go to 1.19 (#2861 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-14 11:41:55 +03:00
Carol Valencia	0ce95830c8	docs: azure doc and trivy (#2869 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-09-14 09:20:57 +03:00
Owen Rumney	2f37961661	fix: Scan tarr'd dependencies (#2857 ) Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>	2022-09-12 14:55:38 +03:00
Carol Valencia	db14ef3cb5	chore(helm): helm test with ingress (#2630 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-09-12 12:13:08 +03:00
DmitriyLewen	acb65d565a	feat(report): add secrets to sarif format (#2820 ) Co-authored-by: AMF <work@afdesk.com>	2022-09-12 12:12:13 +03:00
dependabot[bot]	a18cd7c00a	chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807 )	2022-09-12 12:11:02 +03:00
Teppei Fukuda	2de903ca35	refactor: add a new interface for initializing analyzers (#2835 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-12 11:46:53 +03:00
dependabot[bot]	63c3b8ed19	chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840 )	2022-09-08 09:21:40 +03:00
AndrewCharlesHay	6717665ab0	fix: update ProductArn with account id (#2782 )	2022-09-08 09:21:05 +03:00
Helge Eichelberg	41a8496716	feat(helm): make cache TTL configurable (#2798 ) Signed-off-by: elchenberg <elchenberg@users.noreply.github.com>	2022-09-08 09:12:18 +03:00
Juan Antonio Osorio	0f1f2c1b29	build(): Sign releaser artifacts, not only container manifests (#2789 )	2022-09-07 16:56:10 +03:00
Carol Valencia	b389a6f4fc	chore: improve doc about azure devops (#2795 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-09-07 16:52:53 +03:00
dependabot[bot]	9ef9fce589	chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804 )	2022-09-07 16:48:15 +03:00
dependabot[bot]	7b3225d0d8	chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828 )	2022-09-07 16:47:38 +03:00
dependabot[bot]	37733edc4b	chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825 )	2022-09-07 16:46:01 +03:00
Itay Shakury	44d7e8dde1	docs: don't push patch versions (#2824 )	2022-09-07 16:40:28 +03:00
DmitriyLewen	4839075c28	feat: add support for conan.lock file (#2779 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-06 21:59:13 +03:00
Teppei Fukuda	6b4ddaaef2	feat: cache merged layers igned-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-06 11:04:00 +03:00
dependabot[bot]	a18f398ac0	chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805 )	2022-09-04 12:32:45 +03:00
dependabot[bot]	4dcce14051	chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806 )	2022-09-04 12:32:04 +03:00
dependabot[bot]	db4544711a	chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811 )	2022-09-04 12:15:53 +03:00
dependabot[bot]	a246d0f280	chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810 )	2022-09-04 12:11:31 +03:00
dependabot[bot]	1800017a9a	chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808 )	2022-09-04 12:08:54 +03:00
dependabot[bot]	218e41a435	chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814 )	2022-09-04 12:08:13 +03:00
DmitriyLewen	a000adeed0	feat: add support for gradle.lockfile (#2759 )	2022-09-01 11:27:36 +03:00
Crypt Keeper	43113bc01f	chore(mod): updates wazero to 1.0.0-pre.1 #2791 Signed-off-by: Adrian Cole <adrian@tetrate.io>	2022-09-01 11:09:48 +03:00
jerbob92	5f0bf1445a	feat: move file patterns to a global level to be able to use it on any analyzer (#2539 )	2022-09-01 11:01:57 +03:00
Alex Samorukov	2580ea1583	Fix url validaton failures (#2783 ) While analyzing failure of the report schema validation i found URL looks like that: `https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)`. This causing gitlab to mark report as invalid. Patch provided just using first word of the url word.	2022-08-30 15:57:40 +03:00
DmitriyLewen	2473b2c881	fix(image): add logic to detect empty layers (#2790 ) * add logic to detect empty layers * add test for createdBy from buildkit	2022-08-30 15:56:14 +03:00
afdesk	9d018d44b9	feat(rust): add dependency graph from Rust binaries (#2771 )	2022-08-30 15:46:38 +03:00
Teppei Fukuda	db67f16ac6	fix: handle empty OS family (#2768 )	2022-08-29 08:53:13 +03:00
Jose Donizetti	77616bebae	fix: fix k8s summary report (#2777 ) Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>	2022-08-25 10:43:39 +03:00
DmitriyLewen	fcccfced23	fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767 )	2022-08-25 10:40:03 +03:00
Jose Donizetti	8bc215ccf6	chore: bump trivy-kubernetes (#2770 ) Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>	2022-08-25 09:37:47 +03:00
Ankush K	d8d8e62793	fix(secret): Consider secrets in rpc calls (#2753 )	2022-08-25 09:36:51 +03:00
DmitriyLewen	b0e89d4c57	fix(java): check depManagement from upper pom's (#2747 )	2022-08-24 11:22:22 +03:00
afdesk	da6f1b6f25	fix(php): skip `composer.lock` inside `vendor` folder (#2718 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2022-08-23 13:17:09 +03:00
Jose Donizetti	2f2952c658	fix: fix k8s rbac filter (#2765 )	2022-08-23 11:56:06 +03:00
afdesk	8bc56bf2fc	feat(misconf): skipping misconfigurations by AVD ID (#2743 )	2022-08-22 11:06:04 +03:00
Alexander Lauster	9c1ce5afe8	chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741 )	2022-08-18 17:05:39 +03:00
Herby Gillot	3cd10b2358	docs: add MacPorts install instructions (#2727 )	2022-08-17 13:41:55 +03:00
will Farrell	f369bd3e3d	docs: typo (#2730 )	2022-08-17 10:58:44 +01:00
Liam Galvin	fefe7c4a7b	fix: Correctly handle recoverable AWS scanning errors (#2726 )	2022-08-16 18:00:44 +03:00
Liam Galvin	9c92e3d185	docs: Remove reference to SecurityAudit policy for AWS scanning (#2721 )	2022-08-16 16:31:49 +03:00
Liam Galvin	d343d13ac6	fix: upgrade defsec to v0.71.7 for elb scan panic (#2720 )	2022-08-16 15:00:18 +03:00
DmitriyLewen	917f388852	fix(flag): add error when there are no supported security checks (#2713 )	2022-08-16 09:57:46 +03:00
Teppei Fukuda	aef02aa174	fix(vuln): continue scanning when no vuln found in the first application (#2712 )	2022-08-16 08:41:01 +03:00
Teppei Fukuda	ed1fa89117	revert: add new classes for vulnerabilities (#2701 )	2022-08-15 21:40:29 +03:00
DmitriyLewen	a5d4f7fbd9	feat(secret): detect secrets removed or overwritten in upper layer (#2611 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-08-15 20:40:54 +03:00
Moulick Aggarwal	ddffb1b451	fix(cli): secret scanning perf link fix (#2607 )	2022-08-15 16:15:22 +03:00
dependabot[bot]	bc85441f7d	chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650 )	2022-08-15 12:33:41 +03:00
Liam Galvin	b259b25ce4	feat: Add AWS Cloud scanning (#2493 ) * feat: Added AWS Cloud scanning Co-authored-by: Owen Rumney <owen.rumney@aquasec.com>	2022-08-11 14:59:32 +01:00
saso	f8edda8479	docs: specify the type when verifying an attestation (#2697 )	2022-08-11 13:17:44 +03:00
saso	687941390e	docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690 )	2022-08-10 15:47:40 +03:00
Ankush K	babfb17465	fix(rpc): scanResponse rpc conversion for custom resources (#2692 )	2022-08-10 13:45:32 +03:00
Tom Fay	517d2e0109	feat(rust): Add support for cargo-auditable (#2675 )	2022-08-10 13:43:23 +03:00
Owen Rumney	01123854b4	feat: Support passing value overrides for configuration checks (#2679 )	2022-08-08 18:22:58 +03:00
saso	317a026616	feat(sbom): add support for scanning a sbom attestation (#2652 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-08-08 16:27:05 +03:00
DmitriyLewen	390c256c38	chore(image): skip symlinks and hardlinks from tar scan (#2634 )	2022-08-08 15:57:08 +03:00
Matteo Vitali	63c33bfa43	fix(report): Update junit.tpl (#2677 ) Add explicit name="trivy" in the testsuite element	2022-08-08 15:47:18 +03:00
Masahiro331	de365c8e92	fix(cyclonedx): add nil check to metadata.component (#2673 )	2022-08-08 15:15:38 +03:00
Lior Vaisman Argon	50db7da947	docs(secret): fix missing and broken links (#2674 )	2022-08-08 15:14:55 +03:00
Teppei Fukuda	e848e6d009	refactor(cyclonedx): implement json.Unmarshaler (#2662 ) * refactor(cyclonedx): implement json.Unmarshaler * fix: use pointer	2022-08-04 14:15:33 +03:00
dependabot[bot]	df0b5e40db	chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643 ) Bumps [github.com/aquasecurity/table](https://github.com/aquasecurity/table) from 1.6.0 to 1.7.2. - [Release notes](https://github.com/aquasecurity/table/releases) - [Commits](https://github.com/aquasecurity/table/compare/v1.6.0...v1.7.2) --- updated-dependencies: - dependency-name: github.com/aquasecurity/table dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-08-04 11:44:55 +03:00
dependabot[bot]	006b8a5c29	chore(deps): bump github.com/Azure/go-autorest/autorest (#2642 )	2022-08-04 11:43:18 +03:00
Magesh Dhasayyan	8d10de8b4f	feat(kubernetes): add option to specify kubeconfig file path (#2576 )	2022-08-04 10:18:18 +03:00
Axit Patel	169c55c688	docs: follow Debian's "instructions to connect to a third-party repository" (#2511 )	2022-08-04 10:11:38 +03:00
dependabot[bot]	9b21831440	chore(deps): bump github.com/google/licenseclassifier/v2 (#2644 )	2022-08-03 15:04:13 +03:00
dependabot[bot]	94db37e541	chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645 )	2022-08-03 14:58:40 +03:00
dependabot[bot]	d9838053df	chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647 )	2022-08-03 14:43:51 +03:00
dependabot[bot]	d8a9572930	chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646 )	2022-08-03 10:46:37 +03:00
dependabot[bot]	3ab3050992	chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641 )	2022-08-03 10:46:00 +03:00
dependabot[bot]	75984f347b	chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640 )	2022-08-03 10:44:59 +03:00
dependabot[bot]	525c2530d5	chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639 )	2022-08-03 10:44:27 +03:00
dependabot[bot]	5e327e41a6	chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638 )	2022-08-03 10:44:05 +03:00
dependabot[bot]	469d771a59	chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648 )	2022-08-03 10:43:40 +03:00
dependabot[bot]	6bc8c87bc1	chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649 )	2022-08-03 10:43:17 +03:00
dependabot[bot]	6ab832d099	chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651 )	2022-08-03 10:40:57 +03:00
MaineK00n	3a10497a6f	feat(alma): set AlmaLinux 9 EOL (#2653 )	2022-08-03 10:40:07 +03:00
Liam Galvin	55825d760b	fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636 )	2022-08-01 15:38:04 +03:00
DmitriyLewen	6bb0e4b036	test(misconf): add tests for misconf handler for dockerfiles (#2621 )	2022-08-01 14:56:53 +03:00
DmitriyLewen	44d53bed48	feat(oracle): set Oracle Linux 9 EOL (#2635 )	2022-08-01 10:36:30 +03:00
Teppei Fukuda	f396c677a2	BREAKING: add new classes for vulnerabilities (#2541 )	2022-07-31 10:47:08 +03:00
DmitriyLewen	3cd88abec5	fix(secret): add newline escaping for asymmetric private key (#2532 )	2022-07-31 10:18:16 +03:00
Ben Bodenmiller	ea91fb91b0	docs: improve formatting (#2572 )	2022-07-31 10:17:42 +03:00
cebidhem	d0ca610a96	feat(helm): allows users to define an existing secret for tokens (#2587 ) Signed-off-by: cebidhem <cebidhem@pm.me>	2022-07-31 09:56:14 +03:00
DmitriyLewen	d0ba59a44d	docs(mariner): use tdnf in fs usage example (#2616 )	2022-07-31 09:50:27 +03:00
saso	d7742b6c17	docs: remove unnecessary double quotation marks (#2609 )	2022-07-31 09:45:00 +03:00
Liam Galvin	27027cf40d	fix: Fix --file-patterns flag (#2625 )	2022-07-29 21:54:57 +03:00
saso	c2a7ad5c01	feat(report): add support for Cosign vulnerability attestation (#2567 )	2022-07-27 17:39:35 +03:00
DmitriyLewen	dfb86f41f8	docs(mariner): use v2.0 in examples (#2602 )	2022-07-27 14:42:09 +03:00
Nate	946ce1672d	feat(report): add secrets template for codequality report (#2461 )	2022-07-27 10:55:32 +03:00
Teppei Fukuda	f9c17bd2d8	fix: remove the first arg when running as a plugin (#2595 )	2022-07-26 21:54:43 +03:00
Jose Donizetti	cccfade374	fix: k8s controlplaner scanning (#2593 ) Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>	2022-07-26 16:35:34 +03:00
thiago-gitlab	5a65548662	fix(vuln): GitLab report template (#2578 ) * fix(vuln): GitLab report template - Upgrade to schema 14.0.6 (https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v14.0.6/dist/container-scanning-report-format.json). - Drop unsupported `confidence` property. Currently optional and will be removed by GitLab in schema 15-0-0. * docs(vuln): remove note about broken GitLab integration	2022-07-26 15:51:20 +03:00
afdesk	fa8a8ba7dc	fix(server): use a new db worker for hot updates (#2581 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-07-25 17:26:08 +03:00
DmitriyLewen	769ed554b0	docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583 )	2022-07-25 16:50:26 +03:00
DmitriyLewen	5f9a963ef6	docs: split commands to download db for different versions of oras (#2582 )	2022-07-25 15:19:04 +03:00
Alexander Lauster	d93a997800	feat(report): export exitcode for license checks (#2564 ) Also export the exit code for license checks fixes #2562	2022-07-25 14:26:12 +03:00
afdesk	f9be138aab	fix: cli can use lowercase for severities (#2565 )	2022-07-25 14:25:16 +03:00
Teppei Fukuda	c7f0bc92ae	fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577 )	2022-07-25 11:27:47 +03:00
MaineK00n	c2f3731873	fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569 )	2022-07-24 17:24:13 +03:00
saso	7b4f2dc72f	fix: enable some features of the wasm runtime (#2575 )	2022-07-24 08:31:54 +03:00
Denys Mazhar	84677903a6	fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521 ) * Enable k8s logging and increase log level of the image scan errors * Rework errors reporting * Rework GetErrors method into printErrors Print errors during report writing * Increase log level for scan errors logging	2022-07-21 15:34:47 -03:00
saso	e1e02d785f	docs(sbom): improve sbom attestation documentation (#2566 )	2022-07-21 17:54:21 +03:00
afdesk	80c7b91637	fix(report): show the summary without results (#2548 )	2022-07-21 14:41:51 +03:00
DmitriyLewen	07c3ac4de1	fix(cli): replace '-' to '_' for env vars (#2561 )	2022-07-21 13:41:56 +03:00