refactor(k8s): custom reports (#3076 )

fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068 )
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-10 06:40:46 -08:00 · 2022-10-26 00:02:33 +03:00 · 2022-10-25 23:41:27 +03:00 · 2022-10-25 22:03:50 +03:00 · 2022-10-25 21:05:54 +03:00 · 2022-10-25 21:04:29 +03:00
356 changed files with 16153 additions and 4019 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -11,7 +11,8 @@ docs/docs/cloud             @owenrumney @liamg @knqyf263
 pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
 pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
 pkg/cloud                   @owenrumney @liamg @knqyf263
-pkg/flag                    @owenrumney @liamg @knqyf263
+pkg/flag/aws_flags.go       @owenrumney @liamg @knqyf263
+pkg/flag/misconf_flags.go   @owenrumney @liamg @knqyf263

 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.0.9
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -35,7 +35,7 @@ jobs:
        if: ${{ github.event.inputs.version == '' }}
        run: |
          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -15,8 +15,8 @@ env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
-  KIND_VERSION: "v0.11.1"
-  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
  test-chart:
    runs-on: ubuntu-20.04
@@ -26,7 +26,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
+        uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1
        with:
          version: v3.5.0
      - name: Set up python
@@ -35,9 +35,9 @@ jobs:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
      - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
+        uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
@@ -45,7 +45,7 @@ jobs:
        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
      - name: Run chart-testing (Ingress enabled)
        run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
          ct lint-and-install --validate-maintainers=false --charts helm/trivy

  publish-chart:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs:
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser.yml
-      goreleaser_options: '--rm-dist --timeout 60m'
+      goreleaser_options: '--rm-dist --timeout 90m'
    secrets: inherit

  deploy-packages:
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.0.9
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -54,4 +54,4 @@ jobs:
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import

      - name: Create deb repository
-        run: ci/deploy-deb.sh
+        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -13,7 +13,6 @@ on:
        type: string

 env:
-  GO_VERSION: "1.18"
  GH_USER: "aqua-bot"

 jobs:
@@ -28,7 +27,7 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0
+        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
@@ -60,16 +59,16 @@ jobs:
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}

-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
@@ -100,10 +99,10 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.0.9
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
          # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -64,6 +64,8 @@ jobs:
            dotnet
            java
            go
+            c
+            c++
            
            os
            lang
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v5
+    - uses: actions/stale@v6
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,8 +10,7 @@ on:
      - 'LICENSE'
  pull_request:
 env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.24.0"
+  TINYGO_VERSION: "0.25.0"
 jobs:
  test:
    name: Test
@@ -22,7 +21,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod

      - name: go mod tidy
        run: |
@@ -35,7 +34,7 @@ jobs:
      - name: Lint
        uses: golangci/golangci-lint-action@v3.2.0
        with:
-          version: v1.45
+          version: v1.49
          args: --deadline=30m
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778

@@ -51,36 +50,34 @@ jobs:
    name: Integration Test
    runs-on: ubuntu-latest
    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod

-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration

  module-test:
    name: Module Integration Test
    runs-on: ubuntu-latest
    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
+          go-version-file: go.mod

      - name: Install TinyGo
        run: |
          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb

-      - name: Checkout
-        uses: actions/checkout@v3
-
      - name: Run module integration tests
        run: |
          make test-module-integration
@@ -107,13 +104,13 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod

    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v3
      with:
        version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 60m
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m

  build-documents:
    name: Documentation Test
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -21,18 +21,17 @@ linters-settings:
    local-prefixes: github.com/aquasecurity
  gosec:
    excludes:
+      - G114
      - G204
      - G402

 linters:
  disable-all: true
  enable:
-    - structcheck
+    - unused
    - ineffassign
    - typecheck
    - govet
-    - varcheck
-    - deadcode
    - revive
    - gosec
    - unconvert
@@ -43,7 +42,7 @@ linters:
    - misspell

 run:
-  go: 1.18
+  go: 1.19
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.16.1
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.16.1
+FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM golang:1.18.4
+FROM golang:1.19.1

 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/2
+++ b/2
@@ -26,7 +26,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0

 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0

 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest
--- a/README.md
+++ b/README.md
@@ -39,7 +39,9 @@ Get Trivy by your favorite installation method. See [installation] section in th

 - `apt-get install trivy`
 - `yum install trivy`
+- `pacman -S trivy`
 - `brew install aquasecurity/trivy/trivy`
+- `sudo port install trivy`
 - `docker run aquasec/trivy`
 - Download binary from https://github.com/aquasecurity/trivy/releases/latest/

@@ -136,7 +138,7 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]

 [getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [docs]: https://aquasecurity.github.io/trivy
-[integrations]:https://aquasecurity.github.io/trivy/latest/docs/integrations/
+[integrations]:https://aquasecurity.github.io/trivy/latest/tutorials/integrations/
 [installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
 [releases]: https://github.com/aquasecurity/trivy/releases
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>
--- a/brand/readme.md
+++ b/brand/readme.md
@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -70,7 +70,7 @@
          ,
        {{- end -}}
        {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
        }
        {{- end }}
      ]
--- a/docs/community/credit.md
+++ b/docs/community/credit.md
@@ -1,10 +0,0 @@
-# Author
-
-[Teppei Fukuda][knqyf263] (knqyf263)
-
-# Contributors
-
-Thanks to all [contributors][contributors]
-
-[knqyf263]: https://github.com/knqyf263
-[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors
--- a/docs/community/references.md
+++ b/docs/community/references.md
@@ -1,48 +0,0 @@
-# Additional References
-There are external blogs and evaluations.
-
-## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
- [the vulnerability remediation lifecycle of Alpine containers][alpine]
- [Continuous Container Vulnerability Testing with Trivy][semaphore]
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
- [Istio evaluates scanners][istio]
-
-## Presentations
- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
--- a/docs/community/tools.md
+++ b/docs/community/tools.md
@@ -1,37 +0,0 @@
-# Community Tools
-The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
-
-Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
-
-## GitHub Actions
-
-| Actions                                    | Description                                                                      |
-| ------------------------------------------ | -------------------------------------------------------------------------------- |
-| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
-| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
-
-## Semaphore
-
-| Name                                                   | Description                               |
-| -------------------------------------------------------| ----------------------------------------- |
-| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
-
-
-## CircleCI
-
-| Orb                                      | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
-
-## Others
-
-| Name                                     | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
-
-
-[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
-[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
-[gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
-[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,142 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --security-checks vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -48,6 +48,7 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```

@@ -60,7 +61,9 @@ $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>

 Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.

-In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.

 ```bash
 $ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
--- a/docs/docs/cloud/aws/scanning.md
+++ b/docs/docs/cloud/aws/scanning.md
@@ -11,9 +11,9 @@ The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.a

 Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.

-You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` and `SecurityAudit` policies attached.
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.

-Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.

 ## CLI Commands

@@ -52,4 +52,8 @@ All ARNs with detected issues will be displayed when showing results for their a

 ## Cached Results

-By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)
+By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
+
+## Custom Policies
+
+You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information.
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -0,0 +1,8 @@
+# Compliance Reports
+
+Trivy support producing compliance reports.
+
+## Supported reports
+
+- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md) 
+
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -1,28 +1,6 @@
 # Docs

-Trivy detects two types of security issues:
-
- [Vulnerabilities][vuln]
- [Misconfigurations][misconf]
-
-Trivy can scan four different artifacts:
-
- [Container Images][container]
- [Filesystem][filesystem] and [Rootfs][rootfs]
- [Git Repositories][repo]
- [Kubernetes][kubernetes]
-
-Trivy can be run in two different modes:
-
- [Standalone][standalone]
- [Client/Server][client-server]
-
-Trivy can be run as a Kubernetes Operator:
-
- [Kubernetes Operator][kubernetesoperator]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
+This documentation details how to use Trivy to access the features listed below.

 ## Features

@@ -67,7 +45,7 @@ See [Integrations][integrations] for details.

 Please see [LICENSE][license] for Trivy licensing information.

-[installation]: ../getting-started/installation.md
+[installation]: ../index.md
 [vuln]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [kubernetesoperator]: ../docs/kubernetes/operator/index.md
@@ -79,7 +57,7 @@ Please see [LICENSE][license] for Trivy licensing information.

 [standalone]: ../docs/references/modes/standalone.md
 [client-server]: ../docs/references/modes/client-server.md
-[integrations]: ../docs/integrations/index.md
+[integrations]: ../tutorials/integrations/index.md

 [os]: ../docs/vulnerability/detection/os.md
 [lang]: ../docs/vulnerability/detection/language.md
@@ -91,4 +69,4 @@ Please see [LICENSE][license] for Trivy licensing information.
 [sbom]: ../docs/sbom/index.md

 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/docs/integrations/aws-security-hub.md
+++ b/docs/docs/integrations/aws-security-hub.md
@@ -1,29 +0,0 @@
-# AWS Security Hub
-
-## Upload findings to Security Hub
-
-In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
-
-```
-$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
-Then, you can upload it with AWS CLI.
-
-```
-$ aws securityhub batch-import-findings --findings file://report.asff
-```
-
-## Customize
-You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
-
-```
-$ export AWS_REGION=us-west-1
-$ export AWS_ACCOUNT_ID=123456789012
-$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-## Reference
-https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
--- a/docs/docs/integrations/woodpecker-ci.md
+++ b/docs/docs/integrations/woodpecker-ci.md
@@ -0,0 +1,17 @@
+# Woodpecker CI
+
+This is a simple example configuration `.woodpecker/trivy.yml` that shows how you could get started:
+
+```yml
+pipeline:
+  securitycheck:
+    image: aquasec/trivy:latest
+    commands:
+      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
+      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+```
+
+Woodpecker does use Trivy itself so you can see an [Example][example] run at its [Repository][repository] and how it was [added](https://github.com/woodpecker-ci/woodpecker/pull/1163).
+
+[example]: https://ci.woodpecker-ci.org/woodpecker-ci/woodpecker/build/3520/37
+[repository]: https://github.com/woodpecker-ci/woodpecker
--- a/docs/docs/kubernetes/cli/compliance.md
+++ b/docs/docs/kubernetes/cli/compliance.md
@@ -0,0 +1,68 @@
+# Kubernetes Compliance
+
+## NSA Complaince Report
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
+
+[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
+
+| NAME                                                     | DESCRIPTION                                                                                             |          |
+|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------|
+| Non-root containers                                      | Check that container is not running as root                                                       |
+| Immutable container file systems                         | Check that container root file system is immutable                                                  |
+| Preventing privileged containers                         | Controls whether Pods can run privileged containers                                                 |
+| Share containers process namespaces                      | Controls whether containers can share process namespaces                                                 |
+| Share host process namespaces                            | Controls whether share host process namespaces                                                 |
+| Use the host network                                     | Controls whether containers can use the host network                                                    |
+| Run with root privileges or with root group membership   | Controls whether container applications can run with <br/>root privileges or with root group membership                   |
+| Restricts escalation to root privileges                  | Control check restrictions escalation to root privileges                                                 |
+| Sets the SELinux context of the container                | Control checks if pod sets the SELinux context of the container                                                  |
+| Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor                                    | 
+| Sets the seccomp profile used to sandbox containers      | Control checks the sets the seccomp profile used to sandbox containers                                                 |
+| Protecting Pod service account tokens                    | Control check whether disable secret token been mount ,automountServiceAccountToken: false                        | 
+| Namespace kube-system should not be used by users        | Control check whether Namespace kube-system is not be used by users                                                      |
+| Pod and/or namespace Selectors usage                     | Control check validate the pod and/or namespace Selectors usage                                                      |
+| Use CNI plugin that supports NetworkPolicy API           | Control check whether check cni plugin installed                                                  |
+| Use ResourceQuota policies to limit resources            | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace                  | 
+| Use LimitRange policies to limit resources               | Control check the use of LimitRange policy limit resource usage for namespaces or nodes                              |
+| Control plan disable insecure port                       | Control check whether control plan disable insecure port                                                       |
+| Encrypt etcd communication                               | Control check whether etcd communication is encrypted                                                  |
+| Ensure kube config file permission                       | Control check whether kube config file permissions                                                |
+| Check that encryption resource has been set              | Control checks whether encryption resource has been set                                                        |
+| Check encryption provider                                | Control checks whether encryption provider has been set                                                        |
+| Make sure anonymous-auth is unset                        | Control checks whether anonymous-auth is unset                                                      |
+| Make sure -authorization-mode=RBAC                       | Control check whether RBAC permission is in use                                                        |
+| Audit policy is configure                                | Control check whether audit policy is configure                                                  |
+| Audit log path is configure                              | Control check whether audit log path is configure                                                  |
+| Audit log aging                                          | Control check whether audit log aging is configure                                                  |
+
+## CLI Commands
+
+Scan a full cluster and generate a complliance NSA summary report:
+
+```
+$ trivy k8s cluster --compliance=nsa --report summary
+```
+
+![k8s Summary Report](../../../imgs/trivy-nsa-summary.png)
+
+***Note*** : The `compliance` column represent the calculation of all tests pass vs. fail for all resources per control check in percentage format.
+
+Example: if I have two resources in cluster and one resource scan result show pass while the other one show fail for `1.0 Non-root Containers` then it compliance will show 50%
+
+An additional report is supported to get all of the detail the output contains, use `--report all`
+```
+$ trivy k8s cluster --compliance=nsa --report all
+```
+Report also supported in json format examples :
+
+```
+$ trivy k8s cluster --compliance=nsa --report summary --format json
+```
+
+```
+$ trivy k8s cluster --compliance=nsa --report all --format json
+```
--- a/docs/docs/kubernetes/cli/scanning.md
+++ b/docs/docs/kubernetes/cli/scanning.md
@@ -5,7 +5,7 @@

 The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.

-If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
+If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)

 Trivy uses your local kubectl configuration to access the API server to list artifacts.

@@ -231,3 +231,49 @@ $ trivy k8s --format json -o results.json cluster

 </details>

+
+
+## Infra checks
+
+Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
+if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
+components under `kube-system` with commands:
+
+```
+$ trivy k8s cluster --report summary # full cluster scan
+$ trivy k8s all -n kube-system --report summary # scan all componetns under kube-system
+```
+
+A table will be printed about misconfigurations found on kubernetes core components:
+
+```
+Summary Report for minikube
+┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
+│  Namespace  │               Resource               │ Kubernetes Infra Assessment │
+│             │                                      ├────┬────┬────┬─────┬────────┤
+│             │                                      │ C  │ H  │ M  │ L   │   U    │
+├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
+│ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
+│ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
+│ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
+└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
+Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
+```
+
+The infra checks are based on CIS Benchmarks recommendations for kubernetes.
+
+
+If you want filter only for the infra checks, you can use the flag `--components` along with the `--security-checks=config`
+
+```
+$ trivy k8s cluster --report summary --components=infra --security-checks=config # scan only infra
+```
+
+Or, to filter for all other checks besides the infra checks, you can:
+
+```
+$ trivy k8s cluster --report summary --components=workload --security-checks=config # scan all components besides infra
+```
+
+	
+
--- a/docs/docs/misconfiguration/custom/index.md
+++ b/docs/docs/misconfiguration/custom/index.md
@@ -36,27 +36,23 @@ A single package must contain only one policy.

 !!!example
    ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
    package user.kubernetes.ID001
    
-    import lib.result
-
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    }
-
-    __rego_input__ := {
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
-    
    deny[res] {
        input.kind == "Deployment"
        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
-        res := result.new(msg, input)
+        res := result.new(msg, input.kind)
    }
    ```

@@ -65,6 +61,10 @@ If you add a new custom policy, it must be defined under a new package like `use

 ### Policy structure

+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
 `package` (required)
 :   - MUST follow the Rego's [specification][package]
    - MUST be unique per policy
@@ -72,15 +72,6 @@ If you add a new custom policy, it must be defined under a new package like `use
    - MAY include the group name such as `kubernetes` for clarity
        - Group name has no effect on policy evaluation

-`import data.lib.result` (optional)
-:   - MAY be defined if you would like to embellish your result(s) with line numbers and code highlighting
-
-`__rego_metadata__` (optional)
-:   - SHOULD be defined for clarity since these values will be displayed in the scan results
-
-`__rego_input__` (optional)
-:   - MAY be defined when you want to specify input format
-
 `deny` (required)
 :   - SHOULD be `deny` or start with `deny_`
        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
@@ -112,28 +103,38 @@ Any package prefixes such as `main` and `user` are allowed.
 ### Metadata
 Metadata helps enrich Trivy's scan results with useful information.

+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
 !!!example
    ``` rego
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    	"recommended_actions": "Remove Deployment",
-    	"url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
-    }
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
    ```
  
-All fields under `__rego_metadata__` are optional.
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
+
+| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                           |                              | :material-close: | :material-check: |
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
+| url                        | Any characters                           |                              | :material-close: | :material-check: |

-| Field name          | Allowed values                      | Default value |     In table     |     In JSON      |
-|---------------------|-------------------------------------|:-------------:|:----------------:|:----------------:|
-| id                  | Any characters                      |      N/A      | :material-check: | :material-check: |
-| title               | Any characters                      |      N/A      | :material-check: | :material-check: |
-| severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` |    UNKNOWN    | :material-check: | :material-check: |
-| description         | Any characters                      |               | :material-close: | :material-check: |
-| recommended_actions | Any characters                      |               | :material-close: | :material-check: | 
-| url                 | Any characters                      |               | :material-close: | :material-check: |

 Some fields are displayed in scan results.

@@ -156,17 +157,16 @@ Deployments are not allowed because of some reasons.
 ```

 ### Input
-You can specify input format via `__rego_input__`.
-All fields under `__rego_input` are optional.
+You can specify input format via the `custom.input` annotation.

 !!!example
    ``` rego
-    __rego_input__ := {
-        "combine": false,
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
    ```

 `combine` (boolean)
@@ -177,6 +177,15 @@ All fields under `__rego_input` are optional.
    In the above example, Trivy passes only Kubernetes files to this policy.
    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.

+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
    When a configuration language is identified, it will overwrite `type`.
    
@@ -186,5 +195,15 @@ All fields under `__rego_input` are optional.

    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.

+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
--- a/docs/docs/misconfiguration/options/others.md
+++ b/docs/docs/misconfiguration/options/others.md
@@ -2,21 +2,3 @@

 !!! hint
    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
-
-## File patterns
-When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
-The default file patterns are [here](../custom/index.md).
-
-In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
-For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
-
-This can be repeated for specifying multiple file patterns.
-Allowed values are here:
-
- dockerfile
- yaml
- json
- toml
- hcl
-
-For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -40,7 +40,7 @@ the `--helm-set-string` is the same as `--helm-set` but explicitly retains the v
 trivy config --helm-set-string name=false ./infrastructure/tf
 ```

-### Setting sepecific values from files
+### Setting specific values from files
 Specific override values can come from specific files

 ```bash
--- a/docs/docs/misconfiguration/policy/builtin.md
+++ b/docs/docs/misconfiguration/policy/builtin.md
@@ -11,6 +11,7 @@ Those policies are managed under [defsec repository][defsec].
 | Dockerfile, Containerfile | [defsec][docker]     |
 | Terraform                 | [defsec][defsec]     |
 | CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
 | RBAC                      | [defsec][rbac]       |      

--- a/docs/docs/misconfiguration/scanning.md
+++ b/docs/docs/misconfiguration/scanning.md
@@ -6,7 +6,7 @@ Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, etc, l

 ## Quick start

-Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.

 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -17,10 +17,13 @@ Examples:
  / # trivy rootfs /

 Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --security-checks strings   comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal

 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
@@ -53,12 +56,12 @@ Vulnerability Flags
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")

 Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--security-checks config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files

 Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -67,6 +70,18 @@ License Flags
      --ignored-licenses strings   specify a list of license to ignore
      --license-full               eagerly look for licenses in source code headers and license files

+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
@@ -76,4 +91,4 @@ Global Flags:
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
-```
+```
--- a/docs/docs/references/customization/config-file.md
+++ b/docs/docs/references/customization/config-file.md
@@ -82,6 +82,11 @@ Available in client/server mode

 ```yaml
 scan:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+
  # Same as '--skip-dirs'
  # Default is empty
  skip-dirs:
@@ -195,11 +200,6 @@ Available with misconfiguration scanning

 ```yaml
 misconfiguration:
-  # Same as '--file-patterns'
-  # Default is empty
-  file-patterns:
-    -
-  
  # Same as '--include-non-failures'
  # Default is false
  include-non-failures: false
--- a/docs/docs/references/modes/client-server.md
+++ b/docs/docs/references/modes/client-server.md
@@ -175,6 +175,30 @@ Total: 24 (CRITICAL: 24)
 +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
 </details>

+## Remote scan of root filesystem
+Also, there is a way to scan root file system:
+```shell
+$ trivy rootfs --server http://localhost:8080 --severity CRITICAL /tmp/rootfs
+```
+**Note**: It's important to specify the protocol (http or https).
+<details>
+<summary>Result</summary>
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+</details>
+
+
+
 ## Authentication

 ```
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -120,6 +120,19 @@ To run multiple Trivy servers, you need to use Redis as the cache backend so tha
 Follow [this instruction][redis-cache] to do so.


+### Problems with `/tmp` on remote Git repository scans
+
+!!! error
+    FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
+
+Trivy clones remote Git repositories under the `/tmp` directory before scanning them. If `/tmp` doesn't work for you, you can change it by setting the `TMPDIR` environment variable.
+
+Try:
+
+```
+$ TMPDIR=/my/custom/path trivy repo ...
+```
+
 ## Homebrew
 ### Scope error
 !!! error
--- a/docs/docs/sbom/cyclonedx.md
+++ b/docs/docs/sbom/cyclonedx.md
@@ -1,7 +1,7 @@
 # CycloneDX

-## Reporting
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+## Generating
+Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
--- a/docs/docs/sbom/index.md
+++ b/docs/docs/sbom/index.md
@@ -1,6 +1,6 @@
 # SBOM

-## Reporting
+## Generating
 Trivy can generate the following SBOM formats.

 - [CycloneDX][cyclonedx]
@@ -181,34 +181,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
 Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.

 - CycloneDX
+- SPDX
+- SPDX JSON
 - CycloneDX-type attestation

 To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.

 ```bash
 $ trivy sbom /path/to/cyclonedx.json
-
-cyclonedx.json (alpine 3.7.1)
-=========================
-Total: 3 (CRITICAL: 3)
-
-┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
-└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
 ```

+See [here][cyclonedx] for the detail.

 !!! note
-    CycloneDX XML and SPDX are not supported at the moment.
+    CycloneDX XML is not supported at the moment.
+
+```bash
+$ trivy sbom /path/to/spdx.json
+```
+
+See [here][spdx] for the detail.
+

 You can also scan an SBOM attestation.
 In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
--- a/docs/docs/sbom/spdx.md
+++ b/docs/docs/sbom/spdx.md
@@ -1,6 +1,7 @@
 # SPDX

-Trivy generates reports in the [SPDX][spdx] format.
+## Generating
+Trivy can generate SBOM in the [SPDX][spdx] format.

 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.

@@ -294,4 +295,50 @@ $ cat result.spdx.json | jq .

 </details>

+## Scanning
+Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
+To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
+The input format is automatically detected.
+
+The following formats are supported:
+
+- Tag-value (`--format spdx`)
+- JSON (`--format spdx-json`)
+
+```bash
+$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
+$ trivy sbom spdx.json
+2022-09-15T21:32:27.168+0300    INFO    Vulnerability scanning is enabled
+2022-09-15T21:32:27.169+0300    INFO    Detected SBOM format: spdx-json
+2022-09-15T21:32:27.210+0300    INFO    Detected OS: alpine
+2022-09-15T21:32:27.210+0300    INFO    Detecting Alpine vulnerabilities...
+2022-09-15T21:32:27.211+0300    INFO    Number of language-specific files: 0
+
+spdx.json (alpine 3.16.0)
+=========================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
+
+┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ busybox      │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes               │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                  │
+├──────────────┤                │          │                   │               │                                                            │
+│ libssl1.1    │                │          │                   │               │                                                            │
+│              │                │          │                   │               │                                                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ ssl_client   │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in  │
+│              │                │          │                   │               │ inflate in inflate.c...                                    │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                 │
+└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
--- a/docs/docs/vulnerability/detection/data-source.md
+++ b/docs/docs/vulnerability/detection/data-source.md
@@ -19,22 +19,23 @@

 # Programming Language

-| Language                     | Source                                              | Commercial Use  | Delay[^1]|
-| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
-| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
-|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
-| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| Language | Source                                              | Commercial Use  | Delay[^1]|
+|----------|-----------------------------------------------------|:---------------:|:--------:|
+| PHP      | [PHP Security Advisories Database][php]             | ✅              | -        |
+|          | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
+| Python   | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
+|          | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
+| Ruby     | [Ruby Advisory Database][ruby]                      | ✅              | -        |
+|          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
+| Node.js  | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
+|          | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
+| Java     | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|          | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
+| Go       | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|          | [The Go Vulnerability Database][go]                 | ✅              | -        |
+| Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
+| .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| C/C++    | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |

 [^1]: Intentional delay between vulnerability disclosure and registration in the DB

--- a/docs/docs/vulnerability/detection/language.md
+++ b/docs/docs/vulnerability/detection/language.md
@@ -2,29 +2,31 @@

 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

-| Language | File                    | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
-| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
-| Ruby     | Gemfile.lock            |     -     |     -      |        ✅        |        ✅        | included         |
-|          | gemspec                 |     ✅     |     ✅      |        -        |        -        | included         |
-| Python   | Pipfile.lock            |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | poetry.lock             |     -     |     -      |        ✅        |        ✅        | included         |
-|          | requirements.txt        |     -     |     -      |        ✅        |        ✅        | included         |
-|          | egg package[^1]         |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | wheel package[^2]       |     ✅     |     ✅      |        -        |        -        | excluded         |
-| PHP      | composer.lock           |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Node.js  | package-lock.json       |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | yarn.lock               |     -     |     -      |        ✅        |        ✅        | included         |
-|          | pnpm-lock.yaml          |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | package.json            |     ✅     |     ✅      |        -        |        -        | excluded         |
-| .NET     | packages.lock.json      |     ✅     |     ✅      |        ✅        |        ✅        | included         |
-|          | packages.config         |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-|          | .deps.json              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Java     | JAR/WAR/PAR/EAR[^3][^4] |     ✅     |     ✅      |        -        |        -        | included         |
-|          | pom.xml[^5]             |     -     |     -      |        ✅        |        ✅        | excluded         |
-| Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | go.mod[^7]              |     -     |     -      |        ✅        |        ✅        | included         |
-| Rust     | Cargo.lock              |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+| Language | File                                                                                       | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
+| -------- |--------------------------------------------------------------------------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
+| Ruby     | Gemfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | included         |
+|          | gemspec                                                                                    |     ✅     |     ✅      |        -        |        -        | included         |
+| Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | poetry.lock                                                                                |     -     |     -      |        ✅        |        ✅        | included         |
+|          | requirements.txt                                                                           |     -     |     -      |        ✅        |        ✅        | included         |
+|          | egg package[^1]                                                                            |     ✅     |     ✅      |        -        |        -        | excluded         |
+|          | wheel package[^2]                                                                          |     ✅     |     ✅      |        -        |        -        | excluded         |
+| PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+| Node.js  | package-lock.json                                                                          |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | yarn.lock                                                                                  |     -     |     -      |        ✅        |        ✅        | included         |
+|          | pnpm-lock.yaml                                                                             |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | package.json                                                                               |     ✅     |     ✅      |        -        |        -        | excluded         |
+| .NET     | packages.lock.json                                                                         |     ✅     |     ✅      |        ✅        |        ✅        | included         |
+|          | packages.config                                                                            |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+|          | .deps.json                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]                                                                    |     ✅     |     ✅      |        -        |        -        | included         |
+|          | pom.xml[^5]                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |
+|          | *gradle.lockfile                                                                           |     -     |     -      |        ✅        |        ✅        | excluded         |
+| Go       | Binaries built by Go[^6]                                                                   |     ✅     |     ✅      |        -        |        -        | excluded         |
+|          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |
+| Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |
 |          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   
+| C/C++    | conan.lock[^12]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |

 The path of these files does not matter.

@@ -41,3 +43,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^12]: To scan a filename other than the default filename(`conan.lock`) use [file-patterns](../examples/others.md#file-patterns)
--- a/docs/docs/vulnerability/examples/others.md
+++ b/docs/docs/vulnerability/examples/others.md
@@ -16,6 +16,64 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```

+## Scan Image on a specific Architecture and OS
+
+By default, Trivy loads an image on a "linux/amd64" machine.
+To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
+
+```
+$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
+```
+
+For example:
+
+```
+$ trivy image --platform=linux/arm alpine:3.16.1
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-10-25T21:00:50.972+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    Secret scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-10-25T21:00:50.972+0300    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-10-25T21:00:56.190+0300    INFO    Detected OS: alpine
+2022-10-25T21:00:56.190+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T21:00:56.191+0300    INFO    Number of language-specific files: 0
+
+alpine:3.16.1 (alpine 3.16.1)
+=============================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
+┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ zlib    │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
+│         │                │          │                   │               │ in inflate.c via a...                                       │
+│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
+└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+
+</details>
+
+## File patterns
+When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
+The default file patterns are [here](../../misconfiguration/custom/index.md).
+
+In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
+For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
+
+This can be repeated for specifying multiple file patterns.
+
+A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
+```
+--file-patterns "dockerfile:.*.docker" --file-patterns "yaml:deployment" --file-patterns "pip:requirements-.*\.txt"
+```
+
+For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
+
 ## Exit Code
 By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
 Use the `--exit-code` option if you want to exit with a non-zero exit code.
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,10 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
+This flag is only available with the `--format table` flag.
+
+!!! note
+    Only Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.

 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,9 +63,6 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain

 Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.

-!!! note
-    Only Node.js (package-lock.json) is supported at the moment.
-
 ## JSON

 ```
@@ -273,7 +273,7 @@ The following example shows use of default HTML template when Trivy is installed
 $ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
 ```

-
+[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
 [asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md
--- a/docs/docs/vulnerability/scanning/image.md
+++ b/docs/docs/vulnerability/scanning/image.md
@@ -88,4 +88,3 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

 </details>

-
--- a/docs/docs/vulnerability/scanning/rootfs.md
+++ b/docs/docs/vulnerability/scanning/rootfs.md
@@ -6,7 +6,8 @@ Scan a root filesystem (such as a host machine, a virtual machine image, or an u
 $ trivy rootfs /path/to/rootfs
 ```

-## From Inside Containers
+## Standalone mode
+### From Inside Containers
 Scan your container from inside the container.

 ```bash
@@ -60,6 +61,40 @@ Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)

 </details>

+## Client/Server mode
+You must launch Trivy server in advance.
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy rootfs --server http://localhost:4954 --severity CRITICAL /tmp/rootfs
+```
+
+<details>
+<summary>Result</summary>
+
+```
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+```
+</details>
+
+
+
 ## Other Examples
 - [Embed in Dockerfile][embedding]
 - [Unpacked container image filesystem][unpacked]
--- a/docs/ecosystem/tools.md
+++ b/docs/ecosystem/tools.md
@@ -0,0 +1,93 @@
+#  Tools
+This section includes several tools either added by the core maintainers from Aqua Security or the open source community.
+
+## Official Trivy Tools
+
+### GitHub Actions
+
+| Actions                      | Description                                                    |
+| ---------------------------- | -------------------------------------------------------------- |
+| [trivy-action][trivy-action] | GitHub Actions for integrating Trivy into your GitHub pipeline |
+
+### VSCode Extension
+
+| Orb                | Description                 |
+| ------------------ | --------------------------- |
+| [vs-code][vs-code] | VS Code extension for trivy |
+
+
+### Vim Plugin
+
+| Orb                    | Description          |
+| ---------------------- | -------------------- |
+| [vim-trivy][vim-trivy] | Vim plugin for trivy |
+
+
+### Docker Desktop Extension
+
+| Orb                              | Description                                                                                           |
+| ---------------------------------| ----------------------------------------------------------------------------------------------------- |
+| [docker-desktop][docker-desktop] | Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs |
+
+
+### Azure DevOps Pipelines Task
+
+| Orb                          | Description                                                     |
+| ---------------------------- | --------------------------------------------------------------- |
+| [azure-devops][azure-devops] | An Azure DevOps Pipelines Task for Trivy, with an integrated UI |
+
+
+### Trivy Kubernetes Operator
+
+| Orb                              | Description                              |
+| ---------------------------------| ---------------------------------------- |
+| [trivy-operator][trivy-operator] | Kubernetes Operator for installing Trivy |
+
+
+### Kubernetes Lens Extension
+
+| Orb                          | Description                         |
+| ---------------------------- | ----------------------------------- |
+| [lens-extension][trivy-lens] | Trivy Extension for Kubernetes Lens |
+
+## Community Tools
+
+### GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+### Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+### CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+
+### Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[trivy-action]: https://github.com/aquasecurity/trivy-action
+[vs-code]: https://github.com/aquasecurity/trivy-vscode-extension
+[vim-trivy]: https://github.com/aquasecurity/vim-trivy
+[docker-desktop]: https://github.com/aquasecurity/trivy-docker-extension
+[azure-devops]: https://github.com/aquasecurity/trivy-azure-pipelines-task
+[trivy-operator]: https://github.com/aquasecurity/trivy-operator
+[trivy-lens]: https://github.com/aquasecurity/trivy-operator-lens-extension
--- a/docs/getting-started/further.md
+++ b/docs/getting-started/further.md
@@ -1,32 +0,0 @@
-# Further Reading
-
-## Presentations
- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-  
-## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -1,4 +1,4 @@
-# Installation
+# CLI Installation

 ## RHEL/CentOS

@@ -46,19 +46,11 @@

 ## Arch Linux

-Package trivy-bin can be installed from the Arch User Repository.
+Package trivy can be installed from the Arch Community Package Manager.

-=== "pikaur"
-
-    ``` bash
-    pikaur -Sy trivy-bin
-    ```
-
-=== "yay"
-
-    ``` bash
-    yay -Sy trivy-bin
-    ```
+```bash
+pacman -S trivy
+```

 ## Homebrew

@@ -68,6 +60,16 @@ You can use homebrew on macOS and Linux.
 brew install aquasecurity/trivy/trivy
 ```

+## MacPorts
+
+You can also install `trivy` via [MacPorts](https://www.macports.org) on macOS:
+
+```bash
+sudo port install trivy
+```
+
+More info [here](https://ports.macports.org/port/trivy/).
+
 ## Nix/NixOS

 Direct issues installing `trivy` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)
@@ -108,7 +110,7 @@ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/inst

 ## Binary

-Download the archive file for your operating system/architecture from [here](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}). 
+Download the archive file for your operating system/architecture from [here](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).
 Unpack the archive, and put the binary somewhere in your `$PATH` (on UNIX-y systems, /usr/local/bin or the like).
 Make sure it has execution bits turned on.

@@ -144,14 +146,14 @@ Example:
 === "macOS"

    ``` bash
-    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME
+    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
    ```

 If you would like to scan the image on your host machine, you need to mount `docker.sock`.

 ```bash
 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
+    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
 ```

 Please re-pull latest `aquasec/trivy` if an error occurred.
@@ -193,28 +195,6 @@ The same image is hosted on [Amazon ECR Public][ecr] as well.
 docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }}
 ```

-## Helm
-
-### Installing from the Aqua Chart Repository
-
-```
-helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
-helm repo update
-helm search repo trivy
-helm install my-trivy aquasecurity/trivy
-```
-
-### Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```
-helm install my-release .
-```
-
-The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm]
-section lists the parameters that can be configured during installation.
-
 ### AWS private registry permissions

 You may need to grant permissions to allow trivy to pull images from private registry (AWS ECR).
@@ -248,6 +228,37 @@ podAnnotations: {}

 > **Tip**: List all releases using `helm list`.

+## Other Tools to use and deploy Trivy
+
+For additional tools and ways to install and use Trivy in different envrionments such as in Docker Desktop and Kubernetes clusters, see the links in the [Ecosystem section](../ecosystem/tools.md).
+
+
 [ecr]: https://gallery.ecr.aws/aquasecurity/trivy
 [registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy
 [helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy
+[slack]: https://slack.aquasec.com
+[operator-docs]: https://aquasecurity.github.io/trivy-operator/latest/
+
+[vuln]: ./docs/vulnerability/scanning/index.md
+[misconf]: ./docs/misconfiguration/scanning.md
+[kubernetesoperator]: ./docs/kubernetes/operator/index.md
+[container]: ./docs/vulnerability/scanning/image.md
+[rootfs]: ./docs/vulnerability/scanning/rootfs.md
+[filesystem]: ./docs/vulnerability/scanning/filesystem.md
+[repo]: ./docs/vulnerability/scanning/git-repository.md
+[kubernetes]: ./docs/kubernetes/cli/scanning.md
+
+[standalone]: ./docs/references/modes/standalone.md
+[client-server]: ./docs/references/modes/client-server.md
+[integrations]: ./tutorials/integrations/index.md
+
+[os]: ./docs/vulnerability/detection/os.md
+[lang]: ./docs/vulnerability/detection/language.md
+[builtin]: ./docs/misconfiguration/policy/builtin.md
+[quickstart]: ./getting-started/quickstart.md
+[podman]: ./docs/advanced/container/podman.md
+
+[sbom]: ./docs/sbom/index.md
+
+[oci]: https://github.com/opencontainers/image-spec
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -1,44 +0,0 @@
-# Overview
-
-Trivy detects three types of security issues:
-
- [Vulnerabilities][vuln]
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
- [Misconfigurations][misconf]
-    - Kubernetes
-    - Docker
-    - Terraform
-    - CloudFormation
-    - more coming soon
- [Secrets][secret]
-    - AWS access key
-    - GCP service account
-    - GitHub personal access token
-    - etc.
-
-Trivy can scan three different artifacts:
-
- [Container Images][container]
- [Filesystem][filesystem]
- [Git Repositories][repo]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
-
-[vuln]: ../docs/vulnerability/scanning/index.md
-[os]: ../docs/vulnerability/detection/os.md
-[lang]: ../docs/vulnerability/detection/language.md
-
-[misconf]: ../docs/misconfiguration/scanning.md
-
-[secret]: ../docs/secret/scanning.md
-
-[container]: ../docs/vulnerability/scanning/image.md
-[rootfs]: ../docs/vulnerability/scanning/rootfs.md
-[filesystem]: ../docs/vulnerability/scanning/filesystem.md
-[repo]: ../docs/vulnerability/scanning/git-repository.md
-
-[integrations]: ../docs/integrations/index.md
-
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/getting-started/quickstart.md
+++ b/docs/getting-started/quickstart.md
@@ -1,5 +1,9 @@
 # Quick Start

+## Prerequisites
+
+- Make sure to have the Trivy [CLI installed][installation]
+
 ## Scan image for vulnerabilities and secrets

 Simply specify an image name (and a tag).
@@ -47,7 +51,7 @@ For more details, see [vulnerability][vulnerability] and [secret][secret] pages.

 ## Scan directory for misconfigurations

-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm and Dockerfile.

 ```
 $ trivy config [YOUR_IAC_DIR]
@@ -80,6 +84,7 @@ See https://avd.aquasec.com/misconfig/ds001

 For more details, see [here][misconf].

+[installation]: ./installation.md
 [vulnerability]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [secret]: ../docs/secret/scanning.md
--- a/docs/imgs/Security-Hub.jpeg
+++ b/docs/imgs/Security-Hub.jpeg
--- a/docs/imgs/argocd-ui.png
+++ b/docs/imgs/argocd-ui.png
--- a/docs/imgs/docker-desktop.png
+++ b/docs/imgs/docker-desktop.png
--- a/docs/imgs/trivy-nsa-summary.png
+++ b/docs/imgs/trivy-nsa-summary.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,26 +1,34 @@
 ---
 hide:
- navigation
 - toc
 ---

-![logo](imgs/logo.png){ align=left }
+![logo](imgs/logo.png){ align=right }

-`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive [vulnerability][vulnerability]/[misconfiguration][misconf]/[secret][secret] scanner for containers and other artifacts.
-`Trivy` detects vulnerabilities of [OS packages][os] (Alpine, RHEL, CentOS, etc.) and [language-specific packages][lang] (Bundler, Composer, npm, yarn, etc.).
-In addition, `Trivy` scans [Infrastructure as Code (IaC) files][misconf] such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
-`Trivy` also scans [hardcoded secrets][secret] like passwords, API keys and tokens.
-`Trivy` is easy to use. Just install the binary and you're ready to scan.
-All you need to do for scanning is to specify a target such as an image name of the container.
+Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

-<div style="text-align: center">
-    <img src="imgs/overview.png" width="800">
-</div>
+Trivy has different scanners that look for different security issues, and different targets where it can find those issues.

+Targets:

-<div style="text-align: center; margin-top: 150px">
-    <h1 id="demo">Demo</h1>
-</div>
+- Container Image
+- Filesystem
+- Git repository (remote)
+- Kubernetes cluster or resource
+
+Scanners:
+
+- OS packages and software dependencies in use (SBOM)
+- Known vulnerabilities (CVEs)
+- IaC misconfigurations
+- Sensitive information and secrets
+
+It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
+See [Integrations][integrations] for details.
+
+Much more scanners and targets are coming up. [Join the Slack][slack] channel to stay up to date, ask questions, and let us know what features you would like to see.
+
+Please see [LICENSE][license] for Trivy licensing information.

 <figure style="text-align: center">
  <video width="1000" autoplay muted controls loop>
@@ -41,18 +49,6 @@ All you need to do for scanning is to specify a target such as an image name of
  <figcaption>Demo: Secret Detection</figcaption>
 </figure>

---
-
-Trivy is an [Aqua Security][aquasec] open source project.  
-Learn about our open source work and portfolio [here][oss].  
-Contact us about any matter by opening a GitHub Discussion [here][discussions]
-
-[vulnerability]: docs/vulnerability/scanning/index.md
-[misconf]: docs/misconfiguration/scanning.md
-[secret]: docs/secret/scanning.md
-[os]: docs/vulnerability/detection/os.md
-[lang]: docs/vulnerability/detection/language.md
-
-[aquasec]: https://aquasec.com
-[oss]: https://www.aquasec.com/products/open-source-projects/
-[discussions]: https://github.com/aquasecurity/trivy/discussions
+[integrations]: ./tutorials/integrations/index.md
+[slack]: https://slack.aquasec.com
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/tutorials/additional-resources/cks.md
+++ b/docs/tutorials/additional-resources/cks.md
@@ -1,21 +1,26 @@
 # CKS preparation resources

-Community Resources
+The [Certified Kubernetes Security Specialist (CKS) Exam](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
+
+### Community Resources

 - [Trivy Video overview (short)][overview]
 - [Example questions from the exam][exam]
 - [More example questions][questions]
+- [CKS exam study guide](study-guide)
+- [Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy](https://youtu.be/gHz10UsEdys)

-Aqua Security Blog posts
+### Aqua Security Blog posts to learn more

 - Supply chain security best [practices][supply-chain-best-practices]
 - Supply chain [attacks][supply-chain-attacks]
- 
+
 If you know of interesting resources, please start a PR to add those to the list.

 [overview]: https://youtu.be/2cjH6Zkieys
 [exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a
 [questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md
+[study-guide]: https://devopscube.com/cks-exam-guide-tips/

 [supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices
 [supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images
--- a/docs/tutorials/additional-resources/community.md
+++ b/docs/tutorials/additional-resources/community.md
@@ -0,0 +1,37 @@
+# Community References
+Below is a list of additional resources from the community.
+
+## Vulnderability Scanning
+
+- [Detecting Spring4Shell with Trivy and Grype](https://youtu.be/mOfBcpJWwSs)
+
+## CI/CD Pipelines
+
+- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
+- [Continuous Container Vulnerability Testing with Trivy](https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy)
+- [Getting Started With Trivy and Jenkins](https://youtu.be/MWe01VdwuMA)
+- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
+
+## Misconfiguration Scanning
+
+- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
+- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy)
+
+## SBOM, Attestation & related
+
+- [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
+
+## Trivy Kubernetes
+
+- [Using Trivy Kubernetes in OVHCloud documentation.](https://docs.ovh.com/gb/en/kubernetes/installing-trivy/)
+
+## Comparisons
+
+- [the vulnerability remediation lifecycle of Alpine containers](https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/)
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy](https://boxboat.com/2020/04/24/image-scanning-tech-compared/)
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy](https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/)
+
+### Evaluations
+
+- [Istio evaluating to use Trivy](https://github.com/istio/release-builder/pull/687#issuecomment-874938417)
+- [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)
--- a/docs/tutorials/additional-resources/references.md
+++ b/docs/tutorials/additional-resources/references.md
@@ -0,0 +1,38 @@
+# Additional Resources and Tutorials
+Below is a list of additional resources from Aqua Security.
+
+## Announcements
+
+- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family](https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family)
+- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license)
+
+## Vulnderability Scanning
+
+- [Using Trivy to Discover Vulnerabilities in VS Code Projects](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code)
+- [How does a vulnerability scanner identify packages?](https://youtu.be/PaMnzeHBa8M)
+- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security](https://youtu.be/WKE2XNZ2zr4)
+
+## CI/CD Pipelines
+
+- [DevSecOps with Trivy and GitHub Actions](https://blog.aquasec.com/devsecops-with-trivy-github-actions)
+- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action](https://blog.aquasec.com/github-vulnerability-scanner-trivy)
+
+## Misconfiguration Scanning
+
+- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
+
+## Client/Server
+
+- [Using Trivy in client server mode](https://youtu.be/tNQ-VlahtYM)
+ 
+## Workshops
+
+- [Trivy Live Demo & Q&A](https://youtu.be/6Vw0QgJ-k5o)
+- [First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs](https://youtu.be/nwJ0366rs6s)
+
+
+## Older Resources
+
+- [Webinar: Trivy Open Source Scanner for Container Images – Just Download and Run!](https://youtu.be/XnYxX9uueoQ)
+- [Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard](https://youtu.be/YvMY8to9aHI)
+- [Get started with Kubernetes Security and Starboard](https://youtu.be/QgctrpTpJec)
--- a/docs/tutorials/integrations/aws-codepipeline.md
+++ b/docs/tutorials/integrations/aws-codepipeline.md
--- a/docs/tutorials/integrations/aws-security-hub.md
+++ b/docs/tutorials/integrations/aws-security-hub.md
@@ -0,0 +1,72 @@
+# AWS Security Hub
+
+<img src="../../imgs/Security-Hub.jpeg" alt="security-hub" width=50 height=50 />
+
+## Upload findings to Security Hub
+
+In the following example using the template `asff.tpl`, [ASFF][asff] file can be generated.
+
+```
+$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
+
+The Product [ARN][arn] field follows the pattern below to match what AWS requires for the [product resource type][resource-type].
+
+{% raw %}
+```
+"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+```
+{% endraw %}
+
+In order to upload results you must first run [enable-import-findings-for-product][enable] like:
+
+```
+aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity
+```
+
+The findings are [formatted for the API][asff-syntax] with a key of `Findings` and a value of the array of findings.
+In order to upload via the CLI the outer wrapping must be removed being left with only the array of findings.
+The easiest way of doing this is with the [jq library][jq] using the command 
+
+```
+cat report.asff | jq '.Findings'
+```
+
+Then, you can upload it with AWS CLI.
+
+```
+$ aws securityhub batch-import-findings --findings file://report.asff
+```
+
+### Note
+
+The [batch-import-findings][batch-import-findings] command limits the number of findings uploaded to 100 per request.
+The best known workaround to this problem is using [jq][jq] to run the following command
+
+```
+jq '.[:100]' report.asff 1> short_report.asff
+```
+
+## Customize
+You can customize [asff.tpl][asff.tpl]
+
+```
+$ export AWS_REGION=us-west-1
+$ export AWS_ACCOUNT_ID=123456789012
+$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+## Reference
+https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
+
+[asff]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
+[asff-syntax]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html
+[arn]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+[resource-type]: https://github.com/awsdocs/aws-security-hub-user-guide/blob/master/doc_source/securityhub-partner-providers.md#aqua-security--aqua-cloud-native-security-platform-sends-findings
+[enable]: https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-import-findings-for-product.html
+[batch-import-findings]: https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-import-findings.html#options
+[asff.tpl]: https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl
+
+[jq]: https://stedolan.github.io/jq/
--- a/docs/tutorials/integrations/azure-devops.md
+++ b/docs/tutorials/integrations/azure-devops.md
@@ -0,0 +1,22 @@
+# Azure Devops
+
+- Here is the [Azure DevOps Pipelines Task for Trivy][action]
+
+![trivy-azure](https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/screenshot.png?raw=true)
+
+### [Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster][azure2]
+
+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
+
+ Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged. An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
+### [Microsoft Defender for container registries and Trivy][azure]
+
+This blog explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
+
+To set up the scanner, you'll need to enable Microsoft Defender for Containers and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
+
+The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy
+
+[action]: https://github.com/aquasecurity/trivy-azure-pipelines-task
+[azure]: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd
+[azure2]: https://docs.microsoft.com/en-us/azure/aks/image-cleaner?tabs=azure-cli
--- a/docs/tutorials/integrations/bitbucket.md
+++ b/docs/tutorials/integrations/bitbucket.md
--- a/docs/tutorials/integrations/circleci.md
+++ b/docs/tutorials/integrations/circleci.md
--- a/docs/tutorials/integrations/github-actions.md
+++ b/docs/tutorials/integrations/github-actions.md
--- a/docs/tutorials/integrations/gitlab-ci.md
+++ b/docs/tutorials/integrations/gitlab-ci.md
--- a/docs/tutorials/integrations/index.md
+++ b/docs/tutorials/integrations/index.md
--- a/docs/tutorials/integrations/travis-ci.md
+++ b/docs/tutorials/integrations/travis-ci.md
--- a/docs/tutorials/kubernetes/cluster-scanning.md
+++ b/docs/tutorials/kubernetes/cluster-scanning.md
@@ -0,0 +1,120 @@
+# Kubernetes Scanning Tutorial
+
+## Prerequisites 
+
+To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster.  
+ 
+Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster. 
+
+## Cluster Scanning
+
+Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.  
+
+The Trivy K8s command is part of the Trivy CLI: 
+
+
+With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan: 
+
+```
+trivy k8s --report=summary 
+```
+
+To get detailed information for all your resources, just replace ‘summary’ with ‘all’: 
+
+```
+trivy k8s --report=all 
+```
+
+However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details. 
+
+Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result: 
+
+```
+trivy k8s -n kube-system --report=summary 
+```
+
+Again, if you’d like to receive additional details, use the ‘--report=all’ flag: 
+
+```
+trivy k8s -n kube-system --report=all 
+```
+
+Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities: 
+
+```
+trivy k8s --severity=CRITICAL --report=summary 
+```
+
+Note that you can use any of the Trivy flags on the Trivy K8s command. 
+
+With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment: 
+
+```
+trivy k8s –n app --report=summary deployments/react-application
+```
+
+## Trivy Operator 
+
+The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.  
+
+The Trivy Operator follows the Kubernetes Operator Model. Operators automate human actions, and the result of the task is saved as custom resource definitions (CRDs) within your cluster. 
+
+This has several benefits: 
+
+- Trivy Operator is installed CRDs in our cluster. As a result, all our resources, including our security scanner and its scan results, are Kubernetes resources. This makes it much easier to integrate the Trivy Operator directly into our existing processes, such as connecting Trivy with Prometheus, a monitoring system. 
+
+- The Trivy Operator will automatically scan your resources every six hours. You can set up automatic alerting in case new critical security issues are discovered. 
+
+- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. 
+
+ 
+There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/kubernetes/operator/index.md)
+
+Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/)
+Next, run the following commands.
+
+First, we are going to add the Aqua Security Helm repository to our Helm repository list:
+```
+helm repo add aqua https://aquasecurity.github.io/helm-charts/
+```
+
+Then, we will update all of our Helm repositories. Even if you have just added a new repository to your existing charts, this is generally good practice to have access to the latest changes:
+```
+helm repo update
+```
+
+Lastly, we can install the Trivy operator Helm Chart to our cluster:
+```
+helm install trivy-operator aqua/trivy-operator \
+   --namespace trivy-system \
+   --create-namespace \
+   --set="trivy.ignoreUnfixed=true" \
+   --version v0.0.3
+```
+
+You can make sure that the operator is installed correctly via the following command: 
+```
+kubectl get deployment -n trivy-system 
+```
+
+Trivy will automatically start scanning your Kubernetes resources. 
+For instance, you can view vulnerability reports with the following command: 
+
+```
+kubectl get vulnerabilityreports --all-namespaces -o wide 
+```
+
+And then you can access the details of a security scan: 
+```
+kubectl describe  vulnerabilityreports <name of one of the above reports> 
+```
+
+The same process can be applied to access Configauditreports: 
+
+```
+kubectl get configauditreports --all-namespaces -o wide 
+```
+
+
+ 
+
--- a/docs/tutorials/kubernetes/gitops.md
+++ b/docs/tutorials/kubernetes/gitops.md
@@ -0,0 +1,125 @@
+# Installing the Trivy-Operator through GitOps
+
+This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD.
+
+## ArgoCD
+
+Make sure to have [ArgoCD installed](https://argo-cd.readthedocs.io/en/stable/getting_started/) and running in your Kubernetes cluster.
+
+You can either deploy the Trivy Operator through the argocd CLI or by applying a Kubernetes manifest.
+
+ArgoCD command:
+```
+> kubectl create ns trivy-system
+> argocd app create trivy-operator --repo https://github.com/aquasecurity/trivy-operator --path deploy/helm --dest-server https://kubernetes.default.svc --dest-namespace trivy-system
+```
+Note that this installation is directly related to our official Helm Chart. If you want to change any of the value, we'd suggest you to create a separate values.yaml file.
+
+Kubernetes manifest `trivy-operator.yaml`:
+```
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: trivy-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    chart: trivy-operator
+    repoURL: https://aquasecurity.github.io/helm-charts/
+    targetRevision: 0.0.3
+    helm:
+      values: |
+        trivy:
+          ignoreUnfixed: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+```
+
+The apply the Kubernetes manifest. If you have the manifest locally, you can use the following command through kubectl:
+```
+> kubectl apply -f trivy-operator.yaml
+
+application.argoproj.io/trivy-operator created
+```
+
+If you have the manifest in a Git repository, you can apply it to your cluster through the following command:
+```
+> kubectl apply -n argocd -f https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml
+```
+The latter command would allow you to make changes to the YAML manifest that ArgoCD would register automatically.
+
+Once deployed, you want to tell ArgoCD to sync the application from the actual state to the desired state:
+```
+argocd app sync trivy-operator
+```
+
+Now you can see the deployment in the ArgoCD UI. Have a look at the ArgoCD documentation to know how to access the UI.
+
+![ArgoCD UI after deploying the Trivy Operator](../../imgs/argocd-ui.png)
+
+Note that ArgoCD is unable to show the Trivy CRDs as synced.
+
+
+## FluxCD
+
+Make sure to have [FluxCD installed](https://fluxcd.io/docs/installation/#install-the-flux-cli) and running in your Kubernetes cluster.
+
+You can either deploy the Trivy Operator through the Flux CLI or by applying a Kubernetes manifest.
+
+Flux command:
+```
+> kubectl create ns trivy-system
+> flux create source helm trivy-operator --url https://aquasecurity.github.io/helm-charts --namespace trivy-system
+> flux create helmrelease trivy-operator --chart trivy-operator
+  --source HelmRepository/trivy-operator
+  --chart-version 0.0.3
+  --namespace trivy-system
+```
+
+Kubernetes manifest `trivy-operator.yaml`:
+```
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: trivy-operator
+  namespace: flux-system
+spec:
+  interval: 60m
+  url: https://aquasecurity.github.io/helm-charts/
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: trivy-operator
+  namespace: trivy-system
+spec:
+  chart:
+    spec:
+      chart: trivy-operator
+      sourceRef:
+        kind: HelmRepository
+        name: trivy-operator
+				namespace: flux-system
+      version: 0.0.5
+  interval: 60m
+```
+
+You can then apply the file to your Kubernetes cluster:
+```
+kubectl apply -f trivy-operator.yaml
+```
+
+## After the installation
+
+After the install, you want to check that the Trivy operator is running in the trivy-system namespace:
+```
+kubectl get deployment -n trivy-system
+```
+
--- a/docs/tutorials/kubernetes/kyverno.md
+++ b/docs/tutorials/kubernetes/kyverno.md
@@ -0,0 +1,114 @@
+# Attesting Image Scans With Kyverno
+
+This tutorial is based on the following blog post by Chip Zoller: [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
+
+This tutorial details 
+
+- Verify the container image has an attestation with Kyverno
+
+### Prerequisites
+1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
+2. A running Kubernetes cluster that kubectl is connected to
+
+### Kyverno Policy to check attestation
+
+The following policy ensures that the attestation is no older than 168h:
+
+vuln-attestation.yaml
+
+{% raw %}
+
+```bash
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-vulnerabilities
+spec:
+  validationFailureAction: enforce
+  webhookTimeoutSeconds: 10
+  failurePolicy: Fail
+  rules:
+    - name: not-older-than-one-week
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "CONTAINER-REGISTRY/*:*"
+        attestations:
+        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
+          conditions:
+          - all:
+            - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
+              operator: LessThanOrEquals
+              value: "168h"
+```
+
+{% endraw %}
+
+### Apply the policy to your Kubernetes cluster
+
+Ensure that you have Kyverno already deployed and running on your cluster -- for instance throught he Kyverno Helm Chart.
+
+Next, apply the above policy:
+```
+kubectl apply -f vuln-attestation.yaml
+```
+
+To ensure that the policy worked, we can deploye an example deployment file with our container image:
+
+deployment.yaml
+```
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cns-website
+  namespace: app
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      run: cns-website
+  template:
+    metadata:
+      labels:
+        run: cns-website
+    spec:
+      containers:
+      - name: cns-website
+        image: docker.io/anaisurlichs/cns-website:0.0.6
+        ports:
+          - containerPort: 80
+        imagePullPolicy: Always
+        resources:
+          limits:
+            memory: 512Mi
+            cpu: 200m
+        securityContext:
+          allowPrivilegeEscalation: false
+```
+
+Once we apply the deployment, it should pass since our attestation is available:
+```
+kubectl apply -f deployment.yaml -n app
+deployment.apps/cns-website created
+```
+
+However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with `docker.io/anaisurlichs/cns-website:0.0.5` and applying the deployment:
+```
+kubectl apply -f deployment-two.yaml
+
+Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
+Name: "cns-website", Namespace: "app"
+for: "deployment-two.yaml": admission webhook "mutate.kyverno.svc-fail" denied the request: 
+
+resource Deployment/app/cns-website was blocked due to the following policies
+
+check-image:
+  autogen-check-image: |
+    failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures:
+```
+
+[vuln-attestation]: ../signing/vuln-attestation.md
--- a/docs/tutorials/overview.md
+++ b/docs/tutorials/overview.md
@@ -0,0 +1,27 @@
+# Tutorials
+
+Tutorials are a great way to learn about use cases and integrations. We highly encourage community members to share their Trivy use cases with us in the documentation.
+
+There are two ways to contributor to the tutorials section
+
+1. If you are creating any external content on Trivy, we would love to have it as part of our list of [external community resources][community-resources]
+2. If you are creating an end-to-end tutorial on a specific Trivy use-case, we would love to feature it in our tutorial section. Read below how you can contribute tutorials to the docs.
+
+## Process for adding new tutorials
+
+Requirements
+- The tutorial has to provide an end-to-end set of instructions
+- Ideally, tutorials should focus on a specific use case
+- If the tutorial is featuring other tools, those should be open source, too
+- Make sure to describe the expected outcome after each instruction
+
+**Tip:** Make sure that your tutorial is concise about a specific use case or integration. 
+
+How to add a tutorial
+
+1. Simply create a new `.md` file in the tutorials folder of the docs
+2. Add your content 
+3. Create a new index in the mkdocs.yaml file which is in the [root directory](https://github.com/aquasecurity/trivy) of the repository
+4. Create a PR
+
+[community-resources]: additional-resources/community.md
--- a/docs/tutorials/signing/vuln-attestation.md
+++ b/docs/tutorials/signing/vuln-attestation.md
@@ -0,0 +1,36 @@
+# Vulnerability Scan Record Attestation
+
+This tutorial details 
+
+- Scan your container image for vulnerabilities
+- Generate an attestation with Cosign
+
+#### Prerequisites
+
+1. Trivy CLI installed
+2. Cosign installed 
+
+#### Scan Container Image for vulnerabilities
+
+Scan your container image for vulnerabilities and save the scan result to a scan.json file:
+```
+trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6
+```
+
+* --ignore-unfixed: Ensures that only the vulnerabilities are displayed that have a already a fix available
+* --output scan.json: The scan output is scaved to a scan.json file instead of being displayed in the terminal.
+
+Note: Replace the container image with the container image that you would like to scan.
+
+#### Attestation of the vulnerability scan with Cosign
+
+The following command generates an attestation for the vulnerability scan and uploads it to our container image:
+```
+cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6
+```
+
+Note: Replace the container image with the container image that you would like to scan.
+
+See [here][vuln-attestation] for more details.
+
+[vuln-attestation]: ../../docs/attestation/vuln.md
--- a/examples/misconf/go-testing/go.sum
+++ b/examples/misconf/go-testing/go.sum
@@ -694,9 +694,6 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/liamg/clinch v1.5.6/go.mod h1:IXM+nLBuZ5sOQAYYf9+G51nkaA0WY9cszxE5nPXexhE=
-github.com/liamg/tml v0.3.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
-github.com/liamg/tml v0.4.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
--- a/examples/module/spring4shell/spring4shell.go
+++ b/examples/module/spring4shell/spring4shell.go
@@ -138,88 +138,90 @@ func (Spring4Shell) PostScanSpec() serialize.PostScanSpec {
 //
 // Example input:
 // [
-//  {
-//    "Target": "",
-//    "Class": "custom",
-//    "CustomResources": [
-//      {
-//        "Type": "spring4shell/java-major-version",
-//        "FilePath": "/usr/local/openjdk-8/release",
-//        "Layer": {
-//          "Digest": "sha256:d7b564a873af313eb2dbcb1ed0d393c57543e3666bdedcbe5d75841d72b1f791",
-//          "DiffID": "sha256:ba40706eccba610401e4942e29f50bdf36807f8638942ce20805b359ae3ac1c1"
-//        },
-//        "Data": "1.8.0_322"
-//      },
-//      {
-//        "Type": "spring4shell/tomcat-version",
-//        "FilePath": "/usr/local/tomcat/RELEASE-NOTES",
-//        "Layer": {
-//          "Digest": "sha256:59c0978ccb117247fd40d936973c40df89195f60466118c5acc6a55f8ba29f06",
-//          "DiffID": "sha256:85595543df2b1115a18284a8ef62d0b235c4bc29e3d33b55f89b54ee1eadf4c6"
-//        },
-//        "Data": "8.5.77"
-//      }
-//    ]
-//  },
-//  {
-//    "Target": "Java",
-//    "Class": "lang-pkgs",
-//    "Type": "jar",
-//    "Vulnerabilities": [
-//      {
-//        "VulnerabilityID": "CVE-2022-22965",
-//        "PkgName": "org.springframework.boot:spring-boot",
-//        "PkgPath": "usr/local/tomcat/webapps/helloworld.war",
-//        "InstalledVersion": "2.6.3",
-//        "FixedVersion": "2.5.12, 2.6.6",
-//        "Layer": {
-//          "Digest": "sha256:cc44af318e91e6f9f9bf73793fa4f0639487613f46aa1f819b02b6e8fb5c6c07",
-//          "DiffID": "sha256:eb769943b91f10a0418f2fc3b4a4fde6c6293be60c37293fcc0fa319edaf27a5"
-//        },
-//        "SeveritySource": "nvd",
-//        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-22965",
-//        "DataSource": {
-//          "ID": "glad",
-//          "Name": "GitLab Advisory Database Community",
-//          "URL": "https://gitlab.com/gitlab-org/advisories-community"
-//        },
-//        "Title": "spring-framework: RCE via Data Binding on JDK 9+",
-//        "Description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.",
-//        "Severity": "CRITICAL",
-//        "CweIDs": [
-//          "CWE-94"
-//        ],
-//        "VendorSeverity": {
-//          "ghsa": 4,
-//          "nvd": 4,
-//          "redhat": 3
-//        },
-//        "CVSS": {
-//          "ghsa": {
-//            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-//            "V3Score": 9.8
-//          },
-//          "nvd": {
-//            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-//            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-//            "V2Score": 7.5,
-//            "V3Score": 9.8
-//          },
-//          "redhat": {
-//            "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
-//            "V3Score": 8.1
-//          }
-//        },
-//        "References": [
-//          "https://github.com/advisories/GHSA-36p3-wjmg-h94x"
-//        ],
-//        "PublishedDate": "2022-04-01T23:15:00Z",
-//        "LastModifiedDate": "2022-05-19T14:21:00Z"
-//      }
-//    ]
-//  }
-//]
+//
+//	{
+//	  "Target": "",
+//	  "Class": "custom",
+//	  "CustomResources": [
+//	    {
+//	      "Type": "spring4shell/java-major-version",
+//	      "FilePath": "/usr/local/openjdk-8/release",
+//	      "Layer": {
+//	        "Digest": "sha256:d7b564a873af313eb2dbcb1ed0d393c57543e3666bdedcbe5d75841d72b1f791",
+//	        "DiffID": "sha256:ba40706eccba610401e4942e29f50bdf36807f8638942ce20805b359ae3ac1c1"
+//	      },
+//	      "Data": "1.8.0_322"
+//	    },
+//	    {
+//	      "Type": "spring4shell/tomcat-version",
+//	      "FilePath": "/usr/local/tomcat/RELEASE-NOTES",
+//	      "Layer": {
+//	        "Digest": "sha256:59c0978ccb117247fd40d936973c40df89195f60466118c5acc6a55f8ba29f06",
+//	        "DiffID": "sha256:85595543df2b1115a18284a8ef62d0b235c4bc29e3d33b55f89b54ee1eadf4c6"
+//	      },
+//	      "Data": "8.5.77"
+//	    }
+//	  ]
+//	},
+//	{
+//	  "Target": "Java",
+//	  "Class": "lang-pkgs",
+//	  "Type": "jar",
+//	  "Vulnerabilities": [
+//	    {
+//	      "VulnerabilityID": "CVE-2022-22965",
+//	      "PkgName": "org.springframework.boot:spring-boot",
+//	      "PkgPath": "usr/local/tomcat/webapps/helloworld.war",
+//	      "InstalledVersion": "2.6.3",
+//	      "FixedVersion": "2.5.12, 2.6.6",
+//	      "Layer": {
+//	        "Digest": "sha256:cc44af318e91e6f9f9bf73793fa4f0639487613f46aa1f819b02b6e8fb5c6c07",
+//	        "DiffID": "sha256:eb769943b91f10a0418f2fc3b4a4fde6c6293be60c37293fcc0fa319edaf27a5"
+//	      },
+//	      "SeveritySource": "nvd",
+//	      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-22965",
+//	      "DataSource": {
+//	        "ID": "glad",
+//	        "Name": "GitLab Advisory Database Community",
+//	        "URL": "https://gitlab.com/gitlab-org/advisories-community"
+//	      },
+//	      "Title": "spring-framework: RCE via Data Binding on JDK 9+",
+//	      "Description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.",
+//	      "Severity": "CRITICAL",
+//	      "CweIDs": [
+//	        "CWE-94"
+//	      ],
+//	      "VendorSeverity": {
+//	        "ghsa": 4,
+//	        "nvd": 4,
+//	        "redhat": 3
+//	      },
+//	      "CVSS": {
+//	        "ghsa": {
+//	          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+//	          "V3Score": 9.8
+//	        },
+//	        "nvd": {
+//	          "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+//	          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+//	          "V2Score": 7.5,
+//	          "V3Score": 9.8
+//	        },
+//	        "redhat": {
+//	          "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+//	          "V3Score": 8.1
+//	        }
+//	      },
+//	      "References": [
+//	        "https://github.com/advisories/GHSA-36p3-wjmg-h94x"
+//	      ],
+//	      "PublishedDate": "2022-04-01T23:15:00Z",
+//	      "LastModifiedDate": "2022-05-19T14:21:00Z"
+//	    }
+//	  ]
+//	}
+//
+// ]
 func (Spring4Shell) PostScan(results serialize.Results) (serialize.Results, error) {
 	var javaMajorVersion int
 	var tomcatVersion string
--- a/go.mod
+++ b/go.mod
@@ -1,136 +1,158 @@
 module github.com/aquasecurity/trivy

-go 1.18
+go 1.19

 require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.22.0
+	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86
+	github.com/aquasecurity/defsec v0.82.0
+	github.com/aquasecurity/go-dep-parser v0.0.0-20221024082335-60502daef4ba
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/table v1.7.2
+	github.com/aquasecurity/loading v0.0.5
+	github.com/aquasecurity/memoryfs v1.4.4
+	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
+	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220727123250-2cfd49c5b6c3
-	github.com/aws/aws-sdk-go-v2 v1.16.8
-	github.com/aws/aws-sdk-go-v2/config v1.15.15
-	github.com/aws/aws-sdk-go-v2/service/sts v1.16.10
-	github.com/caarlos0/env/v6 v6.9.3
+	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20221021174315-8d74450b4506
+	github.com/aws/aws-sdk-go v1.44.114
+	github.com/aws/aws-sdk-go-v2 v1.16.16
+	github.com/aws/aws-sdk-go-v2/config v1.17.8
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19
+	github.com/caarlos0/env/v6 v6.10.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.0
-	github.com/containerd/containerd v1.6.6
-	github.com/docker/docker v20.10.17+incompatible
+	github.com/containerd/containerd v1.6.8
+	github.com/docker/docker v20.10.20+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.13.0
 	github.com/go-enry/go-license-detector/v4 v4.3.0
+	github.com/go-openapi/runtime v0.24.1
+	github.com/go-openapi/strfmt v0.21.3
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
+	github.com/google/go-containerregistry v0.12.0
 	github.com/google/licenseclassifier/v2 v2.0.0-pre6
 	github.com/google/uuid v1.3.0
 	github.com/google/wire v0.5.0
 	github.com/hashicorp/go-getter v1.6.2
-	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
+	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/kylelemons/godebug v1.1.0
-	github.com/liamg/loading v0.0.4
-	github.com/liamg/memoryfs v1.4.2
-	github.com/liamg/tml v0.6.0
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.43.0
+	github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15
 	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
-	github.com/samber/lo v1.27.0
+	github.com/samber/lo v1.28.2
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0
+	github.com/sigstore/rekor v1.0.0
 	github.com/sosedoff/gitkit v0.3.0
-	github.com/spf13/cobra v1.5.0
+	github.com/spf13/cobra v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.12.0
+	github.com/spf13/viper v1.13.0
 	github.com/stretchr/testify v1.8.0
 	github.com/testcontainers/testcontainers-go v0.13.0
-	github.com/tetratelabs/wazero v0.0.0-20220701105919-891761ac1ee2
+	github.com/tetratelabs/wazero v1.0.0-pre.2
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xlab/treeprint v1.1.0
 	go.etcd.io/bbolt v1.3.6
-	go.uber.org/zap v1.21.0
-	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
-	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df
+	go.uber.org/zap v1.23.0
+	golang.org/x/exp v0.0.0-20220823124025-807a23277127
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
+	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
 )

 require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.12.10 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/athena v1.18.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.19.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.51.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.12 // indirect
-	github.com/aws/aws-sdk-go-v2/service/efs v1.17.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/eks v1.21.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/emr v1.20.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/iam v1.18.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.18.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lambda v1.23.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/mq v1.13.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/rds v1.23.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sns v1.17.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.0 // indirect
-	github.com/aws/smithy-go v1.12.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.18.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.21.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.17.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.18.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/mq v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.18.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.23.0 // indirect
+	github.com/aws/smithy-go v1.13.3 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.20.3 // indirect
+	github.com/go-openapi/loads v0.21.2 // indirect
+	github.com/go-openapi/spec v0.20.7 // indirect
+	github.com/go-openapi/validate v0.22.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
+	github.com/googleapis/go-type-adapters v1.0.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/liamg/iamgo v0.0.9 // indirect
+	github.com/liamg/jfather v0.0.7 // indirect
+	github.com/liamg/memoryfs v1.4.3 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	go.mongodb.org/mongo-driver v1.10.0 // indirect
 	gonum.org/v1/gonum v0.7.0 // indirect
 )

 require (
-	cloud.google.com/go v0.100.2 // indirect
-	cloud.google.com/go/compute v1.6.1 // indirect
+	cloud.google.com/go v0.103.0 // indirect
+	cloud.google.com/go/compute v1.10.0 // indirect
 	cloud.google.com/go/iam v0.3.0 // indirect
-	cloud.google.com/go/storage v1.14.0 // indirect
+	cloud.google.com/go/storage v1.23.0 // indirect
 	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -143,39 +165,34 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
-	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/squirrel v1.5.3 // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.9.3 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/hcsshim v0.9.4 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/VividCortex/ewma v1.1.1 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/agnivade/levenshtein v1.0.1 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.71.5
-	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/aws/aws-sdk-go v1.44.66
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/briandowns/spinner v1.12.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/containerd/cgroups v1.0.4 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
 	github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
@@ -184,15 +201,15 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v20.10.17+incompatible // indirect
+	github.com/docker/cli v20.10.20+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ekzhu/minhash-lsh v0.0.0-20171225071031-5c06ee8586a1 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
@@ -203,8 +220,8 @@ require (
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.8.2 // indirect
 	github.com/gofrs/uuid v4.0.0+incompatible // indirect
@@ -214,10 +231,10 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -228,11 +245,11 @@ require (
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.14.1 // indirect
 	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -241,13 +258,11 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/klauspost/compress v1.15.6 // indirect
+	github.com/klauspost/compress v1.15.11 // indirect
 	github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
 	github.com/knqyf263/nested v0.0.1
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/liamg/iamgo v0.0.9 // indirect
-	github.com/liamg/jfather v0.0.7 // indirect
 	github.com/lib/pq v1.10.6 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
@@ -255,14 +270,14 @@ require (
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/microsoft/go-rustaudit v0.0.0-20220805122630-097fff025e34 // indirect
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/buildkit v0.10.3
+	github.com/moby/buildkit v0.10.4
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/sys/mount v0.3.3 // indirect
@@ -272,12 +287,12 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
+	github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
+	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/opencontainers/runc v1.1.3 // indirect
 	github.com/opencontainers/runtime-spec v1.0.3-0.20220311020903-6969a0a09ab1 // indirect
 	github.com/opencontainers/selinux v1.10.1 // indirect
@@ -286,14 +301,14 @@ require (
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.12.2 // indirect
+	github.com/prometheus/client_golang v1.13.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/rubenv/sql-migrate v1.1.1 // indirect
+	github.com/rubenv/sql-migrate v1.1.2 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
 	github.com/sergi/go-diff v1.1.0 // indirect
@@ -305,10 +320,9 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/stretchr/objx v0.4.0 // indirect
-	github.com/subosito/gotenv v1.4.0 // indirect
-	github.com/ulikunitz/xz v0.5.8 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vektah/gqlparser/v2 v2.4.6 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -319,42 +333,42 @@ require (
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
-	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
-	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
-	golang.org/x/text v0.3.7
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
+	golang.org/x/crypto v0.1.0
+	golang.org/x/mod v0.6.0
+	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/oauth2 v0.1.0 // indirect
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/term v0.1.0
+	golang.org/x/text v0.4.0
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
-	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
-	google.golang.org/api v0.81.0 // indirect
+	golang.org/x/tools v0.2.0 // indirect
+	google.golang.org/api v0.98.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
-	google.golang.org/grpc v1.48.0 // indirect
+	google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 // indirect
+	google.golang.org/grpc v1.50.1 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools v2.2.0+incompatible
 	gotest.tools/v3 v3.2.0 // indirect
-	helm.sh/helm/v3 v3.9.2 // indirect
-	k8s.io/api v0.25.0-alpha.2 // indirect
-	k8s.io/apiextensions-apiserver v0.24.2 // indirect
-	k8s.io/apimachinery v0.25.0-alpha.2 // indirect
-	k8s.io/apiserver v0.24.2 // indirect
-	k8s.io/cli-runtime v0.24.3 // indirect
-	k8s.io/client-go v0.25.0-alpha.2 // indirect
-	k8s.io/component-base v0.24.3 // indirect
-	k8s.io/klog/v2 v2.70.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20220603121420-31174f50af60 // indirect
-	k8s.io/kubectl v0.24.3 // indirect
+	helm.sh/helm/v3 v3.10.0 // indirect
+	k8s.io/api v0.25.3 // indirect
+	k8s.io/apiextensions-apiserver v0.25.0 // indirect
+	k8s.io/apimachinery v0.25.3 // indirect
+	k8s.io/apiserver v0.25.0 // indirect
+	k8s.io/cli-runtime v0.25.3 // indirect
+	k8s.io/client-go v0.25.3 // indirect
+	k8s.io/component-base v0.25.3 // indirect
+	k8s.io/klog/v2 v2.70.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	k8s.io/kubectl v0.25.3 // indirect
 	lukechampine.com/uint128 v1.1.1 // indirect
 	modernc.org/cc/v3 v3.36.0 // indirect
 	modernc.org/ccgo/v3 v3.16.6 // indirect
@@ -366,10 +380,10 @@ require (
 	modernc.org/strutil v1.1.1 // indirect
 	modernc.org/token v1.0.0 // indirect
 	oras.land/oras-go v1.2.0 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/kustomize/api v0.11.4 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/kustomize/api v0.12.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )

--- a/go.sum
+++ b/go.sum
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -235,6 +235,21 @@ docker_manifests:
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le'

+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args:
+    - "sign-blob"
+    - "--oidc-issuer=https://token.actions.githubusercontent.com"
+    - "--output-certificate=${certificate}"
+    - "--output-signature=${signature}"
+    - "${artifact}"
+  artifacts: all
+  output: true
+
 docker_signs:
 - cmd: cosign
  env:
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -72,6 +72,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.dbRepository`                  | OCI repository to retrieve the trivy vulnerability database from        | `ghcr.io/aquasecurity/trivy-db`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
+| `trivy.cache.redis.ttl`               | Specify redis TTL, e.g. 3600s or 24h                                    | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
 | `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -9,6 +9,7 @@ data:
  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
 {{- if .Values.trivy.cache.redis.enabled }}
  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+  TRIVY_CACHE_TTL: {{ .Values.trivy.cache.redis.ttl | quote }}
 {{- end }}
  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -28,7 +28,7 @@ resources:

 rbac:
  create: true
-  pspEnabled: true
+  pspEnabled: false

 podSecurityContext:
  runAsUser: 65534
@@ -113,6 +113,7 @@ trivy:
    redis:
      enabled: false
      url: ""  # e.g. redis://redis.redis.svc:6379
+      ttl: ""  # e.g 3600s, 24h
  serviceAccount:
    annotations: {}
      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -12,10 +12,9 @@ import (
 	"testing"
 	"time"

-	"github.com/samber/lo"
-
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
@@ -37,6 +36,7 @@ type csArgs struct {
 	ClientTokenHeader string
 	ListAllPackages   bool
 	Target            string
+	secretConfig      string
 }

 func TestClientServer(t *testing.T) {
@@ -238,6 +238,16 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/pom.json.golden",
 		},
+		{
+			name: "scan sample.pem with fs command in client/server mode",
+			args: csArgs{
+				Command:          "fs",
+				RemoteAddrOption: "--server",
+				secretConfig:     "testdata/fixtures/fs/secrets/trivy-secret.yaml",
+				Target:           "testdata/fixtures/fs/secrets/",
+			},
+			golden: "testdata/secrets.json.golden",
+		},
 	}

 	addr, cacheDir := setup(t, setupOptions{})
@@ -246,6 +256,10 @@ func TestClientServer(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)

+			if c.args.secretConfig != "" {
+				osArgs = append(osArgs, "--secret-config", c.args.secretConfig)
+			}
+
 			//
 			err := execute(osArgs)
 			require.NoError(t, err)
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -11,7 +11,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/docker/docker/api/types"
+	api "github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -213,7 +213,7 @@ func TestDockerEngine(t *testing.T) {
 				require.NoError(t, err, tt.name)

 				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
+				_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
 					Force:         true,
 					PruneChildren: true,
 				})
@@ -264,11 +264,11 @@ func TestDockerEngine(t *testing.T) {
 			compareReports(t, tt.golden, output)

 			// cleanup
-			_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -26,6 +26,8 @@ func TestFilesystem(t *testing.T) {
 		filePatterns   []string
 		helmSet        []string
 		helmValuesFile []string
+		skipFiles      []string
+		skipDirs       []string
 	}
 	tests := []struct {
 		name   string
@@ -40,14 +42,42 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/gomod.json.golden",
 		},
+		{
+			name: "gomod with skip files",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/gomod",
+				skipFiles:      []string{"/testdata/fixtures/fs/gomod/submod2/go.mod"},
+			},
+			golden: "testdata/gomod-skip.json.golden",
+		},
+		{
+			name: "gomod with skip dirs",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/gomod",
+				skipDirs:       []string{"/testdata/fixtures/fs/gomod/submod2"},
+			},
+			golden: "testdata/gomod-skip.json.golden",
+		},
 		{
 			name: "nodejs",
 			args: args{
 				securityChecks: "vuln",
 				input:          "testdata/fixtures/fs/nodejs",
+				listAllPkgs:    true,
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "yarn",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/yarn",
+				listAllPkgs:    true,
+			},
+			golden: "testdata/yarn.json.golden",
+		},
 		{
 			name: "pnpm",
 			args: args{
@@ -73,6 +103,23 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/pom.json.golden",
 		},
+		{
+			name: "gradle",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/gradle",
+			},
+			golden: "testdata/gradle.json.golden",
+		},
+		{
+			name: "conan",
+			args: args{
+				securityChecks: "vuln",
+				listAllPkgs:    true,
+				input:          "testdata/fixtures/fs/conan",
+			},
+			golden: "testdata/conan.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -227,6 +274,18 @@ func TestFilesystem(t *testing.T) {
 				}
 			}

+			if len(tt.args.skipFiles) != 0 {
+				for _, skipFile := range tt.args.skipFiles {
+					osArgs = append(osArgs, "--skip-files", skipFile)
+				}
+			}
+
+			if len(tt.args.skipDirs) != 0 {
+				for _, skipDir := range tt.args.skipDirs {
+					osArgs = append(osArgs, "--skip-dirs", skipDir)
+				}
+			}
+
 			// Setup the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -103,7 +103,6 @@ func readReport(t *testing.T, filePath string) types.Report {

 	// We don't compare repo tags because the archive doesn't support it
 	report.Metadata.RepoTags = nil
-
 	report.Metadata.RepoDigests = nil

 	for i, result := range report.Results {
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -8,23 +8,28 @@ import (
 	"testing"

 	cdx "github.com/CycloneDX/cyclonedx-go"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/types"
 )

-func TestCycloneDX(t *testing.T) {
+func TestSBOM(t *testing.T) {
 	type args struct {
 		input        string
 		format       string
 		artifactType string
 	}
 	tests := []struct {
-		name   string
-		args   args
-		golden string
+		name     string
+		args     args
+		golden   string
+		override types.Report
 	}{
 		{
-			name: "centos7-bom by trivy",
+			name: "centos7 cyclonedx",
 			args: args{
 				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.json",
 				format:       "cyclonedx",
@@ -33,7 +38,7 @@ func TestCycloneDX(t *testing.T) {
 			golden: "testdata/centos-7-cyclonedx.json.golden",
 		},
 		{
-			name: "fluentd-multiple-lockfiles-bom by trivy",
+			name: "fluentd-multiple-lockfiles cyclonedx",
 			args: args{
 				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
 				format:       "cyclonedx",
@@ -42,7 +47,7 @@ func TestCycloneDX(t *testing.T) {
 			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
 		},
 		{
-			name: "centos7-bom in in-toto attestation",
+			name: "centos7 in in-toto attestation",
 			args: args{
 				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
 				format:       "cyclonedx",
@@ -50,6 +55,52 @@ func TestCycloneDX(t *testing.T) {
 			},
 			golden: "testdata/centos-7-cyclonedx.json.golden",
 		},
+		{
+			name: "centos7 spdx tag-value",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-spdx.txt",
+				format:       "json",
+				artifactType: "spdx",
+			},
+			golden: "testdata/centos-7.json.golden",
+			override: types.Report{
+				ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.txt",
+				ArtifactType: ftypes.ArtifactType("spdx"),
+				Results: types.Results{
+					{
+						Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "centos7 spdx json",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-spdx.json",
+				format:       "json",
+				artifactType: "spdx",
+			},
+			golden: "testdata/centos-7.json.golden",
+			override: types.Report{
+				ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.json",
+				ArtifactType: ftypes.ArtifactType("spdx"),
+				Results: types.Results{
+					{
+						Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+						},
+					},
+				},
+			},
+		},
 	}

 	// Set up testing DB
@@ -61,7 +112,7 @@ func TestCycloneDX(t *testing.T) {
 				"--cache-dir", cacheDir, "sbom", "-q", "--skip-db-update", "--format", tt.args.format,
 			}

-			// Setup the output file
+			// Set up the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = tt.golden
@@ -75,13 +126,46 @@ func TestCycloneDX(t *testing.T) {
 			assert.NoError(t, err)

 			// Compare want and got
-			want := decodeCycloneDX(t, tt.golden)
-			got := decodeCycloneDX(t, outputFile)
-			assert.Equal(t, want, got)
+			switch tt.args.format {
+			case "cyclonedx":
+				want := decodeCycloneDX(t, tt.golden)
+				got := decodeCycloneDX(t, outputFile)
+				assert.Equal(t, want, got)
+			case "json":
+				compareSBOMReports(t, tt.golden, outputFile, tt.override)
+			default:
+				require.Fail(t, "invalid format", "format: %s", tt.args.format)
+			}
 		})
 	}
 }

+// TODO(teppei): merge into compareReports
+func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
+	want := readReport(t, wantFile)
+
+	want.ArtifactName = overrideWant.ArtifactName
+	want.ArtifactType = overrideWant.ArtifactType
+	want.Metadata.ImageID = ""
+	want.Metadata.ImageConfig = v1.ConfigFile{}
+	want.Metadata.DiffIDs = nil
+	for i, result := range want.Results {
+		for j := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
+		}
+	}
+
+	for i, result := range overrideWant.Results {
+		want.Results[i].Target = result.Target
+		for j, vuln := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].Ref = vuln.Ref
+		}
+	}
+
+	got := readReport(t, gotFile)
+	assert.Equal(t, want, got)
+}
+
 func decodeCycloneDX(t *testing.T, filePath string) *cdx.BOM {
 	f, err := os.Open(filePath)
 	require.NoError(t, err)
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -35,6 +35,101 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
+		{
+			name: "alpine 3.9 with skip dirs",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
+				SkipDirs: []string{
+					"/etc",
+				},
+			},
+			golden: "testdata/alpine-39-skip.json.golden",
+		},
+		{
+			name: "alpine 3.9 with skip files",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
+				SkipFiles: []string{
+					"/etc",
+					"/etc/TZ",
+					"/etc/alpine-release",
+					"/etc/apk",
+					"/etc/apk/arch",
+					"/etc/apk/keys",
+					"/etc/apk/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub",
+					"/etc/apk/keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub",
+					"/etc/apk/keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub",
+					"/etc/apk/protected_paths.d",
+					"/etc/apk/repositories",
+					"/etc/apk/world",
+					"/etc/conf.d",
+					"/etc/crontabs",
+					"/etc/crontabs/root",
+					"/etc/fstab",
+					"/etc/group",
+					"/etc/hostname",
+					"/etc/hosts",
+					"/etc/init.d",
+					"/etc/inittab",
+					"/etc/issue",
+					"/etc/logrotate.d",
+					"/etc/logrotate.d/acpid",
+					"/etc/modprobe.d",
+					"/etc/modprobe.d/aliases.conf",
+					"/etc/modprobe.d/blacklist.conf",
+					"/etc/modprobe.d/i386.conf",
+					"/etc/modprobe.d/kms.conf",
+					"/etc/modules",
+					"/etc/modules-load.d",
+					"/etc/motd",
+					"/etc/mtab",
+					"/etc/network",
+					"/etc/network/if-down.d",
+					"/etc/network/if-post-down.d",
+					"/etc/network/if-post-up.d",
+					"/etc/network/if-pre-down.d",
+					"/etc/network/if-pre-up.d",
+					"/etc/network/if-up.d",
+					"/etc/network/if-up.d/dad",
+					"/etc/opt",
+					"/etc/os-release",
+					"/etc/passwd",
+					"/etc/periodic",
+					"/etc/periodic/15min",
+					"/etc/periodic/daily",
+					"/etc/periodic/hourly",
+					"/etc/periodic/monthly",
+					"/etc/periodic/weekly",
+					"/etc/profile",
+					"/etc/profile.d",
+					"/etc/profile.d/color_prompt",
+					"/etc/protocols",
+					"/etc/securetty",
+					"/etc/services",
+					"/etc/shadow",
+					"/etc/shells",
+					"/etc/ssl",
+					"/etc/ssl/cert.pem",
+					"/etc/ssl/certs",
+					"/etc/ssl/ct_log_list.cnf",
+					"/etc/ssl/ct_log_list.cnf.dist",
+					"/etc/ssl/misc",
+					"/etc/ssl/misc/CA.pl",
+					"/etc/ssl/misc/tsget",
+					"/etc/ssl/misc/tsget.pl",
+					"/etc/ssl/openssl.cnf",
+					"/etc/ssl/openssl.cnf.dist",
+					"/etc/ssl/private",
+					"/etc/sysctl.conf",
+					"/etc/sysctl.d",
+					"/etc/sysctl.d/00-alpine.conf",
+					"/etc/udhcpd.conf",
+				},
+			},
+			golden: "testdata/alpine-39-skip.json.golden",
+		},
 		{
 			name: "alpine 3.9 with high and critical severity",
 			testArgs: args{
@@ -281,7 +376,6 @@ func TestTar(t *testing.T) {
 				osArgs = append(osArgs, "--input", tt.testArgs.Input)
 			}

-			// TODO: test skip files/dirs
 			if len(tt.testArgs.SkipFiles) != 0 {
 				for _, skipFile := range tt.testArgs.SkipFiles {
 					osArgs = append(osArgs, "--skip-files", skipFile)
--- a/integration/testdata/alpine-310.sarif.golden
+++ b/integration/testdata/alpine-310.sarif.golden
@@ -13,7 +13,7 @@
              "id": "CVE-2019-1549",
              "name": "OsPackageVulnerability",
              "shortDescription": {
-                "text": "CVE-2019-1549"
+                "text": "openssl: information disclosure in fork()"
              },
              "fullDescription": {
                "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
@@ -40,7 +40,7 @@
              "id": "CVE-2019-1551",
              "name": "OsPackageVulnerability",
              "shortDescription": {
-                "text": "CVE-2019-1551"
+                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64"
              },
              "fullDescription": {
                "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
@@ -88,6 +88,9 @@
                  "endLine": 1,
                  "endColumn": 1
                }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libcrypto1.1@1.1.1c-r0"
              }
            }
          ]
@@ -112,6 +115,9 @@
                  "endLine": 1,
                  "endColumn": 1
                }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libcrypto1.1@1.1.1c-r0"
              }
            }
          ]
@@ -136,6 +142,9 @@
                  "endLine": 1,
                  "endColumn": 1
                }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libssl1.1@1.1.1c-r0"
              }
            }
          ]
@@ -160,6 +169,9 @@
                  "endLine": 1,
                  "endColumn": 1
                }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libssl1.1@1.1.1c-r0"
              }
            }
          ]
--- a/integration/testdata/alpine-39-skip.json.golden
+++ b/integration/testdata/alpine-39-skip.json.golden
@@ -0,0 +1,49 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "none",
+      "Name": ""
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
+        },
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
+      }
+    }
+  }
+}
--- a/integration/testdata/conan.json.golden
+++ b/integration/testdata/conan.json.golden
@@ -0,0 +1,76 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/conan",
+  "ArtifactType": "filesystem",
+  "Results": [
+    {
+      "Target": "conan.lock",
+      "Class": "lang-pkgs",
+      "Type": "conan",
+      "Packages": [
+        {
+          "ID": "bzip2/1.0.8",
+          "Name": "bzip2",
+          "Version": "1.0.8",
+          "Indirect": true
+        },
+        {
+          "ID": "expat/2.4.8",
+          "Name": "expat",
+          "Version": "2.4.8",
+          "Indirect": true
+        },
+        {
+          "ID": "openssl/1.1.1q",
+          "Name": "openssl",
+          "Version": "1.1.1q",
+          "Indirect": true
+        },
+        {
+          "ID": "pcre/8.43",
+          "Name": "pcre",
+          "Version": "8.43",
+          "Indirect": true,
+          "DependsOn": [
+            "bzip2/1.0.8",
+            "zlib/1.2.12"
+          ]
+        },
+        {
+          "ID": "poco/1.9.4",
+          "Name": "poco",
+          "Version": "1.9.4",
+          "DependsOn": [
+            "pcre/8.43",
+            "zlib/1.2.12",
+            "expat/2.4.8",
+            "sqlite3/3.39.2",
+            "openssl/1.1.1q"
+          ]
+        },
+        {
+          "ID": "sqlite3/3.39.2",
+          "Name": "sqlite3",
+          "Version": "3.39.2",
+          "Indirect": true
+        },
+        {
+          "ID": "zlib/1.2.12",
+          "Name": "zlib",
+          "Version": "1.2.12",
+          "Indirect": true
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-14155",
+          "PkgID": "pcre/8.43",
+          "PkgName": "pcre",
+          "InstalledVersion": "8.43",
+          "FixedVersion": "8.45",
+          "Severity": "UNKNOWN"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/dockerfile-rule-exception.json.golden
+++ b/integration/testdata/dockerfile-rule-exception.json.golden
@@ -28,6 +28,7 @@
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
          "Title": "Image user should not be 'root'",
          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Teppei Fukuda	af89249dea	refactor(k8s): custom reports (#3076 )	2022-10-26 00:02:33 +03:00
Aibek	f4e970f374	fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-10-25 23:41:27 +03:00
Shubham Palriwala	8ae4627941	feat(image): add support for passing architecture and OS (#3012 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-10-25 22:03:50 +03:00
DmitriyLewen	0501e70375	test: disable containerd integration tests for non-amd64 arch (#3073 )	2022-10-25 21:05:54 +03:00
bgoareguer	a377c8d04f	feat(server): Add support for client/server mode to rootfs command (#3021 )	2022-10-25 21:04:29 +03:00
Teppei Fukuda	02a73f0138	feat(vuln): support non-packaged binaries (#3019 )	2022-10-25 20:02:53 +03:00
chenk	18581f345b	feat: compliance reports (#2951 )	2022-10-25 19:42:01 +03:00
saso	63b8e4d6a0	fix(flag): disable flag parsing for each plugin command (#3074 )	2022-10-25 19:02:42 +03:00
DmitriyLewen	cbedd712db	feat(nodejs): add support dependency location for yarn.lock files (#3016 )	2022-10-25 11:19:21 +03:00
Liam Galvin	b22e37e0c6	chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069 )	2022-10-25 11:17:47 +03:00
Jose Donizetti	9b0e9794cb	feat: add k8s components (#2589 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-10-24 14:51:02 +03:00
behara	5e25182c98	fix(secret): update the regex for secrets scanning (#2964 ) Co-authored-by: jyothikumar <behara.jyothi-kumar@aquasec.com>	2022-10-24 14:42:54 +03:00
dependabot[bot]	9947e5111c	chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-10-24 11:30:39 +03:00
Jose Donizetti	d2a15a7377	fix: bump trivy-kubernetes (#3064 )	2022-10-23 21:07:41 +03:00
Shahar Naveh	f2efc9c554	docs: fix missing 'image' subcommand (#3051 )	2022-10-21 12:44:12 +03:00
tspearconquest	34653c711b	chore: Patch golang x/text vulnerability (#3046 ) Signed-off-by: Thomas Spear <tspear@conquestcyber.com>	2022-10-21 12:43:50 +03:00
Itay Shakury	e252ea83e0	chore: add licensed project logo (#3058 )	2022-10-21 07:22:00 +03:00
MaineK00n	439d216634	feat(ubuntu): set Ubuntu 22.10 EOL (#3054 )	2022-10-20 21:52:44 +03:00
Matias Insaurralde	9f5113a920	refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028 )	2022-10-20 14:45:33 +03:00
Craig Andrews	c1e24d5344	feat(report): Use understandable value for shortDescription in SARIF reports (#3009 ) Signed-off-by: Craig Andrews <candrews@integralblue.com> Co-authored-by: AMF <work@afdesk.com>	2022-10-20 12:54:59 +03:00
Sen	212af07e27	docs(misconf): fix typo (#3043 )	2022-10-20 08:51:37 +03:00
Owen Rumney	68f374ac9a	feat: add support for scanning azure ARM (#3011 ) Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>	2022-10-13 20:24:14 +03:00
Craig Andrews	d35c668f5c	feat(report): add location.message to SARIF output (#3002 ) (#3003 ) Signed-off-by: Craig Andrews <candrews@integralblue.com> Co-authored-by: AMF <work@afdesk.com>	2022-10-12 16:07:58 +03:00
dependabot[bot]	2150ffc701	chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-10-12 15:47:31 +03:00
DmitriyLewen	ca434f7f26	feat(nodejs): add dependency line numbers for npm lock files (#2932 )	2022-10-12 15:22:34 +03:00
Hirotaka Tagawa / wafuwafu13	a8ff5f06b5	test(fs): add `--skip-files`, `--skip-dirs` (#2984 )	2022-10-12 15:20:56 +03:00
6543	561b2e7566	docs: add Woodpecker CI integrations example (#2823 ) Co-authored-by: Sebastian Crane <seabass-labrax@gmx.com>	2022-10-12 15:01:59 +03:00
dependabot[bot]	4a3583da95	chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-10-12 13:45:56 +03:00
dependabot[bot]	4be9eebf07	chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-10-12 13:44:35 +03:00
dependabot[bot]	a260d35dc1	chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-10-12 13:37:20 +03:00
dependabot[bot]	558189f763	chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-10-12 13:36:30 +03:00
DmitriyLewen	c2eb6ee301	fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000 )	2022-10-11 21:25:46 +03:00
DmitriyLewen	68f79526bb	fix(java): don't stop parsing jar file when wrong inner jar is found (#2989 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-10-11 12:45:44 +03:00
DmitriyLewen	be78da6c40	fix(sbom): use nuget purl type for dotnet-core (#2990 ) * use nuget prefix for dotnet-core * refactor	2022-10-11 12:23:43 +03:00
saso	92b5a1931e	perf: retrieve rekor entries in bulk (#2987 )	2022-10-09 10:53:00 +03:00
Liam Galvin	babd7e7526	feat(aws): Custom rego policies for AWS scanning (#2994 )	2022-10-06 12:51:45 +03:00
AndrewCharlesHay	8ad9b8a939	docs: jq cli formatting (#2881 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-10-02 10:11:03 +03:00
Kyriakos Georgiou	a78684c340	docs(repo): troubleshooting $TMPDIR customization (#2985 )	2022-10-02 10:05:09 +03:00
dependabot[bot]	7309ed0a5b	chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969 )	2022-10-02 10:03:49 +03:00
dependabot[bot]	9515a5ce8b	chore(deps): bump actions/stale from 5 to 6 (#2970 )	2022-10-02 10:03:26 +03:00
dependabot[bot]	955aff66df	chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971 )	2022-10-02 10:02:42 +03:00
dependabot[bot]	db56d238fd	chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972 )	2022-10-02 10:02:22 +03:00
dependabot[bot]	05a723246e	chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973 )	2022-10-02 10:01:49 +03:00
afdesk	2c39d4729a	chore: run `go fmt` (#2897 )	2022-10-02 09:33:21 +03:00
Crypt Keeper	16a7dc10e0	chore(go): updates wazero to 1.0.0-pre.2 (#2955 ) Signed-off-by: Adrian Cole <adrian@tetrate.io>	2022-10-02 09:29:15 +03:00
chavacava	ce4ba7c99c	fix(aws): Less function for slice sorting always returns false #2967 Signed-off-by: Salvador Cavadini <salvadorcavadini+github@gmail.com>	2022-10-02 09:28:27 +03:00
DmitriyLewen	4ffe74643e	fix(java): fix unmarshal pom exclusions (#2936 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-28 19:44:53 +03:00
DmitriyLewen	8b1cee845b	fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943 )	2022-09-28 15:32:01 +03:00
chenk	f5cbbb3fde	chore: expat lib and go binary deps vulns (#2940 ) Signed-off-by: chenk <hen.keinan@gmail.com>	2022-09-28 12:14:29 +03:00
Crypt Keeper	6882bdf561	wasm: Removes accidentally exported memory (#2950 ) Signed-off-by: Adrian Cole <adrian@tetrate.io>	2022-09-28 11:12:46 +03:00
DmitriyLewen	6ea9a61cf3	fix(sbom): fix package name separation for gradle (#2906 )	2022-09-28 11:11:23 +03:00
DmitriyLewen	3ee4c96f13	docs(readme.md): fix broken integrations link (#2931 )	2022-09-28 11:03:20 +03:00
Moniseeta	5745961194	fix(image): handle images with single layer in rescan mergedLayers cache (#2927 ) For images with single layer, the layer key was directly being used as merged cache key. This was posing an issue of data override and any other image having the same layer could get incorrect data. So, fixed: 1. Even for 1 layer - merged layer key hash will be calculated 2. We will not go with assumption that merged data will have only 1 pkgInfo 3. We are setting a SchemaVersion in blob being generated in ToBlobInfo	2022-09-22 14:46:28 +03:00
DmitriyLewen	e01253d54d	fix(cli): split env values with ',' for slice flags (#2926 )	2022-09-22 10:11:37 +03:00
Juan Antonio Osorio	0c1a42d4f3	fix(cli): config/helm: also take into account files with `.yml` (#2928 ) YAML files can also have the `.yml` file extension. So the helm config should take that into account. Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>	2022-09-21 17:08:13 +01:00
DmitriyLewen	237b8dcd06	fix(flag): add file-patterns flag for config subcommand (#2925 )	2022-09-21 10:02:58 +03:00
dependabot[bot]	047a0b3d88	chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2022-09-19 14:55:16 +03:00
Teppei Fukuda	585985edb3	docs: add Rekor SBOM attestation scanning (#2893 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-16 15:43:01 +03:00
Teppei Fukuda	d30fa00adc	chore: narrow the owner scope (#2894 )	2022-09-16 15:42:31 +03:00
afdesk	38c1513af6	fix: remove a patch number from the recommendation link (#2891 )	2022-09-16 12:23:58 +03:00
saso	ba29ce648c	fix: enable parsing of UUID-only rekor entry ID (#2887 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-16 11:16:41 +03:00
Teppei Fukuda	018eda618b	docs(sbom): add SPDX scanning (#2885 )	2022-09-16 10:20:40 +03:00
Anais Urlichs	20f1e5991a	docs: restructure docs and add tutorials (#2883 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 21:27:58 +03:00
saso	192fd78ca2	feat(sbom): scan sbom attestation in the rekor record (#2699 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 20:16:39 +03:00
chenk	597836c3a2	feat(k8s): support outdated-api (#2877 )	2022-09-15 13:02:16 +03:00
dependabot[bot]	6c7bd67c04	chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815 )	2022-09-15 11:40:54 +03:00
François Poirotte	41270434fe	fix(c): support revisions in Conan parser (#2878 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 11:35:44 +03:00
chenk	b677d7e2e8	feat: dynamic links support for scan results (#2838 )	2022-09-15 10:42:33 +03:00
dependabot[bot]	8e03bbb422	chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818 )	2022-09-15 10:16:47 +03:00
George Rodrigues	27005c7d6a	docs: update archlinux commands (#2876 )	2022-09-15 10:14:53 +03:00
DmitriyLewen	b6e394dc80	feat(secret): add line from dockerfile where secret was added to secret result (#2780 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 10:13:20 +03:00
Masahiro331	9f6680a1fa	feat(sbom): Add unmarshal for spdx (#2868 ) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-15 08:39:59 +03:00
dependabot[bot]	db0aaf18e6	chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827 )	2022-09-14 17:28:14 +03:00
AndrewCharlesHay	bb3220c3de	fix: revert asff arn and add documentation (#2852 )	2022-09-14 17:27:46 +03:00
AndrewCharlesHay	c51f2b82e4	docs: batch-import-findings limit (#2851 )	2022-09-14 17:26:32 +03:00
dependabot[bot]	552732b5d7	chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872 )	2022-09-14 17:23:51 +03:00
Masahiro331	3165c376e2	feat(sbom): Add marshal for spdx (#2867 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-14 13:36:10 +03:00
Teppei Fukuda	dac2b4a281	build: checkout before setting up Go (#2873 )	2022-09-14 13:27:27 +03:00
Teppei Fukuda	39f83afefe	chore: bump Go to 1.19 (#2861 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-14 11:41:55 +03:00
Carol Valencia	0ce95830c8	docs: azure doc and trivy (#2869 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-09-14 09:20:57 +03:00
Owen Rumney	2f37961661	fix: Scan tarr'd dependencies (#2857 ) Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>	2022-09-12 14:55:38 +03:00
Carol Valencia	db14ef3cb5	chore(helm): helm test with ingress (#2630 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-09-12 12:13:08 +03:00
DmitriyLewen	acb65d565a	feat(report): add secrets to sarif format (#2820 ) Co-authored-by: AMF <work@afdesk.com>	2022-09-12 12:12:13 +03:00
dependabot[bot]	a18cd7c00a	chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807 )	2022-09-12 12:11:02 +03:00
Teppei Fukuda	2de903ca35	refactor: add a new interface for initializing analyzers (#2835 ) Signed-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-12 11:46:53 +03:00
dependabot[bot]	63c3b8ed19	chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840 )	2022-09-08 09:21:40 +03:00
AndrewCharlesHay	6717665ab0	fix: update ProductArn with account id (#2782 )	2022-09-08 09:21:05 +03:00
Helge Eichelberg	41a8496716	feat(helm): make cache TTL configurable (#2798 ) Signed-off-by: elchenberg <elchenberg@users.noreply.github.com>	2022-09-08 09:12:18 +03:00
Juan Antonio Osorio	0f1f2c1b29	build(): Sign releaser artifacts, not only container manifests (#2789 )	2022-09-07 16:56:10 +03:00
Carol Valencia	b389a6f4fc	chore: improve doc about azure devops (#2795 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2022-09-07 16:52:53 +03:00
dependabot[bot]	9ef9fce589	chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804 )	2022-09-07 16:48:15 +03:00
dependabot[bot]	7b3225d0d8	chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828 )	2022-09-07 16:47:38 +03:00
dependabot[bot]	37733edc4b	chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825 )	2022-09-07 16:46:01 +03:00
Itay Shakury	44d7e8dde1	docs: don't push patch versions (#2824 )	2022-09-07 16:40:28 +03:00
DmitriyLewen	4839075c28	feat: add support for conan.lock file (#2779 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2022-09-06 21:59:13 +03:00
Teppei Fukuda	6b4ddaaef2	feat: cache merged layers igned-off-by: knqyf263 <knqyf263@gmail.com>	2022-09-06 11:04:00 +03:00
dependabot[bot]	a18f398ac0	chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805 )	2022-09-04 12:32:45 +03:00
dependabot[bot]	4dcce14051	chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806 )	2022-09-04 12:32:04 +03:00
dependabot[bot]	db4544711a	chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811 )	2022-09-04 12:15:53 +03:00
dependabot[bot]	a246d0f280	chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810 )	2022-09-04 12:11:31 +03:00
dependabot[bot]	1800017a9a	chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808 )	2022-09-04 12:08:54 +03:00
dependabot[bot]	218e41a435	chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814 )	2022-09-04 12:08:13 +03:00
DmitriyLewen	a000adeed0	feat: add support for gradle.lockfile (#2759 )	2022-09-01 11:27:36 +03:00
Crypt Keeper	43113bc01f	chore(mod): updates wazero to 1.0.0-pre.1 #2791 Signed-off-by: Adrian Cole <adrian@tetrate.io>	2022-09-01 11:09:48 +03:00
jerbob92	5f0bf1445a	feat: move file patterns to a global level to be able to use it on any analyzer (#2539 )	2022-09-01 11:01:57 +03:00
Alex Samorukov	2580ea1583	Fix url validaton failures (#2783 ) While analyzing failure of the report schema validation i found URL looks like that: `https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)`. This causing gitlab to mark report as invalid. Patch provided just using first word of the url word.	2022-08-30 15:57:40 +03:00
DmitriyLewen	2473b2c881	fix(image): add logic to detect empty layers (#2790 ) * add logic to detect empty layers * add test for createdBy from buildkit	2022-08-30 15:56:14 +03:00
afdesk	9d018d44b9	feat(rust): add dependency graph from Rust binaries (#2771 )	2022-08-30 15:46:38 +03:00
Teppei Fukuda	db67f16ac6	fix: handle empty OS family (#2768 )	2022-08-29 08:53:13 +03:00
Jose Donizetti	77616bebae	fix: fix k8s summary report (#2777 ) Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>	2022-08-25 10:43:39 +03:00
DmitriyLewen	fcccfced23	fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767 )	2022-08-25 10:40:03 +03:00
Jose Donizetti	8bc215ccf6	chore: bump trivy-kubernetes (#2770 ) Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>	2022-08-25 09:37:47 +03:00
Ankush K	d8d8e62793	fix(secret): Consider secrets in rpc calls (#2753 )	2022-08-25 09:36:51 +03:00
DmitriyLewen	b0e89d4c57	fix(java): check depManagement from upper pom's (#2747 )	2022-08-24 11:22:22 +03:00
afdesk	da6f1b6f25	fix(php): skip `composer.lock` inside `vendor` folder (#2718 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2022-08-23 13:17:09 +03:00
Jose Donizetti	2f2952c658	fix: fix k8s rbac filter (#2765 )	2022-08-23 11:56:06 +03:00
afdesk	8bc56bf2fc	feat(misconf): skipping misconfigurations by AVD ID (#2743 )	2022-08-22 11:06:04 +03:00
Alexander Lauster	9c1ce5afe8	chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741 )	2022-08-18 17:05:39 +03:00
Herby Gillot	3cd10b2358	docs: add MacPorts install instructions (#2727 )	2022-08-17 13:41:55 +03:00
will Farrell	f369bd3e3d	docs: typo (#2730 )	2022-08-17 10:58:44 +01:00
Liam Galvin	fefe7c4a7b	fix: Correctly handle recoverable AWS scanning errors (#2726 )	2022-08-16 18:00:44 +03:00
Liam Galvin	9c92e3d185	docs: Remove reference to SecurityAudit policy for AWS scanning (#2721 )	2022-08-16 16:31:49 +03:00
Liam Galvin	d343d13ac6	fix: upgrade defsec to v0.71.7 for elb scan panic (#2720 )	2022-08-16 15:00:18 +03:00
				`@@ -88,4 +88,3 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)`

				`</details>`