fix(sbom): download the Java DB when generating SBOM (#3539)

* fix: use cgo free sqlite driver

* chore: add CGO_ENABLED=0

* chore(deps): bump go-rpmdb

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf 

.github/CODEOWNERS

@@ -1,17 +1,23 @@
 # Global
 *   @knqyf263
 
+# Docs
+/docs/** @knqyf263 @AnaisUrlichs @itaysk
+/mkdocs.yml @knqyf263 @AnaisUrlichs @itaysk
+/README.md @knqyf263 @AnaisUrlichs @itaysk
+
 # Helm chart
-helm/trivy/ @krol3
+helm/trivy/ @chen-keinan
 
 # Misconfiguration scanning
-examples/misconf/           @owenrumney @liamg @knqyf263
-docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
-docs/docs/cloud             @owenrumney @liamg @knqyf263
-pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
-pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
-pkg/cloud                   @owenrumney @liamg @knqyf263
-pkg/flag                    @owenrumney @liamg @knqyf263
+examples/misconf/           @knqyf263
+docs/docs/misconfiguration  @knqyf263
+docs/docs/cloud             @knqyf263
+pkg/fanal/analyzer/config   @knqyf263
+pkg/fanal/handler/misconf   @knqyf263
+pkg/cloud                   @knqyf263
+pkg/flag/aws_flags.go       @knqyf263
+pkg/flag/misconf_flags.go   @knqyf263
 
 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263

.github/DISCUSSION_TEMPLATE/show-and-tell.yml

@@ -0,0 +1,53 @@
+title: "<company name> "
+labels: ["adopters"]
+body:
+  - type: textarea
+    id: links
+    attributes:
+      label: "Share Links"
+      description: "If you would like to share a link to your project or company, please paste it below 🌐"
+      value: |
+        ...
+    validations:
+      required: false
+  - type: textarea
+    id: logo
+    attributes:
+      label: "Share Logo"
+      description: "If you have a link to your logo, please provide it in the following text-box 🌐"
+      value: |
+        ...
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Please select all the scan targets that you are using
+      options:
+        - label: Container Images
+        - label: Filesystem
+        - label: Git Repository
+        - label: Virtual Machine Images
+        - label: Kubernetes
+        - label: AWS
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Which scanners are you using on those scan targets?
+      options:
+        - label: OS packages and software dependencies in use (SBOM)
+        - label: Known vulnerabilities (CVEs)
+        - label: IaC issues and misconfigurations
+        - label: Sensitive information and secrets
+        - label: Software licenses
+    validations:
+      required: false
+  - type: textarea
+    id: info
+    attributes:
+      label: "Additional Information"
+      description: "Please tell us more about your use case of Trivy -- anything that you would like to share 🎉"
+      value: |
+        ...
+    validations:
+      required: false

.github/workflows/canary.yaml

@@ -5,6 +5,7 @@ on:
       - 'main'
     paths:
       - '**.go'
+      - 'go.mod'
       - 'Dockerfile.canary'
       - '.github/workflows/canary.yaml'
   workflow_dispatch:
@@ -24,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.2.2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/mkdocs-dev.yaml

@@ -9,7 +9,7 @@ on:
 jobs:
   deploy:
     name: Deploy the dev documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
         uses: actions/checkout@v3

.github/workflows/mkdocs-latest.yaml

@@ -11,7 +11,7 @@ on:
 jobs:
   deploy:
     name: Deploy the latest documentation
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
         uses: actions/checkout@v3
@@ -35,7 +35,7 @@ jobs:
         if: ${{ github.event.inputs.version == '' }}
         run: |
           VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
-          mike deploy --push --update-aliases $VERSION latest
+          mike deploy --push --update-aliases ${VERSION%.*} latest
       - name: Deploy the latest documents from manual trigger
         if: ${{ github.event.inputs.version != '' }}
         run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

.github/workflows/publish-chart.yaml

@@ -15,8 +15,8 @@ env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
-  KIND_VERSION: "v0.11.1"
-  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+  KIND_VERSION: "v0.14.0"
+  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
   test-chart:
     runs-on: ubuntu-20.04
@@ -26,7 +26,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
         with:
           version: v3.5.0
       - name: Set up python
@@ -35,9 +35,9 @@ jobs:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -45,7 +45,7 @@ jobs:
         run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
       - name: Run chart-testing (Ingress enabled)
         run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
   publish-chart:

.github/workflows/release.yaml

@@ -10,13 +10,13 @@ jobs:
     uses: ./.github/workflows/reusable-release.yaml
     with:
       goreleaser_config: goreleaser.yml
-      goreleaser_options: '--rm-dist --timeout 60m'
+      goreleaser_options: '--rm-dist --timeout 90m'
     secrets: inherit
 
   deploy-packages:
     name: Deploy rpm/dep packages
     needs: release # run this job after 'release' job completes
-    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.2.2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -32,7 +32,7 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
+          sudo apt-get -y install rpm reprepro createrepo-c distro-info
 
       - name: Checkout trivy-repo
         uses: actions/checkout@v3
@@ -54,4 +54,4 @@ jobs:
         run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
 
       - name: Create deb repository
-        run: ci/deploy-deb.sh
+        run: ci/deploy-deb.sh

.github/workflows/reusable-release.yaml

@@ -13,7 +13,6 @@ on:
         type: string
 
 env:
-  GO_VERSION: "1.18"
   GH_USER: "aqua-bot"
 
 jobs:
@@ -28,7 +27,7 @@ jobs:
       contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Cosign install
-        uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
@@ -60,16 +59,16 @@ jobs:
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
 
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Checkout code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
       - name: Generate SBOM
         uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
@@ -77,7 +76,7 @@ jobs:
           version: ^v1
 
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: v1.4.1
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -100,10 +99,10 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.2.2
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.
           # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
           # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/roadmap.yaml

@@ -0,0 +1,79 @@
+name: Add issues to the roadmap project
+
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  add-issue-to-roadmap-project:
+    name: Add issue to the roadmap project
+    runs-on: ubuntu-latest
+    steps:
+      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/backlog
+          label-operator: AND
+        id: add-backlog-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-backlog-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-backlog-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Backlog
+
+      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-longterm
+          label-operator: AND
+        id: add-longterm-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-longterm-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-longterm-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (long-term)
+
+      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/important-soon
+          label-operator: AND
+        id: add-soon-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-soon-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-soon-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Important (soon)
+
+      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
+      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          labeled: kind/feature, priority/critical-urgent
+          label-operator: AND
+        id: add-urgent-issue
+      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+        if: ${{ steps.add-urgent-issue.outputs.itemId }}
+        with:
+          project-url: https://github.com/orgs/aquasecurity/projects/25
+          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
+          item-id: ${{ steps.add-urgent-issue.outputs.itemId }} # Use the item-id output of the previous step
+          field-keys: Priority
+          field-values: Urgent

.github/workflows/semantic-pr.yaml

@@ -12,11 +12,11 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v4
+      - uses: amannn/action-semantic-pull-request@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          types:
+          types: |
             feat
             fix
             docs
@@ -30,7 +30,7 @@ jobs:
             revert
             BREAKING
 
-          scopes:
+          scopes: |
             vuln
             misconf
             secret
@@ -42,8 +42,11 @@ jobs:
             sbom
             server
             k8s
+            aws
+            vm
 
             alpine
+            wolfi
             redhat
             alma
             rocky
@@ -55,6 +58,7 @@ jobs:
             suse
             photon
             distroless
+            windows
 
             ruby
             php
@@ -64,7 +68,11 @@ jobs:
             dotnet
             java
             go
-            
+            c
+            c++
+            elixir
+            dart
+
             os
             lang
 
@@ -80,11 +88,12 @@ jobs:
 
             cli
             flag
-            
+
             cyclonedx
             spdx
+            purl
 
             helm
             report
             db
-            deps
+            deps

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v5
+    - uses: actions/stale@v7
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'

.github/workflows/test-docs.yaml

@@ -0,0 +1,28 @@
+name: Test docs
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+jobs:
+  build-documents:
+    name: Documentation Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Install dependencies
+      run: |
+        pip install -r docs/build/requirements.txt
+    - name: Configure the git user
+      run: |
+        git config user.name "knqyf263"
+        git config user.email "knqyf263@gmail.com"
+    - name: Deploy the dev documents
+      run: mike deploy test

.github/workflows/test.yaml

@@ -4,25 +4,31 @@ on:
     branches:
       - main
     paths-ignore:
-      - '*.md'
+      - '**.md'
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
   pull_request:
-env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.24.0"
+      paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'LICENSE'
 jobs:
   test:
     name: Test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
+        go-version: [stable, oldstable]
     steps:
       - uses: actions/checkout@v3
 
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ matrix.go-version }}
 
       - name: go mod tidy
         run: |
@@ -31,18 +37,20 @@ jobs:
             echo "Run 'go mod tidy' and push it"
             exit 1
           fi
+        if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v3.2.0
+        uses: golangci/golangci-lint-action@v3.3.0
         with:
-          version: v1.45
+          version: v1.49
           args: --deadline=30m
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+        if: matrix.operating-system == 'ubuntu-latest'
 
-      - name: Install TinyGo
-        run: |
-          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
-          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
+      # Install tools
+      - uses: aquaproj/aqua-installer@v1.2.0
+        with:
+          aqua_version: v1.25.0
 
       - name: Run unit tests
         run: make test
@@ -51,37 +59,36 @@ jobs:
     name: Integration Test
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
 
-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration
 
   module-test:
     name: Module Integration Test
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Install TinyGo
-        run: |
-          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
-          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
-
       - name: Checkout
         uses: actions/checkout@v3
 
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      # Install tools
+      - uses: aquaproj/aqua-installer@v1.1.2
+        with:
+          aqua_version: v1.25.0
+
       - name: Run module integration tests
+        shell: bash
         run: |
           make test-module-integration
 
@@ -107,32 +114,11 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v3
+      uses: goreleaser/goreleaser-action@v4
       with:
         version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 60m
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
 
-  build-documents:
-    name: Documentation Test
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        persist-credentials: true
-    - uses: actions/setup-python@v4
-      with:
-        python-version: 3.x
-    - name: Install dependencies
-      run: |
-        pip install -r docs/build/requirements.txt
-    - name: Configure the git user
-      run: |
-        git config user.name "knqyf263"
-        git config user.email "knqyf263@gmail.com"
-    - name: Deploy the dev documents
-      run: mike deploy test

.github/workflows/vm-test.yaml

@@ -0,0 +1,32 @@
+name: VM Test
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+  pull_request:
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+
+jobs:
+  vm-test:
+    name: VM Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - name: Run vm integration tests
+        run: |
+          make test-vm-integration

.gitignore

@@ -25,6 +25,7 @@ thumbs.db
 # test fixtures
 coverage.txt
 integration/testdata/fixtures/images
+integration/testdata/fixtures/vm-images
 
 # SBOMs generated during CI
 /bom.json
@@ -33,4 +34,4 @@ integration/testdata/fixtures/images
 dist
 
 # WebAssembly
-*.wasm
+*.wasm

.golangci.yaml

@@ -21,18 +21,18 @@ linters-settings:
     local-prefixes: github.com/aquasecurity
   gosec:
     excludes:
+      - G101
+      - G114
       - G204
       - G402
 
 linters:
   disable-all: true
   enable:
-    - structcheck
+    - unused
     - ineffassign
     - typecheck
     - govet
-    - varcheck
-    - deadcode
     - revive
     - gosec
     - unconvert
@@ -43,7 +43,7 @@ linters:
     - misspell
 
 run:
-  go: 1.18
+  go: 1.19
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.16.1
+FROM alpine:3.17.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.16.1
+FROM alpine:3.17.0
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.18.4
+FROM golang:1.19
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -1,7 +1,7 @@
 VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
 LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
 
-GOPATH := $(shell go env GOPATH)
+GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
 GOBIN := $(GOPATH)/bin
 GOSRC := $(GOPATH)/src
 
@@ -16,6 +16,8 @@ EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
 MKDOCS_IMAGE := aquasec/mkdocs-material:dev
 MKDOCS_PORT := 8000
 
+export CGO_ENABLED := 0 
+
 u := $(if $(update),-u)
 
 # Tools
@@ -26,7 +28,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
 
 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
 
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest
@@ -77,6 +79,15 @@ test-integration: integration/testdata/fixtures/images/*.tar.gz
 test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
 	go test -v -tags=module_integration ./integration/...
 
+# Run VM integration tests
+.PHONY: test-vm-integration
+test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
+	go test -v -tags=vm_integration ./integration/...
+
+integration/testdata/fixtures/vm-images/*.img.gz:
+	integration/scripts/download-vm-images.sh
+
+
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
 	$(GOBIN)/golangci-lint run --timeout 5m

README.md

@@ -5,54 +5,62 @@
 [![Test][test-img]][test]
 [![Go Report Card][go-report-img]][go-report]
 [![License: Apache-2.0][license-img]][license]
-[![GitHub All Releases][github-all-releases-img]][release]
+[![GitHub Downloads][github-downloads-img]][release]
 ![Docker Pulls][docker-pulls]
 
 [📖 Documentation][docs]
 </div>
 
-Trivy (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
+Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
+Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
 
-Trivy has different *scanners* that look for different security issues, and different *targets* where it can find those issues.
+Targets (what Trivy can scan):
 
-Targets:
 - Container Image
 - Filesystem
-- Git repository (remote)
-- Kubernetes cluster or resource
+- Git Repository (remote)
+- Virtual Machine Image
+- Kubernetes
+- AWS
+
+Scanners (what Trivy can find there):
 
-Scanners:
 - OS packages and software dependencies in use (SBOM)
 - Known vulnerabilities (CVEs)
-- IaC misconfigurations
+- IaC issues and misconfigurations
 - Sensitive information and secrets
+- Software licenses
 
-Much more scanners and targets are coming up. Missing something? Let us know!
-
-Read more in the [Trivy Documentation][docs]
+To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
 
 ## Quick Start
 
 ### Get Trivy
 
-Get Trivy by your favorite installation method. See [installation] section in the documentation for details. For example:
+Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
 
-- `apt-get install trivy`
-- `yum install trivy`
-- `brew install aquasecurity/trivy/trivy`
+- `brew install trivy`
 - `docker run aquasec/trivy`
-- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
+- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
+- See [Installation] for more
+
+Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
+
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
+- See [Ecosystem] for more
 
 ### General usage
 
 ```bash
-trivy <target> [--security-checks <scanner1,scanner2>] TARGET_NAME
+trivy <target> [--scanners <scanner1,scanner2>] <subject>
 ```
 
 Examples:
 
 ```bash
-$ trivy image python:3.4-alpine
+trivy image python:3.4-alpine
 ```
 
 <details>
@@ -63,7 +71,7 @@ https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-a
 </details>
 
 ```bash
-$ trivy fs --security-checks vuln,secret,config myproject/
+trivy fs --scanners vuln,secret,config myproject/
 ```
 
 <details>
@@ -74,7 +82,7 @@ https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b
 </details>
 
 ```bash
-$ trivy k8s --report summary cluster
+trivy k8s --report summary cluster
 ```
 
 <details>
@@ -84,37 +92,11 @@ $ trivy k8s --report summary cluster
 
 </details>
 
-Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.
+## FAQ
 
-Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
+### How to pronounce the name "Trivy"?
 
-
-## Highlights
-
-- Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-  - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
-  - High accuracy, especially [Alpine Linux][alpine] and RHEL/CentOS
-- Supply chain security (SBOM support)
-  - Support CycloneDX
-  - Support SPDX
-- Misconfiguration detection (IaC scanning) 
-  - Wide variety of security checks are provided **out of the box**
-  - Kubernetes, Docker, Terraform, and more
-  - User-defined policies using [OPA Rego][rego]
-- Secret detection
-  - A wide variety of built-in rules are provided **out of the box**
-  - User-defined patterns
-  - Efficient scanning of container images
-- Simple
-  - Available in apt, yum, brew, dockerhub
-  - **No pre-requisites** such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
-  - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
-- Fits your workflow
-  - **Great for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
-  - Available as extension for IDEs such as vscode, jetbrains, vim
-  - Available as extension for Docker Desktop, Rancher Desktop
-  - See [integrations] section in the documentation.
+`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
 
 ---
 
@@ -128,19 +110,21 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 [go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
 [release]: https://github.com/aquasecurity/trivy/releases
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
-[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
+[github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
 [docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
-
-
-[getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[homepage]: https://trivy.dev
 [docs]: https://aquasecurity.github.io/trivy
-[integrations]:https://aquasecurity.github.io/trivy/latest/docs/integrations/
-[installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
-[releases]: https://github.com/aquasecurity/trivy/releases
+[pronunciation]: #how-to-pronounce-the-name-trivy
+
+[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
+[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
+
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego
+[sigstore]: https://www.sigstore.dev/
+
 [aquasec]: https://aquasec.com
 [oss]: https://www.aquasec.com/products/open-source-projects/
 [discussions]: https://github.com/aquasecurity/trivy/discussions

aqua.yaml

@@ -0,0 +1,8 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+registries:
+- type: standard
+  ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+- name: tinygo-org/tinygo@v0.26.0

brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g>
+	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg

@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g display="none">
+	<g display="inline">
+		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
+			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
+			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
+		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
+			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
+			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
+		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
+			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
+			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
+		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
+		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
+		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
+			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
+			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
+			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
+		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
+			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
+			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
+			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
+		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
+			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
+			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
+		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
+			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
+			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
+			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
+			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
+		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
+			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
+			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
+			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
+		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
+			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
+		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
+		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
+		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
+			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
+			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
+			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
+			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
+			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
+			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
+			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
+		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
+			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
+		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1255.131,432.352,1255.131,428.372z"/>
+		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
+		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
+			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
+			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
+			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
+		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
+			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
+			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
+		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
+			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
+			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
+			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
+			S1436.024,432.352,1436.024,428.372z"/>
+		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
+			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
+		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
+			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
+			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
+			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
+			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
+			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
+			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
+			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
+		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
+		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
+			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
+			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
+		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
+			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
+			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
+		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
+			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
+			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
+			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
+		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
+			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
+			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
+			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
+			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
+		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
+			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
+			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
+			"/>
+		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
+		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
+			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
+			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
+			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
+		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
+		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
+			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
+	</g>
+	<g display="inline">
+		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
+			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
+		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
+			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
+		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
+			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
+			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
+			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
+		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
+			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
+			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
+			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
+			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
+		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H849.59z"/>
+		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
+			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
+			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
+			s-11.276,3.742-13.385,9.059H899.44z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
+<g display="none">
+	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
+		118.268,40.115 	"/>
+	<g display="inline">
+		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
+			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
+		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
+			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
+		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
+			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
+		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
+			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
+		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
+			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
+			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
+		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
+			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
+			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
+		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
+		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
+			L14.265,41.864z"/>
+		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
+			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
+		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
+			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
+			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
+		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
+	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
+		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
+	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
+	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
+	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
+		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
+		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
+		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
+	<g>
+		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
+			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
+		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
+			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
+		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
+			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
+		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
+			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
+		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
+			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
+			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
+		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
+			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
+			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
+		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
+		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
+		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
+			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
+		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
+			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
+			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
+	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
+		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
+		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
+	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
+		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
+	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
+		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
+		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
+<g>
+	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
+		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
+	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
+		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
+	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
+	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
+	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
+		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
+		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
+		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
+</g>
+<g>
+	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
+		"/>
+	<g>
+		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
+			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
+		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
+			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
+		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
+			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
+		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
+			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
+		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
+			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
+			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
+		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
+			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
+			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
+		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
+			V347.086z"/>
+		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
+			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
+		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
+			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
+		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
+			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
+			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
+	</g>
+</g>
+<g>
+	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
+		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
+	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
+		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
+		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
+	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
+		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
+	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
+		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
+		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
+</g>
+</svg>

brand/readme.md

@@ -0,0 +1,2 @@
+This directory contains media assets, such as the Trivy logo.
+Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>

ci/deploy-rpm.sh

@@ -1,18 +1,21 @@
 #!/bin/bash
 
+TRIVY_VERSION=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -nre 's/^[^0-9]*(([0-9]+\.)*[0-9]+).*/\1/p')
+
 function create_rpm_repo () {
         version=$1
         rpm_path=rpm/releases/${version}/x86_64
 
-        RPM_EL=$(find ../dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e "s/_/-/g" -e "s/-Linux/.el$version/" -e "s/-64bit/.x86_64/")
-        echo $RPM_EL
-
         mkdir -p $rpm_path
-        cp ../dist/*64bit.rpm ${rpm_path}/${RPM_EL}
+        cp ../dist/*64bit.rpm ${rpm_path}/
 
-        createrepo --update $rpm_path
+        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+
+        rm ${rpm_path}/*64bit.rpm
 }
 
+echo "Create RPM releases for Trivy v$TRIVY_VERSION"
+
 cd trivy-repo
 
 VERSIONS=(5 6 7 8 9)
@@ -22,6 +25,5 @@ for version in ${VERSIONS[@]}; do
 done
 
 git add .
-git commit -m "Update rpm packages"
+git commit -m "Update rpm packages for Trivy v$TRIVY_VERSION"
 git push origin main
-

contrib/asff.tpl

@@ -33,7 +33,7 @@
             "Severity": {
                 "Label": "{{ $severity }}"
             },
-            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}, related to {{ .PkgName }}",
             "Description": {{ escapeString $description | printf "%q" }},
             {{ if not (empty .PrimaryURL) -}}
             "Remediation": {
@@ -119,6 +119,43 @@
             "RecordState": "ACTIVE"
         }
         {{- end -}}
+        {{- range .Secrets -}}
+            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
+            {{- $severity := .Severity -}}
+            {{- if eq $severity "UNKNOWN" -}}
+                {{- $severity = "INFORMATIONAL" -}}
+            {{- end -}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Sensitive Data Identifications" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Other",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
+                    "Details": {
+                        "Other": {
+                            "Filename": "{{ $target }}"
+                        }
+                    }
+                }
+            ],
+            "RecordState": "ACTIVE"
+        }
+        {{- end -}}
       {{- end }}
     ]
 }

contrib/gitlab.tpl

@@ -70,7 +70,7 @@
           ,
         {{- end -}}
         {
-          "url": "{{ . }}"
+          "url": "{{ regexFind "[^ ]+" . }}"
         }
         {{- end }}
       ]

docs/community/contribute/pr.md

@@ -50,7 +50,10 @@ mode:
 - fs
 - repo
 - sbom
+- k8s
 - server
+- aws
+- vm
 
 os:
 
@@ -77,6 +80,8 @@ language:
 - dotnet
 - java
 - go
+- elixir
+- dart
 
 vuln:
 
@@ -102,6 +107,12 @@ cli:
 - cli
 - flag
 
+SBOM:
+
+- cyclonedx
+- spdx
+- purl
+
 others:
 
 - helm

docs/community/credit.md

@@ -1,10 +0,0 @@
-# Author
-
-[Teppei Fukuda][knqyf263] (knqyf263)
-
-# Contributors
-
-Thanks to all [contributors][contributors]
-
-[knqyf263]: https://github.com/knqyf263
-[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors

docs/community/references.md

@@ -1,48 +0,0 @@
-# Additional References
-There are external blogs and evaluations.
-
-## Blogs
-- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
-- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
-- [DevSecOps with Trivy and GitHub Actions][actions]
-- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
-- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
-- [the vulnerability remediation lifecycle of Alpine containers][alpine]
-- [Continuous Container Vulnerability Testing with Trivy][semaphore]
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-
-## Links
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-- [Istio evaluates scanners][istio]
-
-## Presentations
-- Aqua Security YouTube Channel
-    - [Trivy - container image scanning][intro]
-    - [Using Trivy in client server mode][server]
-    - [Tweaking Trivy output to fit your workflow][tweaking]
-    - [How does a vulnerability scanner identify packages?][identify]
-- CNCF Webinar 2020
-    - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf]
-- KubeCon + CloudNativeCon Europe 2020 Virtual
-    - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
-
-[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
-[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
-[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
-[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
-[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
-[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
-
-[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
-[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
-[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
-[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
-[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

docs/community/tools.md

@@ -1,37 +0,0 @@
-# Community Tools
-The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
-
-Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
-
-## GitHub Actions
-
-| Actions                                    | Description                                                                      |
-| ------------------------------------------ | -------------------------------------------------------------------------------- |
-| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
-| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
-
-## Semaphore
-
-| Name                                                   | Description                               |
-| -------------------------------------------------------| ----------------------------------------- |
-| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
-
-
-## CircleCI
-
-| Orb                                      | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
-
-## Others
-
-| Name                                     | Description                               |
-| -----------------------------------------| ----------------------------------------- |
-| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
-
-
-[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
-[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
-[gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
-[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

docs/docs/advanced/air-gap.md

@@ -5,6 +5,8 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
 ## Air-Gapped Environment for vulnerabilities
 
 ### Download the vulnerability database
+At first, you need to download the vulnerability database for use in air-gapped environments.
+
 === "Trivy"
 
     ```
@@ -15,7 +17,6 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
     ```
 
 === "oras >= v0.13.0"
-    At first, you need to download the vulnerability database for use in air-gapped environments.
     Please follow [oras installation instruction][oras].
 
     Download `db.tar.gz`:
@@ -25,7 +26,6 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
     ```
 
 === "oras < v0.13.0"
-    At first, you need to download the vulnerability database for use in air-gapped environments.
     Please follow [oras installation instruction][oras].
 
     Download `db.tar.gz`:
@@ -34,41 +34,95 @@ Trivy can be used in air-gapped environments. Note that an allowlist is [here][a
     $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
     ```
 
-### Transfer the DB file into the air-gapped environment
+### Download the Java index database[^1]
+Java users also need to download the Java index database for use in air-gapped environments.
+
+!!! note
+    You container image may contain JAR files even though you don't use Java directly.
+    In that case, you also need to download the Java index database.
+
+=== "Trivy"
+
+    ```
+    TRIVY_TEMP_DIR=$(mktemp -d)
+    trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
+    tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
+    rm -rf $TRIVY_TEMP_DIR
+    ```
+=== "oras >= v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+    ```
+
+=== "oras < v0.13.0"
+    Please follow [oras installation instruction][oras].
+
+    Download `db.tar.gz`:
+
+    ```
+    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
+    ```
+
+
+### Transfer the DB files into the air-gapped environment
 The way of transfer depends on the environment.
 
-```
-$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
-```
+=== "Vulnerability db"
+    ```
+    $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
+    ```
 
-### Put the DB file in Trivy's cache directory
-You have to know where to put the DB file. The following command shows the default cache directory.
+=== "Java index db[^1]"
+    ```
+    $ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
+    ```
+
+### Put the DB files in Trivy's cache directory
+You have to know where to put the DB files. The following command shows the default cache directory.
 
 ```
 $ ssh user@host
 $ trivy -h | grep cache
    --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
 ```
+=== "Vulnerability db"
+    Put the DB file in the cache directory + `/db`.
+    
+    ```
+    $ mkdir -p /home/myuser/.cache/trivy/db
+    $ cd /home/myuser/.cache/trivy/db
+    $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
+    x trivy.db
+    x metadata.json
+    $ rm /path/to/db.tar.gz
+    ```
 
-Put the DB file in the cache directory + `/db`.
+=== "Java index db[^1]"
+    Put the DB file in the cache directory + `/java-db`.
+
+    ```
+    $ mkdir -p /home/myuser/.cache/trivy/java-db
+    $ cd /home/myuser/.cache/trivy/java-db
+    $ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
+    x trivy-java.db
+    x metadata.json
+    $ rm /path/to/javadb.tar.gz
+    ```
+
+
+
+In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
+
+### Run Trivy with the specific flags.
+In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
+In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
 ```
-$ mkdir -p /home/myuser/.cache/trivy/db
-$ cd /home/myuser/.cache/trivy/db
-$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
-x trivy.db
-x metadata.json
-$ rm /path/to/db.tar.gz
-```
-
-In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
-
-### Run Trivy with `--skip-update` and `--offline-scan` option
-In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
-In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
-
-```
-$ trivy image --skip-update --offline-scan alpine:3.12
+$ trivy image --skip-update --skip-java-db-update --offline-scan alpine:3.12
 ```
 
 ## Air-Gapped Environment for misconfigurations
@@ -84,3 +138,5 @@ $ trivy conf --skip-policy-update /path/to/conf
 
 [allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/
+
+[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../vulnerability/languages/java.md)

docs/docs/advanced/container/containerd.md

@@ -1,22 +0,0 @@
-# containerd
-
-!!! warning "EXPERIMENTAL"
-    This feature might change without preserving backwards compatibility.
-
-Scan your image in [containerd][containerd] running locally.
-
-```bash
-$ nerdctl images
-REPOSITORY        TAG       IMAGE ID        CREATED         PLATFORM       SIZE         BLOB SIZE
-aquasec/nginx    latest    2bcabc23b454    3 hours ago     linux/amd64    149.1 MiB    54.1 MiB
-$ trivy image aquasec/nginx
-```
-
-If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`.
-
-```bash
-$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
-$ trivy image aquasec/nginx
-```
-
-[containerd]: https://containerd.io/

docs/docs/advanced/container/oci.md

@@ -1,17 +0,0 @@
-# OCI Image Layout
-
-An image directory compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md).
-
-Buildah:
-
-```
-$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
-$ trivy image --input /path/to/alpine
-```
-
-Skopeo:
-
-```
-$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
-$ trivy image --input /path/to/alpine
-```

docs/docs/advanced/container/podman.md

@@ -1,28 +0,0 @@
-# Podman
-
-!!! warning "EXPERIMENTAL"
-    This feature might change without preserving backwards compatibility.
-
-Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
-Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
-For more details, see [here][sock].
-
-
-```bash
-$ systemctl --user enable --now podman.socket
-```
-
-Then, you can scan your image in Podman.
-
-```bash
-$ cat Dockerfile
-FROM alpine:3.12
-RUN apk add --no-cache bash
-$ podman build -t test .
-$ podman images
-REPOSITORY                TAG     IMAGE ID      CREATED      SIZE
-localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
-$ trivy image test
-```
-
-[sock]: https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine

docs/docs/advanced/private-registries/ecr.md

@@ -2,3 +2,34 @@ Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
 You can use [AWS CLI's ENV Vars][env-var].
 
 [env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+
+### AWS private registry permissions
+
+You may need to grant permissions to allow Trivy to pull images from private ECR.
+
+It depends on how you want to provide AWS Role to trivy.
+
+- [IAM Role Service account](https://github.com/aws/amazon-eks-pod-identity-webhook)
+- [Kube2iam](https://github.com/jtblin/kube2iam) or [Kiam](https://github.com/uswitch/kiam)
+
+#### IAM Role Service account
+
+Add the AWS role in trivy's service account annotations:
+
+```yaml
+trivy:
+
+  serviceAccount:
+    annotations: {}
+      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+```
+
+#### Kube2iam or Kiam
+
+Add the AWS role to pod's annotations:
+
+```yaml
+podAnnotations: {}
+  ## kube2iam/kiam annotation
+  # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+```

docs/docs/attestation/rekor.md

@@ -0,0 +1,147 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Container images
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+ 
+
+### Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+    `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
+2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
+2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+## Non-packaged binaries
+Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+### Prerequisites
+1. SBOM attestation stored in Rekor
+    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
+This example uses a cat clone [bat][bat] written in Rust.
+You need to generate SBOM from lock files like `Cargo.lock` at first.
+
+```bash
+$ git clone -b v0.20.0 https://github.com/sharkdp/bat
+$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
+```
+
+Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
+
+```bash
+$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
+$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
+```
+
+!!! note
+    The public instance of the Rekor maintained by the Sigstore team limits the attestation size.
+    If you are using the public instance, please make sure that your SBOM is small enough.
+    To get more detail, please refer to the Rekor project's [documentation](https://github.com/sigstore/rekor#public-instance).
+
+### Scan a non-packaged binary
+Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
+If it is found, Trivy uses that for vulnerability scanning.
+
+```bash
+$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
+2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
+
+bat (cargo)
+===========
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+Also, it is applied to non-packaged binaries even in container images.
+
+```bash
+$ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat
+2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
+2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
+2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
+2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
+
+alpine-with-bat (alpine 3.15.6)
+===============================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+bat (cargo)
+===========
+Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
+│           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
+└───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+
+!!! note
+    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
+
+[plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
+
+[bat]: https://github.com/sharkdp/bat

docs/docs/attestation/sbom.md

@@ -48,6 +48,7 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
+# The following command uploads SBOM attestation to the public Rekor instance.
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```
 
@@ -60,7 +61,9 @@ $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
 
 Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
 
-In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
+In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
 
 ```bash
 $ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl

docs/docs/cloud/aws/scanning.md

@@ -1,55 +0,0 @@
-# Amazon Web Services
-
-!!! warning "EXPERIMENTAL"
-    This feature might change without preserving backwards compatibility.
-
-The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
-
-Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
-
-The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
-
-Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
-
-You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
-
-Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
-
-## CLI Commands
-
-Scan a full AWS account (all supported services):
-
-```shell
-trivy aws --region us-east-1
-```
-
-You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
-
-![AWS Summary Report](../../../imgs/trivy-aws.png)
-
-The summary view is the default when scanning multiple services.
-
-Scan a specific service:
-
-```shell
-trivy aws --service s3
-```
-
-Scan multiple services:
-
-```shell
-# --service s3,ec2 works too
-trivy aws --service s3 --service ec2
-```
-
-Show results for a specific AWS resource:
-
-```shell
-trivy aws --service s3 --arn arn:aws:s3:::example-bucket
-```
-
-All ARNs with detected issues will be displayed when showing results for their associated service.
-
-## Cached Results
-
-By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)

docs/docs/compliance/compliance.md

@@ -0,0 +1,70 @@
+# Compliance Reports
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
+
+## Usage
+
+Compliance report is currently supported in the following targets (trivy sub-commands):
+
+- `trivy image`
+- `trivy aws`
+- `trivy k8s`
+
+Add the `--compliance` flag to the command line, and set it's value to desired report.
+For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
+
+### Options
+
+The following flags are compatible with `--compliance` flag and allows customizing it's output:
+
+| flag               | effect                                                                               |
+|--------------------|--------------------------------------------------------------------------------------|
+| `--report summary` | shows a summary of the results. for every control shows the number of failed checks. |
+| `--report all`     | shows fully detailed results. for every control shows where it failed and why.       |
+| `--format table`   | shows results in textual table format (good for human readability).                  |
+| `--format json`    | shows results in json format (good for machine readability).                         |
+
+## Built-in compliance
+
+Trivy has a number of built-in compliance reports that you can asses right out of the box.
+to specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
+
+For the list of built-in compliance reports, please see the relevant section:
+
+- [Docker compliance](../target/container_image.md#compliance)
+- [Kubernetes compliance](../target/kubernetes.md#compliance) 
+- [AWS compliance](../target/aws.md#compliance)
+
+## Custom compliance
+
+You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
+
+```yaml
+spec:
+  id: "k8s-myreport" # report unique identifier. this should not container spaces.
+  title: "My custom Kubernetes report" # report title. Any one-line title.
+  description: "Describe your report" # description of the report. Any text.
+  relatedResources :
+    - https://some.url # useful references. URLs only.
+  version: "1.0" # spec version (string)
+  controls:
+    - name: "Non-root containers" # Name for the control (appears in the report as is). Any one-line name.
+      description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.
+      id: "1.0" # control identifier (string)
+      checks:   # list of existing Trivy checks that define the control
+        - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` 
+      severity: "MEDIUM" # Severity for the control (note that checks severity isn't used)
+    - name: "Immutable container file systems"
+      description: 'Check that container root file system is immutable'
+      id: "1.1"
+      checks:
+        - id: AVD-KSV-0014
+      severity: "LOW"
+```
+
+The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
+
+Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).

docs/docs/index.md

@@ -1,94 +1,5 @@
 # Docs
 
-Trivy detects two types of security issues:
+In this section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
 
-- [Vulnerabilities][vuln]
-- [Misconfigurations][misconf]
-
-Trivy can scan four different artifacts:
-
-- [Container Images][container]
-- [Filesystem][filesystem] and [Rootfs][rootfs]
-- [Git Repositories][repo]
-- [Kubernetes][kubernetes]
-
-Trivy can be run in two different modes:
-
-- [Standalone][standalone]
-- [Client/Server][client-server]
-
-Trivy can be run as a Kubernetes Operator:
-
-- [Kubernetes Operator][kubernetesoperator]
-
-It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
-See [Integrations][integrations] for details.
-
-## Features
-
-- Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
-    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
-- Detect IaC misconfigurations
-    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
-        - Kubernetes
-        - Docker
-        - Terraform
-        - more coming soon
-    - Support custom policies
-- Simple
-    - Specify only an image name, a directory containing IaC configs, or an artifact name
-    - See [Quick Start][quickstart]
-- Fast
-    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
-    - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
-- Easy installation
-    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation])
-    - **No pre-requisites** such as installation of DB, libraries, etc.
-- High accuracy
-    - **Especially Alpine Linux and RHEL/CentOS**
-    - Other OSes are also high
-- DevSecOps
-    - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
-    - See [CI Example][integrations]
-- Support multiple formats
-    - container image
-        - A local image in Docker Engine which is running as a daemon
-        - A local image in [Podman][podman] (>=2.0) which is exposing a socket
-        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
-        - A tar archive stored in the `docker save` / `podman save` formatted file
-        - An image directory compliant with [OCI Image Format][oci]
-    - local filesystem and rootfs
-    - remote git repository
-- [SBOM][sbom] (Software Bill of Materials) support
-    - CycloneDX
-    - SPDX
-    - GitHub Dependency Snapshots
-
-Please see [LICENSE][license] for Trivy licensing information.
-
-[installation]: ../getting-started/installation.md
-[vuln]: ../docs/vulnerability/scanning/index.md
-[misconf]: ../docs/misconfiguration/scanning.md
-[kubernetesoperator]: ../docs/kubernetes/operator/index.md
-[container]: ../docs/vulnerability/scanning/image.md
-[rootfs]: ../docs/vulnerability/scanning/rootfs.md
-[filesystem]: ../docs/vulnerability/scanning/filesystem.md
-[repo]: ../docs/vulnerability/scanning/git-repository.md
-[kubernetes]: ../docs/kubernetes/cli/scanning.md
-
-[standalone]: ../docs/references/modes/standalone.md
-[client-server]: ../docs/references/modes/client-server.md
-[integrations]: ../docs/integrations/index.md
-
-[os]: ../docs/vulnerability/detection/os.md
-[lang]: ../docs/vulnerability/detection/language.md
-
-[builtin]: ../docs/misconfiguration/policy/builtin.md
-[quickstart]: ../getting-started/quickstart.md
-[podman]: ../docs/advanced/container/podman.md
-
-[sbom]: ../docs/sbom/index.md
-
-[oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+👈 Please use the side-navigation on the left in order to browse the different topics.

docs/docs/integrations/aws-security-hub.md

@@ -1,29 +0,0 @@
-# AWS Security Hub
-
-## Upload findings to Security Hub
-
-In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
-
-```
-$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
-Then, you can upload it with AWS CLI.
-
-```
-$ aws securityhub batch-import-findings --findings file://report.asff
-```
-
-## Customize
-You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
-
-```
-$ export AWS_REGION=us-west-1
-$ export AWS_ACCOUNT_ID=123456789012
-$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
-```
-
-## Reference
-https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/

docs/docs/kubernetes/operator/index.md

@@ -1,14 +0,0 @@
-# Trivy Operator  
-
-Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
-
-
-> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
-
-<figure>
-  <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
-</figure>
-
-[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
-[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
-[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

docs/docs/licenses/scanning.md

@@ -25,7 +25,7 @@ In addition to package licenses, Trivy scans source code files, Markdown documen
 
 Currently, the standard license scanning doesn't support filesystem and repository scanning.
 
-|   License scnanning   | Image | Rootfs    | Filesystem | Repository |
+|   License scanning    | Image | Rootfs    | Filesystem | Repository |
 |:---------------------:|:-----:|:---------:|:----------:|:----------:|
 |       Standard        |  ✅   |     ✅    |   -        |      -     |
 | Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
@@ -47,10 +47,10 @@ License checking classifies the identified licenses and map the classification t
 This section shows how to scan license in container image and filesystem.
 
 ### Standard scanning
-Specify an image name with `--security-cheks license`.
+Specify an image name with `--scanners license`.
 
 ``` shell
-$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
 2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
 
 OS Packages (license)
@@ -78,7 +78,7 @@ Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
 Specify `--license-full`
 
 ``` shell
-$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
 2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
 
 OS Packages (license)
@@ -141,7 +141,7 @@ Trivy has number of configuration flags for use with license scanning;
 Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
 
 ```shell
-$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
 2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
 
 OS Packages (license)
@@ -317,4 +317,4 @@ license:
 ```
 
 
-[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses
+[google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/misconfiguration/comparison/cfsec.md

@@ -1,24 +0,0 @@
-# vs cfsec
-[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
-Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
-This section describes the differences between Trivy and cfsec.
-
-| Feature               | Trivy                                                  | cfsec                        |
-|-----------------------|--------------------------------------------------------|------------------------------|
-| Built-in Policies     | :material-check:                                       | :material-check:             |
-| Custom Policies       | :material-check:                                       | :material-close:             |
-| Policy Metadata[^1]   | :material-check:                                       | :material-check:             |
-| Show Successes        | :material-check:                                       | :material-check:             |
-| Disable Policies      | :material-check:                                       | :material-check:             |
-| Show Issue Lines      | :material-check:                                       | :material-check:             |
-| View Statistics       | :material-close:                                       | :material-check:             |
-| Filtering by Severity | :material-check:                                       | :material-close:             |
-| Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | CloudFormation JSON and YAML |
-
-[^1]: To enrich the results such as ID, Title, Description, Severity, etc.
-
-cfsec is designed for CloudFormation.
-People who use only want to scan their CloudFormation templates should use cfsec.
-People who want to scan a wide range of configuration files should use Trivy.
-
-[cfsec]: https://github.com/aquasecurity/cfsec

docs/docs/misconfiguration/comparison/conftest.md

@@ -1,43 +0,0 @@
-# vs Conftest
-[Conftest][conftest] is a really nice tool to help you write tests against structured configuration data.
-Misconfiguration detection in Trivy is heavily inspired by Conftest and provides similar features Conftest has.
-This section describes the differences between Trivy and Conftest.
-
-| Feature                     | Trivy                | Conftest             |
-| --------------------------- | -------------------- | -------------------- |
-| Support Rego Language       | :material-check:     | :material-check:     |
-| Built-in Policies           | :material-check:     | :material-close:     |
-| Custom Policies             | :material-check:     | :material-check:     |
-| Custom Data                 | :material-check:     | :material-check:     |
-| Combine                     | :material-check:     | :material-check:     |
-| Combine per Policy          | :material-check:     | :material-close:     |
-| Policy Input Selector[^1]   | :material-check:     | :material-close:     |
-| Policy Metadata[^2]         | :material-check:     | :material-close:[^3] |
-| Filtering by Severity       | :material-check:     | :material-close:     |
-| Rule-based Exceptions       | :material-check:     | :material-check:     |
-| Namespace-based Exceptions  | :material-check:     | :material-close:     |
-| Sharing Policies            | :material-close:     | :material-check:     |
-| Show Successes              | :material-check:     | :material-close:     |
-| Flexible Exit Code          | :material-check:     | :material-close:     |
-| Rego Unit Tests             | :material-close:[^4] | :material-check:     |
-| Go Testing                  | :material-check:     | :material-close:     |
-| Verbose Trace               | :material-check:     | :material-check:     |
-| Supported Formats           | 6 formats[^5]        | 14 formats[^6]       |
-
-Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies.
-In other words, Conftest is simpler and lighter.
-
-Conftest is a general testing tool for configuration files, and Trivy is more security-focused.
-People who need an out-of-the-box misconfiguration scanner should use Trivy.
-People who don't need built-in policies and write your policies should use Conftest.
-
-[^1]: Pass only the types of configuration file as input, specified in selector
-[^2]: To enrich the results such as ID, Title, Description, etc.
-[^3]: Conftest supports [structured errors in rules][conftest-structured], but they are free format and not natively supported by Conftest.
-[^4]: Trivy is not able to run `*_test.rego` like `conftest verify`.
-[^5]: Dockerfile, HCL, HCL2, JSON, TOML, and YAML
-[^6]: CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML
-
-
-[conftest-structured]: https://github.com/open-policy-agent/conftest/pull/243
-[conftest]: https://github.com/open-policy-agent/conftest

docs/docs/misconfiguration/comparison/tfsec.md

@@ -1,25 +0,0 @@
-# vs tfsec
-[tfsec][tfsec] uses static analysis of your Terraform templates to spot potential security issues.
-Trivy uses tfsec internally to scan Terraform HCL files, but Trivy doesn't support some features provided by tfsec.
-This section describes the differences between Trivy and tfsec.
-
-| Feature               | Trivy                                                  | tfsec                |
-|-----------------------|--------------------------------------------------------|----------------------|
-| Built-in Policies     | :material-check:                                       | :material-check:     |
-| Custom Policies       | Rego                                                   | Rego, JSON, and YAML |
-| Policy Metadata[^1]   | :material-check:                                       | :material-check:     |
-| Show Successes        | :material-check:                                       | :material-check:     |
-| Disable Policies      | :material-check:                                       | :material-check:     |
-| Show Issue Lines      | :material-check:                                       | :material-check:     |
-| Support .tfvars       | :material-close:                                       | :material-check:     |
-| View Statistics       | :material-close:                                       | :material-check:     |
-| Filtering by Severity | :material-check:                                       | :material-check:     |
-| Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | Terraform            |
-
-[^1]: To enrich the results such as ID, Title, Description, Severity, etc.
-
-tfsec is designed for Terraform.
-People who use only Terraform should use tfsec.
-People who want to scan a wide range of configuration files should use Trivy.
-
-[tfsec]: https://github.com/aquasecurity/tfsec

docs/docs/misconfiguration/custom/index.md

@@ -36,27 +36,23 @@ A single package must contain only one policy.
 
 !!!example
     ``` rego
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # schemas:
+    #   - input: schema.input
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector: 
+    #     - type: kubernetes
     package user.kubernetes.ID001
     
-    import lib.result
-
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    }
-
-    __rego_input__ := {
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
-    
     deny[res] {
         input.kind == "Deployment"
         msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
-        res := result.new(msg, input)
+        res := result.new(msg, input.kind)
     }
     ```
 
@@ -65,6 +61,10 @@ If you add a new custom policy, it must be defined under a new package like `use
 
 ### Policy structure
 
+`# METADATA` (optional)
+:   - SHOULD be defined for clarity since these values will be displayed in the scan results
+    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+
 `package` (required)
 :   - MUST follow the Rego's [specification][package]
     - MUST be unique per policy
@@ -72,15 +72,6 @@ If you add a new custom policy, it must be defined under a new package like `use
     - MAY include the group name such as `kubernetes` for clarity
         - Group name has no effect on policy evaluation
 
-`import data.lib.result` (optional)
-:   - MAY be defined if you would like to embellish your result(s) with line numbers and code highlighting
-
-`__rego_metadata__` (optional)
-:   - SHOULD be defined for clarity since these values will be displayed in the scan results
-
-`__rego_input__` (optional)
-:   - MAY be defined when you want to specify input format
-
 `deny` (required)
 :   - SHOULD be `deny` or start with `deny_`
         - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
@@ -112,28 +103,38 @@ Any package prefixes such as `main` and `user` are allowed.
 ### Metadata
 Metadata helps enrich Trivy's scan results with useful information.
 
+The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+
+Trivy supports extra fields in the `custom` section as described below.
+
 !!!example
     ``` rego
-    __rego_metadata__ := {
-    	"id": "ID001",
-    	"title": "Deployment not allowed",
-    	"severity": "LOW",
-    	"description": "Deployments are not allowed because of some reasons.",
-    	"recommended_actions": "Remove Deployment",
-    	"url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
-    }
+    # METADATA
+    # title: Deployment not allowed
+    # description: Deployments are not allowed because of some reasons.
+    # custom:
+    #   id: ID001
+    #   severity: LOW
+    #   input:
+    #     selector:
+    #     - type: kubernetes
     ```
   
-All fields under `__rego_metadata__` are optional.
+All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+correct and do not reference incorrect properties/values.
+
+| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
+|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                           |                              | :material-close: | :material-check: |
+| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
+| url                        | Any characters                           |                              | :material-close: | :material-check: |
 
-| Field name          | Allowed values                      | Default value |     In table     |     In JSON      |
-|---------------------|-------------------------------------|:-------------:|:----------------:|:----------------:|
-| id                  | Any characters                      |      N/A      | :material-check: | :material-check: |
-| title               | Any characters                      |      N/A      | :material-check: | :material-check: |
-| severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` |    UNKNOWN    | :material-check: | :material-check: |
-| description         | Any characters                      |               | :material-close: | :material-check: |
-| recommended_actions | Any characters                      |               | :material-close: | :material-check: | 
-| url                 | Any characters                      |               | :material-close: | :material-check: |
 
 Some fields are displayed in scan results.
 
@@ -156,17 +157,16 @@ Deployments are not allowed because of some reasons.
 ```
 
 ### Input
-You can specify input format via `__rego_input__`.
-All fields under `__rego_input` are optional.
+You can specify input format via the `custom.input` annotation.
 
 !!!example
     ``` rego
-    __rego_input__ := {
-        "combine": false,
-        "selector": [
-            {"type": "kubernetes"},
-        ],
-    }
+    # METADATA
+    # custom:
+    #   input:
+    #     combine: false
+    #     selector:
+    #     - type: kubernetes
     ```
 
 `combine` (boolean)
@@ -177,6 +177,15 @@ All fields under `__rego_input` are optional.
     In the above example, Trivy passes only Kubernetes files to this policy.
     Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
 
+    Possible values for input types are:
+    - `dockerfile` (Dockerfile)
+    - `kubernetes` (Kubernetes YAML/JSON)
+    - `rbac` (Kubernetes RBAC YAML/JSON)
+    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
+    - `yaml` (Generic YAML)
+    - `json` (Generic JSON)
+    - `toml` (Generic TOML)
+
     When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
     When a configuration language is identified, it will overwrite `type`.
     
@@ -186,5 +195,15 @@ All fields under `__rego_input` are optional.
 
     `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
 
+### Schemas
+
+You can explore the format of input documents by browsing the schema for the relevant input type:
+
+- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)

docs/docs/misconfiguration/options/others.md

@@ -2,21 +2,3 @@
 
 !!! hint
     See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
-
-## File patterns
-When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
-The default file patterns are [here](../custom/index.md).
-
-In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
-For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
-
-This can be repeated for specifying multiple file patterns.
-Allowed values are here:
-
-- dockerfile
-- yaml
-- json
-- toml
-- hcl
-
-For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)

docs/docs/misconfiguration/options/values.md

@@ -40,7 +40,7 @@ the `--helm-set-string` is the same as `--helm-set` but explicitly retains the v
 trivy config --helm-set-string name=false ./infrastructure/tf
 ```
 
-### Setting sepecific values from files
+### Setting specific values from files
 Specific override values can come from specific files
 
 ```bash

docs/docs/misconfiguration/policy/builtin.md

@@ -11,6 +11,7 @@ Those policies are managed under [defsec repository][defsec].
 | Dockerfile, Containerfile | [defsec][docker]     |
 | Terraform                 | [defsec][defsec]     |
 | CloudFormation            | [defsec][defsec]     |
+| Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
 | RBAC                      | [defsec][rbac]       |      
 
@@ -20,8 +21,18 @@ Helm Chart scanning will resolve the chart to Kubernetes manifests then run the
 
 Ansible scanning is coming soon.
 
+## Policy Distribution
+defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
+If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
+
+## Update Interval
+Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
+
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [defsec]: https://github.com/aquasecurity/defsec
 [kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
 [kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
 [docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
+[ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec

docs/docs/misconfiguration/scanning.md

@@ -1,12 +1,12 @@
 # Misconfiguration Scanning
-Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes, Terraform and CloudFormation.
-Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, etc, like [Conftest][conftest].
+Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
+In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].
 
 ![misconf](../../imgs/misconf.png)
 
 ## Quick start
 
-Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
 
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,28 +37,28 @@ $ trivy config [YOUR_IaC_DIRECTORY]
     ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ```
 
-You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--security-checks config`.
+You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
 
 ```bash
-$ trivy image --security-checks config IMAGE_NAME
+$ trivy image --scanners config IMAGE_NAME
 ```
 
 ```bash
-$ trivy fs --security-checks config /path/to/dir
+$ trivy fs --scanners config /path/to/dir
 ```
 
 !!! note
     Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
 
 Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
-You can specify `--security-checks vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
+You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
 
 
 !!! example
     ``` bash
     $ ls myapp/
     Dockerfile Pipfile.lock
-    $ trivy fs --security-checks vuln,config,secret --severity HIGH,CRITICAL myapp/
+    $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
     2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
     2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
     2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
@@ -316,6 +316,4 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 ## Examples
 See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)
 
-[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
-[conftest]: https://github.com/open-policy-agent/conftest/
-
+[custom]: ./custom/index.md

docs/docs/references/cli/client.md

@@ -9,7 +9,7 @@ Aliases:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -36,9 +36,11 @@ Cache Flags
 DB Flags
       --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
       --no-progress            suppress progress bar
       --reset                  remove all caches and database
       --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
 
 Vulnerability Flags
       --ignore-unfixed     display only fixed vulnerabilities
@@ -47,8 +49,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/config.md

@@ -32,8 +32,8 @@ Cache Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/fs.md

@@ -18,7 +18,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -44,9 +44,11 @@ Cache Flags
 DB Flags
       --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
       --no-progress            suppress progress bar
       --reset                  remove all caches and database
       --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
 
 Vulnerability Flags
       --ignore-unfixed     display only fixed vulnerabilities
@@ -55,8 +57,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/image.md

@@ -33,7 +33,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -58,9 +58,11 @@ Cache Flags
 DB Flags
       --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
       --no-progress            suppress progress bar
       --reset                  remove all caches and database
       --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
 
 Image Flags
       --input string   input file path instead of image name
@@ -73,8 +75,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/repo.md

@@ -15,7 +15,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -41,9 +41,11 @@ Cache Flags
 DB Flags
       --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
       --no-progress            suppress progress bar
       --reset                  remove all caches and database
       --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
 
 Vulnerability Flags
       --ignore-unfixed     display only fixed vulnerabilities
@@ -52,8 +54,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/rootfs.md

@@ -17,10 +17,13 @@ Examples:
   / # trivy rootfs /
 
 Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
+      --file-patterns strings     specify config file patterns
+      --offline-scan              do not issue API requests to identify dependencies
+      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
+      --scanners strings          comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --skip-dirs strings         specify the directories where the traversal is skipped
+      --skip-files strings        specify the file paths to skip traversal
 
 Report Flags
       --dependency-tree        show dependency origin tree (EXPERIMENTAL)
@@ -44,21 +47,23 @@ Cache Flags
 DB Flags
       --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
       --no-progress            suppress progress bar
       --reset                  remove all caches and database
       --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
 
 Vulnerability Flags
       --ignore-unfixed     display only fixed vulnerabilities
       --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 
 Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
+      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings       specify paths to override the Helm values.yaml files
+      --include-non-failures      include successes and exceptions, available with '--scanners config'
+      --tf-vars strings           specify paths to override the Terraform tfvars files
 
 Secret Flags
       --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -67,6 +72,18 @@ License Flags
       --ignored-licenses strings   specify a list of license to ignore
       --license-full               eagerly look for licenses in source code headers and license files
 
+Rego Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
 Global Flags:
       --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
   -c, --config string             config path (default "trivy.yaml")
@@ -76,4 +93,4 @@ Global Flags:
   -q, --quiet                     suppress progress bar and log output
       --timeout duration          timeout (default 5m0s)
   -v, --version                   show version
-```
+```

docs/docs/references/cli/sbom.md

@@ -19,7 +19,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -44,9 +44,11 @@ Cache Flags
 DB Flags
       --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --download-db-only       download/update vulnerability database but don't run a scan
+      --download-java-db-only  download/update java indexes database but don't run a scan
       --no-progress            suppress progress bar
       --reset                  remove all caches and database
       --skip-db-update         skip updating vulnerability database
+      --skip-java-db-update    skip updating java indexes database
 
 Vulnerability Flags
       --ignore-unfixed     display only fixed vulnerabilities

docs/docs/references/customization/config-file.md

@@ -82,6 +82,11 @@ Available in client/server mode
 
 ```yaml
 scan:
+  # Same as '--file-patterns'
+  # Default is empty
+  file-patterns:
+    -
+
   # Same as '--skip-dirs'
   # Default is empty
   skip-dirs:
@@ -97,9 +102,9 @@ scan:
   # Default is false
   offline-scan: false
   
-  # Same as '--security-checks'
+  # Same as '--scanners'
   # Default depends on subcommand
-  security-checks:
+  scanners:
     - vuln
     - config
     - secret
@@ -189,41 +194,40 @@ secret:
   config: config/trivy/secret.yaml
 ```
 
+## Rego Options
+
+```yaml
+rego
+  # Same as '--trace'
+  # Default is false
+  trace: false
+
+  # Same as '--config-policy'
+  # Default is empty
+  policy:
+    - policy/repository
+    - policy/custom
+
+  # Same as '--config-data'
+  # Default is empty
+  data:
+    - data/
+
+  # Same as '--policy-namespaces'
+  # Default is empty
+  namespaces:
+    - opa.examples
+    - users
+```
 
 ## Misconfiguration Options
 Available with misconfiguration scanning
 
 ```yaml
 misconfiguration:
-  # Same as '--file-patterns'
-  # Default is empty
-  file-patterns:
-    -
-  
   # Same as '--include-non-failures'
   # Default is false
   include-non-failures: false
-  
-  # Same as '--trace'
-  # Default is false
-  trace: false
-  
-  # Same as '--config-policy'
-  # Default is empty
-  policy:
-    - policy/repository
-    - policy/custom
-    
-  # Same as '--config-data'
-  # Default is empty
-  data:
-    - data/
-    
-  # Same as '--policy-namespaces'
-  # Default is empty
-  namespaces:
-    - opa.examples
-    - users
 
   # helm value override configurations
   # set individual values

docs/docs/references/modes/client-server.md

@@ -52,6 +52,8 @@ $ trivy fs --server http://localhost:8080 --severity CRITICAL ./integration/test
 **Note**: It's important to specify the protocol (http or https).
 <details>
 <summary>Result</summary>
+
+```
 pom.xml (pom)
 =============
 Total: 24 (CRITICAL: 24)
@@ -173,6 +175,107 @@ Total: 24 (CRITICAL: 24)
 |                                             |                  |          |                   |                                | gadgets in anteros-core               |
 |                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
 +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+```
+</details>
+
+## Remote scan of root filesystem
+Also, there is a way to scan root file system:
+```shell
+$ trivy rootfs --server http://localhost:8080 --severity CRITICAL /tmp/rootfs
+```
+**Note**: It's important to specify the protocol (http or https).
+<details>
+<summary>Result</summary>
+
+```
+/tmp/rootfs (alpine 3.10.2)
+
+Total: 1 (CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+</details>
+
+## Remote scan of git repository
+Also, there is a way to scan remote git repository:
+```shell
+$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:8080 
+```
+**Note**: It's important to specify the protocol (http or https).
+<details>
+<summary>Result</summary>
+
+```
+Cargo.lock (cargo)
+==================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+
+┌───────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ ammonia   │ CVE-2019-15542      │ HIGH     │ 1.9.0             │ 2.1.0         │ Uncontrolled recursion in ammonia                           │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15542                  │
+│           ├─────────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│           │ CVE-2021-38193      │ MEDIUM   │                   │ 2.1.3, 3.1.0  │ An issue was discovered in the ammonia crate before 3.1.0   │
+│           │                     │          │                   │               │ for Rust....                                                │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-38193                  │
+├───────────┼─────────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ smallvec  │ CVE-2019-15551      │          │ 0.6.9             │ 0.6.10        │ An issue was discovered in the smallvec crate before 0.6.10 │
+│           │                     │          │                   │               │ for Rust....                                                │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15551                  │
+│           ├─────────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│           │ CVE-2018-25023      │ HIGH     │                   │ 0.6.13        │ An issue was discovered in the smallvec crate before 0.6.13 │
+│           │                     │          │                   │               │ for Rust....                                                │
+│           │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-25023                  │
+│           ├─────────────────────┼──────────┤                   │               ├─────────────────────────────────────────────────────────────┤
+│           │ GHSA-66p5-j55p-32r9 │ MEDIUM   │                   │               │ smallvec creates uninitialized value of any type            │
+│           │                     │          │                   │               │ https://github.com/advisories/GHSA-66p5-j55p-32r9           │
+└───────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+Pipfile.lock (pipenv)
+=====================
+Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+
+┌─────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
+│       Library       │ Vulnerability  │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
+├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ celery              │ CVE-2021-23727 │ HIGH     │ 4.3.0             │ 5.2.2                  │ celery: stored command injection vulnerability may allow     │
+│                     │                │          │                   │                        │ privileges escalation                                        │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-23727                   │
+├─────────────────────┼────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ django              │ CVE-2019-6975  │          │ 2.0.9             │ 1.11.19, 2.0.12, 2.1.7 │ python-django: memory exhaustion in                          │
+│                     │                │          │                   │                        │ django.utils.numberformat.format()                           │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-6975                    │
+│                     ├────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2019-3498  │ MEDIUM   │                   │ 1.11.18, 2.0.10, 2.1.5 │ python-django: Content spoofing via URL path in default 404  │
+│                     │                │          │                   │                        │ page                                                         │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-3498                    │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2021-33203 │          │                   │ 2.2.24, 3.1.12, 3.2.4  │ django: Potential directory traversal via ``admindocs``      │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-33203                   │
+├─────────────────────┼────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ urllib3             │ CVE-2019-11324 │          │ 1.24.1            │ 1.24.2                 │ python-urllib3: Certification mishandle when error should be │
+│                     │                │          │                   │                        │ thrown                                                       │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-11324                   │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2021-33503 │          │                   │ 1.26.5                 │ python-urllib3: ReDoS in the parsing of authority part of    │
+│                     │                │          │                   │                        │ URL                                                          │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-33503                   │
+│                     ├────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2019-11236 │ MEDIUM   │                   │ 1.24.3                 │ python-urllib3: CRLF injection due to not encoding the       │
+│                     │                │          │                   │                        │ '\r\n' sequence leading to...                                │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2019-11236                   │
+│                     ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                     │ CVE-2020-26137 │          │                   │ 1.25.9                 │ python-urllib3: CRLF injection via HTTP request method       │
+│                     │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2020-26137                   │
+└─────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
+```
 </details>
 
 ## Authentication

docs/docs/references/troubleshooting.md

@@ -39,49 +39,23 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
-### Maven rate limiting / inconsistent jar vulnerability reporting
+### Unable to open JAR files
 
 !!! error
     ``` bash
     $ trivy image ...
     ...
-    status 403 Forbidden from http://search.maven.org/solrsearch/select
+    failed to analyze file: failed to analyze usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: unable to open usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: failed to open: unable to read the file: stream error: stream ID 9; PROTOCOL_ERROR; received from peer
     ```
 
-Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
-This can easily happen if you are running more than one instance of Trivy which is concurrently scanning multiple images.
-Once this starts happening Trivy's vulnerability reporting on jar files may become inconsistent.
-There are two options to resolve this issue:
+Currently, we're investigating this issue. As a temporary mitigation, you may be able to avoid this issue by downloading the Java DB in advance.
 
-The first is to enable offline scanning using the `--offline-scan` option to stop Trivy from making API requests.
-This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
-If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
-**Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.**
-
-The second, more scalable, option is the place Trivy behind a rate-limiting forward-proxy to the Maven Central API.
-One way to achieve this is to use nginx. You can use the following nginx config to enable both rate-limiting and caching (the caching greatly reduces the number of calls to the Maven Central API, especially if you are scanning a lot of similar images):
-
-```nginx
-limit_req_zone global zone=maven:1m rate=10r/s;
-proxy_cache_path /tmp/cache keys_zone=mavencache:10m;
-
-server {
-  listen 80;
-  proxy_cache mavencache;
-
-  location / {
-    limit_req zone=maven burst=1000;
-    proxy_cache_valid any 1h;
-    proxy_pass https://search.maven.org:443;
-  }
-}
+```shell
+$ trivy image --download-java-db-only
+2023-02-01T16:57:04.322+0900    INFO    Downloading the Java DB...
+$ trivy image [YOUR_JAVA_IMAGE]
 ```
 
-This config file will allow a maximum of 10 requests per second to the Maven API, this number was determined experimentally so you might want to use something else if it doesn't fit your needs.
-
-Once nginx is up and running, you need to tell all your Trivy deployments to proxy their Maven API calls through nginx. You can do this by setting the `MAVEN_CENTRAL_URL` environment variable. For example, if your nginx proxy is running at `127.0.0.1`, you can set `MAVEN_CENTRAL_URL=http://127.0.0.1/solrsearch/select`.
-
-
 ### Running in parallel takes same time as series run
 When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
 This is because of a limitation of boltdb.
@@ -91,23 +65,6 @@ Reference : [boltdb: Opening a database][boltdb].
 
 [boltdb]: https://github.com/boltdb/bolt#opening-a-database
 
-### Error downloading vulnerability DB
-
-!!! error
-    FATAL failed to download vulnerability DB
-
-If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
-
-- ghcr.io
-- pkg-containers.githubusercontent.com
-
-### Old DB schema
-
-!!! error
-    --skip-update cannot be specified with the old DB schema.
-
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
-
 ### Multiple Trivy servers
 
 !!! error
@@ -120,6 +77,67 @@ To run multiple Trivy servers, you need to use Redis as the cache backend so tha
 Follow [this instruction][redis-cache] to do so.
 
 
+### Problems with `/tmp` on remote Git repository scans
+
+!!! error
+    FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
+
+Trivy clones remote Git repositories under the `/tmp` directory before scanning them. If `/tmp` doesn't work for you, you can change it by setting the `TMPDIR` environment variable.
+
+Try:
+
+```
+$ TMPDIR=/my/custom/path trivy repo ...
+```
+
+### Running out of space during image scans
+
+!!! error
+    ``` bash
+    image scan failed:
+    failed to copy the image:
+    write /tmp/fanal-3323732142: no space left on device
+    ```
+
+Trivy uses the `/tmp` directory during image scan, if the image is large or `/tmp` is of insufficient size then the scan fails You can set the `TMPDIR` environment variable to use redirect trivy to use a directory with adequate storage.
+
+Try:
+
+```
+$ TMPDIR=/my/custom/path trivy image ...
+```
+
+## DB
+### Old DB schema
+
+!!! error
+    --skip-update cannot be specified with the old DB schema.
+
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+
+### Error downloading vulnerability DB
+
+!!! error
+    FATAL failed to download vulnerability DB
+
+If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
+
+- ghcr.io
+- pkg-containers.githubusercontent.com
+
+### Denied
+
+!!! error
+    GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
+
+Your local GHCR (GitHub Container Registry) token might be expired.
+Please remove the token and try downloading the DB again.
+
+```shell
+docker logout ghcr.io
+```
+
+
 ## Homebrew
 ### Scope error
 !!! error
@@ -170,4 +188,4 @@ $ trivy image --reset
 ```
 
 [air-gapped]: ../advanced/air-gap.md
-[redis-cache]: ../../vulnerability/examples/cache/#cache-backend
+[redis-cache]: ../../vulnerability/examples/cache/#cache-backend

docs/docs/sbom/cyclonedx.md

@@ -1,7 +1,5 @@
-# CycloneDX
-
-## Reporting
-Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+# CycloneDX generation
+Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
 Note that XML format is not supported at the moment.
 
 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
@@ -15,7 +13,7 @@ By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabili
 
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
-2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```
 
 <details>
@@ -239,40 +237,12 @@ $ cat result.json | jq .
 
 </details>
 
-If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+If you want to include vulnerabilities, you can enable vulnerability scanning via `--scanners vuln`.
 
 ```
-$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+$ trivy image --scanners vuln --format cyclonedx --output result.json alpine:3.15
 ```
 
-## Scanning
-Trivy can take CycloneDX as an input and scan for vulnerabilities.
-To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
-
-```bash
-$ trivy sbom /path/to/cyclonedx.json
-
-cyclonedx.json (alpine 3.7.1)
-=========================
-Total: 3 (CRITICAL: 3)
-
-┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
-└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
-```
-
-!!! note
-    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
-    The report is called [BOV][bov].
 
 [cyclonedx]: https://cyclonedx.org/
 [sbom]: https://cyclonedx.org/capabilities/sbom/

docs/docs/sbom/index.md

@@ -1,12 +1,12 @@
-# SBOM
+# SBOM generation
 
-## Reporting
 Trivy can generate the following SBOM formats.
 
 - [CycloneDX][cyclonedx]
 - [SPDX][spdx]
 
-To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
+## CLI commands
+To generate SBOM, you can use the `--format` option for each subcommand such as `image`, `fs` and `vm`.
 
 ```
 $ trivy image --format spdx-json --output result.json alpine:3.15
@@ -177,63 +177,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
 
 </details>
 
-## Scanning
-Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.
+## Supported packages
+Trivy supports the following packages.
 
-- CycloneDX
-- CycloneDX-type attestation
-
-To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
-
-```bash
-$ trivy sbom /path/to/cyclonedx.json
-
-cyclonedx.json (alpine 3.7.1)
-=========================
-Total: 3 (CRITICAL: 3)
-
-┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
-├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
-│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
-└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
-```
+- [OS packages][os_packages]
+- [Language-specific packages][language_packages]
 
+In addition to the above packages, Trivy also supports the following packages for generating SBOM.
 
 !!! note
-    CycloneDX XML and SPDX are not supported at the moment.
+    These packages are not supported for vulnerability scanning.
 
-You can also scan an SBOM attestation.
-In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
-```bash
-$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
-$ trivy sbom ./sbom.cdx.intoto.jsonl
+| Language | File              | Dependency location[^1] |
+|----------|-------------------|:-----------------------:|
+| Python   | conda package[^2] |            -            |
+| Swift    | Podfile.lock      |            -            |
 
-sbom.cdx.intoto.jsonl (alpine 3.7.3)
-=========================
-Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
-
-┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
-│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
-├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
-│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
-│            │                │          │                   │               │ adjustment im ......                                     │
-│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
-├────────────┤                │          │                   │               │                                                          │
-│ musl-utils │                │          │                   │               │                                                          │
-│            │                │          │                   │               │                                                          │
-│            │                │          │                   │               │                                                          │
-└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
-```
+[^1]: Use `startline == 1 and endline == 1` for unsupported file types
+[^2]: `envs/*/conda-meta/*.json`
 
 [cyclonedx]: cyclonedx.md
 [spdx]: spdx.md
-[Cosign]: https://github.com/sigstore/cosign
-[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair
+
+[os_packages]: ../vulnerability/detection/os.md
+[language_packages]: ../vulnerability/detection/language.md

docs/docs/sbom/spdx.md

@@ -1,6 +1,6 @@
-# SPDX
+# SPDX generation
 
-Trivy generates reports in the [SPDX][spdx] format.
+Trivy can generate SBOM in the [SPDX][spdx] format.
 
 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.
 
@@ -294,4 +294,5 @@ $ cat result.spdx.json | jq .
 
 </details>
 
+
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf

docs/docs/secret/configuration.md

@@ -98,9 +98,9 @@ allow-rules:
 
 ## Enable Rules
 Trivy provides plenty of out-of-box rules and allow rules, but you may not need all of them.
-In that case, `enable-builin-rules` will be helpful.
+In that case, `enable-builtin-rules` will be helpful.
 If you just need AWS secret detection, you can enable only relevant rules as shown below.
-It specifies AWS-related rule IDs in `enable-builin-rules`.
+It specifies AWS-related rule IDs in `enable-builtin-rules`.
 All other rules are disabled, so the scanning will be much faster.
 We would strongly recommend using this option if you don't need all rules.
 
@@ -118,9 +118,9 @@ Trivy offers built-in rules and allow rules, but you may want to disable some of
 For example, you don't use Slack, so Slack doesn't have to be scanned.
 You can specify the Slack rule IDs, `slack-access-token` and `slack-web-hook` in `disable-rules` so that those rules will be disabled for less false positives.
 
-You should specify either `enable-builin-rules` or `disable-rules`.
+You should specify either `enable-builtin-rules` or `disable-rules`.
 If they both are specified, `disable-rules` takes precedence.
-In case `github-pat` is specified in `enable-builin-rules` and `disable-rules`, it will be disabled.
+In case `github-pat` is specified in `enable-builtin-rules` and `disable-rules`, it will be disabled.
 
 In addition, there are some allow rules.
 Markdown files are ignored by default, but you may want to scan markdown files as well.

docs/docs/secret/examples.md

@@ -15,7 +15,7 @@ $ trivy image --skip-dirs /var/lib --skip-dirs /var/log YOUR_IMAGE
 $ trivy fs --skip-dirs ./my-test-dir --skip-dirs ./my-testing-cert/ /path/to/your_project
 ```
 
-`--skip-fles` also works similarly.
+`--skip-files` also works similarly.
 
 ## Filter by severity
 
@@ -35,11 +35,23 @@ Total: 1 (CRITICAL: 1)
 +----------+-------------------+----------+---------+--------------------------------+
 ```
 
+## Filter by RuleID
+
+Use `.trivyignore`.
+
+```bash
+$ cat .trivyignore
+
+# Ignore these rules
+generic-unwanted-rule
+aws-account-id
+```
+
 ## Disable secret scanning
-If you need vulnerability scanning only, you can disable secret scanning via the `--security-checks` flag.
+If you need vulnerability scanning only, you can disable secret scanning via the `--scanners` flag.
 
 ``` shell
-$ trivy image --security-checks vuln alpine:3.15
+$ trivy image --scanners vuln alpine:3.15
 ```
 
 ## With configuration file
@@ -95,4 +107,4 @@ disable-allow-rules:
 $ trivy fs --secret-config ./secret-config/trivy.yaml /path/to/your_project
 ```
 
-[quick-start]: ./scanning.md#quick-start
+[quick-start]: ./scanning.md#quick-start

docs/docs/secret/scanning.md

@@ -101,15 +101,15 @@ The usage examples are [here][examples].
 
 In addition, all the built-in rules are enabled by default, so it takes some time to scan all of them.
 If you don't need all those rules, you can use `enable-builtin-rules` or `disable-rules` in the configuration file.
-You should use `enable-builin-rules` if you need only AWS secret detection, for example.
+You should use `enable-builtin-rules` if you need only AWS secret detection, for example.
 All rules are disabled except for the ones you specify, so it runs very fast.
 On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
 See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
 
-If you don't need secret scanning, you can disable it via the `--security-checks` flag.
+If you don't need secret scanning, you can disable it via the `--scanners` flag.
 
 ```shell
-$ trivy image --security-checks vuln alpine:3.15
+$ trivy image --scanners vuln alpine:3.15
 ```
 
 

docs/docs/target/aws.md

@@ -0,0 +1,107 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. 
+You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
+
+Trivy currently supports the following scanning for AWS accounts.
+
+- Misconfigurations
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Compliance
+This section describes AWS specific compliance reports.
+For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
+
+### Built in reports
+
+the following reports are available out of the box:
+
+| Compliance                         | Name for command | More info                                                                                            |
+|------------------------------------|------------------|------------------------------------------------------------------------------------------------------|
+| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2`    | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)            |
+| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4`    | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) |
+
+### Examples
+
+Scan a cloud account and generate a compliance summary report:
+
+```
+$ trivy aws --compliance=<compliance_id> --report=summary
+```
+
+***Note*** : The `Issues` column represent the total number of failed checks for this control.
+
+
+Get all of the detailed output for checks:
+
+```
+$ trivy aws --compliance=<compliance_id> --report all
+```
+
+Report result in JSON format:
+
+```
+$ trivy aws --compliance=<compliance_id> --report all --format json
+```
+
+## Cached Results
+
+By default, Trivy will cache a representation of each AWS service for 24 hours.
+This means you can filter and view results for a service without having to wait for the entire scan to run again.
+If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`.
+Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.).
+Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
+
+## Custom Policies
+
+You can write custom policies for Trivy to evaluate against your AWS account.
+These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/).
+See the [Custom Policies](../misconfiguration/custom/index.md) page for more information.
+

docs/docs/target/container_image.md

@@ -0,0 +1,450 @@
+# Container Image
+
+Trivy supports two targets for container images.
+
+- Files inside container images
+- Container image metadata
+
+## Files inside container images
+Container images consist of files.
+For instance, new files will be installed if you install a package.
+
+Trivy scans the files inside container images for
+
+- Vulnerabilities
+- Misconfigurations
+- Secrets
+- Licenses
+
+By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
+
+### Vulnerabilities
+It is enabled by default.
+You can simply specify your image name (and a tag).
+It detects known vulnerabilities in your container image.
+See [here](../vulnerability/scanning.md) for the detail.
+
+```
+$ trivy image [YOUR_IMAGE_NAME]
+```
+
+For example:
+
+```
+$ trivy image python:3.4-alpine
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
+2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
+
+python:3.4-alpine3.9 (alpine 3.9.2)
+===================================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
+|         |                  |          |                   |               | with long nonces               |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+```
+
+</details>
+
+To enable only vulnerability scanning, you can specify `--scanners vuln`.
+
+```shell
+$ trivy image --scanners vuln [YOUR_IMAGE_NAME]
+```
+
+### Misconfigurations
+It is supported, but it is not useful in most cases.
+As mentioned [here](../misconfiguration/scanning.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
+If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`.
+
+```
+$ trivy image --scanners config [YOUR_IMAGE_NAME]
+```
+
+### Secrets
+It is enabled by default.
+See [here](../secret/scanning.md) for the detail.
+
+```shell
+$ trivy image [YOUR_IMAGE_NAME]
+```
+
+### Licenses
+It is disabled by default.
+See [here](../licenses/scanning.md) for the detail.
+
+```shell
+$ trivy image --scanners license [YOUR_IMAGE_NAME]
+```
+
+## Container image metadata
+Container images have [configuration](https://github.com/opencontainers/image-spec/blob/2fb996805b3734779bf9a3a84dc9a9691ad7efdd/config.md).
+`docker inspect` and `docker history` show the information according to the configuration.
+
+Trivy scans the configuration of container images for
+
+- Misconfigurations
+- Secrets
+
+They are disabled by default.
+You can enable them with `--image-config-scanners`.
+ 
+!!! tips
+    The configuration can be exported as the JSON file by `docker save`.
+
+### Misconfigurations
+Trivy detects misconfigurations on the configuration of container images.
+The image config is converted into Dockerfile and Trivy handles it as Dockerfile.
+See [here](../misconfiguration/scanning.md) for the detail of Dockerfile scanning.
+
+It is disabled by default.
+You can enable it with `--image-config-scanners config`.
+
+```
+$ trivy image --image-config-scanners config [YOUR_IMAGE_NAME]
+```
+
+If you just want to scan the image config, you can disable scanners with `--scanners none`.
+For example:
+
+```
+$ trivy image --scanners none --image-config-scanners config alpine:3.17.0
+```
+
+<details>
+<summary>Result</summary>
+
+```
+alpine:3.17 (dockerfile)
+========================
+Tests: 24 (SUCCESSES: 21, FAILURES: 3, EXCEPTIONS: 0)
+Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
+HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
+════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+See https://avd.aquasec.com/misconfig/ds002
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+LOW: Consider using 'COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' command instead of 'ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /'
+════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
+
+See https://avd.aquasec.com/misconfig/ds005
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ alpine:3.17:1
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+LOW: Add HEALTHCHECK instruction in your Dockerfile
+════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
+
+See https://avd.aquasec.com/misconfig/ds026
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+</details>
+
+!!! tip
+    You can see how each layer is created with `docker history`.
+
+### Secrets
+Trivy detects secrets on the configuration of container images.
+The image config is converted into JSON and Trivy scans the file for secrets.
+It is especially useful for environment variables that are likely to have credentials by accident.
+See [here](../secret/scanning.md) for the detail.
+
+```shell
+$ trivy image --image-config-scanners secret [YOUR_IMAGE_NAME]
+```
+
+If you just want to scan the image config, you can disable scanners with `--scanners none`.
+For example:
+
+```shell
+$ trivy image --scanners none --image-config-scanners secret vuln-image
+```
+
+<details>
+<summary>Result</summary>
+
+```
+vuln-image (alpine 3.17.1)
+==========================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+vuln-image (secrets)
+====================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+CRITICAL: GitHub (github-pat)
+════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+GitHub Personal Access Token
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ test:16
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  14     {
+  15     "created": "2023-01-09T17:05:20Z",
+  16 [   "created_by": "ENV secret=****************************************",
+  17     "comment": "buildkit.dockerfile.v0",
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+CRITICAL: GitHub (github-pat)
+════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+GitHub Personal Access Token
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ test:34
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+  32     "Env": [
+  33     "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+  34 [   "secret=****************************************"
+  35     ]
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+```
+
+</details>
+
+!!! tip
+    You can see environment variables with `docker inspect`.
+
+## Supported
+### Docker Engine
+Trivy tries to looks for the specified image in your local Docker Engine.
+It will be skipped if Docker Engine is not running locally.
+
+If your docker socket is not the default path, you can override it via `DOCKER_HOST`.
+
+### containerd
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+    
+Trivy tries to looks for the specified image in your local [containerd](https://containerd.io/).
+It will be skipped if containerd is not running locally.
+
+Specify your image name in containerd running locally.
+
+```bash
+$ nerdctl images
+REPOSITORY        TAG       IMAGE ID        CREATED         PLATFORM       SIZE         BLOB SIZE
+aquasec/nginx    latest    2bcabc23b454    3 hours ago     linux/amd64    149.1 MiB    54.1 MiB
+$ trivy image aquasec/nginx
+```
+
+If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`.
+
+```bash
+$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
+$ trivy image aquasec/nginx
+```
+
+If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`.
+
+```bash
+$ export CONTAINERD_NAMESPACE=k8s.io
+$ trivy image aquasec/nginx
+```
+
+### Podman
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
+Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
+For more details, see [here](https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine).
+
+
+```bash
+$ systemctl --user enable --now podman.socket
+```
+
+Then, you can scan your image in Podman.
+
+```bash
+$ cat Dockerfile
+FROM alpine:3.12
+RUN apk add --no-cache bash
+$ podman build -t test .
+$ podman images
+REPOSITORY                TAG     IMAGE ID      CREATED      SIZE
+localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
+$ trivy image test
+```
+
+### Container Registry
+Trivy supports registries that comply with the following specifications.
+
+- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
+- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
+
+You can configure credentials with `docker login`.
+See [here](../advanced/private-registries/index.md) for the detail.
+
+### Tar Files
+Trivy supports image tar files generated by the following tools.
+
+- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec)
+    - [Moby Project](https://github.com/moby/moby/)
+    - [Buildah](https://github.com/containers/buildah)
+    - [Podman](https://github.com/containers/podman)
+    - [img](https://github.com/genuinetools/img)
+- [Kaniko](https://github.com/GoogleContainerTools/kaniko)
+
+```
+$ docker pull ruby:3.1-alpine3.15
+$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
+$ trivy image --input ruby-3.1.tar
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-02-03T10:08:19.127Z        INFO    Detected OS: alpine
+2022-02-03T10:08:19.127Z        WARN    This OS version is not on the EOL list: alpine 3.15
+2022-02-03T10:08:19.127Z        INFO    Detecting Alpine vulnerabilities...
+2022-02-03T10:08:19.127Z        INFO    Number of language-specific files: 2
+2022-02-03T10:08:19.127Z        INFO    Detecting gemspec vulnerabilities...
+2022-02-03T10:08:19.128Z        INFO    Detecting node-pkg vulnerabilities...
+2022-02-03T10:08:19.128Z        WARN    This OS version is no longer supported by the distribution: alpine 3.15.0
+2022-02-03T10:08:19.128Z        WARN    The vulnerability detection may be insufficient because security updates are not provided
+
+ruby-3.1.tar (alpine 3.15.0)
+============================
+Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+
++----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| gmp      | CVE-2021-43618   | HIGH     | 6.2.1-r0          | 6.2.1-r1      | gmp: Integer overflow and resultant   |
+|          |                  |          |                   |               | buffer overflow via crafted input     |
+|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43618 |
++----------+                  +          +                   +               +                                       +
+| gmp-dev  |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
++----------+                  +          +                   +               +                                       +
+| libgmpxx |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
++----------+------------------+----------+-------------------+---------------+---------------------------------------+
+
+Node.js (node-pkg)
+==================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+Ruby (gemspec)
+==============
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+```
+
+</details>
+
+### OCI Layout
+Trivy supports image directories compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md).
+
+Buildah:
+
+```
+$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
+$ trivy image --input /path/to/alpine
+```
+
+Skopeo:
+
+```
+$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
+$ trivy image --input /path/to/alpine
+```
+
+## SBOM generation
+Trivy can generate SBOM for container images.
+See [here](../sbom/index.md) for the detail.
+
+## Compliance
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+This section describes container image specific compliance reports.
+For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
+
+### Built in reports
+
+The following reports are available out of the box:
+
+| Compliance                             | Version | Name for command | More info                                                                                   |
+|----------------------------------------|---------|------------------|---------------------------------------------------------------------------------------------|
+| CIS Docker Community Edition Benchmark | 1.1.0   | `docker-cis`     | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) |
+
+### Examples
+
+Scan a container image configuration and generate a compliance summary report:
+
+```
+$ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
+```
+
+!!! note
+    The `Issues` column represent the total number of failed checks for this control.
+
+## Options
+### Scan Image on a specific Architecture and OS
+By default, Trivy loads an image on a "linux/amd64" machine.
+To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
+
+```
+$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
+```
+
+For example:
+
+```
+$ trivy image --platform=linux/arm alpine:3.16.1
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-10-25T21:00:50.972+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    Secret scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+2022-10-25T21:00:50.972+0300    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-10-25T21:00:56.190+0300    INFO    Detected OS: alpine
+2022-10-25T21:00:56.190+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T21:00:56.191+0300    INFO    Number of language-specific files: 0
+
+alpine:3.16.1 (alpine 3.16.1)
+=============================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
+┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ zlib    │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
+│         │                │          │                   │               │ in inflate.c via a...                                       │
+│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
+└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+
+</details>
+

docs/docs/target/filesystem.md

@@ -0,0 +1,93 @@
+# Filesystem
+
+Scan your local projects for
+
+- Vulnerabilities
+- Misconfigurations
+- Secrets
+- Licenses
+ 
+By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
+
+```bash
+$ trivy fs /path/to/project
+```
+
+It's also possible to scan a single file.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
+```
+
+## Scanners
+### Vulnerabilities
+It is enabled by default.
+Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
+See [here](../vulnerability/scanning.md) for the detail.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
+2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
+2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
+
+Pipfile.lock
+============
+Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
+|                     |                  |          |                   |                        | SQL injection via                  |
+|                     |                  |          |                   |                        | StringAgg(delimiter)               |
++                     +------------------+----------+                   +------------------------+------------------------------------+
+|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
+|                     |                  |          |                   |                        | allows account takeover            |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
+|                     |                  |          |                   |                        | spoofing via URL path in           |
+|                     |                  |          |                   |                        | default 404 page                   |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
+|                     |                  |          |                   |                        | memory exhaustion in               |
+|                     |                  |          |                   |                        | django.utils.numberformat.format() |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+...
+```
+
+</details>
+
+### Misconfigurations
+It is disabled by default and can be enabled with `--scanners config`.
+See [here](../misconfiguration/scanning.md) for the detail.
+
+```shell
+$ trivy fs --scanners config /path/to/project
+```
+
+### Secrets
+It is enabled by default.
+See [here](../secret/scanning.md) for the detail.
+
+```shell
+$ trivy fs /path/to/project
+```
+
+### Licenses
+It is disabled by default.
+See [here](../licenses/scanning.md) for the detail.
+
+```shell
+$ trivy fs --scanners license /path/to/project
+```
+
+## SBOM generation
+Trivy can generate SBOM for local projects.
+See [here](../sbom/index.md) for the detail.

docs/docs/target/git-repository.md

@@ -1,6 +1,23 @@
 # Git Repository
 
-Scan your remote git repository
+Scan your remote git repositories for
+
+- Vulnerabilities
+- Misconfigurations
+- Secrets
+- Licenses
+ 
+By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
+
+```bash
+$ trivy repo [YOUR_REPO_URL]
+```
+
+## Scanners
+### Vulnerabilities
+It is enabled by default.
+Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
+See [here](../vulnerability/scanning.md) for the detail.
 
 ```
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
@@ -147,32 +164,60 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 
 </details>
 
-## Scanning a Branch
+### Misconfigurations
+It is disabled by default and can be enabled with `--scanners config`.
+See [here](../misconfiguration/scanning.md) for the detail.
 
-Pass a `--branch` agrument with a valid branch name on the remote repository provided:
+```shell
+$ trivy repo --scanners config [YOUR_REPO_URL]
+```
+
+### Secrets
+It is enabled by default.
+See [here](../secret/scanning.md) for the detail.
+
+```shell
+$ trivy repo [YOUR_REPO_URL]
+```
+
+### Licenses
+It is disabled by default.
+See [here](../licenses/scanning.md) for the detail.
+
+```shell
+$ trivy repo --scanners license [YOUR_REPO_URL]
+```
+
+## SBOM generation
+Trivy can generate SBOM for git repositories.
+See [here](../sbom/index.md) for the detail.
+
+## References
+### Scanning a Branch
+
+Pass a `--branch` argument with a valid branch name on the remote repository provided:
 
 ```
 $ trivy repo --branch <branch-name> <repo-name>
 ```
 
-## Scanning upto a Commit
+### Scanning upto a Commit
 
-Pass a `--commit` agrument with a valid commit hash on the remote repository provided:
+Pass a `--commit` argument with a valid commit hash on the remote repository provided:
 
 ```
 $ trivy repo --commit <commit-hash> <repo-name>
 ```
 
-## Scanning a Tag
+### Scanning a Tag
 
-Pass a `--tag` agrument with a valid tag on the remote repository provided:
+Pass a `--tag` argument with a valid tag on the remote repository provided:
 
 ```
 $ trivy repo --tag <tag-name> <repo-name>
 ```
 
-## Scanning Private Repositories
-
+### Scanning Private Repositories
 In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
 
 The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.

docs/docs/target/kubernetes.md

@@ -3,13 +3,21 @@
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
 
-The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
+## CLI
+The Trivy K8s CLI allows you to scan your Kubernetes cluster for 
 
-If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
+- Vulnerabilities
+- Misconfigurations
+- Secrets
+ 
+You can either run the CLI locally or integrate it into your CI/CD pipeline.
+The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
+
+If you are looking for continuous cluster audit scanning, have a look at the Trivy K8s operator below.
 
 Trivy uses your local kubectl configuration to access the API server to list artifacts.
 
-## CLI Commands
+### Commands
 
 Scan a full cluster and generate a simple summary report:
 
@@ -17,7 +25,7 @@ Scan a full cluster and generate a simple summary report:
 $ trivy k8s --report=summary cluster
 ```
 
-![k8s Summary Report](../../../imgs/trivy-k8s.png)
+![k8s Summary Report](../../imgs/trivy-k8s.png)
 
 The summary report is the default. To get all of the detail the output contains, use `--report all`.
 
@@ -27,12 +35,12 @@ Filter by severity:
 $ trivy k8s --severity=CRITICAL --report=all cluster
 ```
 
-Filter by security check (Vulnerabilities, Secrets or Misconfigurations):
+Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
 
 ```
-$ trivy k8s --security-checks=secret --report=summary cluster
+$ trivy k8s --scanners=secret --report=summary cluster
 # or
-$ trivy k8s --security-checks=config --report=summary cluster
+$ trivy k8s --scanners=config --report=summary cluster
 ```
 
 Scan a specific namespace:
@@ -231,3 +239,99 @@ $ trivy k8s --format json -o results.json cluster
 
 </details>
 
+
+
+### Infra checks
+
+Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
+if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
+components under `kube-system` with commands:
+
+```
+$ trivy k8s cluster --report summary # full cluster scan
+$ trivy k8s all -n kube-system --report summary # scan all components under kube-system
+```
+
+A table will be printed about misconfigurations found on kubernetes core components:
+
+```
+Summary Report for minikube
+┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
+│  Namespace  │               Resource               │ Kubernetes Infra Assessment │
+│             │                                      ├────┬────┬────┬─────┬────────┤
+│             │                                      │ C  │ H  │ M  │ L   │   U    │
+├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
+│ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
+│ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
+│ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
+└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
+Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
+```
+
+The infra checks are based on CIS Benchmarks recommendations for kubernetes.
+
+
+If you want filter only for the infra checks, you can use the flag `--components` along with the `--scanners=config`
+
+```
+$ trivy k8s cluster --report summary --components=infra --scanners=config # scan only infra
+```
+
+Or, to filter for all other checks besides the infra checks, you can:
+
+```
+$ trivy k8s cluster --report summary --components=workload --scanners=config # scan all components besides infra
+```
+
+### Compliance
+This section describes Kubernetes specific compliance reports.
+For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
+
+#### Built in reports
+
+The following reports are available out of the box:
+
+| Compliance | Name for command | More info
+--- | --- | ---
+NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)
+CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes)
+
+#### Examples
+
+Scan a full cluster and generate a compliance summary report:
+
+```
+$ trivy k8s cluster --compliance=<compliance_id> --report summary
+```
+
+***Note*** : The `Issues` column represent the total number of failed checks for this control.
+
+
+Get all of the detailed output for checks:
+
+```
+trivy k8s cluster --compliance=<compliance_id> --report all
+```
+
+Report result in JSON format:
+
+```
+trivy k8s cluster --compliance=<compliance_id> --report summary --format json
+```
+
+```
+trivy k8s cluster --compliance=<compliance_id> --report all --format json
+```
+
+## Operator
+Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
+
+> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
+
+<figure>
+  <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
+</figure>
+
+[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
+[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
+[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

docs/docs/target/rootfs.md

@@ -0,0 +1,15 @@
+# Rootfs
+Rootfs scanning is for special use cases such as
+
+- Host machine
+- [Root filesystem](../advanced/container/embed-in-dockerfile.md)
+- [Unpacked filesystem](../advanced/container/unpacked-filesystem.md)
+ 
+```bash
+$ trivy rootfs /path/to/rootfs
+```
+
+!!! note
+    Rootfs scanning works differently from the Filesystem scanning.
+    You should use `trivy fs` to scan your local projects in CI/CD.
+    See [here](../vulnerability/detection/language.md) for the differences.

docs/docs/target/sbom.md

@@ -0,0 +1,113 @@
+# SBOM scanning
+Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
+
+- CycloneDX
+- SPDX
+- SPDX JSON
+- CycloneDX-type attestation
+
+To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
+The input format is automatically detected.
+
+```bash
+$ trivy sbom /path/to/sbom_file
+```
+
+!!! note
+    Passing SBOMs generated by tool other than Trivy may result in inaccurate detection 
+    because Trivy relies on custom properties in SBOM for accurate scanning.
+
+## CycloneDX
+Trivy supports CycloneDX as an input.
+
+!!! note
+    CycloneDX XML is not supported at the moment.
+
+
+```bash
+$ trivy sbom /path/to/cyclonedx.json
+```
+
+!!! note
+    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV](https://cyclonedx.org/capabilities/sbom/).
+
+## SPDX
+Trivy supports the SPDX SBOM as an input.
+
+The following SPDX formats are supported:
+
+- Tag-value (`--format spdx`)
+- JSON (`--format spdx-json`)
+
+```bash
+$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
+$ trivy sbom spdx.json
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-09-15T21:32:27.168+0300    INFO    Vulnerability scanning is enabled
+2022-09-15T21:32:27.169+0300    INFO    Detected SBOM format: spdx-json
+2022-09-15T21:32:27.210+0300    INFO    Detected OS: alpine
+2022-09-15T21:32:27.210+0300    INFO    Detecting Alpine vulnerabilities...
+2022-09-15T21:32:27.211+0300    INFO    Number of language-specific files: 0
+
+spdx.json (alpine 3.16.0)
+=========================
+Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
+
+┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
+│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ busybox      │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes               │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                  │
+├──────────────┤                │          │                   │               │                                                            │
+│ libssl1.1    │                │          │                   │               │                                                            │
+│              │                │          │                   │               │                                                            │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ ssl_client   │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to │
+│              │                │          │                   │               │ denial of service...                                       │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
+├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
+│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in  │
+│              │                │          │                   │               │ inflate in inflate.c...                                    │
+│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                 │
+└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
+```
+
+</details>
+
+## SBOM attestation
+
+You can also scan an SBOM attestation.
+In the following example, [Cosign](https://github.com/sigstore/cosign) gets an attestation and Trivy scans it.
+You must create CycloneDX-type attestation before trying the example.
+To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page](../attestation/sbom.md#sign-with-a-local-key-pair).
+
+```bash
+$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
+$ trivy sbom ./sbom.cdx.intoto.jsonl
+
+sbom.cdx.intoto.jsonl (alpine 3.7.3)
+=========================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
+│            │                │          │                   │               │ adjustment im ......                                     │
+│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
+├────────────┤                │          │                   │               │                                                          │
+│ musl-utils │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+│            │                │          │                   │               │                                                          │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+```

docs/docs/target/vm.md

@@ -0,0 +1,241 @@
+# Virtual Machine Image
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+To scan virtual machine (VM) images, you can use the `vm` subcommand.
+
+## Targets
+The following targets are currently supported:
+
+- Local file
+- AWS EC2
+    - Amazon Machine Image (AMI)
+    - Amazon Elastic Block Store (EBS) Snapshot
+ 
+### Local file
+Pass the path to your local VM image file.
+
+```bash
+$ trivy vm --scanners vuln disk.vmdk
+```
+
+<details>
+<summary>Result</summary>
+
+```
+disk.vmdk (amazon 2 (Karoo))
+===========================================================================================
+Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
+
+┌────────────────────────────┬────────────────┬──────────┬───────────────────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│          Library           │ Vulnerability  │ Severity │       Installed Version       │         Fixed Version         │                            Title                             │
+├────────────────────────────┼────────────────┼──────────┼───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ amazon-ssm-agent           │ CVE-2022-24675 │ HIGH     │ 3.0.529.0-1.amzn2             │ 3.1.1575.0-1.amzn2            │ golang: encoding/pem: fix stack overflow in Decode           │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2022-24675                   │
+├────────────────────────────┼────────────────┤          ├───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-export-libs           │ CVE-2021-25215 │          │ 32:9.11.4-26.P2.amzn2.4       │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-libs                  │ CVE-2021-25215 │ HIGH     │                               │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-libs-lite             │ CVE-2021-25215 │ HIGH     │                               │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+... 
+```
+
+</details>
+
+### Amazon Machine Image (AMI)
+You can specify your AMI ID with the `ami:` prefix.
+
+```shell
+$ trivy vm ami:${your_ami_id}
+```
+
+!!! note
+    AMIs in the marketplace are not supported because the EBS direct APIs don't support that.
+    See [the AWS documentation][ebsapi-elements] for the detail.
+
+#### Example
+
+```shell
+$ trivy vm --scanners vuln ami:ami-0123456789abcdefg
+```
+
+If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option.
+
+```shell
+$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg
+```
+
+
+#### Required Actions
+Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
+
+- ec2:DescribeImages
+- ebs:ListSnapshotBlocks
+- ebs:GetSnapshotBlock
+
+### Amazon Elastic Block Store (EBS) Snapshot
+You can specify your EBS snapshot ID with the `ebs:` prefix.
+
+```shell
+$ trivy vm ebs:${your_ebs_snapshot_id}
+```
+
+!!! note
+    Public snapshots are not supported because the EBS direct APIs don't support that.
+    See [the AWS documentation][ebsapi-elements] for the detail.
+
+#### Example
+
+```shell
+$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg
+```
+
+
+If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option.
+
+```shell
+$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg
+```
+
+The above command takes a while as it calls EBS API and fetches the EBS blocks.
+If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS.
+Then, Trivy can scan the local VM image file.
+
+```shell
+$ coldsnap download snap-0123456789abcdefg disk.img
+$ trivy vm ./disk.img
+```
+
+#### Required Actions
+
+- ebs:ListSnapshotBlocks
+- ebs:GetSnapshotBlock
+
+## Scanners
+Trivy supports VM image scanning for
+
+- Vulnerabilities
+- Misconfigurations
+- Secrets
+- Licenses
+
+### Vulnerabilities
+It is enabled by default.
+You can simply specify your VM image location.
+It detects known vulnerabilities in your VM image.
+See [here](../vulnerability/scanning.md) for the detail.
+
+```
+$ trivy vm [YOUR_VM_IMAGE]
+```
+
+### Misconfigurations
+It is supported, but it is not useful in most cases.
+As mentioned [here](../misconfiguration/scanning.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
+If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`.
+
+```
+$ trivy vm --scanners config [YOUR_VM_IMAGE]
+```
+
+### Secrets
+It is enabled by default.
+See [here](../secret/scanning.md) for the detail.
+
+```shell
+$ trivy vm [YOUR_VM_IMAGE]
+```
+
+!!! tip
+    The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+
+### Licenses
+It is disabled by default.
+See [here](../licenses/scanning.md) for the detail.
+
+```shell
+$ trivy vm --scanners license [YOUR_VM_IMAGE]
+```
+
+## SBOM generation
+Trivy can generate SBOM for VM images.
+See [here](../sbom/index.md) for the detail.
+
+## Supported Architectures
+
+### Virtual machine images
+
+| Image format | Support |
+|--------------|:-------:|
+| VMDK         |    ✔    |
+| OVA          |         |
+| VHD          |         |
+| VHDX         |         |
+| QCOW2        |         |
+
+
+#### VMDK disk types
+
+| VMDK disk type              | Support |
+|-----------------------------|:-------:|
+| streamOptimized             |    ✔    |
+| monolithicSparse            |         |
+| vmfs                        |         |
+| vmfsSparse                  |         |
+| twoGbMaxExtentSparse        |         |
+| monolithicFlat              |         |
+| twoGbMaxExtentFlat          |         |
+| vmfsRaw                     |         |
+| fullDevice                  |         |
+| partitionedDevice           |         |
+| vmfsRawDeviceMap            |         |
+| vmfsPassthroughRawDeviceMap |         |
+
+Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
+
+
+### Disk partitions
+
+| Disk format                  | Support |
+|------------------------------|:-------:|
+| Master boot record (MBR)     |    ✔    |
+| Extended master boot record  |         |
+| GUID partition table (GPT)   |    ✔    |
+| Logical volume manager (LVM) |         |
+
+### Filesystems
+
+| Filesystem format | Support |
+|-------------------|:-------:|
+| XFS               |    ✔    |
+| EXT4              |    ✔    |
+| EXT2/3            |         |
+| ZFS               |         |
+
+
+[aws]: ../vm/aws.md
+[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk
+[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
+[coldsnap]: https://github.com/awslabs/coldsnap
+

docs/docs/vulnerability/detection/data-source.md

@@ -1,40 +1,44 @@
 # OS
 
-| OS                 | Source                                      |
-|--------------------|---------------------------------------------|
-| Arch Linux         | [Vulnerable Issues][arch]                   |
-| Alpine Linux       | [secdb][alpine]                             |
-| Amazon Linux       | [Amazon Linux Security Center][amazon]      |
-| Debian             | [Security Bug Tracker][debian-tracker]      |
-|                    | [OVAL][debian-oval]                         |
-| Ubuntu             | [Ubuntu CVE Tracker][ubuntu]                |
-| RHEL/CentOS        | [OVAL][rhel-oval]                           |
-|                    | [Security Data][rhel-api]                   |
-| AlmaLinux          | [AlmaLinux Product Errata][alma]            |
-| Rocky Linux        | [Rocky Linux UpdateInfo][rocky]             |
-| Oracle Linux       | [OVAL][oracle]                              |
-| CBL-Mariner        | [OVAL][mariner]                             |
-| OpenSUSE/SLES      | [CVRF][suse]                                |
-| Photon OS          | [Photon Security Advisory][photon]          |
+| OS            | Source                                 |
+|---------------|----------------------------------------|
+| Arch Linux    | [Vulnerable Issues][arch]              |
+| Alpine Linux  | [secdb][alpine]                        |
+| Wolfi Linux   | [secdb][wolfi]                         |
+| Amazon Linux  | [Amazon Linux Security Center][amazon] |
+| Debian        | [Security Bug Tracker][debian-tracker] |
+|               | [OVAL][debian-oval]                    |
+| Ubuntu        | [Ubuntu CVE Tracker][ubuntu]           |
+| RHEL/CentOS   | [OVAL][rhel-oval]                      |
+|               | [Security Data][rhel-api]              |
+| AlmaLinux     | [AlmaLinux Product Errata][alma]       |
+| Rocky Linux   | [Rocky Linux UpdateInfo][rocky]        |
+| Oracle Linux  | [OVAL][oracle]                         |
+| CBL-Mariner   | [OVAL][mariner]                        |
+| OpenSUSE/SLES | [CVRF][suse]                           |
+| Photon OS     | [Photon Security Advisory][photon]     |
 
 # Programming Language
 
-| Language                     | Source                                              | Commercial Use  | Delay[^1]|
-| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
-| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
-|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
-| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| Language | Source                                              | Commercial Use | Delay[^1] |
+|----------|-----------------------------------------------------|:--------------:|:---------:|
+| PHP      | [PHP Security Advisories Database][php]             |       ✅        |     -     |
+|          | [GitHub Advisory Database (Composer)][php-ghsa]     |       ✅        |     -     |
+| Python   | [GitHub Advisory Database (pip)][python-ghsa]       |       ✅        |     -     |
+|          | [Open Source Vulnerabilities (PyPI)][python-osv]    |       ✅        |     -     |
+| Ruby     | [Ruby Advisory Database][ruby]                      |       ✅        |     -     |
+|          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    |       ✅        |     -     |
+| Node.js  | [Ecosystem Security Working Group][nodejs]          |       ✅        |     -     |
+|          | [GitHub Advisory Database (npm)][nodejs-ghsa]       |       ✅        |     -     |
+| Java     | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+|          | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
+| Go       | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+|          | [The Go Vulnerability Database][go]                 |       ✅        |     -     |
+| Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
+| .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
+| C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+| Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
+| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |           |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -56,6 +60,7 @@ The severity is from the selected data source. If the data source does not provi
 
 [arch]: https://security.archlinux.org/
 [alpine]: https://secdb.alpinelinux.org/
+[wolfi]: https://packages.wolfi.dev/os/security.json
 [amazon]: https://alas.aws.amazon.com/
 [debian-tracker]: https://security-tracker.debian.org/tracker/
 [debian-oval]: https://www.debian.org/security/oval/
@@ -75,6 +80,8 @@ The severity is from the selected data source. If the data source does not provi
 [nodejs-ghsa]: https://github.com/advisories?query=ecosystem%3Anpm
 [java-ghsa]: https://github.com/advisories?query=ecosystem%3Amaven
 [dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
+[pub-ghsa]: https://github.com/advisories?query=ecosystem%3Apub
+[erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang
 
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db

docs/docs/vulnerability/detection/language.md

@@ -2,29 +2,33 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                    | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
-| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
-| Ruby     | Gemfile.lock            |     -     |     -      |        ✅        |        ✅        | included         |
-|          | gemspec                 |     ✅     |     ✅      |        -        |        -        | included         |
-| Python   | Pipfile.lock            |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | poetry.lock             |     -     |     -      |        ✅        |        ✅        | included         |
-|          | requirements.txt        |     -     |     -      |        ✅        |        ✅        | included         |
-|          | egg package[^1]         |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | wheel package[^2]       |     ✅     |     ✅      |        -        |        -        | excluded         |
-| PHP      | composer.lock           |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Node.js  | package-lock.json       |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | yarn.lock               |     -     |     -      |        ✅        |        ✅        | included         |
-|          | pnpm-lock.yaml          |     -     |     -      |        ✅        |        ✅        | excluded         |
-|          | package.json            |     ✅     |     ✅      |        -        |        -        | excluded         |
-| .NET     | packages.lock.json      |     ✅     |     ✅      |        ✅        |        ✅        | included         |
-|          | packages.config         |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-|          | .deps.json              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |
-| Java     | JAR/WAR/PAR/EAR[^3][^4] |     ✅     |     ✅      |        -        |        -        | included         |
-|          | pom.xml[^5]             |     -     |     -      |        ✅        |        ✅        | excluded         |
-| Go       | Binaries built by Go[^6] |     ✅     |     ✅      |        -        |        -        | excluded         |
-|          | go.mod[^7]              |     -     |     -      |        ✅        |        ✅        | included         |
-| Rust     | Cargo.lock              |     ✅     |     ✅      |        ✅        |        ✅        | included         |
-|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   
+| Language | File                                                                                       | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies | Dependency location[^12] |
+|----------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:---------------:|:---------------:|------------------|:------------------------:|
+| Ruby     | Gemfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | included         |            -             |
+|          | gemspec                                                                                    |     ✅     |     ✅      |        -        |        -        | included         |            -             |
+| Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | poetry.lock                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | requirements.txt                                                                           |     -     |     -      |        ✅        |        ✅        | included         |            -             |
+|          | egg package[^1]                                                                            |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+|          | wheel package[^2]                                                                          |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+| PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            -             |
+| Node.js  | package-lock.json                                                                          |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |
+|          | yarn.lock                                                                                  |     -     |     -      |        ✅        |        ✅        | included         |            ✅             |
+|          | pnpm-lock.yaml                                                                             |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | package.json                                                                               |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+| .NET     | packages.lock.json                                                                         |     ✅     |     ✅      |        ✅        |        ✅        | included         |            ✅             |
+|          | packages.config                                                                            |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            -             |
+|          | .deps.json                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            ✅             |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]                                                                    |     ✅     |     ✅      |        -        |        -        | included         |            -             |
+|          | pom.xml[^5]                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+|          | *gradle.lockfile                                                                           |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+| Go       | Binaries built by Go[^6]                                                                   |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+|          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |            -             |
+| Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |            -             |
+|          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
+| C/C++    | conan.lock[^13]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |   
+| Elixir   | mix.lock[^13]                                                                              |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |
+| Dart     | pubspec.lock                                                                               |     ✅     |     ✅      |        -        |        -        | included         |            -             |
 
 The path of these files does not matter.
 
@@ -41,3 +45,5 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^12]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../examples/report.md#json) and [sarif](../examples/report.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
+[^13]: To scan a filename other than the default filename use [file-patterns](../examples/others.md#file-patterns)

docs/docs/vulnerability/detection/os.md

@@ -3,13 +3,14 @@
 The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. Trivy doesn't support self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.
 
 | OS                               | Supported Versions                        | Target Packages               | Detection of unfixed vulnerabilities |
-| -------------------------------- |-------------------------------------------| ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.16, edge               | Installed by apk              |                  NO                  |
+|----------------------------------|-------------------------------------------|-------------------------------|:------------------------------------:|
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.17, edge               | Installed by apk              |                  NO                  |
+| Wolfi Linux                      | (n/a)                                     | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8, 9                                   | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
-| AlmaLinux                        | 8                                         | Installed by yum/rpm          |                  NO                  |
-| Rocky Linux                      | 8                                         | Installed by yum/rpm          |                  NO                  |
+| AlmaLinux                        | 8, 9                                      | Installed by yum/rpm          |                  NO                  |
+| Rocky Linux                      | 8, 9                                      | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                                | Installed by yum/rpm          |                  NO                  |
 | CBL-Mariner                      | 1.0, 2.0                                  | Installed by yum/rpm          |                 YES                  |
 | Amazon Linux                     | 1, 2, 2022                                | Installed by yum/rpm          |                  NO                  |
@@ -20,5 +21,60 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Ubuntu                           | All versions supported by Canonical       | Installed by apt/apt-get/dpkg |                 YES                  |
 | Distroless[^2]                   | Any                                       | Installed by apt/apt-get/dpkg |                 YES                  |
 
+## Distributions
+### CBL-Mariner
+Trivy scans [CBL-Mariner][mariner].
+
+#### Support
+The following table provides an outline of the features Trivy offers.
+
+| Version | Container image | Virtual machine | Distroless |  Multi-arch  | Unfixed support |
+|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
+| 1.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
+| 2.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
+
+### Examples
+
+=== "image"
+    ```
+    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
+    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
+    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
+    
+        mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
+        
+        Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```
+
+=== "rootfs"
+    ```
+    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0
+    root [ / ]# tdnf -y install ca-certificates
+    root [ / ]# # Install the latest Trivy
+    root [ / ]# trivy rootfs /
+    2022-07-27T09:30:06.815Z	INFO	Need to update DB
+    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
+    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
+    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
+    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
+    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
+    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
+    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
+    
+    40ba9a55397c (cbl-mariner 2.0.20220527)
+    =======================================
+    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
+    ```
+
 [^1]: https://developers.redhat.com/products/rhel/ubi
 [^2]: https://github.com/GoogleContainerTools/distroless
+
+### Data source
+See [here][source].
+
+[mariner]: https://github.com/microsoft/CBL-Mariner
+[source]: data-source.md

docs/docs/vulnerability/detection/supported.md

@@ -1,23 +0,0 @@
-# Supported
-
-## Container Runtime
-- [Docker Engine](https://docs.docker.com/engine/)
-- [Podman](../../advanced/container/podman.md)
-- [containerd](../../advanced/container/containerd.md)
-
-## Container Registry
-- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
-- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
-
-## Image Tar Formats
-Trivy scans a tar image with the following format.
-
-- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec)
-    - [Moby Project](https://github.com/moby/moby/)
-    - [Buildah](https://github.com/containers/buildah)
-    - [Podman](https://github.com/containers/podman)
-    - [img](https://github.com/genuinetools/img)
-- [Kaniko](https://github.com/GoogleContainerTools/kaniko)
-
-## Image Layout
-- [OCI Image Format Specification](https://github.com/opencontainers/image-spec)

docs/docs/vulnerability/distributions.md

@@ -1,58 +0,0 @@
-## CBL-Mariner
-Trivy scans [CBL-Mariner][mariner].
-
-### Support
-The following table provides an outline of the features Trivy offers.
-
-| Version | Container image | Virtual machine | Distroless |  Multi-arch  | Unfixed support |
-|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
-| 1.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
-| 2.0     |        ✔        |        ✔        |      ✔     | amd64, arm64 |        ✔        |
-
-### Examples
-
-=== "image"
-    ```
-    ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
-    2022-07-27T14:48:20.355+0600	INFO	Detected OS: cbl-mariner
-    2022-07-27T14:48:20.355+0600	INFO	Detecting CBL-Mariner vulnerabilities...
-    2022-07-27T14:48:20.356+0600	INFO	Number of language-specific files: 0
-    
-    mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
-    
-    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
-    ```
-
-=== "fs"
-    ```
-    ➜ docker run  -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 
-    
-    root [ / ]# tdnf -y install ca-certificates
-    ...
-
-    root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
-    ...
-    
-    root [ / ]# trivy fs /
-    2022-07-27T09:30:06.815Z	INFO	Need to update DB
-    2022-07-27T09:30:06.815Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
-    2022-07-27T09:30:06.815Z	INFO	Downloading DB...
-    33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
-    2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
-    2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
-    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
-    2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
-    2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
-    2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...
-    2022-07-27T09:30:22.205Z	INFO	Number of language-specific files: 0
-    
-    40ba9a55397c (cbl-mariner 2.0.20220527)
-    
-    Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
-    ```
-
-### Data source
-See [here][source].
-
-[mariner]: https://github.com/microsoft/CBL-Mariner
-[source]: detection/data-source.md

docs/docs/vulnerability/examples/others.md

@@ -16,6 +16,22 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```
 
+## File patterns
+When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
+The default file patterns are [here](../../misconfiguration/custom/index.md).
+
+In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
+For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
+
+This can be repeated for specifying multiple file patterns.
+
+A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
+```
+--file-patterns "dockerfile:.*.docker" --file-patterns "yaml:deployment" --file-patterns "pip:requirements-.*\.txt"
+```
+
+For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
+
 ## Exit Code
 By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
 Use the `--exit-code` option if you want to exit with a non-zero exit code.

docs/docs/vulnerability/examples/report.md

@@ -15,7 +15,14 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
+This flag is only available with the `--format table` flag.
+
+The following packages/languages are currently supported:
+
+- OS packages (apk, dpkg and rpm)
+- Node.js (package-lock.json and yarn.lock) 
+- Nuget lock files (packages.lock.json)
+- Rust Binaries built with [cargo-auditable][cargo-auditable]
 
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,9 +67,6 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain
 
 Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.
 
-!!! note
-    Only Node.js (package-lock.json) is supported at the moment.
-
 ## JSON
 
 ```
@@ -273,9 +277,9 @@ The following example shows use of default HTML template when Trivy is installed
 $ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
 ```
 
-
+[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md
+[asff]: ../../../tutorials/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/

docs/docs/vulnerability/languages/java.md

@@ -0,0 +1,60 @@
+# Java
+
+Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*gradle.lockfile` files.
+The following table provides an outline of the features Trivy offers.
+
+
+| Artifact         |    Internet access    | Dev dependencies |
+|------------------|:---------------------:|:-----------------|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     | Include          |
+| pom.xml          | Maven repository [^1] | Exclude          |
+| *gradle.lockfile |           -           | Exclude          |
+
+These may be enabled or disabled depending on the target.
+See [here](../detection/language.md) for the detail.
+
+## JAR/WAR/PAR/EAR
+To find information about your JAR[^2] file, Trivy parses `pom.properties` and `MANIFEST.MF` files in your JAR[^2] file and takes required properties[^3].
+
+If those files don't exist or don't contain enough information - Trivy will try to find this JAR[^2] file in [trivy-java-db](https://github.com/aquasecurity/trivy-java-db).
+The Java DB will be automatically downloaded/updated when any JAR[^2] file is found.
+It is stored in [the cache directory](../examples/cache.md#cache-directory).
+
+!!! warning "EXPERIMENTAL"
+    Finding JARs in `trivy-java-db` is an experimental function.
+
+Base JAR[^2] may contain inner JARs[^2] within itself.
+To find information about these JARs[^2], the same logic is used as for the base JAR[^2].
+
+## pom.xml
+Trivy parses your `pom.xml` file and tries to find files with dependencies from these local locations.
+
+- project directory[^4]
+- relativePath field[^5]
+- local repository directory[^6].
+
+If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the [maven repository](https://repo.maven.apache.org/maven2/).
+
+!!! Note
+    Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
+    Information about data sources for Java you can see [here](../detection/data-source.md).
+
+You can disable connecting to the maven repository with the `--offline-scan` flag.
+The `--offline-scan` flag does not affect the Trivy database.
+The vulnerability database will be downloaded anyway.
+
+!!! Warning
+    Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
+
+## Gradle.lock
+`gradle.lock` files contain all necessary information about used dependencies.
+Trivy simply parses the file, extract dependencies, and finds vulnerabilities for them.
+It doesn't require the internet access.
+
+[^1]: https://github.com/aquasecurity/trivy-java-db
+[^1]: Uses maven repository to get information about dependencies. Internet access required.
+[^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
+[^3]: `ArtifactID`, `GroupID` and `Version`
+[^4]: e.g. when parent pom.xml file has `../pom.xml` path
+[^5]: When you use dependency path in `relativePath` field in pom.xml file
+[^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default

docs/docs/vulnerability/scanning.md

@@ -0,0 +1,12 @@
+# Vulnerability Scanning
+
+This section describes the details of vulnerability scanning.
+Trivy detects known vulnerabilities according to the versions of installed packages.
+
+The following packages are supported.
+
+- [OS packages](detection/os.md)
+- [Language-specific packages](detection/language.md)
+
+Trivy downloads [the vulnerabillity database](https://github.com/aquasecurity/trivy-db) every 6 hours.
+The data source is listed [here](detection/data-source.md).

docs/docs/vulnerability/scanning/filesystem.md

@@ -1,103 +0,0 @@
-# Filesystem
-
-Scan a local project including language-specific files.
-
-```bash
-$ trivy fs /path/to/project
-```
-
-## Standalone mode
-### Local Project
-Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
-
-```
-$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
-2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
-2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
-
-Pipfile.lock
-============
-Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
-
-+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
-|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
-+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
-| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
-|                     |                  |          |                   |                        | SQL injection via                  |
-|                     |                  |          |                   |                        | StringAgg(delimiter)               |
-+                     +------------------+----------+                   +------------------------+------------------------------------+
-|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
-|                     |                  |          |                   |                        | allows account takeover            |
-+                     +------------------+          +                   +------------------------+------------------------------------+
-|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
-|                     |                  |          |                   |                        | spoofing via URL path in           |
-|                     |                  |          |                   |                        | default 404 page                   |
-+                     +------------------+          +                   +------------------------+------------------------------------+
-|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
-|                     |                  |          |                   |                        | memory exhaustion in               |
-|                     |                  |          |                   |                        | django.utils.numberformat.format() |
-+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
-...
-```
-
-</details>
-
-### Single file
-It's also possible to scan a single file.
-
-```
-$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
-```
-
-## Client/Server mode
-You must launch Trivy server in advance. 
-
-```sh
-$ trivy server
-```
-
-Then, Trivy works as a client if you specify the `--server` option.
-
-```sh
-$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
-```
-
-<details>
-<summary>Result</summary>
-
-```
-pom.xml (pom)
-=============
-Total: 4 (CRITICAL: 4)
-
-+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
-|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
-+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
-| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485   | CRITICAL | 2.9.1             | 2.8.11, 2.9.4                  | jackson-databind: Unsafe              |
-|                                             |                  |          |                   |                                | deserialization due to                |
-|                                             |                  |          |                   |                                | incomplete black list (incomplete     |
-|                                             |                  |          |                   |                                | fix for CVE-2017-15095)...            |
-|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17485 |
-+                                             +------------------+          +                   +--------------------------------+---------------------------------------+
-|                                             | CVE-2020-9546    |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4    | jackson-databind: Serialization       |
-|                                             |                  |          |                   |                                | gadgets in shaded-hikari-config       |
-|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9546  |
-+                                             +------------------+          +                   +                                +---------------------------------------+
-|                                             | CVE-2020-9547    |          |                   |                                | jackson-databind: Serialization       |
-|                                             |                  |          |                   |                                | gadgets in ibatis-sqlmap              |
-|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547  |
-+                                             +------------------+          +                   +                                +---------------------------------------+
-|                                             | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization       |
-|                                             |                  |          |                   |                                | gadgets in anteros-core               |
-|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
-+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
-```
-</details>
-

docs/docs/vulnerability/scanning/image.md

@@ -1,91 +0,0 @@
-# Image
-
-## Container Images
-
-Simply specify an image name (and a tag).
-
-```
-$ trivy image [YOUR_IMAGE_NAME]
-```
-
-For example:
-
-```
-$ trivy image python:3.4-alpine
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
-2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
-
-python:3.4-alpine3.9 (alpine 3.9.2)
-===================================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
-|         |                  |          |                   |               | with long nonces               |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-```
-
-</details>
-
-## Tar Files
-
-```
-$ docker pull ruby:3.1-alpine3.15
-$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
-$ trivy image --input ruby-3.1.tar
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2022-02-03T10:08:19.127Z        INFO    Detected OS: alpine
-2022-02-03T10:08:19.127Z        WARN    This OS version is not on the EOL list: alpine 3.15
-2022-02-03T10:08:19.127Z        INFO    Detecting Alpine vulnerabilities...
-2022-02-03T10:08:19.127Z        INFO    Number of language-specific files: 2
-2022-02-03T10:08:19.127Z        INFO    Detecting gemspec vulnerabilities...
-2022-02-03T10:08:19.128Z        INFO    Detecting node-pkg vulnerabilities...
-2022-02-03T10:08:19.128Z        WARN    This OS version is no longer supported by the distribution: alpine 3.15.0
-2022-02-03T10:08:19.128Z        WARN    The vulnerability detection may be insufficient because security updates are not provided
-
-ruby-3.1.tar (alpine 3.15.0)
-============================
-Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
-
-+----------+------------------+----------+-------------------+---------------+---------------------------------------+
-| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
-+----------+------------------+----------+-------------------+---------------+---------------------------------------+
-| gmp      | CVE-2021-43618   | HIGH     | 6.2.1-r0          | 6.2.1-r1      | gmp: Integer overflow and resultant   |
-|          |                  |          |                   |               | buffer overflow via crafted input     |
-|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43618 |
-+----------+                  +          +                   +               +                                       +
-| gmp-dev  |                  |          |                   |               |                                       |
-|          |                  |          |                   |               |                                       |
-|          |                  |          |                   |               |                                       |
-+----------+                  +          +                   +               +                                       +
-| libgmpxx |                  |          |                   |               |                                       |
-|          |                  |          |                   |               |                                       |
-|          |                  |          |                   |               |                                       |
-+----------+------------------+----------+-------------------+---------------+---------------------------------------+
-
-Node.js (node-pkg)
-==================
-Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
-
-
-Ruby (gemspec)
-==============
-Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
-```
-
-</details>
-
-

docs/docs/vulnerability/scanning/index.md

@@ -1,11 +0,0 @@
-# Vulnerability Scanning
-
-Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.
-
-![vulnerability][vuln]
-
-[image]: image.md
-[rootfs]: rootfs.md
-[fs]: filesystem.md
-[repo]: git-repository.md
-[vuln]: ../../../imgs/vulnerability.png

docs/docs/vulnerability/scanning/rootfs.md

@@ -1,68 +0,0 @@
-# Rootfs
-
-Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
-
-```bash
-$ trivy rootfs /path/to/rootfs
-```
-
-## From Inside Containers
-Scan your container from inside the container.
-
-```bash
-$ docker run --rm -it alpine:3.11
-/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-/ # trivy rootfs /
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2021-03-08T05:22:26.378Z        INFO    Need to update DB
-2021-03-08T05:22:26.380Z        INFO    Downloading DB...
-20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
-2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
-2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
-
-313430f09696 (alpine 3.11.7)
-============================
-Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
-
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+          +                   +               +---------------------------------------+
-| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-```
-
-</details>
-
-## Other Examples
-- [Embed in Dockerfile][embedding]
-- [Unpacked container image filesystem][unpacked]
-
-[embedding]: ../../advanced/container/embed-in-dockerfile.md
-[unpacked]: ../../advanced/container/unpacked-filesystem.md

docs/ecosystem/cicd.md

@@ -0,0 +1,67 @@
+# CI/CD Integrations
+
+## GitHub Actions
+[GitHub Actions](https://github.com/features/actions) is GitHub's native CI/CD and job orchestration service.
+
+### trivy-action (Official)
+
+GitHub Action for integrating Trivy into your GitHub pipeline
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-action>
+
+### trivy-action (Community)
+
+GitHub Action to scan vulnerability using Trivy. If vulnerabilities are found by Trivy, it creates a GitHub Issue.
+
+👉 Get it at: <https://github.com/marketplace/actions/trivy-action>
+
+### trivy-github-issues (Community)
+
+In this action, Trivy scans the dependency files such as package-lock.json and go.sum in your repository, then create GitHub issues according to the result.
+
+👉 Get it at: <https://github.com/marketplace/actions/trivy-github-issues>
+
+## Azure DevOps (Official)
+[Azure Devops](https://azure.microsoft.com/en-us/products/devops/#overview) is Microsoft Azure cloud native CI/CD service.
+
+Trivy has a "Azure Devops Pipelines Task" for Trivy, that lets you easily introduce security scanning into your workflow, with an integrated Azure Devops UI.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-azure-pipelines-task>
+
+## Semaphore (Community)
+[Semaphore](https://semaphoreci.com/) is a CI/CD service.
+
+You can use Trivy in Semaphore for scanning code, containers, infrastructure, and Kubernetes in Semaphore workflow.
+
+👉 Get it at: <https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy>
+
+## CircleCI (Community)
+[CircleCI](https://circleci.com/) is a CI/CD service.
+
+You can use the Trivy Orb for Circle CI to introduce security scanning into your workflow.
+
+👉 Get it at: <https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb>
+Source: <https://github.com/15five/trivy-orb>
+
+## Woodpecker CI (Community)
+
+Example Trivy step in pipeline
+
+```yml
+pipeline:
+  securitycheck:
+    image: aquasec/trivy:latest
+    commands:
+      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
+      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+```
+
+Woodpecker does use Trivy itself so you can [see it in use there](https://github.com/woodpecker-ci/woodpecker/pull/1163).
+
+## Concourse CI (Community)
+[Concourse CI](https://concourse-ci.org/) is a CI/CD service.
+
+You can use Trivy Resource in Concourse for scanning containers and introducing security scanning into your workflow.
+It has capabilities to fail the pipeline, create issues, alert communication channels (using respective resources) based on Trivy scan output.
+
+👉 Get it at: <https://github.com/Comcast/trivy-resource/>

docs/ecosystem/ide.md

@@ -0,0 +1,56 @@
+# IDE and developer tools Integrations
+
+## VSCode (Official)
+[Visual Studio Code](https://code.visualstudio.com/) is an open source versatile code editor and development environment.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-vscode-extension>
+
+## JetBrains (Official)
+[JetBrains](https://jetbrains.com) makes IDEs such as Goland, Pycharm, IntelliJ, Webstorm, and more.
+
+The Trivy plugin for JetBrains IDEs lets you use Trivy right from your development environment.
+
+👉 Get it at: <https://plugins.jetbrains.com/plugin/18690-trivy-findings-explorer>
+
+## Kubernetes Lens (Official)
+[Kubernetes Lens](https://k8slens.dev/) is a management application for Kubernetes clusters.
+
+Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloads and view the results in the Lens UI.
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-operator-lens-extension>
+
+## Vim (Community)
+[Vim](https://www.vim.org/) is a terminal based text editor.
+
+Vim plugin for Trivy to install and run Trivy.
+
+👉 Get it at: <https://github.com/aquasecurity/vim-trivy>
+
+## Docker Desktop (Community)
+[Docker Desktop](https://www.docker.com/products/docker-desktop/) is an easy way to install [Docker]() container engine on your development machine, and manage it in a GUI .
+
+Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs
+
+👉 Get it at: <https://github.com/aquasecurity/trivy-docker-extension>
+
+## Rancher Desktop (Community)
+[Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and mange it in a GUI.
+
+Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: <https://docs.rancherdesktop.io/getting-started/features#scanning-images>
+
+## LazyTrivy (Community)
+A terminal native UI for Trivy
+
+👉 Get it at: <https://github.com/owenrumney/lazytrivy>
+
+## Trivy Vulnerability explorer (Community)
+
+Web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table
+
+👉 Get it at: <https://github.com/dbsystel/trivy-vulnerability-explorer>
+
+## Trivy pre-commit (Community)
+
+A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting, preventing you from commiting secrets in the first place.
+
+👉 Get it at: <https://github.com/mxab/pre-commit-trivy>

docs/ecosystem/index.md

@@ -0,0 +1,10 @@
+#  Ecosystem
+Trivy is integrated into many popular tools and applications, so that you can easily add security to your workflow.
+
+In this section you will find an aggregation of the different integrations. Integrations are listed as either "official" or "community". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
+
+👈 Please use the side-navigation on the left in order to browse the different topics.
+
+## Add missing integration
+
+We are happy to showcase community integrations in this section. To suggest an addition simply make a Pull Request to add the missing integration.