* feat: filter artifacts on --exclude-owned flag
- filter artifacts using trivy-kubernetes library
- upgrade dependencies
- generate docs
* chore: remove shorthand flag for --exclude-owned flag
* return nil for advisories, if len of refs == 0
add marshal test
* add integration test for cyclonedx with vulns
* use existing testcase
* test(pom): add ID for cyclondedx integration golden file
* test(integration): add sorting cyclonedx vulns
* adding a terraform tutorial to the docs
* modifying Terraform tutorial
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* changes to the terraform tutorial in accoradance with the feedback
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* updates to the terraform tutorial based on PR feedback
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
---------
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* add Package.resolved files analyzer
* add Swift detector and integration test
* refactor after go-dep-parser changes
* bump go-dep-parser
* remove replaces
* use filePath for Required func
* add ID field
* docs: add coverage
* add more pages
* add dart, dotnet, elixir languages.
* add C, ruby, cocoapods. Update links
* rename headers for dart and elixir
* docs: add Google Distroless and Photon OS
* docs: add IaC
* docs: put vulnerability into a single page
* fixed broken links
* docs: add coverage overview
* update some links
* add note about arch for Rocky linux
* docs: fix typo
* fix typo
* docs: add footnotes
* docs: add a link to coverage in the license section
* docs: add a conversion table
* docs: get aligned
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* adding blog post on ec2
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* update title of section
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* changing the location of the article to be under Vulnerabilities
---------
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* docs(cli): update help string for file and dir skipping
- Update the contextual help messages
- Add some additional examples (and clarify YAML file configuration) for
globbing
- Update docs
- Fix broken link in skipping docs
See also #3754
Signed-off-by: William Yardley <wyardley@users.noreply.github.com>
* docs: revert
---------
Signed-off-by: William Yardley <wyardley@users.noreply.github.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat(repo): support local repositories
* fix tests
* test: fix client/server tests
* docs: update
* test: add fs tests
* test: do not update golden files if overridden
* docs: remove a comment about fs deprecation
* feat: support vulnerability status
* feat: show status in table
* don't add `fixed` status in debian/redhat
* update test golden files
* add Status in rpc
* update docs
* update ignore-status example
* add ignore-status in integration test
* docs: add the explanation for statuses
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* feat(misconf): Support custom URLs for policy bundle
This PR adds support for custom policy bundles to be specified
with a flag `--policy-bundle-url` as an option to Trivy.
Fixes: https://github.com/aquasecurity/trivy/issues/4672
Signed-off-by: Simar <simar@linux.com>
* update docs
Signed-off-by: Simar <simar@linux.com>
* rename flag to `--policy-bundle-repository`
Signed-off-by: Simar <simar@linux.com>
* fix field
* rebase and update docs
Signed-off-by: Simar <simar@linux.com>
* set policyBundleRepo on client
Signed-off-by: Simar <simar@linux.com>
---------
Signed-off-by: Simar <simar@linux.com>
* fix(report): close the file
* refactor: add the format type
* fix: return errors in version printing
* fix: lint issues
* fix: do not fail on bogus cache dir
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* fix(license): using common way for splitting licenses
* add test cases
* TEST new regex
* extract function
* fix version detection
---------
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
* match with img platform instead of host platform
* client matching pull spec
* use default platform
* pull with platforms default strict
* use withplatform to pull and add debug log
* looks like we are trying to scan a i386 image
* revert changes on test, use the right platform match
* try with Config.Platform
* use spect.platform
* fix function usage
* try another way to retrieve the platform
* fix compilation
* read platforms from config manifest
* use platform from RegistryOptions if available, otherwise get the actual platform
* goimport
* put platform in containerd client
* fix panic
* use DefaultStrict as default
* feat(misconf): enable --policy flag to accept directory and files both
* fix test
* Revert "clarifying a dir path is required for custom policies (#4716)"
This reverts commit 8a1aa448a1.
* update doc
* update the flag description
* Update tar.go
The comment before the following w.processFile(filePath, tr, hdr.FileInfo(), analyzeFn) call says: // A symbolic/hard link or regular file will reach here.
But defualt's processing causes the symbolic/hard link to not reach the processFile function location
* Update tar.go
update tar.go comment
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script #4747
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script #4747
* add multi-arch support for rocky linux advisories
* feat: comply with the new signagure
* bump trivy-db
* fix tests
* chore(deps): remove fork replace
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* add Dev field for Package
* fix integration test
* update docs
* feat(cli): add include-dev flag
* bump go-dep-parser
* update docs
* add integration test
* refactor
* refactor
* fix integration test
* refactor: rename flag to include-dev-deps
* update docs
* update docs
* filter dev deps when scanning packages
* add flag support for server mode
* refactor: remove comment that might confuse
* refactor: move --include-dev-deps to the scanner flag group
* refactor: not return apps
* docs: update
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat: add support for mTLS authentication when connecting to registry
* feat: add support for mTLS authentication when connecting to registry - added error handling
* feat: add support for mTLS authentication when connecting to registry
- code quality improvements
* feat: add support for mTLS authentication when connecting to registry
- code quality improvements
* wrap errors
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* chore(deps): update ext4-filesystem parser for parse multi block extents
* test(vm): update integration-vm test fixtures
* test(vm): add gzip decompresser for sparse file
* test(vm): add mage command update golden file for vm integration test
* chore(magefile): [WIP] change test repository
* Revert "chore(magefile): [WIP] change test repository"
This reverts commit c015c8892f.
* fix(test): update fixtures and golden file
* fix(test): revert fixVersion and PkgID
* fix(debian): update EOL for Debian 12
Debian 12 was released on 2023-06-10 and will be supported for five
years - see https://www.debian.org/News/2023/20230610.
* Update docs
Downloaded file name is `javadb.tar.gz` rather than `db.tar.gz`.
Also `--skip-update` is deprecated in favor of `--skip-db-update` and `--skip-java-db-update`.
* adding a fix for update-cache that was not applied on AWS scans.
* removing unneeded code
---------
Co-authored-by: Gio Rodriguez <giovanni.rodriguez@aquasec.com>
* Add test for filter with both duplicates and different package paths
* Add package path in key of uniqVulns map
* Add package path to the sorting logic
This commit bumps the go-dep-parser version. This revents Trivy from detecting vulnerabilities in Poetry dev-dependency, so the document is also updated.
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
label:"[Optional] Can you provide us with a quote on your favourite part of Trivy? This may be used on the trivy.dev website, posted on Twitter (@AquaTrivy) or similar marketing material."
validations:
required:false
- type:checkboxes
attributes:
label:"[Optional] Which targets are you scanning with Trivy?"
options:
- label:"Container Image"
- label:"Filesystem"
- label:"Git Repository"
- label:"Virtual Machine Image"
- label:"Kubernetes"
- label:"AWS"
- label:"SBOM"
validations:
required:false
- type:checkboxes
attributes:
label:"[Optional] What kind of issues are scanning with Trivy?"
options:
- label:"Software Bill of Materials (SBOM)"
- label:"Known vulnerabilities (CVEs)"
- label:"IaC issues and misconfigurations"
- label:"Sensitive information and secrets"
- label:"Software licenses"
- type:markdown
attributes:
value:|
## Get in touch
We are always looking for
* User feedback
* Collaboration with other companies and organisations
* Or just to have a chat with you about trivy.
If any of this interests you or your marketing team, please reach out at: oss@aquasec.com
Feel free to raise a bug report if something doesn't work as expected.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
If you see any false positives or false negatives, please file a ticket [here](https://github.com/aquasecurity/trivy/discussions/new?category=false-detection).
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Description
description:Briefly describe the problem you are having in a few paragraphs.
validations:
required:true
- type:textarea
attributes:
label:Desired Behavior
description:What did you expect to happen?
validations:
required:true
- type:textarea
attributes:
label:Actual Behavior
description:What happened instead?
validations:
required:true
- type:textarea
attributes:
label:Reproduction Steps
description:How do you trigger this bug? Please walk us through it step by step.
value:|
1.
2.
3.
...
render:bash
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:false
- type:dropdown
attributes:
label:Scanner
description:Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:false
- type:dropdown
attributes:
label:Output Format
description:Which output format are you using?
options:
- Table
- JSON
- Template
- SARIF
- CycloneDX
- SPDX
validations:
required:false
- type:dropdown
attributes:
label:Mode
description:Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
options:
- Standalone
- Client/Server
validations:
required:false
- type:textarea
attributes:
label:Debug Output
description:Output of run with `--debug`
placeholder:"$ trivy <target> <subject> --debug"
render:bash
validations:
required:true
- type:input
attributes:
label:Operating System
description:Onwhat operating system are you running Trivy?
Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Description
description:Briefly describe the what has been unclear in the existing documentation
validations:
required:true
- type:textarea
attributes:
label:Link
description:Please provide a link to the current documentation or where you thought to find the information you were looking for
validations:
required:false
- type:textarea
attributes:
label:Suggestions
description:What would you like to have added or changed in the documentation?
Feel free to raise a bug report if something doesn't work as expected.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:input
attributes:
label:IDs
description:List the IDs of vulnerabilities, misconfigurations, secrets, or licenses that are either not detected or mistakenly detected.
placeholder:"e.g. CVE-2021-44228, CVE-2022-22965"
validations:
required:true
- type:textarea
attributes:
label:Description
description:Describe the false detection.
validations:
required:true
- type:textarea
attributes:
label:Reproduction Steps
description:How do you trigger this bug? Please walk us through it step by step.
value:|
1.
2.
3.
...
render:bash
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:true
- type:dropdown
attributes:
label:Scanner
description:Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:true
- type:input
attributes:
label:Target OS
description:What operating system are you scanning? Fill in this field if the scanning target is an operating system.
Please ensure that you're not creating a duplicate ticket by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Description
description:Describe your idea.
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target is your idea related to?
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:false
- type:dropdown
attributes:
label:Scanner
description:Which scanner is your idea related to?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:false
- type:markdown
attributes:
value:|
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).
If you have any troubles/questions, feel free to ask.
Please ensure that you're not asking a duplicate question by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Question
description:What kind of problem are you facing? Or, what questions do you have?
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:false
- type:dropdown
attributes:
label:Scanner
description:Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:false
- type:dropdown
attributes:
label:Output Format
description:Which output format are you using?
options:
- Table
- JSON
- Template
- SARIF
- CycloneDX
- SPDX
validations:
required:false
- type:dropdown
attributes:
label:Mode
description:Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
options:
- Standalone
- Client/Server
validations:
required:false
- type:input
attributes:
label:Operating System
description:What operating system are you using?
placeholder:"Example: macOS Big Sur"
validations:
required:false
- type:textarea
attributes:
label:Version
description:Output of `trivy --version`
placeholder:"$ trivy --version"
render:bash
validations:
required:false
- type:markdown
attributes:
value:|
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters.
* **debian:** take installed files from the origin layer [backport: release/v0.52] ([#6892](https://github.com/aquasecurity/trivy/issues/6892)) ([8f8c76a](https://github.com/aquasecurity/trivy/commit/8f8c76a2abd3987ad0dad03be29be479fc8308be))
* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] ([#6888](https://github.com/aquasecurity/trivy/issues/6888)) ([01dbb42](https://github.com/aquasecurity/trivy/commit/01dbb42ae9ecff21d1c71f095a27f47a6ac9adaa))
* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([a614b69](https://github.com/aquasecurity/trivy/commit/a614b693d7b948df7d4ed3516e79573cb8424406))
* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] ([#6878](https://github.com/aquasecurity/trivy/issues/6878)) ([093c0ae](https://github.com/aquasecurity/trivy/commit/093c0ae020548bf6f3d1896d4d55210eb42c7b0e))
* Add Julia language analyzer support ([#5635](https://github.com/aquasecurity/trivy/issues/5635)) ([fecafb1](https://github.com/aquasecurity/trivy/commit/fecafb1fc5bb129c7485342a0775f0dd8bedd28e))
* add support for plugin index ([#6674](https://github.com/aquasecurity/trivy/issues/6674)) ([26faf8f](https://github.com/aquasecurity/trivy/commit/26faf8f3f04b1c5f9f81c03ffc6b2008732207e2))
* **misconf:** Add support for deprecating a check ([#6664](https://github.com/aquasecurity/trivy/issues/6664)) ([88702cf](https://github.com/aquasecurity/trivy/commit/88702cfd5918b093defc5b5580f7cbf16f5f2417))
* **misconf:** add Terraform 'removed' block to schema ([#6640](https://github.com/aquasecurity/trivy/issues/6640)) ([b7a0a13](https://github.com/aquasecurity/trivy/commit/b7a0a131a03ed49c08d3b0d481bc9284934fd6e1))
* **misconf:** register builtin Rego funcs from trivy-checks ([#6616](https://github.com/aquasecurity/trivy/issues/6616)) ([7c22ee3](https://github.com/aquasecurity/trivy/commit/7c22ee3df5ee51beb90e44428a99541b3d19ab98))
* **misconf:** support for VPC resources for inbound/outbound rules ([#6779](https://github.com/aquasecurity/trivy/issues/6779)) ([349caf9](https://github.com/aquasecurity/trivy/commit/349caf96bc3dd81551d488044f1adfdb947f39fb))
* **misconf:** support symlinks inside of Helm archives ([#6621](https://github.com/aquasecurity/trivy/issues/6621)) ([4eae37c](https://github.com/aquasecurity/trivy/commit/4eae37c52b035b3576361c12f70d3d9517d0a73c))
* **nodejs:** add v9 pnpm lock file support ([#6617](https://github.com/aquasecurity/trivy/issues/6617)) ([1e08648](https://github.com/aquasecurity/trivy/commit/1e0864842e32a709941d4b4e8f521602bcee684d))
* **plugin:** specify plugin version ([#6683](https://github.com/aquasecurity/trivy/issues/6683)) ([d6dc567](https://github.com/aquasecurity/trivy/commit/d6dc56732babbc9d7f788c280a768d8648aa093d))
* **python:** add license support for `requirement.txt` files ([#6782](https://github.com/aquasecurity/trivy/issues/6782)) ([29615be](https://github.com/aquasecurity/trivy/commit/29615be85e8bfeaf5a0cd51829b1898c55fa4274))
* **python:** add line number support for `requirement.txt` files ([#6729](https://github.com/aquasecurity/trivy/issues/6729)) ([2bc54ad](https://github.com/aquasecurity/trivy/commit/2bc54ad2752aba5de4380cb92c13b09c0abefd73))
* **report:** Include licenses and secrets filtered by rego to ModifiedFindings ([#6483](https://github.com/aquasecurity/trivy/issues/6483)) ([fa3cf99](https://github.com/aquasecurity/trivy/commit/fa3cf993eace4be793f85907b42365269c597b91))
* **vex:** improve relationship support in CSAF VEX ([#6735](https://github.com/aquasecurity/trivy/issues/6735)) ([a447f6b](https://github.com/aquasecurity/trivy/commit/a447f6ba94b6f8b14177dc5e4369a788e2020d90))
* **vex:** support non-root components for products in OpenVEX ([#6728](https://github.com/aquasecurity/trivy/issues/6728)) ([9515695](https://github.com/aquasecurity/trivy/commit/9515695d45e9b5c20890e27e21e3ab45bfd4ce5f))
### Bug Fixes
* clean up golangci lint configuration ([#6797](https://github.com/aquasecurity/trivy/issues/6797)) ([62de6f3](https://github.com/aquasecurity/trivy/commit/62de6f3feba6e4c56ad3922441d5b0f150c3d6b7))
* **cli:** always output fatal errors to stderr ([#6827](https://github.com/aquasecurity/trivy/issues/6827)) ([c2b9132](https://github.com/aquasecurity/trivy/commit/c2b9132a7e933a68df4cc0eb86aab23719ded1b5))
* close APKINDEX archive file ([#6672](https://github.com/aquasecurity/trivy/issues/6672)) ([5caf437](https://github.com/aquasecurity/trivy/commit/5caf4377f3a7fcb1f6e1a84c67136ae62d100be3))
* close settings.xml ([#6768](https://github.com/aquasecurity/trivy/issues/6768)) ([9c3e895](https://github.com/aquasecurity/trivy/commit/9c3e895fcb0852c00ac03ed21338768f76b5273b))
* close testfile ([#6830](https://github.com/aquasecurity/trivy/issues/6830)) ([aa0c413](https://github.com/aquasecurity/trivy/commit/aa0c413814e8915b38d2285c6a8ba5bc3f0705b4))
* **conda:** add support `pip` deps for `environment.yml` files ([#6675](https://github.com/aquasecurity/trivy/issues/6675)) ([150a773](https://github.com/aquasecurity/trivy/commit/150a77313e980cd63797a89a03afcbc97b285f38))
* **go:** add only non-empty root modules for `gobinaries` ([#6710](https://github.com/aquasecurity/trivy/issues/6710)) ([c96f2a5](https://github.com/aquasecurity/trivy/commit/c96f2a5b3de820da37e14594dd537c3b0949ae9c))
* **go:** include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` ([#6705](https://github.com/aquasecurity/trivy/issues/6705)) ([afb4f9d](https://github.com/aquasecurity/trivy/commit/afb4f9dc4730671ba004e1734fa66422c4c86dad))
* Golang version parsing from binaries w/GOEXPERIMENT ([#6696](https://github.com/aquasecurity/trivy/issues/6696)) ([696f2ae](https://github.com/aquasecurity/trivy/commit/696f2ae0ecdd4f90303f41249924a09ace70dd78))
* include packages unless it is not needed ([#6765](https://github.com/aquasecurity/trivy/issues/6765)) ([56dbe1f](https://github.com/aquasecurity/trivy/commit/56dbe1f6768fe67fbc1153b74fde0f83eaa1b281))
* **misconf:** don't shift ignore rule related to code ([#6708](https://github.com/aquasecurity/trivy/issues/6708)) ([39a746c](https://github.com/aquasecurity/trivy/commit/39a746c77837f873e87b81be40676818030f44c5))
* **misconf:** skip Rego errors with a nil location ([#6638](https://github.com/aquasecurity/trivy/issues/6638)) ([a2c522d](https://github.com/aquasecurity/trivy/commit/a2c522ddb229f049999c4ce74ef75a0e0f9fdc62))
* **misconf:** skip Rego errors with a nil location ([#6666](https://github.com/aquasecurity/trivy/issues/6666)) ([a126e10](https://github.com/aquasecurity/trivy/commit/a126e1075a44ef0e40c0dc1e214d1c5955f80242))
* node-collector high and critical cves ([#6707](https://github.com/aquasecurity/trivy/issues/6707)) ([ff32deb](https://github.com/aquasecurity/trivy/commit/ff32deb7bf9163c06963f557228260b3b8c161ed))
* **python:** add package name and version validation for `requirements.txt` files. ([#6804](https://github.com/aquasecurity/trivy/issues/6804)) ([ea3a124](https://github.com/aquasecurity/trivy/commit/ea3a124fc7162c30c7f1a59bdb28db0b3c8bb86d))
* **report:** hide empty tables if all vulns has been filtered ([#6352](https://github.com/aquasecurity/trivy/issues/6352)) ([3d388d8](https://github.com/aquasecurity/trivy/commit/3d388d8552ef42d4d54176309a38c1879008527b))
* **sbom:** fix panic for `convert` mode when scanning json file derived from sbom file ([#6808](https://github.com/aquasecurity/trivy/issues/6808)) ([f92ea09](https://github.com/aquasecurity/trivy/commit/f92ea096856c7c262b05bd4d31c62689ebafac82))
* use of specified context to obtain cluster name ([#6645](https://github.com/aquasecurity/trivy/issues/6645)) ([39ebed4](https://github.com/aquasecurity/trivy/commit/39ebed45f8c218509d264bd3f3ca548fc33d2b3a))
### Performance Improvements
* **misconf:** parse rego input once ([#6615](https://github.com/aquasecurity/trivy/issues/6615)) ([67c6b1d](https://github.com/aquasecurity/trivy/commit/67c6b1d473999003d682bdb42657bbf3a4a69a9c))
Trivy (`tri`pronounced like **tri**gger, `vy` pronounced like en**vy**) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
Trivy has different *scanners* that look for different security issues, and different *targets* where it can find those issues.
Targets (what Trivy can scan):
Targets:
- Container Image
- Filesystem
- Git repository (remote)
-Kubernetes cluster or resource
- Git Repository (remote)
-Virtual Machine Image
- Kubernetes
- AWS
Scanners (what Trivy can find there):
Scanners:
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC misconfigurations
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
Much more scanners and targets are coming up. Missing something? Let us know!
Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
Read more in the [Trivy Documentation][docs]
To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
## Quick Start
### Get Trivy
Get Trivy by your favorite installation method. See [installation] section in the documentation for details. For example:
Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
-`apt-get install trivy`
-`yum install trivy`
-`pacman -S trivy`
-`brew install aquasecurity/trivy/trivy`
-`sudo port install trivy`
-`brew install trivy`
-`docker run aquasec/trivy`
- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
- See [Installation] for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
Note that you can also receive a detailed scan, scan only a specific namespace, resource and more.
## FAQ
Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
### How to pronounce the name "Trivy"?
`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
## Highlights
## Want more? Check out Aqua
- Comprehensive vulnerability detection
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- High accuracy, especially [Alpine Linux][alpine] and RHEL/CentOS
- Supply chain security (SBOM support)
- Support CycloneDX
- Support SPDX
- Misconfiguration detection (IaC scanning)
- Wide variety of security checks are provided **out of the box**
- Kubernetes, Docker, Terraform, and more
- User-defined policies using [OPA Rego][rego]
- Secret detection
- A wide variety of built-in rules are provided **out of the box**
- User-defined patterns
- Efficient scanning of container images
- Simple
- Available in apt, yum, brew, dockerhub
- **No pre-requisites** such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
- Fits your workflow
- **Great for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
- Available as extension for IDEs such as vscode, jetbrains, vim
- Available as extension for Docker Desktop, Rancher Desktop
- See [integrations] section in the documentation.
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
---
## Community
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
Join our [Slack community][slack] to stay up to date with community efforts.
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
This directory contains media assets, such as the Trivy logo.
Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
The following guide provides an overview of contributing checks to the default checks in Trivy.
All of the checks in Trivy can be found in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository on GitHub. Before you begin writing a check, ensure:
1. The check does not already exist as part of the default checks in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository.
2. The pull requests in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/pulls) repository to see whether someone else is already contributing the check that you wanted to add.
3. The [issues in Trivy](https://github.com/aquasecurity/trivy/issues) to see whether any specific checks are missing in Trivy that you can contribute.
If anything is unclear, please [start a discussion](https://github.com/aquasecurity/trivy/discussions/new) and we will do our best to help.
## Check structure
Checks are written in Rego and follow a particular structure in Trivy. Below is an example check for AWS:
```rego
# METADATA
# title: "RDS IAM Database Authentication Disabled"
# description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access"
# recommended_action: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication."
# input:
# selector:
# - type: cloud
# subtypes:
# - service: rds
# provider: aws
packagebuiltin.aws.rds.aws0176
deny[res]{
instance:=input.aws.rds.instances[_]
instance.engine.value==["postgres","mysql"][_]
notinstance.iamauthenabled.value
res:=result.new("Instance does not have IAM Authentication enabled",instance.iamauthenabled)
}
```
## Verify the provider and service exists
Every check for a cloud service references a cloud provider. The list of providers are found in the [Trivy](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) repository.
Before writing a new check for a cloud provider, you need to verify if the cloud provider or resource type that your check targets is supported by Trivy. If it's not, you'll need to add support for it. Additionally, if the provider that you want to target exists, you need to check whether the service your policy will target is supported. As a reference you can take a look at the AWS provider [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go).
???+ note
New Kubernetes and Dockerfile checks do not require any additional provider definitions. You can find an example of a Dockerfile check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/docker/add_instead_of_copy.rego) and a Kubernetes check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/kubernetes/general/CPU_not_limited.rego).
### Add Support for a New Service in an existing Provider
[Please reference the documentation on adding Support for a New Service](./service-support.md).
This guide also showcases how to add new properties for an existing Service.
## Create a new .rego file
The following directory in the trivy-checks repository contains all of our custom checks. Depending on what type of check you want to create, you will need to nest a new `.rego` file in either of the [subdirectories](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
* cloud: All checks related to cloud providers and their services
* docker: Docker specific checks
* kubernetes: Kubernetes specific checks
## Check Package name
Have a look at the existing package names in the [built in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks).
The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `builtin.aws.rds.aws0176`.
## Generating an ID
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule.
## Check Schemas
Rego Checks for Trivy can utilise Schemas to map the input to specific objects. The schemas available are listed [here.](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas).
More information on using the builtin schemas is provided in the [main documentation.](../../../docs/scanner/misconfiguration/custom/schema.md)
## Check Metadata
The metadata is the top section that starts with `# METADATA`, and has to be placed on top of the check. You can copy and paste from another check as a starting point. This format is effectively _yaml_ within a Rego comment, and is [defined as part of Rego itself](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata).
For detailed information on each component of the Check Metadata, please refer to the [main documentation.](../../../docs/scanner/misconfiguration/custom/index.md)
Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
## Writing Rego Rules
Rules are defined using _OPA Rego_. You can find a number of examples in the `checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). The [OPA documentation](https://www.openpolicyagent.org/docs/latest/policy-language/) is a great place to start learning Rego. You can also check out the [Rego Playground](https://play.openpolicyagent.org/) to experiment with Rego, and [join the OPA Slack](https://slack.openpolicyagent.org/).
```rego
deny[res]{
instance:=input.aws.rds.instances[_]
instance.engine.value==["postgres","mysql"][_]
notinstance.iamauthenabled.value
res:=result.new("Instance does not have IAM Authentication enabled",instance.iamauthenabled)
}
```
The rule should return a result, which can be created using `result.new`. This function does not need to be imported, it is defined internally and provided at runtime. The first argument is the message to display and the second argument is the resource that the issue was detected on.
It is possible to pass any rego variable that references a field of the input document.
## Generate docs
Finally, you'll want to generate documentation for your newly added rule. Please run `make docs` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) directory to generate the documentation for your new policy and submit a PR for us to take a look at.
## Adding Tests
All Rego checks need to have tests. There are many examples of these in the `checks` directory for each check ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). More information on how to write tests for Rego checks is provided in the [custom misconfiguration](../../../docs/scanner/misconfiguration/custom/testing.md) section of the docs.
## Example PR
You can see a full example PR for a new rule being added here: [https://github.com/aquasecurity/defsec/pull/1000](https://github.com/aquasecurity/defsec/pull/1000).
A service refers to a service by a cloud provider. This section details how to add a new service to an existing provider. All contributions need to be made to the [trivy repository](https://github.com/aquasecurity/trivy/).
## Prerequisites
Before you begin, verify that the [provider](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) does not already have the service that you plan to add.
## Adding a new service to an existing provider
Adding a new service involves two steps. The service will need a data structure to store information about the required resources that will be scanned. Additionally, the service will require one or more adapters to convert the scan targetes as input(s) into the aforementioned data structure.
### Create a new file in the provider directory
In this example, we are adding the CodeBuild service to the AWS provider.
First, create a new directory and file for your new service under the provider directory: e.g. [aws/codebuild/codebuild.go](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/codebuild/codebuild.go)
The CodeBuild service will require a structure `struct` to hold the information on the input that is scanned. The input is the CodeBuild resource that a user configured and wants to scan for misconfiguration.
```
type CodeBuild struct {
Projects []Project
}
```
The CodeBuild service manages `Project` resources. The `Project` struct has been added to hold information about each Project resources; `Project` Resources in turn manage `ArtifactSettings`:
```
type Project struct {
Metadata iacTypes.Metadata
ArtifactSettings ArtifactSettings
SecondaryArtifactSettings []ArtifactSettings
}
type ArtifactSettings struct {
Metadata iacTypes.Metadata
EncryptionEnabled iacTypes.BoolValue
}
```
The `iacTypes.Metadata` struct is embedded in all of the Trivy types and provides a common set of metadata for all resources. This includes the file and line number where the resource was defined and the name of the resource.
A resource in this example `Project` can have a name and can optionally be encrypted. Instead of using raw string and bool types respectively, we use the trivy types `iacTypes.Metadata` and `iacTypes.BoolValue`. These types wrap the raw values and provide additional metadata about the value. For instance, whether it was set by the user and the file and line number where the resource was defined.
Have a look at the other providers and services in the [`iac/providers`](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) directory in Trivy.
Next you'll need to add a reference to your new service struct in the [provider struct](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go) at `pkg/iac/providers/aws/aws.go`:
```
type AWS struct {
...
CodeBuild codebuild.CodeBuild
...
}
```
### Update Adapters
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)
## Create a new Schema for your provider
Once the new service has been added to the provider, you need to create the schema for the service as part of the provider schema.
This process has been automated with mage commands. In the Trivy root directory run `mage schema:generate` to generate the schema for your new service and `mage schema:verify`.
Thank you for taking interest in contributing to Trivy!
Trivy uses [GitHub Discussion](https://github.com/aquasecurity/trivy/discussions) for bug reports, feature requests, and questions.
If maintainers decide to accept a new feature or confirm that it is a bug, they will close the discussion and create a [GitHub Issue](https://github.com/aquasecurity/trivy/issues) associated with that discussion.
- Feel free to open discussions for any reason. When you open a new discussion, you'll have to select a discussion category as described below.
- Please spend a small amount of time giving due diligence to the issue/discussion tracker. Your discussion might be a duplicate. If it is, please add your comment to the existing issue/discussion.
- Remember that users might search for your issue/discussion in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
## False detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
1. Run Trivy with `-f json` that shows data sources.
2. According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
### GitHub Advisory Database
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
Thank you for taking interest in contributing to Trivy!
- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
## Wrong detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
1. Run Trivy with `-f json` that shows data sources.
2. According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
### GitHub Advisory Database
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
Trivy uses [GitHub Discussion](./discussion.md) for bug reports, feature requests, and questions.
!!! warning
Issues created by non-maintainers will be immediately closed.
@@ -9,11 +9,71 @@ Thank you for taking interest in contributing to Trivy!
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
### Title
## Development
Install the necessary tools for development by following their respective installation instructions.
- [Go](https://go.dev/doc/install)
- [Mage](https://magefile.org/)
### Build
After making changes to the Go source code, build the project with the following command:
```shell
$ mage build
$ ./trivy -h
```
### Lint
You must pass the linter checks:
```shell
$ mage lint:run
```
Additionally, you need to have run `go mod tidy`, so execute the following command as well:
```shell
$ mage tidy
```
To autofix linters use the following command:
```shell
$ mage lint:fix
```
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
```
$ mage test:unit
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ mage test:integration
```
### Documentation
If you update CLI flags, you need to generate the CLI references.
The test will fail if they are not up-to-date.
```shell
$ mage docs:generate
```
You can build the documents as below and view it at http://localhost:8000.
```
$ mage docs:serve
```
## Title
It is not that strict, but we use the title conventions in this repository.
Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
#### Format of the title
### Format of the title
```
<type>(<scope>): <subject>
@@ -50,7 +110,11 @@ mode:
- fs
- repo
- sbom
- k8s
- server
- aws
- vm
- plugin
os:
@@ -77,6 +141,9 @@ language:
- dotnet
- java
- go
- elixir
- dart
- julia
vuln:
@@ -102,16 +169,23 @@ cli:
- cli
- flag
SBOM:
- cyclonedx
- spdx
- purl
others:
- helm
- report
- db
- parser
- deps
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
#### Example titles
### Example titles
```
feat(alma): add support for AlmaLinux
@@ -132,33 +206,15 @@ chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
## Commits
```
$ make test
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ make test-integration
```
### Documentation
You can build the documents as below and view it at http://localhost:8000.
```
$ make mkdocs-serve
```
## Understand where your pull request belongs
Trivy is composed of several repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
Trivy adopts [conventional commit messages][conventional-commits], and [Release Please][release-please] automatically creates a [release PR](https://github.com/googleapis/release-please?tab=readme-ov-file#whats-a-release-pr) based on the messages of the merged commits.
This release PR is automatically updated every time a new commit is added to the release branch.
If a commit has the prefix `feat:`, a PR is automatically created to increment the minor version, and if a commit has the prefix `fix:`, a PR is created to increment the patch version.
When the PR is merged, GitHub Actions automatically creates a version tag and the release is performed.
For detailed behavior, please refer to [the GitHub Actions configuration][workflows].
!!! note
Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release).
## Flow
The release flow consists of the following main steps:
1. Creating the release PR (automatically or manually)
1. Drafting the release notes
1. Merging the release PR
1. Updating the release notes
### Automatic Release PR Creation
When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
These Release PRs are kept up-to-date as additional work is merged.
When it's ready to tag a release, simply merge the release PR.
See the [Release Please documentation][release-please] for more information.
The title of the PR will be in the format `release: v${version} [${branch}]` (e.g., `release: v0.51.0 [main]`).
The format of the PR title is important for identifying the release commit, so it should not be changed.
The `release/vX.Y` release branches are also subject to automatic release PR creation for patch releases.
The PR title will be like `release: v0.51.1 [release/v0.51]`.
### Manual Release PR Creation
If you want to release commits like `chore`, a release PR is not automatically created, so you need to manually trigger the creation of a release PR.
The [Release Please workflow](https://github.com/aquasecurity/trivy/actions/workflows/release-please.yaml) supports `workflow_dispatch` and can be triggered manually.
Click "Run workflow" in the top right corner and specify the release branch.
In Trivy, the following branches are the release branches.
-`main`
-`release/vX.Y` (e.g. `release/v0.51`)
Specify the release version (without the `v` prefix) and click "Run workflow" to create a release PR for the specified version.
### Drafting the Release Notes
Next, create release notes for this version.
Draft a new post in GitHub Discussions, and maintainers edit these release notes (e.g., https://github.com/aquasecurity/trivy/discussions/6605).
Currently, the creation of this draft is done manually.
For patch version updates, this step can be skipped since they only involve bug fixes.
### Merging the Release PR
Once the draft of the release notes is complete, merge the release PR.
When the PR is merged, a tag is automatically created, and [GoReleaser][goreleaser] releases binaries, container images, etc.
### Updating the Release Notes
If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
Copy the draft release notes, adjust the formatting, and finalize the release notes.
This document outlines the guiding principles and governance framework for the Trivy project.
## Core Principles
Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core.
All new proposals to the project must adhere to the following principles.
### Static Analysis (No Runtime Required)
Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime.
This approach enhances security and efficiency by minimizing dependencies.
### External Dependency Free (Single Binary)
Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes.
If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions.
Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
### No Setup Required
Trivy must be ready to use immediately after installation.
It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default.
Such setups should only be necessary for users requiring specific customizations.
Security often isn't a top priority for many organizations and can be easily deferred.
Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
### Security Focus
Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images.
It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
Trivy serves as a tool with opinions on security, used to warn users about potential issues.
### Detecting Unintended States
Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet.
The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
## Out of Scope Features
Aqua Security offers a premium version with several features not available in the open-source Trivy project.
While detailed information can be found [here][trivy-aqua], it's beneficial to highlight specific functionalities frequently inquired about:
### Runtime Security
As mentioned in [the Core Principles](#static-analysis-no-runtime-required), Trivy is a static analysis security scanner, making runtime security outside its scope.
Runtime security needs are addressed by [Tracee][tracee] or [the commercial version of Aqua Security]().
### Intentional Attacks
As mentioned in [the Core Principles](#detecting-unintended-states), detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in [the commercial version][aqua].
### User Interface
Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
You have to know where to put the DB files. The following command shows the default cache directory.
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
=== "Vulnerability db"
Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
Put the DB file in the cache directory + `/db`.
=== "Java index db[^1]"
Put the DB file in the cache directory + `/java-db`.
```
$ mkdir -p /home/myuser/.cache/trivy/java-db
$ cd /home/myuser/.cache/trivy/java-db
$ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
x trivy-java.db
x metadata.json
$ rm /path/to/javadb.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
### Run Trivy with the specific flags.
In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
### Run Trivy with `--skip-update` and `--offline-scan` option
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
The `plugin.yaml` field should contain the following information:
- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
- version: The version of the plugin. (required)
- usage: A short usage description. (required)
- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
- platforms: (required)
- selector: The OS/Architecture specific variations of a execution file. (optional)
- os: OS information based on GOOS (linux, darwin, etc.) (optional)
- arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
- uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
- bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
The following rules will apply in deciding which platform to select:
- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
- If `selector` is not present, the platform will be used.
- If `os` matches and there is no more specific `arch` match, the platform will be used.
- If no `platform` match is found, Trivy will exit with an error.
After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
When the plugin is called via Trivy CLI, `bin` command will be executed.
The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled
2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine
2022-09-16T17:37:14.903+0900 INFO Detecting Alpine vulnerabilities...
2022-09-16T17:37:14.907+0900 INFO Number of language-specific files: 0
2022-09-16T17:37:14.908+0900 WARN This OS version is no longer supported by the distribution: alpine 3.7.3
2022-09-16T17:37:14.908+0900 WARN The vulnerability detection may be insufficient because security updates are not provided
This feature might change without preserving backwards compatibility.
The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline.
Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
## CLI Commands
Scan a full AWS account (all supported services):
```shell
trivy aws --region us-east-1
```
You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
All ARNs with detected issues will be displayed when showing results for their associated service.
## Cached Results
By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)
This feature might change without preserving backwards compatibility.
Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
## Usage
Compliance report is currently supported in the following targets (trivy sub-commands):
-`trivy image`
-`trivy aws`
-`trivy k8s`
Add the `--compliance` flag to the command line, and set it's value to desired report.
For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
### Options
The following flags are compatible with `--compliance` flag and allows customizing it's output:
You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
```yaml
spec:
id:"k8s-myreport"# report unique identifier. this should not container spaces.
title:"My custom Kubernetes report"# report title. Any one-line title.
description:"Describe your report"# description of the report. Any text.
relatedResources :
- https://some.url# useful references. URLs only.
version:"1.0"# spec version (string)
controls:
- name:"Non-root containers"# Name for the control (appears in the report as is). Any one-line name.
description:'Check that container is not running as root'# Description (appears in the report as is). Any text.
id:"1.0"# control identifier (string)
checks:# list of existing Trivy checks that define the control
- id:AVD-KSV-0012# check ID. Must start with `AVD-` or `CVE-`
severity:"MEDIUM"# Severity for the control (note that checks severity isn't used)
- name:"Immutable container file systems"
description:'Check that container root file system is immutable'
id:"1.1"
checks:
- id:AVD-KSV-0014
severity:"LOW"
```
The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
## Contributing new Compliance Specs
Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
### Create a new Compliance Spec
The existing compliance specs in Trivy are located under the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.
### Minimum spec structure
The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance).
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
### Populating the `control` section
Compliance specs detail a set of checks that should pass so that the resource is compliant with the official benchmark specifications. There are two ways in which Trivy compliance checks can enforce the compliance specification:
1. The check is available in Trivy, as part of the `trivy-checks` and can be referenced in the Compliance Spec
2. The check is not available in Trivy and a manual check has to be added to the Compliance Spec
Additional information is provided below.
#### 1. Referencing a check that is already part of Trivy
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available.
For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark:
`3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)`
This check can be found in the general K8s CIS Compliance Benchmark: `k8s-cis-1.23.yaml` ([Link](https://github.com/aquasecurity/trivy-checks/blob/31e779916f3863dd74a28cee869ea24fdc4ca8c2/specs/compliance/k8s-cis-1.23.yaml#L480))
Thus, we can use the information already present:
```
- id: 3.1.2
name: Ensure that the kubelet service file ownership is set to root:root (Manual)
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
severity: HIGH
```
- The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
- The `check` and `severity` are taken from the existing complaince check in the `k8s-cis-1.23.yaml`
#### 2. Referencing a check manually that is not part of the Trivy default checks
If the check does not already exist in the [Aqua Vulnerability Database](https://avd.aquasec.com/) (AVD) and is not part of the trivy-checks, the fields in the compliance spec for the check have to be populated manually. This is done by referencing the information in the official compliance specification.
Below is the beginning of the information of the EKS CIS Benchmarks v1.4.0:
The corresponding check in the `control` section will look like this:
```
- id: 2.1.1
name: Enable audit Logs (Manual)
description: |
Control plane logs provide visibility into operation of the EKS Control plane components systems.
The API server audit logs record all accepted and rejected requests in the cluster.
When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch
Log Group for persistence.
checks: null
severity: MEDIUM
```
- Again, the `id`, `name` and `description` are taken directly from the EKS CIS Benchmarks v1.4.0
- The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-checks/tree/main/checks) repository
- Since the check does not exist in Trivy, the `severity` will be `MEDIUM`. However, in some cases, the compliance report e.g. the CIS Benchmark report will specify the severity
#### Contributing new checks to trivy-checks
All of the checks in trivy-policies can be referenced in the compliance specs.
To write new Rego checks for Trivy, please take a look at the contributing documentation for checks.
### Test the Compliance Spec
To test the compliance check, pass the new path into the Trivy scan through the `--compliance` flag. For instance, to pass the check to the Trivy Kubernetes scan use the following command structure:
Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
`trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
## Java Index Database
The same options are also available for the Java index DB, which is used for scanning Java applications.
Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
!!! Note
In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
Trivy provides various methods for filtering the results.
```mermaid
flowchart LR
Issues("Detected\nIssues") --> Severity
subgraph Filtering
subgraph Prioritization
direction TB
Severity("By Severity") --> Status("By Status")
end
subgraph Suppression
Status --> Ignore("By Finding IDs")
Ignore --> Rego("By Rego")
Rego --> VEX("By VEX")
end
end
VEX --> Results
```
Similar to the functionality of filtering results, you can also limit the sub-targets for each scanner.
For information on these settings, please refer to the scanner-specific documentation ([vulnerability](../scanner/vulnerability.md) , [misconfiguration](../scanner/misconfiguration/index.md), etc.).
## Prioritization
You can filter the results by
- [Severity](#by-severity)
- [Status](#by-status)
### By Severity
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
Use `--severity` option.
```bash
$ trivy image --severity HIGH,CRITICAL ruby:2.4.0
```
<details>
<summary>Result</summary>
```bash
2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...
2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Trivy supports the following vulnerability statuses:
-`unknown`
-`not_affected`: this package is not affected by this vulnerability on this platform
-`affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
-`fixed`: this vulnerability is fixed on this platform
-`under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
-`will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
-`fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
-`end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
Some statuses are supported in limited distributions.
| OS | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
| id | ✓ | string | The identifier of the vulnerability, misconfiguration, secret, or license[^1]. |
| paths[^2] | | string array | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files. |
| purls | | string array | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
| expired_at | | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
| statement | | string | The reason for ignoring the finding. (This field is not used for filtering.) |
2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled
2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled
2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-31T11:10:27.155+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine
2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...
2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1
2023-08-31T11:10:29.170+0600 INFO Detecting python-pkg vulnerabilities...
This feature might change without preserving backwards compatibility.
[Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) is a policy language that allows you to express decision logic in a concise syntax.
Rego is part of the popular [Open Policy Agent (OPA)](https://www.openpolicyagent.org) CNCF project.
For advanced filtering, Trivy allows you to use Rego language to filter vulnerabilities.
Use the `--ignore-policy` flag which takes a path to a Rego file that defines the filtering policy.
The Rego package name must be `trivy` and it must include a "rule" named `ignore` which determines if each individual scan result should be excluded (ignore=true) or not (ignore=false).
The `input` for the evaluation is each [DetectedVulnerability](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/vulnerability.go#L9) and [DetectedMisconfiguration](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/misconfiguration.go#L6).
A practical way to observe the filtering policy input in your case, is to run a scan with the `--format json` option and look at the resulting structure:
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
### By Vulnerability Exploitability Exchange (VEX)
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |
Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
[^1]: license name is used as id for `.trivyignore.yaml` files.
[^2]: This doesn't work for os package licenses (e.g. apk, dpkg, rpm). For projects which manage dependencies through a dependency file (e.g. go.mod, yarn.lock) `path` should point to that particular file.
However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -63,15 +109,19 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain
Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-dirs "./testdata/*" .
```
This will skip all subdirectories of the testdata directory.
```bash
$ trivy config --skip-dirs "**/.terraform" .
```
This will skip subdirectories at any depth named `.terraform/`. (Note: this will match `./foo/.terraform` or
`./foo/bar/.terraform`, but not `./.terraform`.)
!!! tip
Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
### Advanced globbing
Trivy also supports bash style [extended](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) glob pattern matching.
```bash
$ trivy image --skip-files "**/foo" image:tag
```
This will skip the file `foo` that happens to be nested under any parent(s).
## File patterns
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | |
| License | ✓[^1] |
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
Trivy supports two types of Helm scanning, templates and packaged charts.
The following scanners are supported.
| Format | [Misconfiguration] | [Secret] |
| -------- | :----------------: | :------: |
| Template | ✓ | ✓ |
| Chart | ✓ | - |
## Misconfiguration
Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in checks.
### Value overrides
There are a number of options for overriding values in Helm charts.
When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
Whenever Trivy scans either of these Kubernetes resources, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Misconfigurations
- Exposed secrets
To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md).
[^1]: The local cache should contain the dependencies used. See [licenses](#licenses).
[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns).
[^3]: For `conan.lock` in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
