feat(flag): Support globstar for --skip-files and --skip-directories (#4026 )

Signed-off-by: Simar <simar@linux.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
chore(deps): bump actions/stale from 7 to 8 (#3955 )
2025-12-06 21:01:09 -08:00 · 2023-04-16 13:48:20 +03:00 · 2023-04-16 13:40:12 +03:00 · 2023-04-15 08:26:50 +03:00 · 2023-04-14 07:35:51 +03:00 · 2023-04-14 07:28:44 +03:00
422 changed files with 21858 additions and 5953 deletions
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -16,7 +16,7 @@ jobs:
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser-canary.yml
-      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+      goreleaser_options: '--snapshot --clean --timeout 60m' # will not release
    secrets: inherit

  upload-binaries:
@@ -25,7 +25,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.2.4
+        uses: actions/cache@v3.3.1
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -35,7 +35,7 @@ jobs:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76
      - name: Setup Kubernetes cluster (KIND)
        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
        with:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs:
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser.yml
-      goreleaser_options: '--rm-dist --timeout 90m'
+      goreleaser_options: '--clean --timeout 90m'
    secrets: inherit

  deploy-packages:
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.2.4
+        uses: actions/cache@v3.3.1
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -65,7 +65,7 @@ jobs:
          fetch-depth: 0

      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod

@@ -75,16 +75,29 @@ jobs:
          args: mod -licenses -json -output bom.json
          version: ^v1

+      - name: "save gpg key"
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" > gpg.key
+
      - name: GoReleaser
        uses: goreleaser/goreleaser-action@v4
        with:
-          version: v1.4.1
+          version: v1.16.2
          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_FILE: "gpg.key"

-      ## push images to registries
-      ## only for canary build
+      - name: "remove gpg key"
+        run: |
+          rm gpg.key
+
+      # Push images to registries (only for canary build)
+      # The custom Dockerfile.canary is necessary
+      # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
      - name: Build and push
        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
        uses: docker/build-push-action@v4
@@ -99,7 +112,7 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v3.2.4
+        uses: actions/cache@v3.3.1
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
--- a/.github/workflows/roadmap.yaml
+++ b/.github/workflows/roadmap.yaml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+      - uses: actions/add-to-project@v0.4.1 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
          field-values: Backlog

      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+      - uses: actions/add-to-project@v0.4.1 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
          field-values: Important (long-term)

      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+      - uses: actions/add-to-project@v0.4.1 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
          field-values: Important (soon)

      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v0.4.0 # add new issue to project
+      - uses: actions/add-to-project@v0.4.1 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -13,11 +13,11 @@ jobs:
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner and create GitHub issues
-        uses: knqyf263/trivy-issue-action@v0.0.4
+        uses: knqyf263/trivy-issue-action@v0.0.5
        with:
          assignee: knqyf263
          severity: CRITICAL
-          skip-dirs: integration,examples
+          skip-dirs: integration,examples,pkg
          label: kind/security
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -47,6 +47,7 @@ jobs:

            alpine
            wolfi
+            chainguard
            redhat
            alma
            rocky
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v8
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -25,7 +25,7 @@ jobs:
      - uses: actions/checkout@v3

      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
          go-version: oldstable

@@ -41,18 +41,27 @@ jobs:
      - name: Lint
        uses: golangci/golangci-lint-action@v3.4.0
        with:
-          version: v1.49
+          version: v1.52
          args: --deadline=30m
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
        if: matrix.operating-system == 'ubuntu-latest'

-      # Install tools
-      - uses: aquaproj/aqua-installer@v2.0.2
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v2.0.2
        with:
          aqua_version: v1.25.0

+      - name: Check if CLI references are up-to-date
+        run: |
+          mage docs:generate
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'mage docs:generate' and push it"
+            exit 1
+          fi
+        if: matrix.operating-system == 'ubuntu-latest'
+
      - name: Run unit tests
-        run: make test
+        run: mage test:unit

  integration:
    name: Integration Test
@@ -62,12 +71,17 @@ jobs:
        uses: actions/checkout@v3

      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod

+      - name: Install tools
+        uses: aquaproj/aqua-installer@v2.0.2
+        with:
+          aqua_version: v1.25.0
+
      - name: Run integration tests
-        run: make test-integration
+        run: mage test:integration

  module-test:
    name: Module Integration Test
@@ -77,19 +91,19 @@ jobs:
        uses: actions/checkout@v3

      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod

-      # Install tools
-      - uses: aquaproj/aqua-installer@v2.0.2
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v2.0.2
        with:
          aqua_version: v1.25.0

      - name: Run module integration tests
        shell: bash
        run: |
-          make test-module-integration
+          mage test:module

  build-test:
    name: Build Test
@@ -111,13 +125,14 @@ jobs:
      uses: actions/checkout@v3

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
      with:
        go-version-file: go.mod

    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v4
      with:
-        version: v1.4.1
-        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
-
+        version: v1.16.2
+        args: release --skip-sign --snapshot --clean --skip-publish --timeout 90m
+      env:
+        GPG_FILE: "nogpg.key"
--- a/.github/workflows/vm-test.yaml
+++ b/.github/workflows/vm-test.yaml
@@ -24,9 +24,13 @@ jobs:
        uses: actions/checkout@v3

      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v2.0.2
+        with:
+          aqua_version: v1.25.0
      - name: Run vm integration tests
        run: |
-          make test-vm-integration
+          mage test:vm
--- a/.gitignore
+++ b/.gitignore
@@ -34,4 +34,7 @@ integration/testdata/fixtures/vm-images
 dist

 # WebAssembly
-*.wasm
+*.wasm
+
+# Signing
+gpg.key
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.17.1
+FROM alpine:3.17.3
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,10 +1,11 @@
-FROM alpine:3.17.1
+FROM alpine:3.17.3
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
 # need to copy binaries from folder with correct architecture
 # example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64 
 ARG TARGETARCH
-COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
 ENTRYPOINT ["trivy"]
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -10,3 +10,6 @@ RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/down

 RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
 RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
+RUN go install github.com/magefile/mage@v1.14.0
+
+ENV TRIVY_PROTOC_CONTAINER=true
--- a/135
+++ b/135
@@ -1,135 +0,0 @@
-VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
-LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
-
-GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
-GOBIN := $(GOPATH)/bin
-GOSRC := $(GOPATH)/src
-
-TEST_MODULE_DIR := pkg/module/testdata
-TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
-TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
-
-EXAMPLE_MODULE_DIR := examples/module
-EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
-EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
-
-MKDOCS_IMAGE := aquasec/mkdocs-material:dev
-MKDOCS_PORT := 8000
-
-export CGO_ENABLED := 0 
-
-u := $(if $(update),-u)
-
-# Tools
-$(GOBIN)/wire:
-	go install github.com/google/wire/cmd/wire@v0.5.0
-
-$(GOBIN)/crane:
-	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
-
-$(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
-
-$(GOBIN)/labeler:
-	go install github.com/knqyf263/labeler@latest
-
-$(GOBIN)/easyjson:
-	go install github.com/mailru/easyjson/...@v0.7.7
-
-.PHONY: wire
-wire: $(GOBIN)/wire
-	wire gen ./pkg/commands/... ./pkg/rpc/...
-
-.PHONY: mock
-mock: $(GOBIN)/mockery
-	mockery -all -inpkg -case=snake -dir $(DIR)
-
-.PHONY: deps
-deps:
-	go get ${u} -d
-	go mod tidy
-
-.PHONY: generate-test-modules
-generate-test-modules: $(TEST_MODULES)
-
-# Compile WASM modules for unit and integration tests
-%.wasm:%.go
-	@if !(type "tinygo" > /dev/null 2>&1); then \
-		echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
-		exit 1; \
-	fi
-	go generate $<
-
-# Run unit tests
-.PHONY: test
-test: $(TEST_MODULES)
-	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
-
-integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
-	mkdir -p integration/testdata/fixtures/images/
-	integration/scripts/download-images.sh
-
-# Run integration tests
-.PHONY: test-integration
-test-integration: integration/testdata/fixtures/images/*.tar.gz
-	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
-
-# Run WASM integration tests
-.PHONY: test-module-integration
-test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
-	go test -v -tags=module_integration ./integration/...
-
-# Run VM integration tests
-.PHONY: test-vm-integration
-test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
-	go test -v -tags=vm_integration ./integration/...
-
-integration/testdata/fixtures/vm-images/*.img.gz:
-	integration/scripts/download-vm-images.sh
-
-
-.PHONY: lint
-lint: $(GOBIN)/golangci-lint
-	$(GOBIN)/golangci-lint run --timeout 5m
-
-.PHONY: fmt
-fmt:
-	find ./ -name "*.proto" | xargs clang-format -i
-
-.PHONY: build
-build:
-	go build $(LDFLAGS) ./cmd/trivy
-
-.PHONY: protoc
-protoc:
-	docker build -t trivy-protoc - < Dockerfile.protoc
-	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
-
-_protoc:
-	for path in `find ./rpc/ -name "*.proto" -type f`; do \
-		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
-	done
-
-.PHONY: install
-install:
-	go install $(LDFLAGS) ./cmd/trivy
-
-.PHONY: clean
-clean:
-	rm -rf integration/testdata/fixtures/images
-
-# Create labels on GitHub
-.PHONY: label
-label: $(GOBIN)/labeler
-	labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5
-
-# Run MkDocs development server to preview the documentation page
-.PHONY: mkdocs-serve
-mkdocs-serve:
-	docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
-	docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
-
-# Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
-.PHONY: easyjson
-easyjson: $(GOBIN)/easyjson
-	easyjson pkg/module/serialize/types.go
--- a/README.md
+++ b/README.md
@@ -51,6 +51,11 @@ Trivy is integrated with many popular platforms and applications. The complete l
 - [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
 - See [Ecosystem] for more

+### Canary builds
+There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
+
+Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
+
 ### General usage

 ```bash
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -6,3 +6,4 @@ registries:
  ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
 packages:
 - name: tinygo-org/tinygo@v0.26.0
+- name: magefile/mage@v1.14.0
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -127,6 +127,7 @@ adjust_arch() {
    386) ARCH=32bit ;;
    amd64) ARCH=64bit ;;
    arm) ARCH=ARM ;;
+    armv7) ARCH=ARM ;;
    arm64) ARCH=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) ARCH=macOS ;;
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -9,11 +9,66 @@ Thank you for taking interest in contributing to Trivy!
 1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
 1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.

-### Title
+## Development
+Install the necessary tools for development by following their respective installation instructions.
+
+- [Go](https://go.dev/doc/install)
+- [Mage](https://magefile.org/)
+
+### Build
+After making changes to the Go source code, build the project with the following command:
+
+```shell
+$ mage build
+$ ./trivy -h
+```
+
+### Lint
+You must pass the linter checks:
+
+```shell
+$ mage lint
+```
+
+Additionally, you need to have run `go mod tidy`, so execute the following command as well:
+
+```shell
+$ mage tidy
+```
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ mage test:unit
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ mage test:integration
+```
+
+### Documentation
+If you update CLI flags, you need to generate the CLI references.
+The test will fail if they are not up-to-date.
+
+```shell
+$ mage docs:generate
+```
+
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ mage docs:serve
+```
+
+## Title
 It is not that strict, but we use the title conventions in this repository.
 Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.

-#### Format of the title
+### Format of the title

 ```
 <type>(<scope>): <subject>
@@ -122,7 +177,7 @@ others:

 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.

-#### Example titles
+### Example titles

 ```
 feat(alma): add support for AlmaLinux
@@ -143,33 +198,15 @@ chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
 **NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
 The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.

-### Unit tests
-Your PR must pass all the unit tests. You can test it as below.
+## Commits

-```
-$ make test
-```
-
-### Integration tests
-Your PR must pass all the integration tests. You can test it as below.
-
-```
-$ make test-integration
-```
-
-### Documentation
-You can build the documents as below and view it at http://localhost:8000.
-
-```
-$ make mkdocs-serve
-```

 ## Understand where your pull request belongs

 Trivy is composed of several repositories that work together:

 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
 - [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
 - [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -52,7 +52,7 @@ Java users also need to download the Java index database for use in air-gapped e
 === "oras >= v0.13.0"
    Please follow [oras installation instruction][oras].

-    Download `db.tar.gz`:
+    Download `javadb.tar.gz`:

    ```
    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
@@ -61,7 +61,7 @@ Java users also need to download the Java index database for use in air-gapped e
 === "oras < v0.13.0"
    Please follow [oras installation instruction][oras].

-    Download `db.tar.gz`:
+    Download `javadb.tar.gz`:

    ```
    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
@@ -122,7 +122,7 @@ In an air-gapped environment, you have to specify `--skip-db-update` and `--skip
 In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.

 ```
-$ trivy image --skip-update --skip-java-db-update --offline-scan alpine:3.12
+$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12
 ```

 ## Air-Gapped Environment for misconfigurations
@@ -139,4 +139,4 @@ $ trivy conf --skip-policy-update /path/to/conf
 [allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/

-[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../vulnerability/languages/java.md)
+[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../vulnerability/languages/java.md)
--- a/docs/docs/advanced/plugins.md
+++ b/docs/docs/advanced/plugins.md
@@ -42,6 +42,11 @@ For example, to download the Kubernetes Trivy plugin you can execute the followi
 ```bash
 $ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
 ```
+Also, Trivy plugin can be installed from a local archive:
+```bash
+$ trivy plugin install myplugin.tar.gz
+```
+
 ## Using Plugins
 Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
 A plugin will be made in the Trivy CLI based on the plugin name.
@@ -162,6 +167,21 @@ When the plugin is called via Trivy CLI, `bin` command will be executed.

 The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.

+A plugin should be archived `*.tar.gz`.
+
+```bash
+$ tar -czvf myplugin.tar.gz plugin.yaml script.py
+plugin.yaml
+script.py
+
+$ trivy plugin install myplugin.tar.gz
+2023-03-03T19:04:42.026+0600	INFO	Installing the plugin from myplugin.tar.gz...
+2023-03-03T19:04:42.026+0600	INFO	Loading the plugin metadata...
+
+$ trivy myplugin
+Hello from Trivy demo plugin!
+```
+
 ## Example
 https://github.com/aquasecurity/trivy-plugin-kubectl

--- a/docs/docs/advanced/private-registries/docker-hub.md
+++ b/docs/docs/advanced/private-registries/docker-hub.md
@@ -1,7 +1,2 @@
-Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
-You don't need to set ENV vars when download from public repository.
-
-```bash
-export TRIVY_USERNAME={DOCKERHUB_USERNAME}
-export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
-```
+See [here](./index.md) for the detail.
+You don't need to provide a credential when download from public repository.
--- a/docs/docs/advanced/private-registries/index.md
+++ b/docs/docs/advanced/private-registries/index.md
@@ -1,4 +1,49 @@
-Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
-That's because it's easy to run in a CI process.
+Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
+This makes it easy to run within a CI process.

-All you have to do is install `Trivy` and set ENV vars.
+## Credential
+To use Trivy with private images, simply install it and provide your credentials:
+
+```shell
+$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
+```
+
+Trivy also supports providing credentials through CLI flags:
+
+```shell
+$ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE_IMAGE
+```
+
+!!! warning
+    The CLI flag `--password` is available, but its use is not recommended for security reasons.
+
+You can also store your credentials in `trivy.yaml`.
+For more information, please refer to [the documentation](../../references/customization/config-file.md).
+
+It can handle multiple sets of credentials as well:
+
+```shell
+$ export TRIVY_USERNAME=USERNAME1,USERNAME2
+$ export TRIVY_PASSWORD=PASSWORD1,PASSWORD2
+$ trivy image YOUR_PRIVATE_IMAGE
+```
+
+In the example above, Trivy attempts to use two pairs of credentials:
+
+- USERNAME1/PASSWORD1
+- USERNAME2/PASSWORD2
+
+Please note that the number of usernames and passwords must be the same.
+
+## docker login
+If you have Docker configured locally and have set up the credentials, Trivy can access them.
+
+```shell
+$ docker login ghcr.io
+Username: 
+Password:
+$ trivy image ghcr.io/your/private_image
+```
+
+!!! note
+    `docker login` can be used with any container runtime, such as Podman.
--- a/docs/docs/misconfiguration/custom/index.md
+++ b/docs/docs/misconfiguration/custom/index.md
@@ -40,7 +40,7 @@ A single package must contain only one policy.
    # title: Deployment not allowed
    # description: Deployments are not allowed because of some reasons.
    # schemas:
-    #   - input: schema.input
+    #   - input: schema["kubernetes"]
    # custom:
    #   id: ID001
    #   severity: LOW
@@ -124,16 +124,16 @@ All fields are optional. The `schemas` field should be used to enable policy val
 schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
 correct and do not reference incorrect properties/values.

-| Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
-|----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
-| title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
-| description                | Any characters                           |                              | :material-close: | :material-check: |
-| schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
-| custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
-| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
-| custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
-| custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
-| url                        | Any characters                           |                              | :material-close: | :material-check: |
+| Field name                 | Allowed values                                                    |        Default value         |     In table     |     In JSON      |
+|----------------------------|-------------------------------------------------------------------|:----------------------------:|:----------------:|:----------------:|
+| title                      | Any characters                                                    |             N/A              | :material-check: | :material-check: |
+| description                | Any characters                                                    |                              | :material-close: | :material-check: |
+| schemas.input              | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | :material-close: | :material-close: |
+| custom.id                  | Any characters                                                    |             N/A              | :material-check: | :material-check: |
+| custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`                               |           UNKNOWN            | :material-check: | :material-check: |
+| custom.recommended_actions | Any characters                                                    |                              | :material-close: | :material-check: | 
+| custom.input.selector.type | Any item(s) in [this list][source-types]                          |                              | :material-close: | :material-check: | 
+| url                        | Any characters                                                    |                              | :material-close: | :material-check: |


 Some fields are displayed in scan results.
@@ -196,13 +196,7 @@ You can specify input format via the `custom.input` annotation.
    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.

 ### Schemas
-
-You can explore the format of input documents by browsing the schema for the relevant input type:
-
- [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
- [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
- [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
- [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
+See [here](./schema.md) for the detail.

 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
--- a/docs/docs/misconfiguration/custom/schema.md
+++ b/docs/docs/misconfiguration/custom/schema.md
@@ -0,0 +1,93 @@
+# Input Schema
+
+## Overview
+Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
+enables Trivy to show more detailed error messages when an invalid input is encountered.
+
+In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json).
+Without input schemas, a policy would be as follows:
+
+!!! example
+    ```
+    # METADATA
+    package mypackage
+
+    deny {
+        input.evil == "foo bar"
+    }
+    ```
+
+If this policy is run against offending Dockerfile(s), there will not be any issues as the policy will fail to evaluate.
+Although the policy's failure to evaluate is legitimate, this should not result in a positive result for the scan.
+
+For instance if we have a policy that checks for misconfigurations in a `Dockerfile`, we could define the
+schema as such
+
+!!! example
+    ```
+    # METADATA
+    # schemas:
+    # - input: schema["dockerfile"]
+    package mypackage
+    
+    deny {
+        input.evil == "foo bar"
+    }
+    ```
+
+Here `input: schema["dockerfile"]` points to a schema that expects a valid `Dockerfile` as input. An example of this
+can be found [here](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+
+Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.
+
+```bash
+1 error occurred: testpolicy.rego:8: rego_type_error: undefined ref: input.evil
+        input.evil
+              ^
+              have: "evil"
+              want (one of): ["Stages"]
+```
+
+Currently, out of the box the following schemas are supported natively:
+
+1. [Docker](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+2. [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
+3. [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+
+
+## Custom Policies with Custom Schemas
+
+You can also bring a custom policy that defines one or more custom schema. 
+
+!!! example
+    ```
+    # METADATA
+    # schemas:
+    # - input: schema["fooschema"]
+    # - input: schema["barschema"]
+    package mypackage
+    
+    deny {
+        input.evil == "foo bar"
+    }
+    ```
+
+The policies can be placed in a structure as follows
+
+!!! example
+    ```
+    /Users/user/my-custom-policies
+    ├── my_policy.rego
+    └── schemas
+        └── fooschema.json
+        └── barschema.json
+    ```
+
+To use such a policy with Trivy, use the `--config-policy` flag that points to the directory where the schemas and policies
+are contained.
+
+```bash
+$ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>
+```
+
+For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/schemas/#schema-annotations) that describes it in more detail.
--- a/docs/docs/misconfiguration/custom/selectors.md
+++ b/docs/docs/misconfiguration/custom/selectors.md
@@ -0,0 +1,51 @@
+# Input Selectors
+
+## Overview
+Sometimes you might want to limit a certain policy to only be run on certain resources. This can be
+achieved with input selectors.
+
+## Use case
+For instance, if you have a custom policy that you only want to be evaluated if a certain resource type is being scanned.
+In such a case you could utilize input selectors to limit its evaluation on only those resources.
+
+!!! example
+    ```
+        # METADATA
+        # title: "RDS Publicly Accessible"
+        # description: "Ensures RDS instances are not launched into the public cloud."
+        # custom:
+        #   input:
+        #     selector:
+        #     - type: cloud
+        #       subtypes:
+        #         - provider: aws
+        #           service: rds
+        package builtin.aws.rds.aws0999
+
+        deny[res] {
+        instance := input.aws.rds.instances[_]
+        instance.publicaccess.value
+        res := result.new("Instance has Public Access enabled", instance.publicaccess)
+    ```
+
+Observe the following `subtypes` defined:
+```yaml
+        #       subtypes:
+        #         - provider: aws
+        #           service: rds
+```
+
+They will ensure that the policy is only run when the input to such a policy contains an `RDS` instance. 
+
+## Enabling selectors and subtypes
+Currently, the following are supported:
+
+| Selector                 | Subtype fields required | Example                         |
+|--------------------------|-------------------------|---------------------------------|
+| Cloud (AWS, Azure, etc.) | `provider`, `service`   | `provider: aws`, `service: rds` |
+| Kubernetes               |                         | `type: kubernetes`              |
+| Dockerfile               |                         | `type: dockerfile`              |
+
+
+## Default behaviour
+If no subtypes or selectors are specified, the policy will be evaluated regardless of input.
--- a/docs/docs/misconfiguration/policy/builtin.md
+++ b/docs/docs/misconfiguration/policy/builtin.md
@@ -13,14 +13,11 @@ Those policies are managed under [defsec repository][defsec].
 | CloudFormation            | [defsec][defsec]     |
 | Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
-| RBAC                      | [defsec][rbac]       |      

 For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.

 Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.

-Ansible scanning is coming soon.
-
 ## Policy Distribution
 defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
 When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
@@ -32,7 +29,6 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th

 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [defsec]: https://github.com/aquasecurity/defsec
-[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
-[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
-[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
+[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/rules/kubernetes/policies
+[docker]: https://github.com/aquasecurity/defsec/tree/master/rules/docker/policies
 [ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -1,72 +0,0 @@
-# Client
-
-```bash
-Usage:
-  trivy client [flags] IMAGE_NAME
-
-Aliases:
-  client, c
-
-Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
-
-Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-      --report string          specify a report format for the output. (all,summary) (default "all")
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --download-java-db-only  download/update java indexes database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-      --skip-java-db-update    skip updating java indexes database
-
-Vulnerability Flags
-      --ignore-unfixed     display only fixed vulnerabilities
-      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
-
-Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--scanners config'
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
-
-Client/Server Flags
-      --custom-headers strings   custom headers in client mode
-      --remote string            server address (default "http://localhost:4954")
-      --token string             for authentication in client/server mode
-      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/config.md
+++ b/docs/docs/references/cli/config.md
@@ -1,49 +0,0 @@
-# Config
-
-``` bash
-Scan config files for misconfigurations
-
-Usage:
-  trivy config [flags] DIR
-
-Aliases:
-  config, conf
-
-Scan Flags
-      --skip-dirs strings    specify the directories where the traversal is skipped
-      --skip-files strings   specify the file paths to skip traversal
-
-Report Flags
-      --exit-code int       specify exit code when any security issues are found
-  -f, --format string       format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignorefile string   specify .trivyignore file (default ".trivyignore")
-  -o, --output string       output file name
-  -s, --severity string     severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string     output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--scanners config'
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/fs.md
+++ b/docs/docs/references/cli/fs.md
@@ -1,87 +0,0 @@
-# Filesystem
-
-```bash
-Scan local filesystem
-
-Usage:
-  trivy filesystem [flags] PATH
-
-Aliases:
-  filesystem, fs
-
-Examples:
-  # Scan a local project including language-specific files
-  $ trivy fs /path/to/your_project
-
-  # Scan a single file
-  $ trivy fs ./trivy-ci-test/Pipfile.lock
-
-Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
-
-Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --download-java-db-only  download/update java indexes database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-      --skip-java-db-update    skip updating java indexes database
-
-Vulnerability Flags
-      --ignore-unfixed     display only fixed vulnerabilities
-      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
-
-Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--scanners config'
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
-
-Secret Flags
-      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
-
-License Flags
-      --ignored-licenses strings   specify a list of license to ignore
-      --license-full               eagerly look for licenses in source code headers and license files
-
-Client/Server Flags
-      --custom-headers strings   custom headers in client mode
-      --server string            server address in client mode
-      --token string             for authentication in client/server mode
-      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/image.md
+++ b/docs/docs/references/cli/image.md
@@ -1,105 +0,0 @@
-# Image
-
-```bash
-Scan a container image
-
-Usage:
-  trivy image [flags] IMAGE_NAME
-
-Aliases:
-  image, i
-
-Examples:
-  # Scan a container image
-  $ trivy image python:3.4-alpine
-
-  # Scan a container image from a tar archive
-  $ trivy image --input ruby-3.1.tar
-
-  # Filter by severities
-  $ trivy image --severity HIGH,CRITICAL alpine:3.15
-
-  # Ignore unfixed/unpatched vulnerabilities
-  $ trivy image --ignore-unfixed alpine:3.15
-
-  # Scan a container image in client mode
-  $ trivy image --server http://127.0.0.1:4954 alpine:latest
-
-  # Generate json result
-  $ trivy image --format json --output result.json alpine:3.15
-
-  # Generate a report in the CycloneDX format
-  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
-
-Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
-
-Report Flags
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --download-java-db-only  download/update java indexes database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-      --skip-java-db-update    skip updating java indexes database
-
-Image Flags
-      --input string   input file path instead of image name
-      --removed-pkgs   detect vulnerabilities of removed packages (only for Alpine)
-
-Vulnerability Flags
-      --ignore-unfixed     display only fixed vulnerabilities
-      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
-
-Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--scanners config'
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
-
-Secret Flags
-      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
-
-License Flags
-      --ignored-licenses strings   specify a list of license to ignore
-      --license-full               eagerly look for licenses in source code headers and license files
-
-Client/Server Flags
-      --custom-headers strings   custom headers in client mode
-      --server string            server address in client mode
-      --token string             for authentication in client/server mode
-      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/index.md
+++ b/docs/docs/references/cli/index.md
@@ -1,50 +0,0 @@
-Trivy has several sub commands, image, fs, repo, client and server.
-
-``` bash
-Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
-
-Usage:
-  trivy [global flags] command [flags] target
-  trivy [command]
-
-Examples:
-  # Scan a container image
-  $ trivy image python:3.4-alpine
-
-  # Scan a container image from a tar archive
-  $ trivy image --input ruby-3.1.tar
-
-  # Scan local filesystem
-  $ trivy fs .
-
-  # Run in server mode
-  $ trivy server
-
-Available Commands:
-  config      Scan config files for misconfigurations
-  filesystem  Scan local filesystem
-  help        Help about any command
-  image       Scan a container image
-  kubernetes  scan kubernetes cluster
-  module      Manage modules
-  plugin      Manage plugins
-  repository  Scan a remote repository
-  rootfs      Scan rootfs
-  sbom        Scan SBOM for vulnerabilities
-  server      Server mode
-  version     Print the version
-
-Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-  -f, --format string             version format (json)
-      --generate-default-config   write the default config to trivy-default.yaml
-  -h, --help                      help for trivy
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-
-Use "trivy [command] --help" for more information about a command.
-```
--- a/docs/docs/references/cli/plugin.md
+++ b/docs/docs/references/cli/plugin.md
@@ -1,34 +0,0 @@
-# Plugin
-
-```bash
-Manage plugins
-
-Usage:
-  trivy plugin [command]
-
-Aliases:
-  plugin, p
-
-Available Commands:
-  info        Show information about the specified plugin
-  install     Install a plugin
-  list        List installed plugin
-  run         Run a plugin on the fly
-  uninstall   Uninstall a plugin
-  update      Update an existing plugin
-
-Flags:
-  -h, --help   help for plugin
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-
-Use "trivy plugin [command] --help" for more information about a command.
-```
--- a/docs/docs/references/cli/repo.md
+++ b/docs/docs/references/cli/repo.md
@@ -1,89 +0,0 @@
-# Repository
-
-```bash
-Scan a remote repository
-
-Usage:
-  trivy repository [flags] REPO_URL
-
-Aliases:
-  repository, repo
-
-Examples:
-  # Scan your remote git repository
-  $ trivy repo https://github.com/knqyf263/trivy-ci-test
-
-Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
-
-Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --download-java-db-only  download/update java indexes database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-      --skip-java-db-update    skip updating java indexes database
-
-Vulnerability Flags
-      --ignore-unfixed     display only fixed vulnerabilities
-      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
-
-Misconfiguration Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--scanners config'
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
-
-Secret Flags
-      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
-
-License Flags
-      --ignored-licenses strings   specify a list of license to ignore
-      --license-full               eagerly look for licenses in source code headers and license files
-
-Client/Server Flags
-      --custom-headers strings   custom headers in client mode
-      --server string            server address in client mode
-      --token string             for authentication in client/server mode
-      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-
-Repository Flags
-      --branch string   pass the branch name to be scanned
-      --commit string   pass the commit hash to be scanned
-      --tag string      pass the tag name to be scanned
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/rootfs.md
+++ b/docs/docs/references/cli/rootfs.md
@@ -1,96 +0,0 @@
-# Rootfs
-
-```bash
-Scan rootfs
-
-Usage:
-  trivy rootfs [flags] ROOTDIR
-
-Examples:
-  # Scan unpacked filesystem
-  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
-  $ trivy rootfs /tmp/rootfs
-
-  # Scan from inside a container
-  $ docker run --rm -it alpine:3.11
-  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-  / # trivy rootfs /
-
-Scan Flags
-      --file-patterns strings     specify config file patterns
-      --offline-scan              do not issue API requests to identify dependencies
-      --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
-      --scanners strings          comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
-      --skip-dirs strings         specify the directories where the traversal is skipped
-      --skip-files strings        specify the file paths to skip traversal
-
-Report Flags
-      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --download-java-db-only  download/update java indexes database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-      --skip-java-db-update    skip updating java indexes database
-
-Vulnerability Flags
-      --ignore-unfixed     display only fixed vulnerabilities
-      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
-
-Misconfiguration Flags
-      --helm-set strings          specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings       specify paths to override the Helm values.yaml files
-      --include-non-failures      include successes and exceptions, available with '--scanners config'
-      --tf-vars strings           specify paths to override the Terraform tfvars files
-
-Secret Flags
-      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
-
-License Flags
-      --ignored-licenses strings   specify a list of license to ignore
-      --license-full               eagerly look for licenses in source code headers and license files
-
-Rego Flags
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --policy-namespaces strings   Rego namespaces
-      --trace                       enable more verbose trace output for custom queries
-
-Client/Server Flags
-      --custom-headers strings   custom headers in client mode
-      --server string            server address in client mode
-      --token string             for authentication in client/server mode
-      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/sbom.md
+++ b/docs/docs/references/cli/sbom.md
@@ -1,72 +0,0 @@
-# SBOM
-
-```bash
-Scan SBOM for vulnerabilities
-
-Usage:
-  trivy sbom [flags] SBOM_PATH
-
-Examples:
-  # Scan CycloneDX and show the result in tables
-  $ trivy sbom /path/to/report.cdx
-
-  # Scan CycloneDX and generate a CycloneDX report
-  $ trivy sbom --format cyclonedx /path/to/report.cdx
-
-  # Scan CycloneDX-type attestation and show the result in tables
-  $ trivy sbom /path/to/report.cdx.intoto.jsonl
-
-
-Scan Flags
-      --offline-scan             do not issue API requests to identify dependencies
-      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
-      --skip-dirs strings        specify the directories where the traversal is skipped
-      --skip-files strings       specify the file paths to skip traversal
-
-Report Flags
-      --exit-code int          specify exit code when any security issues are found
-  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-  -t, --template string        output template
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --download-java-db-only  download/update java indexes database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-      --skip-java-db-update    skip updating java indexes database
-
-Vulnerability Flags
-      --ignore-unfixed     display only fixed vulnerabilities
-      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
-
-Client/Server Flags
-      --custom-headers strings   custom headers in client mode
-      --server string            server address in client mode
-      --token string             for authentication in client/server mode
-      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/server.md
+++ b/docs/docs/references/cli/server.md
@@ -1,49 +0,0 @@
-# Server
-
-```bash
-Server mode
-
-Usage:
-  trivy server [flags]
-
-Aliases:
-  server, s
-
-Examples:
-  # Run a server
-  $ trivy server
-
-  # Listen on 0.0.0.0:10000
-  $ trivy server --listen 0.0.0.0:10000
-
-
-Cache Flags
-      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration     cache TTL when using redis as cache backend
-      --clear-cache            clear image caches without scanning
-      --redis-ca string        redis ca file location, if using redis as cache backend
-      --redis-cert string      redis certificate file location, if using redis as cache backend
-      --redis-key string       redis key file location, if using redis as cache backend
-
-DB Flags
-      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only       download/update vulnerability database but don't run a scan
-      --no-progress            suppress progress bar
-      --reset                  remove all caches and database
-      --skip-db-update         skip updating vulnerability database
-
-Client/Server Flags
-      --listen string         listen address in server mode (default "localhost:4954")
-      --token string          for authentication in client/server mode
-      --token-header string   specify a header name for token in client/server mode (default "Trivy-Token")
-
-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
--- a/docs/docs/references/cli/trivy.md
+++ b/docs/docs/references/cli/trivy.md
@@ -0,0 +1,59 @@
+## trivy
+
+Unified security scanner
+
+### Synopsis
+
+Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
+
+```
+trivy [global flags] command [flags] target
+```
+
+### Examples
+
+```
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Scan local filesystem
+  $ trivy fs .
+
+  # Run in server mode
+  $ trivy server
+```
+
+### Options
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+  -f, --format string             version format (json)
+      --generate-default-config   write the default config to trivy-default.yaml
+  -h, --help                      help for trivy
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy aws](trivy_aws.md)	 - [EXPERIMENTAL] Scan AWS account
+* [trivy config](trivy_config.md)	 - Scan config files for misconfigurations
+* [trivy filesystem](trivy_filesystem.md)	 - Scan local filesystem
+* [trivy image](trivy_image.md)	 - Scan a container image
+* [trivy kubernetes](trivy_kubernetes.md)	 - [EXPERIMENTAL] Scan kubernetes cluster
+* [trivy module](trivy_module.md)	 - Manage modules
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+* [trivy repository](trivy_repository.md)	 - Scan a remote repository
+* [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
+* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
+* [trivy server](trivy_server.md)	 - Server mode
+* [trivy version](trivy_version.md)	 - Print the version
+* [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image
+
--- a/docs/docs/references/cli/trivy_aws.md
+++ b/docs/docs/references/cli/trivy_aws.md
@@ -0,0 +1,116 @@
+## trivy aws
+
+[EXPERIMENTAL] Scan AWS account
+
+### Synopsis
+
+Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
+
+The following services are supported:
+- accessanalyzer
+- api-gateway
+- athena
+- cloudfront
+- cloudtrail
+- cloudwatch
+- codebuild
+- documentdb
+- dynamodb
+- ec2
+- ecr
+- ecs
+- efs
+- eks
+- elasticache
+- elasticsearch
+- elb
+- emr
+- iam
+- kinesis
+- kms
+- lambda
+- mq
+- msk
+- neptune
+- rds
+- redshift
+- s3
+- sns
+- sqs
+- ssm
+- workspaces
+
+
+```
+trivy aws [flags]
+```
+
+### Examples
+
+```
+  # basic scanning
+  $ trivy aws --region us-east-1
+
+  # limit scan to a single service:
+  $ trivy aws --region us-east-1 --service s3
+
+  # limit scan to multiple services:
+  $ trivy aws --region us-east-1 --service s3 --service ec2
+
+  # force refresh of cache for fresh results
+  $ trivy aws --region us-east-1 --update-cache
+
+```
+
+### Options
+
+```
+      --account string              The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
+      --arn string                  The AWS ARN to show results for. Useful to filter results once a scan is cached.
+      --compliance string           compliance report to generate (aws-cis-1.2, aws-cis-1.4)
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --endpoint string             AWS Endpoint override
+      --exit-code int               specify exit code when any security issues are found
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for aws
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --max-cache-age duration      The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+  -o, --output string               output file name
+      --policy-namespaces strings   Rego namespaces
+      --region string               AWS Region to scan
+      --report string               specify a report format for the output. (all,summary) (default "all")
+      --service strings             Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-policy-update          skip fetching rego policy updates
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --trace                       enable more verbose trace output for custom queries
+      --update-cache                Update the cache for the applicable cloud provider instead of using cached results.
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_config.md
+++ b/docs/docs/references/cli/trivy_config.md
@@ -0,0 +1,64 @@
+## trivy config
+
+Scan config files for misconfigurations
+
+```
+trivy config [flags] DIR
+```
+
+### Options
+
+```
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --enable-modules strings      [EXPERIMENTAL] module names to enable
+      --exit-code int               specify exit code when any security issues are found
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for config
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --k8s-version string          specify k8s version to validate outdated api by it (example: 1.21.0)
+      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+  -o, --output string               output file name
+      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-namespaces strings   Rego namespaces
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string       registry token
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-policy-update          skip fetching rego policy updates
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --trace                       enable more verbose trace output for custom queries
+      --username strings            username. Comma-separated usernames allowed.
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_filesystem.md
+++ b/docs/docs/references/cli/trivy_filesystem.md
@@ -0,0 +1,98 @@
+## trivy filesystem
+
+Scan local filesystem
+
+```
+trivy filesystem [flags] PATH
+```
+
+### Examples
+
+```
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+```
+
+### Options
+
+```
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --custom-headers strings      custom headers in client mode
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --enable-modules strings      [EXPERIMENTAL] module names to enable
+      --exit-code int               specify exit code when any security issues are found
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for filesystem
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-full                eagerly look for licenses in source code headers and license files
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                 suppress progress bar
+      --offline-scan                do not issue API requests to identify dependencies
+  -o, --output string               output file name
+      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-namespaces strings   Rego namespaces
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string       registry token
+      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                       remove all caches and database
+      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string               server address in client mode
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update              skip updating vulnerability database
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-java-db-update         skip updating Java index database
+      --skip-policy-update          skip fetching rego policy updates
+      --slow                        scan over time with lower CPU and memory utilization
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --token string                for authentication in client/server mode
+      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                       enable more verbose trace output for custom queries
+      --username strings            username. Comma-separated usernames allowed.
+      --vuln-type string            comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_image.md
+++ b/docs/docs/references/cli/trivy_image.md
@@ -0,0 +1,120 @@
+## trivy image
+
+Scan a container image
+
+```
+trivy image [flags] IMAGE_NAME
+```
+
+### Examples
+
+```
+  # Scan a container image
+  $ trivy image python:3.4-alpine
+
+  # Scan a container image from a tar archive
+  $ trivy image --input ruby-3.1.tar
+
+  # Filter by severities
+  $ trivy image --severity HIGH,CRITICAL alpine:3.15
+
+  # Ignore unfixed/unpatched vulnerabilities
+  $ trivy image --ignore-unfixed alpine:3.15
+
+  # Scan a container image in client mode
+  $ trivy image --server http://127.0.0.1:4954 alpine:latest
+
+  # Generate json result
+  $ trivy image --format json --output result.json alpine:3.15
+
+  # Generate a report in the CycloneDX format
+  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
+```
+
+### Options
+
+```
+      --cache-backend string           cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration             cache TTL when using redis as cache backend
+      --clear-cache                    clear image caches without scanning
+      --compliance string              compliance report to generate (docker-cis)
+      --config-data strings            specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings          specify paths to the Rego policy files directory, applying config files
+      --custom-headers strings         custom headers in client mode
+      --db-repository string           OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only               download/update vulnerability database but don't run a scan
+      --download-java-db-only          download/update Java index database but don't run a scan
+      --enable-modules strings         [EXPERIMENTAL] module names to enable
+      --exit-code int                  specify exit code when any security issues are found
+      --exit-on-eol int                exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings          specify config file patterns
+  -f, --format string                  format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings               specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings          specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings        specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings            specify paths to override the Helm values.yaml files
+  -h, --help                           help for image
+      --ignore-policy string           specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed                 display only fixed vulnerabilities
+      --ignored-licenses strings       specify a list of license to ignore
+      --ignorefile string              specify .trivyignore file (default ".trivyignore")
+      --image-config-scanners string   comma-separated list of what security issues to detect on container image configurations (config,secret)
+      --include-non-failures           include successes and exceptions, available with '--scanners config'
+      --input string                   input file path instead of image name
+      --java-db-repository string      OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-full                   eagerly look for licenses in source code headers and license files
+      --list-all-pkgs                  enabling the option will output all packages regardless of vulnerability
+      --module-dir string              specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                    suppress progress bar
+      --offline-scan                   do not issue API requests to identify dependencies
+  -o, --output string                  output file name
+      --password strings               password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --platform string                set platform in the form os/arch if image is multi-platform capable
+      --policy-namespaces strings      Rego namespaces
+      --redis-ca string                redis ca file location, if using redis as cache backend
+      --redis-cert string              redis certificate file location, if using redis as cache backend
+      --redis-key string               redis key file location, if using redis as cache backend
+      --redis-tls                      enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string          registry token
+      --rekor-url string               [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --removed-pkgs                   detect vulnerabilities of removed packages (only for Alpine)
+      --report string                  specify a format for the compliance report. (default "summary")
+      --reset                          remove all caches and database
+      --sbom-sources strings           [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings               comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string           specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string                  server address in client mode
+  -s, --severity string                severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update                 skip updating vulnerability database
+      --skip-dirs strings              specify the directories where the traversal is skipped
+      --skip-files strings             specify the file paths to skip traversal
+      --skip-java-db-update            skip updating Java index database
+      --skip-policy-update             skip fetching rego policy updates
+      --slow                           scan over time with lower CPU and memory utilization
+  -t, --template string                output template
+      --tf-vars strings                specify paths to override the Terraform tfvars files
+      --token string                   for authentication in client/server mode
+      --token-header string            specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                          enable more verbose trace output for custom queries
+      --username strings               username. Comma-separated usernames allowed.
+      --vuln-type string               comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_kubernetes.md
+++ b/docs/docs/references/cli/trivy_kubernetes.md
@@ -0,0 +1,106 @@
+## trivy kubernetes
+
+[EXPERIMENTAL] Scan kubernetes cluster
+
+```
+trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: pods, pod/NAME }
+```
+
+### Examples
+
+```
+  # cluster scanning
+  $ trivy k8s --report summary cluster
+
+  # namespace scanning:
+  $ trivy k8s -n kube-system --report summary all
+
+  # resources scanning:
+  $ trivy k8s --report=summary deploy
+  $ trivy k8s --namespace=kube-system --report=summary deploy,configmaps
+
+  # resource scanning:
+  $ trivy k8s deployment/orion
+
+```
+
+### Options
+
+```
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --compliance string           compliance report to generate (k8s-nsa,k8s-cis, k8s-pss-baseline, k8s-pss-restricted)
+      --components strings          specify which components to scan (default [workload,infra])
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --context string              specify a context to scan
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --exit-code int               specify exit code when any security issues are found
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for kubernetes
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --k8s-version string          specify k8s version to validate outdated api by it (example: 1.21.0)
+      --kubeconfig string           specify the kubeconfig file path to use
+      --license-full                eagerly look for licenses in source code headers and license files
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+  -n, --namespace string            specify a namespace to scan
+      --no-progress                 suppress progress bar
+      --offline-scan                do not issue API requests to identify dependencies
+  -o, --output string               output file name
+      --parallel int                number (between 1-20) of goroutines enabled for parallel scanning (default 5)
+      --policy-namespaces strings   Rego namespaces
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --report string               specify a report format for the output. (all,summary) (default "all")
+      --reset                       remove all caches and database
+      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners string             comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
+      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update              skip updating vulnerability database
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-java-db-update         skip updating Java index database
+      --skip-policy-update          skip fetching rego policy updates
+      --slow                        scan over time with lower CPU and memory utilization
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --tolerations strings         specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
+      --trace                       enable more verbose trace output for custom queries
+      --vuln-type string            comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_module.md
+++ b/docs/docs/references/cli/trivy_module.md
@@ -0,0 +1,31 @@
+## trivy module
+
+Manage modules
+
+### Options
+
+```
+      --enable-modules strings   [EXPERIMENTAL] module names to enable
+  -h, --help                     help for module
+      --module-dir string        specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+* [trivy module install](trivy_module_install.md)	 - Install a module
+* [trivy module uninstall](trivy_module_uninstall.md)	 - Uninstall a module
+
--- a/docs/docs/references/cli/trivy_module_install.md
+++ b/docs/docs/references/cli/trivy_module_install.md
@@ -0,0 +1,33 @@
+## trivy module install
+
+Install a module
+
+```
+trivy module install [flags] REPOSITORY
+```
+
+### Options
+
+```
+  -h, --help   help for install
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --enable-modules strings    [EXPERIMENTAL] module names to enable
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+      --module-dir string         specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy module](trivy_module.md)	 - Manage modules
+
--- a/docs/docs/references/cli/trivy_module_uninstall.md
+++ b/docs/docs/references/cli/trivy_module_uninstall.md
@@ -0,0 +1,33 @@
+## trivy module uninstall
+
+Uninstall a module
+
+```
+trivy module uninstall [flags] REPOSITORY
+```
+
+### Options
+
+```
+  -h, --help   help for uninstall
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --enable-modules strings    [EXPERIMENTAL] module names to enable
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+      --module-dir string         specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy module](trivy_module.md)	 - Manage modules
+
--- a/docs/docs/references/cli/trivy_plugin.md
+++ b/docs/docs/references/cli/trivy_plugin.md
@@ -0,0 +1,33 @@
+## trivy plugin
+
+Manage plugins
+
+### Options
+
+```
+  -h, --help   help for plugin
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+* [trivy plugin info](trivy_plugin_info.md)	 - Show information about the specified plugin
+* [trivy plugin install](trivy_plugin_install.md)	 - Install a plugin
+* [trivy plugin list](trivy_plugin_list.md)	 - List installed plugin
+* [trivy plugin run](trivy_plugin_run.md)	 - Run a plugin on the fly
+* [trivy plugin uninstall](trivy_plugin_uninstall.md)	 - Uninstall a plugin
+* [trivy plugin update](trivy_plugin_update.md)	 - Update an existing plugin
+
--- a/docs/docs/references/cli/trivy_plugin_info.md
+++ b/docs/docs/references/cli/trivy_plugin_info.md
@@ -1,30 +1,31 @@
-# Module
+## trivy plugin info

-```bash
-Manage modules
+Show information about the specified plugin

-Usage:
-  trivy module [command]
+```
+trivy plugin info PLUGIN_NAME
+```

-Aliases:
-  module, m
+### Options

-Available Commands:
-  install     Install a module
-  uninstall   Uninstall a module
+```
+  -h, --help   help for info
+```

-Flags:
-  -h, --help   help for module
+### Options inherited from parent commands

-Global Flags:
-      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections when using TLS
+      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins

-Use "trivy module [command] --help" for more information about a command.
-```
--- a/docs/docs/references/cli/trivy_plugin_install.md
+++ b/docs/docs/references/cli/trivy_plugin_install.md
@@ -0,0 +1,31 @@
+## trivy plugin install
+
+Install a plugin
+
+```
+trivy plugin install URL | FILE_PATH
+```
+
+### Options
+
+```
+  -h, --help   help for install
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+
--- a/docs/docs/references/cli/trivy_plugin_list.md
+++ b/docs/docs/references/cli/trivy_plugin_list.md
@@ -0,0 +1,31 @@
+## trivy plugin list
+
+List installed plugin
+
+```
+trivy plugin list
+```
+
+### Options
+
+```
+  -h, --help   help for list
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+
--- a/docs/docs/references/cli/trivy_plugin_run.md
+++ b/docs/docs/references/cli/trivy_plugin_run.md
@@ -0,0 +1,31 @@
+## trivy plugin run
+
+Run a plugin on the fly
+
+```
+trivy plugin run URL | FILE_PATH
+```
+
+### Options
+
+```
+  -h, --help   help for run
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+
--- a/docs/docs/references/cli/trivy_plugin_uninstall.md
+++ b/docs/docs/references/cli/trivy_plugin_uninstall.md
@@ -0,0 +1,31 @@
+## trivy plugin uninstall
+
+Uninstall a plugin
+
+```
+trivy plugin uninstall PLUGIN_NAME
+```
+
+### Options
+
+```
+  -h, --help   help for uninstall
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+
--- a/docs/docs/references/cli/trivy_plugin_update.md
+++ b/docs/docs/references/cli/trivy_plugin_update.md
@@ -0,0 +1,31 @@
+## trivy plugin update
+
+Update an existing plugin
+
+```
+trivy plugin update PLUGIN_NAME
+```
+
+### Options
+
+```
+  -h, --help   help for update
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+
--- a/docs/docs/references/cli/trivy_repository.md
+++ b/docs/docs/references/cli/trivy_repository.md
@@ -0,0 +1,98 @@
+## trivy repository
+
+Scan a remote repository
+
+```
+trivy repository [flags] REPO_URL
+```
+
+### Examples
+
+```
+  # Scan your remote git repository
+  $ trivy repo https://github.com/knqyf263/trivy-ci-test
+```
+
+### Options
+
+```
+      --branch string               pass the branch name to be scanned
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --commit string               pass the commit hash to be scanned
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --custom-headers strings      custom headers in client mode
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --enable-modules strings      [EXPERIMENTAL] module names to enable
+      --exit-code int               specify exit code when any security issues are found
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for repository
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-full                eagerly look for licenses in source code headers and license files
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                 suppress progress bar
+      --offline-scan                do not issue API requests to identify dependencies
+  -o, --output string               output file name
+      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-namespaces strings   Rego namespaces
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string       registry token
+      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                       remove all caches and database
+      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string               server address in client mode
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update              skip updating vulnerability database
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-java-db-update         skip updating Java index database
+      --skip-policy-update          skip fetching rego policy updates
+      --slow                        scan over time with lower CPU and memory utilization
+      --tag string                  pass the tag name to be scanned
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --token string                for authentication in client/server mode
+      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                       enable more verbose trace output for custom queries
+      --username strings            username. Comma-separated usernames allowed.
+      --vuln-type string            comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_rootfs.md
+++ b/docs/docs/references/cli/trivy_rootfs.md
@@ -0,0 +1,102 @@
+## trivy rootfs
+
+Scan rootfs
+
+```
+trivy rootfs [flags] ROOTDIR
+```
+
+### Examples
+
+```
+  # Scan unpacked filesystem
+  $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
+  $ trivy rootfs /tmp/rootfs
+
+  # Scan from inside a container
+  $ docker run --rm -it alpine:3.11
+  / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+  / # trivy rootfs /
+```
+
+### Options
+
+```
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --custom-headers strings      custom headers in client mode
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --enable-modules strings      [EXPERIMENTAL] module names to enable
+      --exit-code int               specify exit code when any security issues are found
+      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for rootfs
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-full                eagerly look for licenses in source code headers and license files
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                 suppress progress bar
+      --offline-scan                do not issue API requests to identify dependencies
+  -o, --output string               output file name
+      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-namespaces strings   Rego namespaces
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string       registry token
+      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                       remove all caches and database
+      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string               server address in client mode
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update              skip updating vulnerability database
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-java-db-update         skip updating Java index database
+      --skip-policy-update          skip fetching rego policy updates
+      --slow                        scan over time with lower CPU and memory utilization
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --token string                for authentication in client/server mode
+      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                       enable more verbose trace output for custom queries
+      --username strings            username. Comma-separated usernames allowed.
+      --vuln-type string            comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_sbom.md
+++ b/docs/docs/references/cli/trivy_sbom.md
@@ -0,0 +1,84 @@
+## trivy sbom
+
+Scan SBOM for vulnerabilities
+
+```
+trivy sbom [flags] SBOM_PATH
+```
+
+### Examples
+
+```
+  # Scan CycloneDX and show the result in tables
+  $ trivy sbom /path/to/report.cdx
+
+  # Scan CycloneDX and generate a CycloneDX report
+  $ trivy sbom --format cyclonedx /path/to/report.cdx
+
+  # Scan CycloneDX-type attestation and show the result in tables
+  $ trivy sbom /path/to/report.cdx.intoto.jsonl
+
+```
+
+### Options
+
+```
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --compliance string           compliance report to generate
+      --custom-headers strings      custom headers in client mode
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --exit-code int               specify exit code when any security issues are found
+      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+  -h, --help                        help for sbom
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed              display only fixed vulnerabilities
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --no-progress                 suppress progress bar
+      --offline-scan                do not issue API requests to identify dependencies
+  -o, --output string               output file name
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                       remove all caches and database
+      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --server string               server address in client mode
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update              skip updating vulnerability database
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-java-db-update         skip updating Java index database
+      --slow                        scan over time with lower CPU and memory utilization
+  -t, --template string             output template
+      --token string                for authentication in client/server mode
+      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
+      --vuln-type string            comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_server.md
+++ b/docs/docs/references/cli/trivy_server.md
@@ -0,0 +1,65 @@
+## trivy server
+
+Server mode
+
+```
+trivy server [flags]
+```
+
+### Examples
+
+```
+  # Run a server
+  $ trivy server
+
+  # Listen on 0.0.0.0:10000
+  $ trivy server --listen 0.0.0.0:10000
+
+```
+
+### Options
+
+```
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --enable-modules strings      [EXPERIMENTAL] module names to enable
+  -h, --help                        help for server
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --listen string               listen address in server mode (default "localhost:4954")
+      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                 suppress progress bar
+      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string       registry token
+      --reset                       remove all caches and database
+      --skip-db-update              skip updating vulnerability database
+      --skip-java-db-update         skip updating Java index database
+      --token string                for authentication in client/server mode
+      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
+      --username strings            username. Comma-separated usernames allowed.
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_version.md
+++ b/docs/docs/references/cli/trivy_version.md
@@ -0,0 +1,32 @@
+## trivy version
+
+Print the version
+
+```
+trivy version [flags]
+```
+
+### Options
+
+```
+  -f, --format string   version format (json)
+  -h, --help            help for version
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/cli/trivy_vm.md
+++ b/docs/docs/references/cli/trivy_vm.md
@@ -0,0 +1,94 @@
+## trivy vm
+
+[EXPERIMENTAL] Scan a virtual machine image
+
+```
+trivy vm [flags] VM_IMAGE
+```
+
+### Examples
+
+```
+  # Scan your AWS AMI
+  $ trivy vm --scanners vuln ami:${your_ami_id}
+
+  # Scan your AWS EBS snapshot
+  $ trivy vm ebs:${your_ebs_snapshot_id}
+
+```
+
+### Options
+
+```
+      --aws-region string           AWS region to scan
+      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration          cache TTL when using redis as cache backend
+      --clear-cache                 clear image caches without scanning
+      --compliance string           compliance report to generate
+      --custom-headers strings      custom headers in client mode
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only            download/update vulnerability database but don't run a scan
+      --download-java-db-only       download/update Java index database but don't run a scan
+      --enable-modules strings      [EXPERIMENTAL] module names to enable
+      --exit-code int               specify exit code when any security issues are found
+      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings       specify config file patterns
+  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings         specify paths to override the Helm values.yaml files
+  -h, --help                        help for vm
+      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
+      --ignorefile string           specify .trivyignore file (default ".trivyignore")
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-full                eagerly look for licenses in source code headers and license files
+      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                 suppress progress bar
+      --offline-scan                do not issue API requests to identify dependencies
+  -o, --output string               output file name
+      --redis-ca string             redis ca file location, if using redis as cache backend
+      --redis-cert string           redis certificate file location, if using redis as cache backend
+      --redis-key string            redis key file location, if using redis as cache backend
+      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                       remove all caches and database
+      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string               server address in client mode
+  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update              skip updating vulnerability database
+      --skip-dirs strings           specify the directories where the traversal is skipped
+      --skip-files strings          specify the file paths to skip traversal
+      --skip-java-db-update         skip updating Java index database
+      --slow                        scan over time with lower CPU and memory utilization
+  -t, --template string             output template
+      --tf-vars strings             specify paths to override the Terraform tfvars files
+      --token string                for authentication in client/server mode
+      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
+      --vuln-type string            comma-separated list of vulnerability types (os,library) (default "os,library")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/customization/config-file.md
+++ b/docs/docs/references/customization/config-file.md
@@ -25,7 +25,8 @@ timeout: 10m

 # Same as '--cache-dir'
 # Default is your system cache dir
-cache-dir: $HOME/.cache/trivy
+cache:
+  dir: $HOME/.cache/trivy
 ```

 ## Report Options
@@ -41,7 +42,7 @@ report: all

 # Same as '--template'
 # Default is empty
-template: 
+template:

 # Same as '--dependency-tree'
 # Default is false
@@ -63,6 +64,10 @@ ignore-policy:
 # Default is 0
 exit-code: 0

+# Same as '--exit-on-eol'
+# Default is 0
+exit-on-eol: 0
+
 # Same as '--output'
 # Default is empty (stdout)
 output:
@@ -92,16 +97,16 @@ scan:
  skip-dirs:
    - usr/local/
    - etc/
-  
+
  # Same as '--skip-files'
  # Default is empty
  skip-files:
    - package-dev.json
-  
+
  # Same as '--offline-scan'
  # Default is false
  offline-scan: false
-  
+
  # Same as '--scanners'
  # Default depends on subcommand
  scanners:
@@ -115,23 +120,23 @@ scan:
 ```yaml
 cache:
  # Same as '--cache-backend'
-  # Default is 'fs' 
+  # Default is 'fs'
  backend: 'fs'
-  
+
  # Same as '--cache-ttl'
-  # Default is 0 (no ttl) 
+  # Default is 0 (no ttl)
  ttl: 0
-  
+
  # Redis options
  redis:
    # Same as '--redis-ca'
    # Default is empty
    ca:
-    
+
    # Same as '--redis-cert'
    # Default is empty
    cert:
-    
+
    # Same as '--redis-key'
    # Default is empty
    key:
@@ -144,14 +149,35 @@ db:
  # Same as '--skip-db-update'
  # Default is false
  skip-update: false
-  
+
  # Same as '--no-progress'
  # Default is false
  no-progress: false
-  
+
  # Same as '--db-repository'
-  # Default is 'github.com/aquasecurity-trivy-repo'
-  repository: github.com/aquasecurity-trivy-repo
+  # Default is 'ghcr.io/aquasecurity/trivy-db'
+  repository: ghcr.io/aquasecurity/trivy-db
+
+  # Same as '--java-db-repository'
+  # Default is 'ghcr.io/aquasecurity/trivy-java-db'
+  java-repository: ghcr.io/aquasecurity/trivy-java-db
+```
+
+## Registry Options
+
+```yaml
+registry:
+  # Same as '--username'
+  # Default is empty
+  username:
+
+  # Same as '--password'
+  # Default is empty
+  password:
+    
+  # Same as '--registry-token'
+  # Default is empty
+  registry-token:
 ```

 ## Image Options
@@ -162,7 +188,7 @@ image:
  # Same as '--input' (available with 'trivy image')
  # Default is empty
  input:
-  
+
  # Same as '--removed-pkgs'
  # Default is false
  removed-pkgs: false
@@ -178,7 +204,7 @@ vulnerability:
  type:
    - os
    - library
-  
+
  # Same as '--ignore-unfixed'
  # Default is false
  ignore-unfixed: false
@@ -265,25 +291,25 @@ kubernetes:
  # Same as '--context'
  # Default is empty
  context:
-  
+
  # Same as '--namespace'
  # Default is empty
  namespace:
 ```

 ## Repository Options
-Available with git repository scanning (`trivy repo`) 
+Available with git repository scanning (`trivy repo`)

 ```yaml
 repository:
  # Same as '--branch'
  # Default is empty
  branch:
-  
+
  # Same as '--commit'
  # Default is empty
  commit:
-  
+
  # Same as '--tag'
  # Default is empty
  tag:
@@ -297,21 +323,21 @@ server:
  # Same as '--server' (available in client mode)
  # Default is empty
  addr: http://localhost:4954
-  
+
  # Same as '--token'
  # Default is empty
  token: "something-secret"
-  
+
  # Same as '--token-header'
  # Default is 'Trivy-Token'
  token-header: 'My-Token-Header'
-  
+
  # Same as '--custom-headers'
  # Default is empty
  custom-headers:
    - scanner: trivy
    - x-api-token: xxx
-    
+
  # Same as '--listen' (available in server mode)
  # Default is 'localhost:4954'
  listen: 0.0.0.0:10000
@@ -325,18 +351,18 @@ Available for cloud scanning (currently only `trivy aws`)
 cloud:
  # whether to force a cache update for every scan
  update-cache: false
-  
+
  # how old cached results can be before being invalidated
  max-cache-age: 24h
-  
+
  # aws-specific cloud settings
  aws:
    # the aws region to use
    region: us-east-1
-    
+
    # the aws endpoint to use (not required for general use)
    endpoint: https://my.custom.aws.endpoint
-    
+
    # the aws account to use (this will be determined from your environment when not set)
    account: 123456789012
 ```
--- a/docs/docs/sbom/spdx.md
+++ b/docs/docs/sbom/spdx.md
@@ -19,7 +19,7 @@ SPDXID: SPDXRef-DOCUMENT
 DocumentName: alpine:3.15
 DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/alpine:3.15-bebf6b19-a94c-4e2c-af44-065f63923f48
 Creator: Organization: aquasecurity
-Creator: Tool: trivy
+Creator: Tool: trivy-0.38.1
 Created: 2022-04-28T07:32:57.142806Z

 ##### Package: zlib
@@ -167,7 +167,7 @@ $ cat result.spdx.json | jq .
 	"creationInfo": {
 		"created": "2022-04-28T08:16:55.328255Z",
 		"creators": [
-			"Tool: trivy",
+			"Tool: trivy-0.38.1",
 			"Organization: aquasecurity"
 		]
 	},
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -375,10 +375,41 @@ $ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
 $ trivy image --input /path/to/alpine
 ```

-## SBOM generation
+## SBOM
+Trivy supports the generation of Software Bill of Materials (SBOM) for container images and the search for SBOMs during vulnerability scanning.
+
+### Generation
 Trivy can generate SBOM for container images.
 See [here](../sbom/index.md) for the detail.

+### Discovery
+Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
+If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
+By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
+
+To enable this functionality, you need to specify the `--sbom-sources` flag.
+The following two sources are supported:
+
+- OCI Registry (`oci`)
+- Rekor (`rekor`)
+
+Example:
+
+```bash
+$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers
+2023-03-05T17:36:55.278+0200    INFO    Vulnerability scanning is enabled
+2023-03-05T17:36:58.103+0200    INFO    Detected SBOM format: cyclonedx-json
+2023-03-05T17:36:58.129+0200    INFO    Found SBOM (cyclonedx) in the OCI referrers
+...
+
+ghcr.io/knqyf263/oci-referrers (alpine 3.16.2)
+==============================================
+Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 3)
+```
+
+The OCI Registry utilizes the [Referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers).
+For more information about Rekor, please refer to [its documentation](../attestation/rekor.md).
+
 ## Compliance

 !!! warning "EXPERIMENTAL"
@@ -406,6 +437,9 @@ $ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
 !!! note
    The `Issues` column represent the total number of failed checks for this control.

+## Authentication
+Please reference [this page](../advanced/private-registries/index.md).
+
 ## Options
 ### Scan Image on a specific Architecture and OS
 By default, Trivy loads an image on a "linux/amd64" machine.
--- a/docs/docs/target/git-repository.md
+++ b/docs/docs/target/git-repository.md
@@ -222,6 +222,8 @@ In order to scan private GitHub or GitLab repositories, the environment variable

 The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.

+You can find how to generate your GitHub Token in the following [GitHub documentation.](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
+
 For example:

 ```
--- a/docs/docs/target/kubernetes.md
+++ b/docs/docs/target/kubernetes.md
@@ -291,10 +291,12 @@ For an overview of Trivy's Compliance feature, including working with custom com

 The following reports are available out of the box:

-| Compliance | Name for command | More info
--- | --- | ---
-NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)
-CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes)
+| Compliance                                   | Name for command     | More info                                                                                                           |
+|----------------------------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------|
+| NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa`            | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) |
+| CIS Benchmark for Kubernetes v1.23           | `k8s-cis`            | [Link](https://www.cisecurity.org/benchmark/kubernetes)                                                             |
+| Pod Security Standards, Baseline             | `k8s-pss-baseline`   | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline)                               |
+| Pod  Security Standards, Restricted          | `k8s-pss-restricted` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)                             |

 #### Examples

--- a/docs/docs/vulnerability/db.md
+++ b/docs/docs/vulnerability/db.md
@@ -0,0 +1,38 @@
+# Database
+Trivy uses two types of databases for vulnerability detection:
+
+- Vulnerability Database
+- Java Index Database
+
+This page provides detailed information about these databases.
+
+## Vulnerability Database
+Trivy utilizes a database containing vulnerability information.
+This database is built every six hours on [GitHub](https://github.com/aquasecurity/trivy-db) and is distributed via [GitHub Container registry (GHCR)](https://ghcr.io/aquasecurity/trivy-db).
+The database is cached and updated as needed.
+As Trivy updates the database automatically during execution, users don't need to be concerned about it.
+
+For CLI flags related to the database, please refer to [this page](./examples/db.md).
+
+### Private Hosting
+If you host the database on your own OCI registry, you can specify a different repository with the `--db-repository` flag.
+The default is `ghcr.io/aquasecurity/trivy-db`.
+
+```shell
+$ trivy image --db-repository YOUR_REPO YOUR_IMAGE
+```
+
+If authentication is required, it can be configured in the same way as for private images.
+Please refer to [the documentation](../advanced/private-registries/index.md) for more details.
+
+## Java Index Database
+This database is only downloaded when scanning JAR files so that Trivy can identify the groupId, artifactId, and version of JAR files.
+It is built once a day on [GitHub](https://github.com/aquasecurity/trivy-java-db) and distributed via [GitHub Container registry (GHCR)](https://ghcr.io/aquasecurity/trivy-java-db).
+Like the vulnerability database, it is automatically downloaded and updated when needed, so users don't need to worry about it.
+
+### Private Hosting
+If you host the database on your own OCI registry, you can specify a different repository with the `--java-db-repository` flag.
+The default is `ghcr.io/aquasecurity/trivy-java-db`.
+
+If authentication is required, you need to run `docker login YOUR_REGISTRY`.
+Currently, specifying a username and password is not supported.
--- a/docs/docs/vulnerability/detection/data-source.md
+++ b/docs/docs/vulnerability/detection/data-source.md
@@ -5,6 +5,7 @@
 | Arch Linux    | [Vulnerable Issues][arch]              |
 | Alpine Linux  | [secdb][alpine]                        |
 | Wolfi Linux   | [secdb][wolfi]                         |
+| Chainguard    | [secdb][chainguard]                    |
 | Amazon Linux  | [Amazon Linux Security Center][amazon] |
 | Debian        | [Security Bug Tracker][debian-tracker] |
 |               | [OVAL][debian-oval]                    |
@@ -61,6 +62,7 @@ The severity is from the selected data source. If the data source does not provi
 [arch]: https://security.archlinux.org/
 [alpine]: https://secdb.alpinelinux.org/
 [wolfi]: https://packages.wolfi.dev/os/security.json
+[chainguard]: https://packages.cgr.dev/chainguard/security.json
 [amazon]: https://alas.aws.amazon.com/
 [debian-tracker]: https://security-tracker.debian.org/tracker/
 [debian-oval]: https://www.debian.org/security/oval/
--- a/docs/docs/vulnerability/detection/language.md
+++ b/docs/docs/vulnerability/detection/language.md
@@ -6,12 +6,12 @@
 |----------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:---------------:|:---------------:|------------------|:------------------------:|
 | Ruby     | Gemfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | included         |            -             |
 |          | gemspec                                                                                    |     ✅     |     ✅      |        -        |        -        | included         |            -             |
-| Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
+| Python   | Pipfile.lock                                                                               |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |
 |          | poetry.lock                                                                                |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
 |          | requirements.txt                                                                           |     -     |     -      |        ✅        |        ✅        | included         |            -             |
 |          | egg package[^1]                                                                            |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
 |          | wheel package[^2]                                                                          |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
-| PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            -             |
+| PHP      | composer.lock                                                                              |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            ✅             |
 | Node.js  | package-lock.json                                                                          |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |
 |          | yarn.lock                                                                                  |     -     |     -      |        ✅        |        ✅        | included         |            ✅             |
 |          | pnpm-lock.yaml                                                                             |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
@@ -24,7 +24,7 @@
 |          | *gradle.lockfile                                                                           |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |
 | Go       | Binaries built by Go[^6]                                                                   |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
 |          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |            -             |
-| Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |            -             |
+| Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | excluded         |            ✅             |
 |          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded         |            -             |
 | C/C++    | conan.lock[^13]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |            -             |   
 | Elixir   | mix.lock[^13]                                                                              |     -     |     -      |        ✅        |        ✅        | excluded         |            ✅             |
@@ -47,3 +47,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
 [^12]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../examples/report.md#json) and [sarif](../examples/report.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
 [^13]: To scan a filename other than the default filename use [file-patterns](../examples/others.md#file-patterns)
+[^14]: When you scan `Cargo.lock` and `Cargo.toml` together. See about it [here](../languages/rust.md#cargo).
--- a/docs/docs/vulnerability/detection/os.md
+++ b/docs/docs/vulnerability/detection/os.md
@@ -6,6 +6,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 |----------------------------------|-------------------------------------------|-------------------------------|:------------------------------------:|
 | Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.17, edge               | Installed by apk              |                  NO                  |
 | Wolfi Linux                      | (n/a)                                     | Installed by apk              |                  NO                  |
+| Chainguard                       | (n/a)                                     | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8, 9                                   | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7, 8                                   | Installed by yum/rpm          |                 YES                  |
@@ -13,7 +14,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Rocky Linux                      | 8, 9                                      | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                                | Installed by yum/rpm          |                  NO                  |
 | CBL-Mariner                      | 1.0, 2.0                                  | Installed by yum/rpm          |                 YES                  |
-| Amazon Linux                     | 1, 2, 2022                                | Installed by yum/rpm          |                  NO                  |
+| Amazon Linux                     | 1, 2, 2023                                | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                    | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                                | Installed by zypper/rpm       |                  NO                  |
 | Photon OS                        | 1.0, 2.0, 3.0, 4.0                        | Installed by tdnf/yum/rpm     |                  NO                  |
--- a/docs/docs/vulnerability/examples/cache.md
+++ b/docs/docs/vulnerability/examples/cache.md
@@ -1,4 +1,5 @@
 # Cache
+The cache directory includes [the vulnerability database][trivy-db], [the Java index database][trivy-java-db][^1], [misconfiguration policies][misconf-policies][^2] and cache of previous scans.

 ## Clear Caches
 The `--clear-cache` option removes caches.
@@ -44,7 +45,14 @@ Two options:
 $ trivy server --cache-backend redis://localhost:6379
 ```

-Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
+If you want to use TLS with Redis, you can enable it by specifying the `--redis-tls` flag.
+
+```shell
+$ trivy server --cache-backend redis://localhost:6379 --redis-tls
+```
+
+Trivy also supports for connecting to Redis with your certificates.
+You need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` options.

 ```
 $ trivy server --cache-backend redis://localhost:6379 \
@@ -53,4 +61,9 @@ $ trivy server --cache-backend redis://localhost:6379 \
  --redis-key /path/to/key.pem
 ```

-TLS option for redis is hidden from Trivy command-line flag, but you still can use it.
+[trivy-db]: ../db.md#vulnerability-database
+[trivy-java-db]: ../db.md#java-index-database
+[misconf-policies]: ../../misconfiguration/policy/builtin.md
+
+[^1]: The Java Index Database is downloaded for scanning `jar/war/par/ear` files.
+[^2]: Misconfiguration policies are downloaded for misconfiguration scanning.
--- a/docs/docs/vulnerability/examples/db.md
+++ b/docs/docs/vulnerability/examples/db.md
@@ -1,9 +1,7 @@
 # Vulnerability DB

 ## Skip update of vulnerability DB
-`Trivy` downloads its vulnerability database every 12 hours when it starts operating.
-This is usually fast, as the size of the DB is only 10~30MB.
-But if you want to skip even that, use the `--skip-db-update` option.
+If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.

 ```
 $ trivy image --skip-db-update python:3.4-alpine3.9
@@ -43,3 +41,13 @@ $ trivy image --download-db-only
 ```
 $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
 ```
+
+## Java Vulnerability DB
+The same options are also available for the Java index DB, which is used for scanning Java applications.
+Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
+
+Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
+
+```
+$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
+```
--- a/docs/docs/vulnerability/examples/others.md
+++ b/docs/docs/vulnerability/examples/others.md
@@ -8,6 +8,14 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```

+It's possible to specify globs as part of the value.
+
+```bash
+$ trivy image --skip-files "./testdata/*/bar" .
+```
+
+Will skip any file named `bar` in the subdirectories of testdata.
+
 ## Skip Directories
 Trivy traversals directories and look for all lock files by default.
 If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
@@ -16,6 +24,27 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```

+It's possible to specify globs as part of the value.
+
+```bash
+$ trivy image --skip-dirs "./testdata/*" .
+```
+
+Will skip all subdirectories of the testdata directory.
+
+!!! tip
+    Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
+
+
+### Advanced globbing
+Trivy also supports the [globstar](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) pattern matching. 
+
+```bash
+$ trivy image --skip-files "**/foo"``` image:tag
+```
+
+Will skip the file `foo` that happens to be nested under any parent(s). 
+
 ## File patterns
 When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
 The default file patterns are [here](../../misconfiguration/custom/index.md).
@@ -68,6 +97,57 @@ $ trivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0
 $ trivy image --exit-code 1 --severity CRITICAL ruby:2.4.0
 ```

+## Exit on EOL
+Sometimes you may surprisingly get 0 vulnerabilities in an old image:
+
+- Enabling `--ignore-unfixed` option while all packages have no fixed versions.
+- Scanning a rather outdated OS (e.g. Ubuntu 10.04).
+
+An OS at the end of service/life (EOL) usually gets into this situation, which is definitely full of vulnerabilities.
+`--exit-on-eol` can fail scanning on EOL OS with a non-zero code.
+This flag is available with the following targets.
+
+- Container images (`trivy image`)
+- Virtual machine images (`trivy vm`)
+- SBOM (`trivy sbom`)
+- Root filesystem (`trivy rootfs`)
+
+```
+$ trivy image --exit-on-eol 1 alpine:3.10
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2023-03-01T11:07:15.455+0200    INFO    Vulnerability scanning is enabled
+...
+2023-03-01T11:07:17.938+0200    WARN    This OS version is no longer supported by the distribution: alpine 3.10.9
+2023-03-01T11:07:17.938+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided
+
+alpine:3.10 (alpine 3.10.9)
+===========================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
+┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.6-r0         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
+│           │                │          │                   │               │ other products, mishandles...                               │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
+└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+2023-03-01T11:07:17.941+0200    ERROR   Detected EOL OS: alpine 3.10.9
+```
+
+</details>
+
+This option is useful for CI/CD.
+The following example will fail when a critical vulnerability is found or the OS is EOSL:
+
+```
+$ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3
+```
+
 ## Reset
 The `--reset` option removes all caches and database.
 After this, it takes a long time as the vulnerability database needs to be rebuilt locally.
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -19,10 +19,26 @@ This flag is only available with the `--format table` flag.

 The following packages/languages are currently supported:

- OS packages (apk, dpkg and rpm)
- Node.js (package-lock.json and yarn.lock) 
- Nuget lock files (packages.lock.json)
- Rust Binaries built with [cargo-auditable][cargo-auditable]
+- OS packages 
+    - apk
+    - dpkg
+    - rpm
+- Node.js 
+    - npm: package-lock.json
+    - pnpm: pnpm-lock.yaml
+    - yarn: yarn.lock
+- .NET
+    - NuGet: packages.lock.json
+- Python 
+    - Poetry: poetry.lock
+- Ruby
+    - Bundler: Gemfile.lock
+- Rust
+    - Binaries built with [cargo-auditable][cargo-auditable]
+- Go
+    - Modules: go.mod
+- PHP
+    - Composer

 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -47,8 +63,8 @@ Total: 2 (HIGH: 1, CRITICAL: 1)
 │                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28469                 │
 └──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

-Dependency Origin Tree
-======================
+Dependency Origin Tree (Reversed)
+=================================
 package-lock.json
 ├── follow-redirects@1.14.6, (HIGH: 1, CRITICAL: 0)
 │   └── axios@0.21.4
--- a/docs/docs/vulnerability/languages/golang.md
+++ b/docs/docs/vulnerability/languages/golang.md
@@ -4,10 +4,10 @@
 Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
 The following table provides an outline of the features Trivy offers.

-| Artifact | Offline[^1] | Dev dependencies |
-|----------|:-----------:|:-----------------|
-| Modules  |      ✓      | Include          |
-| Binaries |      ✓      | Exclude          |
+| Artifact | Offline[^1] | Dev dependencies | License | Dependency graph |
+|----------|:-----------:|:-----------------|:-------:|:----------------:|
+| Modules  |      ✅      | Include          |  ✅[^2]  |      ✅[^2]       |
+| Binaries |      ✅      | Exclude          |    -    |        -         |

 !!! note
    Trivy scans only dependencies of the Go project.
@@ -17,10 +17,10 @@ The following table provides an outline of the features Trivy offers.
 ### Go Modules
 Depending on Go versions, the required files are different.

-| Version | Required files | Offline | License |
-|---------|:--------------:|:-------:|:-------:|
-| \>=1.17 |     go.mod     |    ✓    |    -    |
-| <1.17   | go.mod, go.sum |    ✓    |    -    |
+| Version | Required files | Offline |
+|---------|:--------------:|:-------:|
+| \>=1.17 |     go.mod     |    ✅    |
+| <1.17   | go.mod, go.sum |    ✅    |

 In Go 1.17+ projects, Trivy uses `go.mod` for direct/indirect dependencies.
 On the other hand, it uses `go.mod` for direct dependencies and `go.sum` for indirect dependencies in Go 1.16 or less.
@@ -49,6 +49,10 @@ If you want to have better detection, please consider updating the Go version in
    $ go mod tidy -go=1.18
    ```

+To identify licenses and dependency relationships, you need to download modules to local cache beforehand,
+such as `go mod download`, `go mod tidy`, etc.
+Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
+
 ### Go binaries
 Trivy scans binaries built by Go.
 If there is a Go binary in your container image, Trivy automatically finds and scans it.
@@ -59,4 +63,5 @@ Also, you can scan your local binaries.
 $ trivy fs ./your_binary
 ```

-[^1]: It doesn't require the Internet access.
+[^1]: It doesn't require the Internet access.
+[^2]: Need to download modules to local cache beforehand
--- a/docs/docs/vulnerability/languages/nodejs.md
+++ b/docs/docs/vulnerability/languages/nodejs.md
@@ -0,0 +1,47 @@
+# Node.js
+
+Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File              | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
+|:---------------:|-------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
+|       npm       | package-lock.json |            ✅            |     Excluded     |        ✅         |    ✅     |    ✅    |
+|      Yarn       | yarn.lock         |            ✅            |     Excluded     |        ✅         |    ✅     |    -    |
+|      pnpm       | pnpm-lock.yaml    |            ✅            |     Excluded     |        ✅         |    -     |    -    |
+
+In addition, Trivy scans installed packages with `package.json`.
+
+| File         | Dependency graph | Position | License |
+|--------------|:----------------:|:--------:|:-------:|
+| package.json |        -         |    -     |    ✅    |
+
+These may be enabled or disabled depending on the target.
+See [here](../detection/language.md) for the detail.
+
+## Package managers
+Trivy parses your files generated by package managers in filesystem/repository scanning.
+
+!!! tip
+    Please make sure your lock file is up-to-date after modifying `package.json`.
+
+### npm
+Trivy parses `package-lock.json`.
+To identify licenses, you need to download dependencies to `node_modules` beforehand.
+Trivy analyzes `node_modules` for licenses.
+
+### Yarn
+Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
+To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`.
+
+### pnpm
+Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree] of dependencies with vulnerabilities.
+
+## Packages
+Trivy parses the manifest files of installed packages in container image scanning and so on.
+
+### package.json
+Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
+It only extracts package names, versions and licenses for those packages.
+
+
+[tree]: ../examples/report.md#show-origins-of-vulnerable-dependencies 
--- a/docs/docs/vulnerability/languages/php.md
+++ b/docs/docs/vulnerability/languages/php.md
@@ -0,0 +1,18 @@
+# PHP
+
+Trivy supports [Composer][composer], which is a tool for dependency management in PHP.
+The following table provides an outline of the features Trivy offers.
+
+
+| Package Manager | File          | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
+|-----------------|---------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
+| Composer        | composer.lock |            ✅            |     Excluded     |        ✅         |    ✅     |    ✅    |
+
+## Composer
+In order to detect dependencies, Trivy searches for `composer.lock`.
+
+Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
+Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
+If you want to see the dependency tree, please ensure that `composer.json` is present.
+
+[composer]: https://getcomposer.org/
--- a/docs/docs/vulnerability/languages/python.md
+++ b/docs/docs/vulnerability/languages/python.md
@@ -0,0 +1,55 @@
+# Python
+
+Trivy supports three types of Python package managers: `pip`, `Pipenv` and `Poetry`.
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File             | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
+|-----------------|------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
+| pip             | requirements.txt |            -            |     Include      |        -         |    -     |    -    |
+| Pipenv          | Pipfile.lock     |            ✅            |     Include      |        -         |    ✅     |    -    |
+| Poetry          | poetry.lock      |            ✅            |     Exclude      |        ✅         |          |    -    |
+
+In addition, Trivy supports two formats of Python packages: `egg` and `wheel`.
+
+| Packaging | License |
+|-----------|:-------:|
+| Egg       |    ✅    |
+| Wheel     |    ✅    |
+
+These may be enabled or disabled depending on the target.
+See [here](../detection/language.md) for the detail.
+
+## Package managers
+Trivy parses your files generated by package managers in filesystem/repository scanning.
+
+### pip
+`requirements.txt` files contain only the direct dependencies and not contain the transitive dependencies.
+Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
+
+Also, `requirements.txt` files don't contain information about dependencies used for development.
+Trivy could detect vulnerabilities on the development packages, which not affect your production environment.
+
+License detection is not supported for `pip`.
+
+### Pipenv
+Trivy parses `Pipfile.lock`.
+`Pipfile.lock` files don't contain information about dependencies used for development.
+Trivy could detect vulnerabilities on the development packages, which not affect your production environment.
+
+License detection is not supported for `Pipenv`.
+
+### Poetry
+Trivy uses `poetry.lock` to identify dependencies and find vulnerabilities.
+To build the correct dependency graph, `pyproject.toml` also needs to be present next to `poetry.lock`.
+
+License detection is not supported for `Poetry`.
+
+## Packaging
+Trivy parses the manifest files of installed packages in container image scanning and so on.
+See [here](https://packaging.python.org/en/latest/discussions/wheel-vs-egg/) for the detail.
+
+### Egg
+Trivy looks for `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
+
+### Wheel
+Trivy looks for `.dist-info/META-DATA` to identify Python packages.
--- a/docs/docs/vulnerability/languages/rust.md
+++ b/docs/docs/vulnerability/languages/rust.md
@@ -0,0 +1,31 @@
+# Rust
+
+## Features
+Trivy supports [Cargo](https://doc.rust-lang.org/stable/cargo/), which is the Rust package manager.
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File       | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
+|-----------------|------------|:-----------------------:|:-----------------|:-------:|:----------------:|:--------:|
+| Cargo           | Cargo.lock |            ✅            | Excluded[^1]     |    -    |        ✅         |    ✅     |
+
+In addition, it supports binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable).
+
+| Artifact | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
+|----------|:-----------------------:|:-----------------|:-------:|:----------------:|:--------:|
+| Binaries |            ✅            | Excluded         |    -    |        -         |    -     |
+
+
+### Cargo
+Trivy searches for `Cargo.lock` to detect dependencies.
+
+Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
+Since this information is not included in `Cargo.lock`, Trivy parses `Cargo.toml`, which should be located next to `Cargo.lock`.
+If you want to see the dependency tree, please ensure that `Cargo.toml` is present.
+
+Scan `Cargo.lock` and `Cargo.toml` together also removes developer dependencies.
+
+### Binaries
+Trivy scans binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable).
+If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.
+
+[^1]: When you scan Cargo.lock and Cargo.toml together.
--- a/docs/ecosystem/security.md
+++ b/docs/ecosystem/security.md
@@ -4,3 +4,8 @@
 A Trivy plugin that converts JSON report to SonarQube [generic issues format](https://docs.sonarqube.org/9.6/analyzing-source-code/importing-external-issues/generic-issue-import-format/).

 👉 Get it at: <https://github.com/umax/trivy-plugin-sonarqube>
+
+## DefectDojo (Community)
+DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
+
+👉 Get it at: <https://github.com/DefectDojo/django-DefectDojo>
--- a/docs/getting-started/faq.md
+++ b/docs/getting-started/faq.md
@@ -0,0 +1,5 @@
+## FAQ
+
+### How to pronounce the name "Trivy"?
+
+`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -15,8 +15,9 @@ In this section you will find an aggregation of the different ways to install Tr
    [trivy]
    name=Trivy repository
    baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
-    gpgcheck=0
+    gpgcheck=1
    enabled=1
+    gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
    EOF
    sudo yum -y update
    sudo yum -y install trivy
@@ -139,7 +140,7 @@ go install
 ## Use container image

 1. Pull Trivy image (`docker pull aquasec/trivy:{{ git.tag[1:] }}`)
-2. It is advisable to mount a consistent [cache dir](https://aquasecurity.github.io/trivy/{{ git.tag }}/docs/vulnerability/examples/cache/) on the host into the Trivy container.
+   2. It is advisable to mount a consistent [cache dir](../docs/vulnerability/examples/cache.md) on the host into the Trivy container.
 3. For scanning container images with Trivy, mount `docker.sock` from the host into the Trivy container.

 Example:
--- a/docs/index.md
+++ b/docs/index.md
@@ -108,13 +108,6 @@ trivy k8s --report summary cluster
 </figure>

 </details>
-
-## FAQ
-
-### How to pronounce the name "Trivy"?
-
-`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
-
 ---

 Trivy is an [Aqua Security][aquasec] open source project.  
--- a/docs/tutorials/kubernetes/cluster-scanning.md
+++ b/docs/tutorials/kubernetes/cluster-scanning.md
@@ -70,50 +70,11 @@ This has several benefits:
 
 There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)

-Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/)
-Next, run the following commands.
+Please follow the Trivy Operator documentation for further information on:

-First, we are going to add the Aqua Security Helm repository to our Helm repository list:
-```
-helm repo add aqua https://aquasecurity.github.io/helm-charts/
-```
+- [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
+- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)

-Then, we will update all of our Helm repositories. Even if you have just added a new repository to your existing charts, this is generally good practice to have access to the latest changes:
-```
-helm repo update
-```
-
-Lastly, we can install the Trivy operator Helm Chart to our cluster:
-```
-helm install trivy-operator aqua/trivy-operator \
-   --namespace trivy-system \
-   --create-namespace \
-   --set="trivy.ignoreUnfixed=true" \
-   --version v0.0.3
-```
-
-You can make sure that the operator is installed correctly via the following command: 
-```
-kubectl get deployment -n trivy-system 
-```
-
-Trivy will automatically start scanning your Kubernetes resources. 
-For instance, you can view vulnerability reports with the following command: 
-
-```
-kubectl get vulnerabilityreports --all-namespaces -o wide 
-```
-
-And then you can access the details of a security scan: 
-```
-kubectl describe  vulnerabilityreports <name of one of the above reports> 
-```
-
-The same process can be applied to access Configauditreports: 
-
-```
-kubectl get configauditreports --all-namespaces -o wide 
-```


 
--- a/docs/tutorials/shell/shell-completion.md
+++ b/docs/tutorials/shell/shell-completion.md
@@ -0,0 +1,66 @@
+# Enable shell completion
+
+Below is example steps to enable shell completion feature for `trivy` cli:
+
+### 1. Know your current shell
+
+```bash
+$ echo $SHELL
+/bin/zsh # For this example it is zsh, but will be vary depend on your $SHELL, maybe /bin/bash or /bin/fish
+```
+
+### 2. Run `completion` command to get sub-commands
+
+``` bash
+$ trivy completion zsh -h
+Generate the autocompletion script for the zsh shell.
+
+If shell completion is not already enabled in your environment you will need
+to enable it.  You can execute the following once:
+
+	echo "autoload -U compinit; compinit" >> ~/.zshrc
+
+To load completions in your current shell session:
+
+	source <(trivy completion zsh); compdef _trivy trivy
+
+To load completions for every new session, execute once:
+
+#### Linux:
+
+	trivy completion zsh > "${fpath[1]}/_trivy"
+
+#### macOS:
+
+	trivy completion zsh > $(brew --prefix)/share/zsh/site-functions/_trivy
+
+You will need to start a new shell for this setup to take effect.
+```
+
+### 3. Run the sub-commands following the instruction
+
+```bash
+echo "autoload -U compinit; compinit" >> ~/.zshrc
+source <(trivy completion zsh); compdef _trivy trivy
+trivy completion zsh > "${fpath[1]}/_trivy"
+```
+
+### 4. Start a new shell and you can see the shell completion
+
+```bash
+$ trivy [tab]
+aws         -- scan aws account
+completion  -- Generate the autocompletion script for the specified shell
+config      -- Scan config files for misconfigurations
+filesystem  -- Scan local filesystem
+help        -- Help about any command
+image       -- Scan a container image
+kubernetes  -- scan kubernetes cluster
+module      -- Manage modules
+plugin      -- Manage plugins
+repository  -- Scan a remote repository
+rootfs      -- Scan rootfs
+sbom        -- Scan SBOM for vulnerabilities
+server      -- Server mode
+version     -- Print the version
+```
--- a/go.mod
+++ b/go.mod
@@ -3,13 +3,19 @@ module github.com/aquasecurity/trivy
 go 1.19

 require (
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.11.28
+	github.com/Azure/go-autorest/autorest/adal v0.9.23
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12
+	github.com/BurntSushi/toml v1.2.1
 	github.com/CycloneDX/cyclonedx-go v0.7.0
+	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.23.0
+	github.com/alicebob/miniredis/v2 v2.30.1
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.82.9
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230130190635-5e31092b0621
+	github.com/aquasecurity/defsec v0.85.0
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230413091456-df0396537e15
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -19,37 +25,42 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230116084806-4bcdf1c414d0
+	github.com/aquasecurity/trivy-db v0.0.0-20230411140759-3c2ee2168575
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230124152305-a266786d8ded
-	github.com/aws/aws-sdk-go v1.44.171
-	github.com/aws/aws-sdk-go-v2 v1.17.3
-	github.com/aws/aws-sdk-go-v2/config v1.18.3
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.1
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.0
-	github.com/caarlos0/env/v6 v6.10.1
+	github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230413111230-522e0fca9814
+	github.com/aws/aws-sdk-go v1.44.234
+	github.com/aws/aws-sdk-go-v2 v1.17.7
+	github.com/aws/aws-sdk-go-v2/config v1.18.15
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.89.1
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.7
+	github.com/bmatcuk/doublestar v1.3.4
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.1.0
-	github.com/containerd/containerd v1.6.15
-	github.com/docker/docker v23.0.0-rc.1+incompatible
+	github.com/cheggaaa/pb/v3 v3.1.2
+	github.com/containerd/containerd v1.7.0
+	github.com/docker/docker v23.0.3+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/fatih/color v1.13.0
-	github.com/go-openapi/runtime v0.24.2
-	github.com/go-openapi/strfmt v0.21.3
+	github.com/fatih/color v1.14.1
+	github.com/go-git/go-git/v5 v5.6.1
+	github.com/go-openapi/runtime v0.25.0
+	github.com/go-openapi/strfmt v0.21.7
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang/protobuf v1.5.2
-	github.com/google/go-containerregistry v0.12.0
+	github.com/golang/protobuf v1.5.3
+	github.com/google/go-containerregistry v0.14.0
 	github.com/google/licenseclassifier/v2 v2.0.0
 	github.com/google/uuid v1.3.0
 	github.com/google/wire v0.5.0
-	github.com/hashicorp/go-getter v1.6.2
+	github.com/hashicorp/go-getter v1.7.0
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/golang-lru/v2 v2.0.1
-	github.com/in-toto/in-toto-golang v0.5.0
+	github.com/in-toto/in-toto-golang v0.7.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
-	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
+	github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
+	github.com/knqyf263/go-rpmdb v0.0.0-20230301153543-ba94b245509b
+	github.com/knqyf263/nested v0.0.1
 	github.com/kylelemons/godebug v1.1.0
+	github.com/magefile/mage v1.14.0
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
 	github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3
@@ -58,85 +69,94 @@ require (
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20221225060805-c02764233454
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15
+	github.com/moby/buildkit v0.11.5
+	github.com/open-policy-agent/opa v0.45.0
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221020182949-4df8887994e8
 	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170
-	github.com/samber/lo v1.36.0
-	github.com/secure-systems-lab/go-securesystemslib v0.4.0
-	github.com/sigstore/rekor v1.0.1
+	github.com/samber/lo v1.37.0
+	github.com/saracen/walker v0.1.3
+	github.com/secure-systems-lab/go-securesystemslib v0.5.0
+	github.com/sigstore/rekor v1.1.0
 	github.com/sosedoff/gitkit v0.3.0
+	github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f
+	github.com/spf13/cast v1.5.0
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.2
 	github.com/testcontainers/testcontainers-go v0.17.0
-	github.com/tetratelabs/wazero v1.0.0-pre.8
+	github.com/tetratelabs/wazero v1.0.0
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xlab/treeprint v1.1.0
-	go.etcd.io/bbolt v1.3.6
+	go.etcd.io/bbolt v1.3.7
 	go.uber.org/zap v1.24.0
-	golang.org/x/exp v0.0.0-20220823124025-807a23277127
+	golang.org/x/crypto v0.7.0
+	golang.org/x/exp v0.0.0-20230124195608-d38c7dcee874
+	golang.org/x/mod v0.9.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/term v0.6.0
+	golang.org/x/text v0.9.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/protobuf v1.30.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/utils v0.0.0-20230115233650-391b47cb4029
+	gotest.tools v2.2.0+incompatible
+	k8s.io/api v0.26.3
+	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
 	modernc.org/sqlite v1.20.3
 )

 require (
-	cloud.google.com/go v0.105.0 // indirect
-	cloud.google.com/go/compute v1.14.0 // indirect
+	cloud.google.com/go v0.110.0 // indirect
+	cloud.google.com/go/compute v1.18.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v0.8.0 // indirect
-	cloud.google.com/go/storage v1.27.0 // indirect
-	github.com/Azure/azure-sdk-for-go v67.1.0+incompatible
+	cloud.google.com/go/iam v0.12.0 // indirect
+	cloud.google.com/go/storage v1.29.0 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.28
-	github.com/Azure/go-autorest/autorest/adal v0.9.21
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
-	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/Masterminds/squirrel v1.5.3 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.9.6 // indirect
+	github.com/Microsoft/hcsshim v0.10.0-rc.7 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
-	github.com/VividCortex/ewma v1.1.1 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.8 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.15 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.18.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.24.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.21.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20 // indirect
 	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 // indirect
@@ -145,94 +165,95 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.20 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/emr v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.23.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/iam v1.18.23 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.20.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/mq v1.13.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.12 // indirect
 	github.com/aws/aws-sdk-go-v2/service/rds v1.26.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.27.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sns v1.18.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.20.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/workspaces v1.23.0 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/bmatcuk/doublestar v1.3.4 // indirect
-	github.com/briandowns/spinner v1.12.0 // indirect
+	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/containerd/cgroups v1.0.4 // indirect
+	github.com/cloudflare/circl v1.1.0 // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
-	github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/ttrpc v1.2.1 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
+	github.com/containerd/typeurl/v2 v2.1.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v23.0.0-rc.1+incompatible // indirect
+	github.com/docker/cli v23.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.3.1 // indirect
-	github.com/go-git/go-git/v5 v5.4.2
+	github.com/go-git/go-billy/v5 v5.4.1 // indirect
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/spec v0.20.7 // indirect
+	github.com/go-openapi/spec v0.20.8 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.0 // indirect
+	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-yaml v1.8.2 // indirect
-	github.com/gofrs/uuid v4.0.0+incompatible // indirect
-	github.com/gogo/googleapis v1.4.1 // indirect
+	github.com/goccy/go-yaml v1.8.1 // indirect
+	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/btree v1.0.1 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
-	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
+	github.com/googleapis/gax-go/v2 v2.8.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
@@ -240,17 +261,15 @@ require (
 	github.com/hashicorp/hcl/v2 v2.14.1 // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/klauspost/compress v1.15.12 // indirect
-	github.com/knqyf263/go-rpmdb v0.0.0-20230201142403-697bc51b3948
-	github.com/knqyf263/nested v0.0.1
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.16.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/liamg/iamgo v0.0.9 // indirect
@@ -260,19 +279,18 @@ require (
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/mattn/go-sqlite3 v1.14.16 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
+	github.com/miekg/dns v1.1.50 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/buildkit v0.11.0
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.5.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
@@ -287,85 +305,77 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc2
-	github.com/opencontainers/runc v1.1.3 // indirect
-	github.com/opencontainers/runtime-spec v1.0.3-0.20220311020903-6969a0a09ab1 // indirect
-	github.com/opencontainers/selinux v1.10.2 // indirect
+	github.com/opencontainers/runc v1.1.5 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/owenrumney/squealer v1.0.1-0.20220510063705-c0be93f0edea // indirect
+	github.com/owenrumney/squealer v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/common v0.39.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.2.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
-	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f
+	github.com/skeema/knownhosts v1.1.0 // indirect
 	github.com/spf13/afero v1.9.3 // indirect
-	github.com/spf13/cast v1.5.0
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
-	github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
+	github.com/yuin/gopher-lua v1.1.0 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
-	go.mongodb.org/mongo-driver v1.10.0 // indirect
+	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/otel v1.14.0 // indirect
+	go.opentelemetry.io/otel/trace v1.14.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
-	golang.org/x/crypto v0.5.0
-	golang.org/x/mod v0.8.0
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/oauth2 v0.1.0 // indirect
-	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/term v0.4.0
-	golang.org/x/text v0.6.0
-	golang.org/x/time v0.1.0 // indirect
-	golang.org/x/tools v0.2.0 // indirect
-	google.golang.org/api v0.107.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
+	google.golang.org/api v0.114.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
-	google.golang.org/grpc v1.52.0 // indirect
+	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
+	google.golang.org/grpc v1.54.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
-	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gotest.tools v2.2.0+incompatible
+	gotest.tools/v3 v3.1.0 // indirect
 	helm.sh/helm/v3 v3.11.1 // indirect
-	k8s.io/api v0.26.1 // indirect
 	k8s.io/apiextensions-apiserver v0.26.0 // indirect
-	k8s.io/apimachinery v0.26.1 // indirect
-	k8s.io/apiserver v0.26.0 // indirect
-	k8s.io/cli-runtime v0.26.1 // indirect
-	k8s.io/client-go v0.26.1 // indirect
-	k8s.io/component-base v0.26.1 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/apimachinery v0.26.3 // indirect
+	k8s.io/apiserver v0.26.2 // indirect
+	k8s.io/cli-runtime v0.26.3 // indirect
+	k8s.io/client-go v0.26.3 // indirect
+	k8s.io/component-base v0.26.3 // indirect
+	k8s.io/klog/v2 v2.90.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	k8s.io/kubectl v0.26.1 // indirect
+	k8s.io/kubectl v0.26.3 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.40.0 // indirect
 	modernc.org/ccgo/v3 v3.16.13 // indirect
--- a/go.sum
+++ b/go.sum
--- a/goreleaser-canary.yml
+++ b/goreleaser-canary.yml
@@ -23,13 +23,13 @@ builds:
 archives:
  -
    format: tar.gz
-    name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
-    replacements:
-      amd64: 64bit
-      arm64: ARM64
-      darwin: macOS
-      linux: Linux
-      windows: Windows
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_
+      {{- if eq .Os "darwin" }}macOS
+      {{- else}}{{- title .Os }}{{ end }}-
+      {{- if eq .Arch "amd64" }}64bit
+      {{- else if eq .Arch "arm64" }}ARM64
+      {{- else }}{{ .Arch }}{{ end }}
    files:
      - README.md
      - LICENSE
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -57,40 +57,45 @@ nfpms:
    maintainer: "Teppei Fukuda <knqyf263@gmail.com>"
    description: "A Fast Vulnerability Scanner for Containers"
    license: "Apache-2.0"
-    file_name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
-    replacements:
-      amd64: 64bit
-      386: 32bit
-      arm: ARM
-      arm64: ARM64
-      ppc64le: PPC64LE
-      darwin: macOS
-      linux: Linux
-      openbsd: OpenBSD
-      netbsd: NetBSD
-      freebsd: FreeBSD
-      dragonfly: DragonFlyBSD
-      windows: Windows
+    file_name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_
+      {{- if eq .Os "darwin" }}macOS
+      {{- else if eq .Os "openbsd" }}OpenBSD
+      {{- else if eq .Os "netbsd" }}NetBSD
+      {{- else if eq .Os "freebsd" }}FreeBSD
+      {{- else if eq .Os "dragonfly" }}DragonFlyBSD
+      {{- else}}{{- title .Os }}{{ end }}-
+      {{- if eq .Arch "amd64" }}64bit
+      {{- else if eq .Arch "386" }}32bit
+      {{- else if eq .Arch "arm" }}ARM
+      {{- else if eq .Arch "arm64" }}ARM64
+      {{- else if eq .Arch "ppc64le" }}PPC64LE
+      {{- else }}{{ .Arch }}{{ end }}
    contents:
     - src: contrib/*.tpl
       dst: /usr/local/share/trivy/templates
+    rpm:
+      signature:
+         key_file: '{{ .Env.GPG_FILE }}'

 archives:
  -
    format: tar.gz
-    name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
-    replacements:
-      amd64: 64bit
-      386: 32bit
-      arm: ARM
-      arm64: ARM64
-      ppc64le: PPC64LE
-      darwin: macOS
-      linux: Linux
-      openbsd: OpenBSD
-      netbsd: NetBSD
-      freebsd: FreeBSD
-      dragonfly: DragonFlyBSD
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_
+      {{- if eq .Os "darwin" }}macOS
+      {{- else if eq .Os "linux" }}Linux
+      {{- else if eq .Os "openbsd" }}OpenBSD
+      {{- else if eq .Os "netbsd" }}NetBSD
+      {{- else if eq .Os "freebsd" }}FreeBSD
+      {{- else if eq .Os "dragonfly" }}DragonFlyBSD
+      {{- else}}{{- .Os }}{{ end }}-
+      {{- if eq .Arch "amd64" }}64bit
+      {{- else if eq .Arch "386" }}32bit
+      {{- else if eq .Arch "arm" }}ARM
+      {{- else if eq .Arch "arm64" }}ARM64
+      {{- else if eq .Arch "ppc64le" }}PPC64LE
+      {{- else }}{{ .Arch }}{{ end }}
    files:
      - README.md
      - LICENSE
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: trivy
-version: 0.6.0
+version: 0.7.0
 appVersion: 0.37.2
 description: Trivy helm chart
 keywords:
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -68,11 +68,12 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.registryPassword`              | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
 | `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set.                    |      |
 | `trivy.serviceAccount.annotations`        | Additional annotations to add to the Kubernetes service account resource |     |
-| `trivy.skipUpdate`                    | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
+| `trivy.skipDBUpdate`                    | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
 | `trivy.dbRepository`                  | OCI repository to retrieve the trivy vulnerability database from        | `ghcr.io/aquasecurity/trivy-db`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
 | `trivy.cache.redis.ttl`               | Specify redis TTL, e.g. 3600s or 24h                                    | `` |
+| `trivy.cache.redis.tls`               | Enable Redis TLS with public certificates                               | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
 | `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -10,9 +10,10 @@ data:
 {{- if .Values.trivy.cache.redis.enabled }}
  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
  TRIVY_CACHE_TTL: {{ .Values.trivy.cache.redis.ttl | quote }}
+  TRIVY_REDIS_TLS: {{ .Values.trivy.cache.redis.tls | quote }}
 {{- end }}
  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
-  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+  TRIVY_SKIP_DB_UPDATE: {{ .Values.trivy.skipDBUpdate | quote }}
  TRIVY_DB_REPOSITORY: {{ .Values.trivy.dbRepository | quote }}
 {{- if .Values.httpProxy }}
  HTTP_PROXY: {{ .Values.httpProxy | quote }}
--- a/helm/trivy/templates/podsecuritypolicy.yaml
+++ b/helm/trivy/templates/podsecuritypolicy.yaml
@@ -4,6 +4,10 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "trivy.fullname" . }}
+  {{- with .Values.rbac.pspAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
  labels:
 {{ include "trivy.labels" . | indent 4 }}
 spec:
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -29,6 +29,7 @@ resources:
 rbac:
  create: true
  pspEnabled: false
+  pspAnnotations: {}

 podSecurityContext:
  runAsUser: 65534
@@ -93,12 +94,12 @@ trivy:
  # NOTE: When this is set the previous parameters are ignored.
  #
  # registryCredentialsExistingSecret: name-of-existing-secret
-  # skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
+  # skipDBUpdate the flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
  # `/home/scanner/.cache/trivy/db/trivy.db` path (see `cacheDir`).
-  skipUpdate: false
+  skipDBUpdate: false
  # OCI repository to retrieve the trivy vulnerability database from
  dbRepository: ghcr.io/aquasecurity/trivy-db
  # Trivy supports filesystem and redis as caching backend
@@ -114,6 +115,7 @@ trivy:
      enabled: false
      url: ""  # e.g. redis://redis.redis.svc:6379
      ttl: ""  # e.g 3600s, 24h
+      tls: false
  serviceAccount:
    annotations: {}
      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -57,8 +57,11 @@ func TestClientServer(t *testing.T) {
 			name: "alpine 3.9 with high and critical severity",
 			args: csArgs{
 				IgnoreUnfixed: true,
-				Severity:      []string{"HIGH", "CRITICAL"},
-				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+				Severity: []string{
+					"HIGH",
+					"CRITICAL",
+				},
+				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39-high-critical.json.golden",
 		},
@@ -66,8 +69,11 @@ func TestClientServer(t *testing.T) {
 			name: "alpine 3.9 with .trivyignore",
 			args: csArgs{
 				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
-				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+				IgnoreIDs: []string{
+					"CVE-2019-1549",
+					"CVE-2019-14697",
+				},
+				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39-ignore-cveids.json.golden",
 		},
@@ -401,7 +407,6 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 		args                  csArgs
 		wantComponentsCount   int
 		wantDependenciesCount int
-		wantDependsOnCount    []int
 	}{
 		{
 			name: "fluentd with RubyGems with CycloneDX format",
@@ -410,11 +415,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 				Input:  "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
 			},
 			wantComponentsCount:   161,
-			wantDependenciesCount: 2,
-			wantDependsOnCount: []int{
-				105,
-				56,
-			},
+			wantDependenciesCount: 80,
 		},
 	}

@@ -437,9 +438,6 @@ func TestClientServerWithCycloneDX(t *testing.T) {

 			assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
 			assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
-			for i, dep := range *got.Dependencies {
-				assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
-			}
 		})
 	}
 }
@@ -577,9 +575,21 @@ func setup(t *testing.T, options setupOptions) (string, string) {
 }

 func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
-	osArgs := []string{"--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
+	osArgs := []string{
+		"--cache-dir",
+		cacheDir,
+		"server",
+		"--skip-update",
+		"--listen",
+		addr,
+	}
 	if token != "" {
-		osArgs = append(osArgs, []string{"--token", token, "--token-header", tokenHeader}...)
+		osArgs = append(osArgs, []string{
+			"--token",
+			token,
+			"--token-header",
+			tokenHeader,
+		}...)
 	}
 	if cacheBackend != "" {
 		osArgs = append(osArgs, "--cache-backend", cacheBackend)
@@ -595,7 +605,13 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		c.RemoteAddrOption = "--server"
 	}
 	t.Helper()
-	osArgs := []string{"--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
+	osArgs := []string{
+		"--cache-dir",
+		cacheDir,
+		c.Command,
+		c.RemoteAddrOption,
+		"http://" + addr,
+	}

 	if c.Format != "" {
 		osArgs = append(osArgs, "--format", c.Format)
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -65,13 +65,13 @@ func TestFilesystem(t *testing.T) {
 			golden: "testdata/gomod-skip.json.golden",
 		},
 		{
-			name: "nodejs",
+			name: "npm",
 			args: args{
 				scanner:     types.VulnerabilityScanner,
-				input:       "testdata/fixtures/fs/nodejs",
+				input:       "testdata/fixtures/fs/npm",
 				listAllPkgs: true,
 			},
-			golden: "testdata/nodejs.json.golden",
+			golden: "testdata/npm.json.golden",
 		},
 		{
 			name: "yarn",
@@ -99,6 +99,24 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/pip.json.golden",
 		},
+		{
+			name: "pipenv",
+			args: args{
+				scanner:     types.VulnerabilityScanner,
+				listAllPkgs: true,
+				input:       "testdata/fixtures/fs/pipenv",
+			},
+			golden: "testdata/pipenv.json.golden",
+		},
+		{
+			name: "poetry",
+			args: args{
+				scanner:     types.VulnerabilityScanner,
+				listAllPkgs: true,
+				input:       "testdata/fixtures/fs/poetry",
+			},
+			golden: "testdata/poetry.json.golden",
+		},
 		{
 			name: "pom",
 			args: args{
@@ -169,6 +187,15 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/mix.lock.json.golden",
 		},
+		{
+			name: "composer.lock",
+			args: args{
+				scanner:     types.VulnerabilityScanner,
+				listAllPkgs: true,
+				input:       "testdata/fixtures/fs/composer",
+			},
+			golden: "testdata/composer.lock.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
--- a/integration/module_test.go
+++ b/integration/module_test.go
@@ -1,17 +1,14 @@
 //go:build module_integration
-
 package integration

 import (
-	"os"
 	"path/filepath"
 	"testing"

-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/aquasecurity/trivy/pkg/module"
-	"github.com/aquasecurity/trivy/pkg/utils"
+	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/scanner/post"
 )

 func TestModule(t *testing.T) {
@@ -35,21 +32,23 @@ func TestModule(t *testing.T) {
 	// Set up testing DB
 	cacheDir := initDB(t)

-	// Set up module dir
-	moduleDir := filepath.Join(cacheDir, module.RelativeDir)
-	err := os.MkdirAll(moduleDir, 0700)
-	require.NoError(t, err)
-
-	// Set up Spring4Shell module
-	t.Setenv("XDG_DATA_HOME", cacheDir)
-	_, err = utils.CopyFile(filepath.Join("../", "examples", "module", "spring4shell", "spring4shell.wasm"),
-		filepath.Join(moduleDir, "spring4shell.wasm"))
-	require.NoError(t, err)
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := []string{"--cache-dir", cacheDir, "image", "--ignore-unfixed", "--format", "json",
-				"--skip-update", "--offline-scan", "--input", tt.input}
+			osArgs := []string{
+				"--cache-dir",
+				cacheDir,
+				"image",
+				"--ignore-unfixed",
+				"--format",
+				"json",
+				"--skip-db-update",
+				"--offline-scan",
+				"--quiet",
+				"--module-dir",
+				filepath.Join("../", "examples", "module", "spring4shell"),
+				"--input",
+				tt.input,
+			}

 			// Set up the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
@@ -57,11 +56,18 @@ func TestModule(t *testing.T) {
 				outputFile = tt.golden
 			}

-			osArgs = append(osArgs, []string{"--output", outputFile}...)
+			osArgs = append(osArgs, []string{
+				"--output",
+				outputFile,
+			}...)

 			// Run Trivy
-			err = execute(osArgs)
-			assert.NoError(t, err)
+			err := execute(osArgs)
+			require.NoError(t, err)
+			defer func() {
+				analyzer.DeregisterAnalyzer("spring4shell")
+				post.DeregisterPostScanner("spring4shell")
+			}()

 			// Compare want and got
 			compareReports(t, tt.golden, outputFile)
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -69,8 +69,8 @@ func TestSBOM(t *testing.T) {
 						Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
 						Vulnerabilities: []types.DetectedVulnerability{
 							{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
 						},
 					},
 				},
@@ -92,8 +92,8 @@ func TestSBOM(t *testing.T) {
 						Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
 						Vulnerabilities: []types.DetectedVulnerability{
 							{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+							{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
 						},
 					},
 				},
--- a/integration/scripts/download-images.sh
+++ b/integration/scripts/download-images.sh
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-TEST_IMAGE=ghcr.io/aquasecurity/trivy-test-images
-
-CURRENT=$(cd $(dirname $0);pwd)
-
-mkdir -p ${CURRENT}/../testdata/fixtures/images/
-
-# List the tags
-TAGS=$(crane ls ${TEST_IMAGE})
-
-# Download missing images
-for tag in $TAGS
-do
-  dir=${CURRENT}/../testdata/fixtures/images/
-  if [ ! -e "${dir}/${tag}.tar.gz" ]; then
-    echo "Downloading $tag..."
-    crane pull "${TEST_IMAGE}:${tag}" "${dir}/${tag}.tar"
-    gzip "${dir}/${tag}.tar"
-  fi
-done
--- a/integration/scripts/download-vm-images.sh
+++ b/integration/scripts/download-vm-images.sh
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-TEST_VM=ghcr.io/aquasecurity/trivy-test-vm-images
-
-CRANE_IMG=gcr.io/go-containerregistry/crane:v0.12.1
-ORAS_IMG=ghcr.io/oras-project/oras:v0.16.0
-
-CURRENT=$(cd $(dirname $0);pwd)
-
-mkdir -p ${CURRENT}/../testdata/fixtures/vm-images/
-
-# List the tags
-TAGS=$(docker run --rm ${CRANE_IMG} ls ${TEST_VM})
-
-# Download missing images
-for tag in $TAGS
-do
-  dir=${CURRENT}/../testdata/fixtures/vm-images/
-  if [ ! -e "${dir}/${tag}.img.gz" ] || [ ! -e "${dir}/${tag}.vmdk.gz" ]; then
-    echo "Downloading $tag..."
-    echo "oras pull ${TEST_VM}:${tag}"
-    docker run --rm -v ${dir}:/workspace ${ORAS_IMG} pull "${TEST_VM}:${tag}"
-  fi
-done
--- a/integration/testdata/alpine-310.sarif.golden
+++ b/integration/testdata/alpine-310.sarif.golden
@@ -182,6 +182,11 @@
        "ROOTPATH": {
          "uri": "file:///"
        }
+      },
+      "properties": {
+        "imageName": "testdata/fixtures/images/alpine-310.tar.gz",
+        "repoDigests": null,
+        "repoTags": null
      }
    }
  ]
--- a/integration/testdata/centos-7-cyclonedx.json.golden
+++ b/integration/testdata/centos-7-cyclonedx.json.golden
@@ -321,7 +321,7 @@
      "updated": "2021-01-20T15:15:00+00:00",
      "affects": [
        {
-          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
+          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026epoch=1\u0026distro=centos-7.6.1810",
          "versions": [
            {
              "version": "1:1.0.2k-16.el7",
@@ -514,7 +514,7 @@
      "updated": "2020-08-24T17:37:00+00:00",
      "affects": [
        {
-          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
+          "ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026epoch=1\u0026distro=centos-7.6.1810",
          "versions": [
            {
              "version": "1:1.0.2k-16.el7",
--- a/Show More
+++ b/Show More