gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-09 22:30:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.38.2
Branches Tags
gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.40.0
Branches Tags
gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

104 Commits
v0.38.2 ... v0.40.0

Author SHA1 Message Date
simar7
b43b19ba54 feat(flag): Support globstar for --skip-files and --skip-directories (#4026) 
Signed-off-by: Simar <simar@linux.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-04-16 13:48:20 +03:00
dependabot[bot]
14805002d3 chore(deps): bump actions/stale from 7 to 8 (#3955) 2023-04-16 13:40:12 +03:00
DmitriyLewen
83bb97ab13 fix: return insecure option to download javadb (#4064) 2023-04-15 08:26:50 +03:00
DmitriyLewen
79a1ba32d5 fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052) 2023-04-14 07:35:51 +03:00
afdesk
ff1c43a791 ci: add gpg signing for RPM packages (#4056) 2023-04-14 07:28:44 +03:00
chenk
b608b116cc fix(k8s): current context title (#4055) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-04-13 17:56:22 +03:00
chenk
2c3b60f4c9 fix(k8s): quit support on k8s progress bar (#4021) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-04-13 17:30:54 +03:00
afdesk
a6b8642134 chore: add a note about Dockerfile.canary (#4050) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-04-13 17:27:28 +03:00
afdesk
90b80662c6 ci: fix path to canary binaries (#4045) 2023-04-13 10:27:06 +03:00
AliDatadog
dcefc6bf3c fix(vuln): report architecture for debian packages (#4032) 2023-04-12 15:51:12 +03:00
Dan Luhring
601e25fb2f feat: add support for Chainguard's commercial distro (#3641) 2023-04-12 15:20:52 +03:00
afdesk
0bebec19f0 ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979) 2023-04-12 15:15:16 +03:00
AliDatadog
707ea94234 fix(vuln): fix error message for remote scanners (#4031) 2023-04-11 16:50:45 +03:00
Teppei Fukuda
8e1fe769e4 feat(report): add image metadata to SARIF (#4020) 
* feat(report): add image metadata to SARIF

* test: fix sarif golden
 2023-04-11 16:33:25 +03:00
DmitriyLewen
4b36e97dce docs: fix broken cache link on Installation page (#3999) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-04-10 15:38:03 +03:00
Teppei Fukuda
f0df725c5a fix: lock downloading policies and database (#4017) 2023-04-10 15:37:13 +03:00
Teppei Fukuda
009675c825 fix: avoid concurrent access to the global map (#4014) 2023-04-10 12:30:08 +03:00
DmitriyLewen
3ed86aa3d0 feat(rust): add Cargo.lock v3 support (#4012) 2023-04-10 11:46:43 +03:00
chenk
f31dea4bd6 feat: auth support oci download server subcommand (#4008) 2023-04-10 08:26:17 +03:00
dependabot[bot]
d37c50a2b3 chore(deps): bump github.com/docker/docker (#4009) 2023-04-09 22:29:13 +03:00
Yousaf Nabi
693d20516b chore: install.sh support for armv7 (#3985) 2023-04-09 22:18:13 +03:00
dependabot[bot]
65d89b99d1 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961) 2023-04-09 15:58:06 +03:00
DmitriyLewen
a119ef86ea fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997) 2023-04-09 11:06:57 +03:00
DmitriyLewen
c8283cebde fix(sbom): fix infinite loop for cyclonedx (#3998) 2023-04-09 09:10:02 +03:00
dependabot[bot]
6c8b042548 chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954) 2023-04-04 16:15:26 +03:00
DmitriyLewen
c42f360f57 fix: use warning for errors from enrichment files for post-analyzers (#3972) 2023-04-04 16:11:07 +03:00
dependabot[bot]
20c21caccf chore(deps): bump github.com/docker/docker (#3963) 2023-04-04 14:06:41 +03:00
Rewanth Tammana
54388ffd16 fix(helm): added annotation to psp configurable from values (#3893) 
Signed-off-by: Rewanth Tammana <22347290+rewanthtammana@users.noreply.github.com>
 2023-04-03 11:24:43 +03:00
dependabot[bot]
99a2519816 chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962) 2023-04-03 11:23:30 +03:00
afdesk
d113b93139 fix(secret): update built-in rule tests (#3855) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2023-04-03 10:37:08 +03:00
dependabot[bot]
5ab6d25880 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957) 2023-04-03 10:32:13 +03:00
Teppei Fukuda
0767cb8443 test: rewrite scripts in Go (#3968) 2023-04-03 10:31:10 +03:00
simar7
428ee19cae docs(cli): Improve glob documentation (#3945) 
Signed-off-by: Simar <simar@linux.com>
 2023-04-03 07:59:02 +03:00
dependabot[bot]
3e00dc346f chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959) 2023-04-03 07:57:54 +03:00
Teppei Fukuda
cf2f0b2d1c ci: check CLI references (#3967) 2023-04-03 07:57:08 +03:00
dependabot[bot]
70f507e1af chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951) 2023-04-03 06:37:49 +03:00
dependabot[bot]
befabc6b99 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956) 2023-04-03 06:36:35 +03:00
dependabot[bot]
ee69abb78f chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958) 2023-04-02 19:29:28 +03:00
dependabot[bot]
8901f7be62 chore(deps): bump actions/setup-go from 3 to 4 (#3953) 2023-04-02 19:28:40 +03:00
dependabot[bot]
4e6bbbc8cc chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950) 2023-04-02 19:28:10 +03:00
dependabot[bot]
d70f346f53 chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965) 2023-04-02 16:27:22 +03:00
dependabot[bot]
3efb2fdeda chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964) 2023-04-02 10:49:41 +03:00
Krishna Dutt Panchagnula
ed590966a3 docs(cli): added makefile and go file to create docs (#3930) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2023-04-01 08:43:21 +03:00
Teppei Fukuda
a2f39a34c5 chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946) 
This reverts commit 67572dff6d.
 2023-04-01 08:39:22 +03:00
Teppei Fukuda
5a10631023 chore: ignore gpg key (#3943) 2023-04-01 06:39:31 +03:00
afdesk
4072115e5a feat(cyclonedx): support dependency graph (#3177) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-04-01 00:46:30 +03:00
simar7
7cad265b7a chore(deps): Bump defsec to v0.85.0 (#3940) 
Signed-off-by: Simar <simar@linux.com>
 2023-03-31 16:58:01 +03:00
DmitriyLewen
f8b5733112 feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-30 22:05:34 +03:00
Rо́man
10796a2910 feat(server): redis with public TLS certs support (#3783) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-30 15:53:21 +03:00
simar7
abff1398c2 feat(flag): Add glob support to --skip-dirs and --skip-files (#3866) 2023-03-30 10:48:56 +03:00
Teppei Fukuda
b40f60c405 chore: replace make with mage (#3932) 2023-03-30 10:40:24 +03:00
DmitriyLewen
67236f6aac fix(sbom): add checksum to files (#3888) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-30 09:24:27 +03:00
dependabot[bot]
00de24b16e chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-30 09:23:39 +03:00
chenk
5976d1fa07 chore: remove unused mount volumes (#3927) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-03-30 07:33:03 +03:00
Teppei Fukuda
f14bed4532 feat: add auth support for downloading OCI artifacts (#3915) 2023-03-30 05:53:24 +03:00
DmitriyLewen
1ee05189f0 refactor(purl): use epoch in qualifier (#3913) 2023-03-28 13:26:56 +03:00
dependabot[bot]
0000252ce4 chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-28 13:22:47 +03:00
Teppei Fukuda
ca0d972cdb feat(image): add registry options (#3906) 2023-03-28 07:00:04 +03:00
AndreyLevchenko
0336555773 feat(rust): dependency tree and line numbers support for cargo lock file (#3746) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-26 14:43:45 +03:00
dependabot[bot]
dd9cd9528f chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-26 13:20:02 +03:00
DmitriyLewen
edb06826b4 feat(php): add support for location, licenses and graph for composer.lock files (#3873) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-26 12:02:53 +03:00
Crypt Keeper
c02b15b371 chore(deps): updates wazero to 1.0.0 (#3904) 
Signed-off-by: Adrian Cole <adrian@tetrate.io>
 2023-03-26 08:50:38 +03:00
Teppei Fukuda
63ef760c69 feat(image): discover SBOM in OCI referrers (#3768) 
Co-authored-by: saso <sasoakira6114@gmail.com>
 2023-03-26 08:27:10 +03:00
DmitriyLewen
3fa703c034 docs: change cache-dir key in config file (#3897) 2023-03-24 19:12:14 +03:00
DmitriyLewen
4d78747c40 fix(sbom): use release and epoch for SPDX package version (#3896) 2023-03-24 19:11:06 +03:00
afdesk
67572dff6d ci: add gpg signing for RPM packages (#3612) 2023-03-24 06:46:18 +03:00
adamcohen2
e76d5ff98a docs: Update incorrect comment for skip-update flag (#3878) 2023-03-23 07:25:01 +02:00
Teppei Fukuda
011ea60db4 refactor(misconf): simplify policy filesystem (#3875) 2023-03-23 06:27:29 +02:00
DmitriyLewen
6445309de4 feat(nodejs): parse package.json alongside yarn.lock (#3757) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-21 19:13:02 +02:00
DmitriyLewen
6e9c2c36da fix(spdx): add PkgDownloadLocation field (#3879) 2023-03-21 16:11:38 +02:00
DmitriyLewen
18eeea2f62 fix(report): try to guess direct deps for dependency tree (#3852) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-21 12:55:07 +02:00
DmitriyLewen
02b6914212 chore(amazon): update EOL (#3876) 2023-03-21 07:11:56 +02:00
DmitriyLewen
79096e1161 fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877) 2023-03-21 07:06:34 +02:00
DmitriyLewen
fc2e80cfe0 feat(amazon): add al2023 support (#3854) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-20 15:56:16 +02:00
dependabot[bot]
5f8d69d72e chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.0 to 3.1.2 (#3736) 2023-03-20 14:13:30 +02:00
simar7
7916aafffb docs(misconf): Add information about selectors (#3703) 
Signed-off-by: Simar <simar@linux.com>
 2023-03-20 14:12:35 +02:00
Shubham Palriwala
1b1ed39c7d docs(cli): update CLI docs with cobra (#3815) 2023-03-20 13:48:58 +02:00
chenk
234a360a7a feat: k8s parallel processing (#3693) 
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-20 13:34:38 +02:00
bgoareguer
b864b3b926 docs: add DefectDojo in the Security Management section (#3871) 2023-03-20 11:38:26 +02:00
Crypt Keeper
ad34c989de chore(deps): updates wazero to 1.0.0-rc.2 (#3853) 
Signed-off-by: Adrian Cole <adrian@tetrate.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-19 19:56:01 +02:00
Teppei Fukuda
7148de3252 refactor: add pipeline (#3868) 2023-03-19 19:55:36 +02:00
DmitriyLewen
927acf9579 feat(cli): add javadb metadata to version info (#3835) 2023-03-19 15:51:14 +02:00
simar7
33074cfab3 chore(deps): Move compliance types to defsec (#3842) 
Signed-off-by: Simar <simar@linux.com>
 2023-03-19 15:46:06 +02:00
saso
ba9b0410c9 feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849) 2023-03-19 15:40:58 +02:00
chenk
a754a04e2b feat: add node toleration option (#3823) 2023-03-19 14:05:57 +02:00
Teppei Fukuda
9e4b57fb43 fix: allow mapfs to open dirs (#3867) 2023-03-19 13:33:50 +02:00
DmitriyLewen
09fd299f96 fix(report): update uri only for os class targets (#3846) 2023-03-17 10:15:24 +02:00
DmitriyLewen
09e13022c2 feat(nodejs): Add v3 npm lock file support (#3826) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-15 21:54:59 +02:00
DmitriyLewen
52cbfebcdd feat(nodejs): parse package.json files alongside package-lock.json (#2916) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-15 21:54:01 +02:00
simar7
d6a2d6369a docs(misconf): Fix links to built in policies (#3841) 
Signed-off-by: Simar <simar@linux.com>
 2023-03-15 11:47:44 +02:00
dependabot[bot]
a12f58be57 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-14 11:17:36 +02:00
DmitriyLewen
ee518350c5 fix(java): skip empty files for jar post analyzer (#3832) 2023-03-14 11:15:31 +02:00
DmitriyLewen
3987a679f9 fix(docker): build healthcheck command for line without /bin/sh prefix (#3831) 2023-03-14 09:28:36 +02:00
Teppei Fukuda
2bb25e766b refactor(license): use goyacc for license parser (#3824) 2023-03-14 09:27:17 +02:00
dependabot[bot]
00c763bc10 chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-13 17:33:07 +02:00
chenk
cac5881bbb fix: populate timeout context to node-collector (#3766) 2023-03-13 13:10:37 +02:00
chenk
bd9c6e613e fix: exclude node collector scanning (#3771) 2023-03-13 11:40:23 +02:00
Ari Yonaty
20f10673b9 fix: display correct flag in error message when skipping java db update #3808 2023-03-13 00:39:17 +02:00
DmitriyLewen
1fac7bf1ba fix: disable jar analyzer for scanners other than vuln (#3810) 2023-03-13 00:11:25 +02:00
Masahiro331
aaf265881e fix(sbom): fix incompliant license format for spdx (#3335) 2023-03-12 17:21:25 +02:00
DmitriyLewen
f8307635ad fix(java): the project props take precedence over the parent's props (#3320) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2023-03-09 19:25:52 +02:00
DmitriyLewen
1aa3b7dc28 docs: add canary build info to README.md (#3799) 2023-03-09 13:36:04 +02:00
Anais Urlichs
57904c0f97 docs: adding link to gh token generation (#3784) 2023-03-08 14:24:02 +02:00
Anais Urlichs
bdccf72338 docs: changing docs in accordance with #3460 (#3787) 2023-03-08 14:23:17 +02:00
344 changed files with 13359 additions and 3807 deletions
Expand all files Collapse all files

4
.github/workflows/canary.yaml vendored
View File

@@ -16,7 +16,7 @@ jobs:
uses: ./.github/workflows/reusable-release.yaml
with:
goreleaser_config: goreleaser-canary.yml
goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
goreleaser_options: '--snapshot --clean --timeout 60m' # will not release
secrets: inherit
upload-binaries:
@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v3.2.6
uses: actions/cache@v3.3.1
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

2
.github/workflows/publish-chart.yaml vendored
View File

@@ -35,7 +35,7 @@ jobs:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
with:

4
.github/workflows/release.yaml vendored
View File

@@ -10,7 +10,7 @@ jobs:
uses: ./.github/workflows/reusable-release.yaml
with:
goreleaser_config: goreleaser.yml
goreleaser_options: '--rm-dist --timeout 90m'
goreleaser_options: '--clean --timeout 90m'
secrets: inherit
deploy-packages:
@@ -24,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v3.2.6
uses: actions/cache@v3.3.1
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

23
.github/workflows/reusable-release.yaml vendored
View File

@@ -65,7 +65,7 @@ jobs:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version-file: go.mod
@@ -75,16 +75,29 @@ jobs:
args: mod -licenses -json -output bom.json
version: ^v1
- name: "save gpg key"
env:
GPG_KEY: ${{ secrets.GPG_KEY }}
run: |
echo "$GPG_KEY" > gpg.key
- name: GoReleaser
uses: goreleaser/goreleaser-action@v4
with:
version: v1.4.1
version: v1.16.2
args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
env:
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
GPG_FILE: "gpg.key"
## push images to registries
## only for canary build
- name: "remove gpg key"
run: |
rm gpg.key
# Push images to registries (only for canary build)
# The custom Dockerfile.canary is necessary
# because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
- name: Build and push
if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
uses: docker/build-push-action@v4
@@ -99,7 +112,7 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v3.2.6
uses: actions/cache@v3.3.1
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.

1
.github/workflows/semantic-pr.yaml vendored
View File

@@ -47,6 +47,7 @@ jobs:
alpine
wolfi
chainguard
redhat
alma
rocky

2
.github/workflows/stale-issues.yaml vendored
View File

@@ -7,7 +7,7 @@ jobs:
timeout-minutes: 1
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v7
- uses: actions/stale@v8
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'

45
.github/workflows/test.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
- uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: oldstable
@@ -41,18 +41,27 @@ jobs:
- name: Lint
uses: golangci/golangci-lint-action@v3.4.0
with:
version: v1.49
version: v1.52
args: --deadline=30m
skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
if: matrix.operating-system == 'ubuntu-latest'
# Install tools
- uses: aquaproj/aqua-installer@v2.0.2
- name: Install tools
uses: aquaproj/aqua-installer@v2.0.2
with:
aqua_version: v1.25.0
- name: Check if CLI references are up-to-date
run: |
mage docs:generate
if [ -n "$(git status --porcelain)" ]; then
echo "Run 'mage docs:generate' and push it"
exit 1
fi
if: matrix.operating-system == 'ubuntu-latest'
- name: Run unit tests
run: make test
run: mage test:unit
integration:
name: Integration Test
@@ -62,12 +71,17 @@ jobs:
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.0.2
with:
aqua_version: v1.25.0
- name: Run integration tests
run: make test-integration
run: mage test:integration
module-test:
name: Module Integration Test
@@ -77,19 +91,19 @@ jobs:
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version-file: go.mod
# Install tools
- uses: aquaproj/aqua-installer@v2.0.2
- name: Install tools
uses: aquaproj/aqua-installer@v2.0.2
with:
aqua_version: v1.25.0
- name: Run module integration tests
shell: bash
run: |
make test-module-integration
mage test:module
build-test:
name: Build Test
@@ -111,13 +125,14 @@ jobs:
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v4
with:
version: v1.4.1
args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
version: v1.16.2
args: release --skip-sign --snapshot --clean --skip-publish --timeout 90m
env:
GPG_FILE: "nogpg.key"

8
.github/workflows/vm-test.yaml vendored
View File

@@ -24,9 +24,13 @@ jobs:
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.0.2
with:
aqua_version: v1.25.0
- name: Run vm integration tests
run: |
make test-vm-integration
mage test:vm

5
.gitignore vendored
View File

@@ -34,4 +34,7 @@ integration/testdata/fixtures/vm-images
dist
# WebAssembly
*.wasm
*.wasm
# Signing
gpg.key

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.17.2
FROM alpine:3.17.3
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/

5
Dockerfile.canary
View File

@@ -1,10 +1,11 @@
FROM alpine:3.17.2
FROM alpine:3.17.3
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser
# need to copy binaries from folder with correct architecture
# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64
ARG TARGETARCH
COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
COPY contrib/*.tpl contrib/
ENTRYPOINT ["trivy"]

3
Dockerfile.protoc
View File

@@ -10,3 +10,6 @@ RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/down
RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
RUN go install github.com/magefile/mage@v1.14.0
ENV TRIVY_PROTOC_CONTAINER=true

135
Makefile
View File

@@ -1,135 +0,0 @@
VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
GOPATH := $(firstword $(subst :, ,$(shell go env GOPATH)))
GOBIN := $(GOPATH)/bin
GOSRC := $(GOPATH)/src
TEST_MODULE_DIR := pkg/module/testdata
TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
EXAMPLE_MODULE_DIR := examples/module
EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
MKDOCS_IMAGE := aquasec/mkdocs-material:dev
MKDOCS_PORT := 8000
export CGO_ENABLED := 0
u := $(if $(update),-u)
# Tools
$(GOBIN)/wire:
go install github.com/google/wire/cmd/wire@v0.5.0
$(GOBIN)/crane:
go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
$(GOBIN)/golangci-lint:
curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
$(GOBIN)/labeler:
go install github.com/knqyf263/labeler@latest
$(GOBIN)/easyjson:
go install github.com/mailru/easyjson/...@v0.7.7
.PHONY: wire
wire: $(GOBIN)/wire
wire gen ./pkg/commands/... ./pkg/rpc/...
.PHONY: mock
mock: $(GOBIN)/mockery
mockery -all -inpkg -case=snake -dir $(DIR)
.PHONY: deps
deps:
go get ${u} -d
go mod tidy
.PHONY: generate-test-modules
generate-test-modules: $(TEST_MODULES)
# Compile WASM modules for unit and integration tests
%.wasm:%.go
@if !(type "tinygo" > /dev/null 2>&1); then \
echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
exit 1; \
fi
go generate $<
# Run unit tests
.PHONY: test
test: $(TEST_MODULES)
go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
mkdir -p integration/testdata/fixtures/images/
integration/scripts/download-images.sh
# Run integration tests
.PHONY: test-integration
test-integration: integration/testdata/fixtures/images/*.tar.gz
go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
# Run WASM integration tests
.PHONY: test-module-integration
test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
go test -v -tags=module_integration ./integration/...
# Run VM integration tests
.PHONY: test-vm-integration
test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
go test -v -tags=vm_integration ./integration/...
integration/testdata/fixtures/vm-images/*.img.gz:
integration/scripts/download-vm-images.sh
.PHONY: lint
lint: $(GOBIN)/golangci-lint
$(GOBIN)/golangci-lint run --timeout 5m
.PHONY: fmt
fmt:
find ./ -name "*.proto" | xargs clang-format -i
.PHONY: build
build:
go build $(LDFLAGS) ./cmd/trivy
.PHONY: protoc
protoc:
docker build -t trivy-protoc - < Dockerfile.protoc
docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
_protoc:
for path in `find ./rpc/ -name "*.proto" -type f`; do \
protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
done
.PHONY: install
install:
go install $(LDFLAGS) ./cmd/trivy
.PHONY: clean
clean:
rm -rf integration/testdata/fixtures/images
# Create labels on GitHub
.PHONY: label
label: $(GOBIN)/labeler
labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5
# Run MkDocs development server to preview the documentation page
.PHONY: mkdocs-serve
mkdocs-serve:
docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
# Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
.PHONY: easyjson
easyjson: $(GOBIN)/easyjson
easyjson pkg/module/serialize/types.go

5
README.md
View File

@@ -51,6 +51,11 @@ Trivy is integrated with many popular platforms and applications. The complete l
- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
- See [Ecosystem] for more
### Canary builds
There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
### General usage
```bash

1
aqua.yaml
View File

@@ -6,3 +6,4 @@ registries:
ref: v3.106.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.26.0
- name: magefile/mage@v1.14.0

1
contrib/install.sh
View File

@@ -127,6 +127,7 @@ adjust_arch() {
386) ARCH=32bit ;;
amd64) ARCH=64bit ;;
arm) ARCH=ARM ;;
armv7) ARCH=ARM ;;
arm64) ARCH=ARM64 ;;
ppc64le) OS=PPC64LE ;;
darwin) ARCH=macOS ;;

83
docs/community/contribute/pr.md
View File

@@ -9,11 +9,66 @@ Thank you for taking interest in contributing to Trivy!
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
### Title
## Development
Install the necessary tools for development by following their respective installation instructions.
- [Go](https://go.dev/doc/install)
- [Mage](https://magefile.org/)
### Build
After making changes to the Go source code, build the project with the following command:
```shell
$ mage build
$ ./trivy -h
```
### Lint
You must pass the linter checks:
```shell
$ mage lint
```
Additionally, you need to have run `go mod tidy`, so execute the following command as well:
```shell
$ mage tidy
```
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
```
$ mage test:unit
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ mage test:integration
```
### Documentation
If you update CLI flags, you need to generate the CLI references.
The test will fail if they are not up-to-date.
```shell
$ mage docs:generate
```
You can build the documents as below and view it at http://localhost:8000.
```
$ mage docs:serve
```
## Title
It is not that strict, but we use the title conventions in this repository.
Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
#### Format of the title
### Format of the title
```
<type>(<scope>): <subject>
@@ -122,7 +177,7 @@ others:
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
#### Example titles
### Example titles
```
feat(alma): add support for AlmaLinux
@@ -143,33 +198,15 @@ chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
## Commits
```
$ make test
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ make test-integration
```
### Documentation
You can build the documents as below and view it at http://localhost:8000.
```
$ make mkdocs-serve
```
## Understand where your pull request belongs
Trivy is composed of several repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.

9
docs/docs/advanced/private-registries/docker-hub.md
View File

@@ -1,7 +1,2 @@
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
You don't need to set ENV vars when download from public repository.
```bash
export TRIVY_USERNAME={DOCKERHUB_USERNAME}
export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
```
See [here](./index.md) for the detail.
You don't need to provide a credential when download from public repository.

51
docs/docs/advanced/private-registries/index.md
View File

@@ -1,4 +1,49 @@
Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
That's because it's easy to run in a CI process.
Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
This makes it easy to run within a CI process.
All you have to do is install `Trivy` and set ENV vars.
## Credential
To use Trivy with private images, simply install it and provide your credentials:
```shell
$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
```
Trivy also supports providing credentials through CLI flags:
```shell
$ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE_IMAGE
```
!!! warning
The CLI flag `--password` is available, but its use is not recommended for security reasons.
You can also store your credentials in `trivy.yaml`.
For more information, please refer to [the documentation](../../references/customization/config-file.md).
It can handle multiple sets of credentials as well:
```shell
$ export TRIVY_USERNAME=USERNAME1,USERNAME2
$ export TRIVY_PASSWORD=PASSWORD1,PASSWORD2
$ trivy image YOUR_PRIVATE_IMAGE
```
In the example above, Trivy attempts to use two pairs of credentials:
- USERNAME1/PASSWORD1
- USERNAME2/PASSWORD2
Please note that the number of usernames and passwords must be the same.
## docker login
If you have Docker configured locally and have set up the credentials, Trivy can access them.
```shell
$ docker login ghcr.io
Username:
Password:
$ trivy image ghcr.io/your/private_image
```
!!! note
`docker login` can be used with any container runtime, such as Podman.

51
docs/docs/misconfiguration/custom/selectors.md Normal file
View File

@@ -0,0 +1,51 @@
# Input Selectors
## Overview
Sometimes you might want to limit a certain policy to only be run on certain resources. This can be
achieved with input selectors.
## Use case
For instance, if you have a custom policy that you only want to be evaluated if a certain resource type is being scanned.
In such a case you could utilize input selectors to limit its evaluation on only those resources.
!!! example
```
# METADATA
# title: "RDS Publicly Accessible"
# description: "Ensures RDS instances are not launched into the public cloud."
# custom:
# input:
# selector:
# - type: cloud
# subtypes:
# - provider: aws
# service: rds
package builtin.aws.rds.aws0999
deny[res] {
instance := input.aws.rds.instances[_]
instance.publicaccess.value
res := result.new("Instance has Public Access enabled", instance.publicaccess)
```
Observe the following `subtypes` defined:
```yaml
# subtypes:
# - provider: aws
# service: rds
```
They will ensure that the policy is only run when the input to such a policy contains an `RDS` instance.
## Enabling selectors and subtypes
Currently, the following are supported:
| Selector | Subtype fields required | Example |
|--------------------------|-------------------------|---------------------------------|
| Cloud (AWS, Azure, etc.) | `provider`, `service` | `provider: aws`, `service: rds` |
| Kubernetes | | `type: kubernetes` |
| Dockerfile | | `type: dockerfile` |
## Default behaviour
If no subtypes or selectors are specified, the policy will be evaluated regardless of input.

6
docs/docs/misconfiguration/policy/builtin.md
View File

@@ -13,7 +13,6 @@ Those policies are managed under [defsec repository][defsec].
| CloudFormation | [defsec][defsec] |
| Azure ARM Template | [defsec][defsec] |
| Helm Chart | [defsec][kubernetes] |
| RBAC | [defsec][rbac] |
For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
@@ -30,7 +29,6 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
[defsec]: https://github.com/aquasecurity/defsec
[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
[docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/policies/docker
[kubernetes]: https://github.com/aquasecurity/defsec/tree/master/rules/kubernetes/policies
[docker]: https://github.com/aquasecurity/defsec/tree/master/rules/docker/policies
[ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec

74
docs/docs/references/cli/client.md
View File

@@ -1,74 +0,0 @@
# Client
```bash
Usage:
trivy client [flags] IMAGE_NAME
Aliases:
client, c
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--scanners string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the os of image ends of service/life
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
--report string specify a report format for the output. (all,summary) (default "all")
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update java indexes database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating java indexes database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Client/Server Flags
--custom-headers strings custom headers in client mode
--remote string server address (default "http://localhost:4954")
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

28
docs/docs/references/cli/completion.md
View File

@@ -1,28 +0,0 @@
# Completion
```bash
Generate the autocompletion script for trivy for the specified shell.
See each sub-command's help for details on how to use the generated script.
Usage:
trivy completion [command]
Available Commands:
bash Generate the autocompletion script for bash
fish Generate the autocompletion script for fish
powershell Generate the autocompletion script for powershell
zsh Generate the autocompletion script for zsh
Flags:
-h, --help help for completion
Global Flags:
--cache-dir string cache directory (default "/Users/didier/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

49
docs/docs/references/cli/config.md
View File

@@ -1,49 +0,0 @@
# Config
``` bash
Scan config files for misconfigurations
Usage:
trivy config [flags] DIR
Aliases:
config, conf
Scan Flags
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignorefile string specify .trivyignore file (default ".trivyignore")
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

88
docs/docs/references/cli/fs.md
View File

@@ -1,88 +0,0 @@
# Filesystem
```bash
Scan local filesystem
Usage:
trivy filesystem [flags] PATH
Aliases:
filesystem, fs
Examples:
# Scan a local project including language-specific files
$ trivy fs /path/to/your_project
# Scan a single file
$ trivy fs ./trivy-ci-test/Pipfile.lock
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--scanners string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update java indexes database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating java indexes database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
License Flags
--ignored-licenses strings specify a list of license to ignore
--license-full eagerly look for licenses in source code headers and license files
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

107
docs/docs/references/cli/image.md
View File

@@ -1,107 +0,0 @@
# Image
```bash
Scan a container image
Usage:
trivy image [flags] IMAGE_NAME
Aliases:
image, i
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Filter by severities
$ trivy image --severity HIGH,CRITICAL alpine:3.15
# Ignore unfixed/unpatched vulnerabilities
$ trivy image --ignore-unfixed alpine:3.15
# Scan a container image in client mode
$ trivy image --server http://127.0.0.1:4954 alpine:latest
# Generate json result
$ trivy image --format json --output result.json alpine:3.15
# Generate a report in the CycloneDX format
$ trivy image --format cyclonedx --output result.cdx alpine:3.15
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--scanners string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the os of image ends of service/life
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update java indexes database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating java indexes database
Image Flags
--input string input file path instead of image name
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
License Flags
--ignored-licenses strings specify a list of license to ignore
--license-full eagerly look for licenses in source code headers and license files
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

51
docs/docs/references/cli/index.md
View File

@@ -1,51 +0,0 @@
Trivy has several sub commands, image, fs, repo, client and server.
``` bash
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Available Commands:
completion Generate the autocompletion script for the specified shell
config Scan config files for misconfigurations
filesystem Scan local filesystem
help Help about any command
image Scan a container image
kubernetes scan kubernetes cluster
module Manage modules
plugin Manage plugins
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
```

34
docs/docs/references/cli/plugin.md
View File

@@ -1,34 +0,0 @@
# Plugin
```bash
Manage plugins
Usage:
trivy plugin [command]
Aliases:
plugin, p
Available Commands:
info Show information about the specified plugin
install Install a plugin
list List installed plugin
run Run a plugin on the fly
uninstall Uninstall a plugin
update Update an existing plugin
Flags:
-h, --help help for plugin
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy plugin [command] --help" for more information about a command.
```

90
docs/docs/references/cli/repo.md
View File

@@ -1,90 +0,0 @@
# Repository
```bash
Scan a remote repository
Usage:
trivy repository [flags] REPO_URL
Aliases:
repository, repo
Examples:
# Scan your remote git repository
$ trivy repo https://github.com/knqyf263/trivy-ci-test
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--scanners string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update java indexes database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating java indexes database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
License Flags
--ignored-licenses strings specify a list of license to ignore
--license-full eagerly look for licenses in source code headers and license files
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Repository Flags
--branch string pass the branch name to be scanned
--commit string pass the commit hash to be scanned
--tag string pass the tag name to be scanned
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

97
docs/docs/references/cli/rootfs.md
View File

@@ -1,97 +0,0 @@
# Rootfs
```bash
Scan rootfs
Usage:
trivy rootfs [flags] ROOTDIR
Examples:
# Scan unpacked filesystem
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy rootfs /tmp/rootfs
# Scan from inside a container
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy rootfs /
Scan Flags
--file-patterns strings specify config file patterns
--offline-scan do not issue API requests to identify dependencies
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update java indexes database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating java indexes database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
--include-non-failures include successes and exceptions, available with '--scanners config'
--tf-vars strings specify paths to override the Terraform tfvars files
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
License Flags
--ignored-licenses strings specify a list of license to ignore
--license-full eagerly look for licenses in source code headers and license files
Rego Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

73
docs/docs/references/cli/sbom.md
View File

@@ -1,73 +0,0 @@
# SBOM
```bash
Scan SBOM for vulnerabilities
Usage:
trivy sbom [flags] SBOM_PATH
Examples:
# Scan CycloneDX and show the result in tables
$ trivy sbom /path/to/report.cdx
# Scan CycloneDX and generate a CycloneDX report
$ trivy sbom --format cyclonedx /path/to/report.cdx
# Scan CycloneDX-type attestation and show the result in tables
$ trivy sbom /path/to/report.cdx.intoto.jsonl
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--scanners string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
Report Flags
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update java indexes database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating java indexes database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

49
docs/docs/references/cli/server.md
View File

@@ -1,49 +0,0 @@
# Server
```bash
Server mode
Usage:
trivy server [flags]
Aliases:
server, s
Examples:
# Run a server
$ trivy server
# Listen on 0.0.0.0:10000
$ trivy server --listen 0.0.0.0:10000
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Client/Server Flags
--listen string listen address in server mode (default "localhost:4954")
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

59
docs/docs/references/cli/trivy.md Normal file
View File

@@ -0,0 +1,59 @@
## trivy
Unified security scanner
### Synopsis
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
```
trivy [global flags] command [flags] target
```
### Examples
```
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
```
### Options
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy aws](trivy_aws.md) - [EXPERIMENTAL] Scan AWS account
* [trivy config](trivy_config.md) - Scan config files for misconfigurations
* [trivy filesystem](trivy_filesystem.md) - Scan local filesystem
* [trivy image](trivy_image.md) - Scan a container image
* [trivy kubernetes](trivy_kubernetes.md) - [EXPERIMENTAL] Scan kubernetes cluster
* [trivy module](trivy_module.md) - Manage modules
* [trivy plugin](trivy_plugin.md) - Manage plugins
* [trivy repository](trivy_repository.md) - Scan a remote repository
* [trivy rootfs](trivy_rootfs.md) - Scan rootfs
* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities
* [trivy server](trivy_server.md) - Server mode
* [trivy version](trivy_version.md) - Print the version
* [trivy vm](trivy_vm.md) - [EXPERIMENTAL] Scan a virtual machine image

116
docs/docs/references/cli/trivy_aws.md Normal file
View File

@@ -0,0 +1,116 @@
## trivy aws
[EXPERIMENTAL] Scan AWS account
### Synopsis
Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
The following services are supported:
- accessanalyzer
- api-gateway
- athena
- cloudfront
- cloudtrail
- cloudwatch
- codebuild
- documentdb
- dynamodb
- ec2
- ecr
- ecs
- efs
- eks
- elasticache
- elasticsearch
- elb
- emr
- iam
- kinesis
- kms
- lambda
- mq
- msk
- neptune
- rds
- redshift
- s3
- sns
- sqs
- ssm
- workspaces
```
trivy aws [flags]
```
### Examples
```
# basic scanning
$ trivy aws --region us-east-1
# limit scan to a single service:
$ trivy aws --region us-east-1 --service s3
# limit scan to multiple services:
$ trivy aws --region us-east-1 --service s3 --service ec2
# force refresh of cache for fresh results
$ trivy aws --region us-east-1 --update-cache
```
### Options
```
--account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
--arn string The AWS ARN to show results for. Useful to filter results once a scan is cached.
--compliance string compliance report to generate (aws-cis-1.2, aws-cis-1.4)
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--endpoint string AWS Endpoint override
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for aws
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
-o, --output string output file name
--policy-namespaces strings Rego namespaces
--region string AWS Region to scan
--report string specify a report format for the output. (all,summary) (default "all")
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--trace enable more verbose trace output for custom queries
--update-cache Update the cache for the applicable cloud provider instead of using cached results.
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

64
docs/docs/references/cli/trivy_config.md Normal file
View File

@@ -0,0 +1,64 @@
## trivy config
Scan config files for misconfigurations
```
trivy config [flags] DIR
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for config
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

98
docs/docs/references/cli/trivy_filesystem.md Normal file
View File

@@ -0,0 +1,98 @@
## trivy filesystem
Scan local filesystem
```
trivy filesystem [flags] PATH
```
### Examples
```
# Scan a local project including language-specific files
$ trivy fs /path/to/your_project
# Scan a single file
$ trivy fs ./trivy-ci-test/Pipfile.lock
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for filesystem
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

120
docs/docs/references/cli/trivy_image.md Normal file
View File

@@ -0,0 +1,120 @@
## trivy image
Scan a container image
```
trivy image [flags] IMAGE_NAME
```
### Examples
```
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Filter by severities
$ trivy image --severity HIGH,CRITICAL alpine:3.15
# Ignore unfixed/unpatched vulnerabilities
$ trivy image --ignore-unfixed alpine:3.15
# Scan a container image in client mode
$ trivy image --server http://127.0.0.1:4954 alpine:latest
# Generate json result
$ trivy image --format json --output result.json alpine:3.15
# Generate a report in the CycloneDX format
$ trivy image --format cyclonedx --output result.cdx alpine:3.15
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (docker-cis)
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for image
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-config-scanners string comma-separated list of what security issues to detect on container image configurations (config,secret)
--include-non-failures include successes and exceptions, available with '--scanners config'
--input string input file path instead of image name
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--platform string set platform in the form os/arch if image is multi-platform capable
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (default "summary")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

106
docs/docs/references/cli/trivy_kubernetes.md Normal file
View File

@@ -0,0 +1,106 @@
## trivy kubernetes
[EXPERIMENTAL] Scan kubernetes cluster
```
trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: pods, pod/NAME }
```
### Examples
```
# cluster scanning
$ trivy k8s --report summary cluster
# namespace scanning:
$ trivy k8s -n kube-system --report summary all
# resources scanning:
$ trivy k8s --report=summary deploy
$ trivy k8s --namespace=kube-system --report=summary deploy,configmaps
# resource scanning:
$ trivy k8s deployment/orion
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (k8s-nsa,k8s-cis, k8s-pss-baseline, k8s-pss-restricted)
--components strings specify which components to scan (default [workload,infra])
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--context string specify a context to scan
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for kubernetes
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-n, --namespace string specify a namespace to scan
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--parallel int number (between 1-20) of goroutines enabled for parallel scanning (default 5)
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output. (all,summary) (default "all")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners string comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
--trace enable more verbose trace output for custom queries
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

31
docs/docs/references/cli/trivy_module.md Normal file
View File

@@ -0,0 +1,31 @@
## trivy module
Manage modules
### Options
```
--enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for module
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner
* [trivy module install](trivy_module_install.md) - Install a module
* [trivy module uninstall](trivy_module_uninstall.md) - Uninstall a module

33
docs/docs/references/cli/trivy_module_install.md Normal file
View File

@@ -0,0 +1,33 @@
## trivy module install
Install a module
```
trivy module install [flags] REPOSITORY
```
### Options
```
-h, --help help for install
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--enable-modules strings [EXPERIMENTAL] module names to enable
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy module](trivy_module.md) - Manage modules

33
docs/docs/references/cli/trivy_module_uninstall.md Normal file
View File

@@ -0,0 +1,33 @@
## trivy module uninstall
Uninstall a module
```
trivy module uninstall [flags] REPOSITORY
```
### Options
```
-h, --help help for uninstall
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--enable-modules strings [EXPERIMENTAL] module names to enable
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy module](trivy_module.md) - Manage modules

33
docs/docs/references/cli/trivy_plugin.md Normal file
View File

@@ -0,0 +1,33 @@
## trivy plugin
Manage plugins
### Options
```
-h, --help help for plugin
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner
* [trivy plugin info](trivy_plugin_info.md) - Show information about the specified plugin
* [trivy plugin install](trivy_plugin_install.md) - Install a plugin
* [trivy plugin list](trivy_plugin_list.md) - List installed plugin
* [trivy plugin run](trivy_plugin_run.md) - Run a plugin on the fly
* [trivy plugin uninstall](trivy_plugin_uninstall.md) - Uninstall a plugin
* [trivy plugin update](trivy_plugin_update.md) - Update an existing plugin

35
docs/docs/references/cli/module.md → docs/docs/references/cli/trivy_plugin_info.md
View File

@@ -1,30 +1,31 @@
# Module
## trivy plugin info
```bash
Manage modules
Show information about the specified plugin
Usage:
trivy module [command]
```
trivy plugin info PLUGIN_NAME
```
Aliases:
module, m
### Options
Available Commands:
install Install a module
uninstall Uninstall a module
```
-h, --help help for info
```
Flags:
-h, --help help for module
### Options inherited from parent commands
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections when using TLS
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy plugin](trivy_plugin.md) - Manage plugins
Use "trivy module [command] --help" for more information about a command.
```

31
docs/docs/references/cli/trivy_plugin_install.md Normal file
View File

@@ -0,0 +1,31 @@
## trivy plugin install
Install a plugin
```
trivy plugin install URL | FILE_PATH
```
### Options
```
-h, --help help for install
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy plugin](trivy_plugin.md) - Manage plugins

31
docs/docs/references/cli/trivy_plugin_list.md Normal file
View File

@@ -0,0 +1,31 @@
## trivy plugin list
List installed plugin
```
trivy plugin list
```
### Options
```
-h, --help help for list
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy plugin](trivy_plugin.md) - Manage plugins

31
docs/docs/references/cli/trivy_plugin_run.md Normal file
View File

@@ -0,0 +1,31 @@
## trivy plugin run
Run a plugin on the fly
```
trivy plugin run URL | FILE_PATH
```
### Options
```
-h, --help help for run
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy plugin](trivy_plugin.md) - Manage plugins

31
docs/docs/references/cli/trivy_plugin_uninstall.md Normal file
View File

@@ -0,0 +1,31 @@
## trivy plugin uninstall
Uninstall a plugin
```
trivy plugin uninstall PLUGIN_NAME
```
### Options
```
-h, --help help for uninstall
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy plugin](trivy_plugin.md) - Manage plugins

31
docs/docs/references/cli/trivy_plugin_update.md Normal file
View File

@@ -0,0 +1,31 @@
## trivy plugin update
Update an existing plugin
```
trivy plugin update PLUGIN_NAME
```
### Options
```
-h, --help help for update
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy plugin](trivy_plugin.md) - Manage plugins

98
docs/docs/references/cli/trivy_repository.md Normal file
View File

@@ -0,0 +1,98 @@
## trivy repository
Scan a remote repository
```
trivy repository [flags] REPO_URL
```
### Examples
```
# Scan your remote git repository
$ trivy repo https://github.com/knqyf263/trivy-ci-test
```
### Options
```
--branch string pass the branch name to be scanned
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--commit string pass the commit hash to be scanned
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for repository
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
--tag string pass the tag name to be scanned
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

102
docs/docs/references/cli/trivy_rootfs.md Normal file
View File

@@ -0,0 +1,102 @@
## trivy rootfs
Scan rootfs
```
trivy rootfs [flags] ROOTDIR
```
### Examples
```
# Scan unpacked filesystem
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy rootfs /tmp/rootfs
# Scan from inside a container
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy rootfs /
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for rootfs
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

84
docs/docs/references/cli/trivy_sbom.md Normal file
View File

@@ -0,0 +1,84 @@
## trivy sbom
Scan SBOM for vulnerabilities
```
trivy sbom [flags] SBOM_PATH
```
### Examples
```
# Scan CycloneDX and show the result in tables
$ trivy sbom /path/to/report.cdx
# Scan CycloneDX and generate a CycloneDX report
$ trivy sbom --format cyclonedx /path/to/report.cdx
# Scan CycloneDX-type attestation and show the result in tables
$ trivy sbom /path/to/report.cdx.intoto.jsonl
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-h, --help help for sbom
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

65
docs/docs/references/cli/trivy_server.md Normal file
View File

@@ -0,0 +1,65 @@
## trivy server
Server mode
```
trivy server [flags]
```
### Examples
```
# Run a server
$ trivy server
# Listen on 0.0.0.0:10000
$ trivy server --listen 0.0.0.0:10000
```
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for server
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--listen string listen address in server mode (default "localhost:4954")
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating Java index database
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

32
docs/docs/references/cli/trivy_version.md Normal file
View File

@@ -0,0 +1,32 @@
## trivy version
Print the version
```
trivy version [flags]
```
### Options
```
-f, --format string version format (json)
-h, --help help for version
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

94
docs/docs/references/cli/trivy_vm.md Normal file
View File

@@ -0,0 +1,94 @@
## trivy vm
[EXPERIMENTAL] Scan a virtual machine image
```
trivy vm [flags] VM_IMAGE
```
### Examples
```
# Scan your AWS AMI
$ trivy vm --scanners vuln ami:${your_ami_id}
# Scan your AWS EBS snapshot
$ trivy vm ebs:${your_ebs_snapshot_id}
```
### Options
```
--aws-region string AWS region to scan
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for vm
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-java-db-update skip updating Java index database
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

20
docs/docs/references/customization/config-file.md
View File

@@ -25,7 +25,8 @@ timeout: 10m
# Same as '--cache-dir'
# Default is your system cache dir
cache-dir: $HOME/.cache/trivy
cache:
dir: $HOME/.cache/trivy
```
## Report Options
@@ -162,6 +163,23 @@ db:
java-repository: ghcr.io/aquasecurity/trivy-java-db
```
## Registry Options
```yaml
registry:
# Same as '--username'
# Default is empty
username:
# Same as '--password'
# Default is empty
password:
# Same as '--registry-token'
# Default is empty
registry-token:
```
## Image Options
Available with container image scanning

36
docs/docs/target/container_image.md
View File

@@ -375,10 +375,41 @@ $ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
```
## SBOM generation
## SBOM
Trivy supports the generation of Software Bill of Materials (SBOM) for container images and the search for SBOMs during vulnerability scanning.
### Generation
Trivy can generate SBOM for container images.
See [here](../sbom/index.md) for the detail.
### Discovery
Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
To enable this functionality, you need to specify the `--sbom-sources` flag.
The following two sources are supported:
- OCI Registry (`oci`)
- Rekor (`rekor`)
Example:
```bash
$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers
2023-03-05T17:36:55.278+0200 INFO Vulnerability scanning is enabled
2023-03-05T17:36:58.103+0200 INFO Detected SBOM format: cyclonedx-json
2023-03-05T17:36:58.129+0200 INFO Found SBOM (cyclonedx) in the OCI referrers
...
ghcr.io/knqyf263/oci-referrers (alpine 3.16.2)
==============================================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 3)
```
The OCI Registry utilizes the [Referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers).
For more information about Rekor, please refer to [its documentation](../attestation/rekor.md).
## Compliance
!!! warning "EXPERIMENTAL"
@@ -406,6 +437,9 @@ $ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
!!! note
The `Issues` column represent the total number of failed checks for this control.
## Authentication
Please reference [this page](../advanced/private-registries/index.md).
## Options
### Scan Image on a specific Architecture and OS
By default, Trivy loads an image on a "linux/amd64" machine.

2
docs/docs/target/git-repository.md
View File

@@ -222,6 +222,8 @@ In order to scan private GitHub or GitLab repositories, the environment variable
The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
You can find how to generate your GitHub Token in the following [GitHub documentation.](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
For example:
```

38
docs/docs/vulnerability/db.md Normal file
View File

@@ -0,0 +1,38 @@
# Database
Trivy uses two types of databases for vulnerability detection:
- Vulnerability Database
- Java Index Database
This page provides detailed information about these databases.
## Vulnerability Database
Trivy utilizes a database containing vulnerability information.
This database is built every six hours on [GitHub](https://github.com/aquasecurity/trivy-db) and is distributed via [GitHub Container registry (GHCR)](https://ghcr.io/aquasecurity/trivy-db).
The database is cached and updated as needed.
As Trivy updates the database automatically during execution, users don't need to be concerned about it.
For CLI flags related to the database, please refer to [this page](./examples/db.md).
### Private Hosting
If you host the database on your own OCI registry, you can specify a different repository with the `--db-repository` flag.
The default is `ghcr.io/aquasecurity/trivy-db`.
```shell
$ trivy image --db-repository YOUR_REPO YOUR_IMAGE
```
If authentication is required, it can be configured in the same way as for private images.
Please refer to [the documentation](../advanced/private-registries/index.md) for more details.
## Java Index Database
This database is only downloaded when scanning JAR files so that Trivy can identify the groupId, artifactId, and version of JAR files.
It is built once a day on [GitHub](https://github.com/aquasecurity/trivy-java-db) and distributed via [GitHub Container registry (GHCR)](https://ghcr.io/aquasecurity/trivy-java-db).
Like the vulnerability database, it is automatically downloaded and updated when needed, so users don't need to worry about it.
### Private Hosting
If you host the database on your own OCI registry, you can specify a different repository with the `--java-db-repository` flag.
The default is `ghcr.io/aquasecurity/trivy-java-db`.
If authentication is required, you need to run `docker login YOUR_REGISTRY`.
Currently, specifying a username and password is not supported.

2
docs/docs/vulnerability/detection/data-source.md
View File

@@ -5,6 +5,7 @@
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] |
| | [OVAL][debian-oval] |
@@ -61,6 +62,7 @@ The severity is from the selected data source. If the data source does not provi
[arch]: https://security.archlinux.org/
[alpine]: https://secdb.alpinelinux.org/
[wolfi]: https://packages.wolfi.dev/os/security.json
[chainguard]: https://packages.cgr.dev/chainguard/security.json
[amazon]: https://alas.aws.amazon.com/
[debian-tracker]: https://security-tracker.debian.org/tracker/
[debian-oval]: https://www.debian.org/security/oval/

5
docs/docs/vulnerability/detection/language.md
View File

@@ -11,7 +11,7 @@
| | requirements.txt | - | - | ✅ | ✅ | included | - |
| | egg package[^1] | ✅ | ✅ | - | - | excluded | - |
| | wheel package[^2] | ✅ | ✅ | - | - | excluded | - |
| PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded | - |
| PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded | |
| Node.js | package-lock.json | - | - | ✅ | ✅ | excluded | ✅ |
| | yarn.lock | - | - | ✅ | ✅ | included | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded | - |
@@ -24,7 +24,7 @@
| | *gradle.lockfile | - | - | ✅ | ✅ | excluded | - |
| Go | Binaries built by Go[^6] | ✅ | ✅ | - | - | excluded | - |
| | go.mod[^7] | - | - | ✅ | ✅ | included | - |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ | included | - |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ | excluded | |
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - | excluded | - |
| C/C++ | conan.lock[^13] | - | - | ✅ | ✅ | excluded | - |
| Elixir | mix.lock[^13] | - | - | ✅ | ✅ | excluded | ✅ |
@@ -47,3 +47,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^12]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../examples/report.md#json) and [sarif](../examples/report.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
[^13]: To scan a filename other than the default filename use [file-patterns](../examples/others.md#file-patterns)
[^14]: When you scan `Cargo.lock` and `Cargo.toml` together. See about it [here](../languages/rust.md#cargo).

3
docs/docs/vulnerability/detection/os.md
View File

@@ -6,6 +6,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
|----------------------------------|-------------------------------------------|-------------------------------|:------------------------------------:|
| Alpine Linux | 2.2 - 2.7, 3.0 - 3.17, edge | Installed by apk | NO |
| Wolfi Linux | (n/a) | Installed by apk | NO |
| Chainguard | (n/a) | Installed by apk | NO |
| Red Hat Universal Base Image[^1] | 7, 8, 9 | Installed by yum/rpm | YES |
| Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES |
| CentOS | 6, 7, 8 | Installed by yum/rpm | YES |
@@ -13,7 +14,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
| Rocky Linux | 8, 9 | Installed by yum/rpm | NO |
| Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | NO |
| CBL-Mariner | 1.0, 2.0 | Installed by yum/rpm | YES |
| Amazon Linux | 1, 2, 2022 | Installed by yum/rpm | NO |
| Amazon Linux | 1, 2, 2023 | Installed by yum/rpm | NO |
| openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO |
| SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO |
| Photon OS | 1.0, 2.0, 3.0, 4.0 | Installed by tdnf/yum/rpm | NO |

17
docs/docs/vulnerability/examples/cache.md
View File

@@ -1,4 +1,5 @@
# Cache
The cache directory includes [the vulnerability database][trivy-db], [the Java index database][trivy-java-db][^1], [misconfiguration policies][misconf-policies][^2] and cache of previous scans.
## Clear Caches
The `--clear-cache` option removes caches.
@@ -44,7 +45,14 @@ Two options:
$ trivy server --cache-backend redis://localhost:6379
```
Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
If you want to use TLS with Redis, you can enable it by specifying the `--redis-tls` flag.
```shell
$ trivy server --cache-backend redis://localhost:6379 --redis-tls
```
Trivy also supports for connecting to Redis with your certificates.
You need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` options.
```
$ trivy server --cache-backend redis://localhost:6379 \
@@ -53,4 +61,9 @@ $ trivy server --cache-backend redis://localhost:6379 \
--redis-key /path/to/key.pem
```
TLS option for redis is hidden from Trivy command-line flag, but you still can use it.
[trivy-db]: ../db.md#vulnerability-database
[trivy-java-db]: ../db.md#java-index-database
[misconf-policies]: ../../misconfiguration/policy/builtin.md
[^1]: The Java Index Database is downloaded for scanning `jar/war/par/ear` files.
[^2]: Misconfiguration policies are downloaded for misconfiguration scanning.

4
docs/docs/vulnerability/examples/db.md
View File

@@ -1,9 +1,7 @@
# Vulnerability DB
## Skip update of vulnerability DB
`Trivy` downloads its vulnerability database every 12 hours when it starts operating.
This is usually fast, as the size of the DB is only 10~30MB.
But if you want to skip even that, use the `--skip-db-update` option.
If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.
```
$ trivy image --skip-db-update python:3.4-alpine3.9

29
docs/docs/vulnerability/examples/others.md
View File

@@ -8,6 +8,14 @@ If your image contains lock files which are not maintained by you, you can skip
$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-files "./testdata/*/bar" .
```
Will skip any file named `bar` in the subdirectories of testdata.
## Skip Directories
Trivy traversals directories and look for all lock files by default.
If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
@@ -16,6 +24,27 @@ If your image contains lock files which are not maintained by you, you can skip
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-dirs "./testdata/*" .
```
Will skip all subdirectories of the testdata directory.
!!! tip
Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
### Advanced globbing
Trivy also supports the [globstar](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) pattern matching.
```bash
$ trivy image --skip-files "**/foo"``` image:tag
```
Will skip the file `foo` that happens to be nested under any parent(s).
## File patterns
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../../misconfiguration/custom/index.md).

5
docs/docs/vulnerability/examples/report.md
View File

@@ -25,6 +25,7 @@ The following packages/languages are currently supported:
- rpm
- Node.js
- npm: package-lock.json
- pnpm: pnpm-lock.yaml
- yarn: yarn.lock
- .NET
- NuGet: packages.lock.json
@@ -34,8 +35,10 @@ The following packages/languages are currently supported:
- Bundler: Gemfile.lock
- Rust
- Binaries built with [cargo-auditable][cargo-auditable]
- Go
- Go
- Modules: go.mod
- PHP
- Composer
This tree is the reverse of the npm list command.
However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.

10
docs/docs/vulnerability/languages/golang.md
View File

@@ -6,8 +6,8 @@ The following table provides an outline of the features Trivy offers.
| Artifact | Offline[^1] | Dev dependencies | License | Dependency graph |
|----------|:-----------:|:-----------------|:-------:|:----------------:|
| Modules | | Include | [^2] | [^2] |
| Binaries | | Exclude | - | - |
| Modules | | Include | [^2] | [^2] |
| Binaries | | Exclude | - | - |
!!! note
Trivy scans only dependencies of the Go project.
@@ -19,8 +19,8 @@ Depending on Go versions, the required files are different.
| Version | Required files | Offline |
|---------|:--------------:|:-------:|
| \>=1.17 | go.mod | |
| <1.17 | go.mod, go.sum | |
| \>=1.17 | go.mod | |
| <1.17 | go.mod, go.sum | |
In Go 1.17+ projects, Trivy uses `go.mod` for direct/indirect dependencies.
On the other hand, it uses `go.mod` for direct dependencies and `go.sum` for indirect dependencies in Go 1.16 or less.
@@ -51,7 +51,7 @@ If you want to have better detection, please consider updating the Go version in
To identify licenses and dependency relationships, you need to download modules to local cache beforehand,
such as `go mod download`, `go mod tidy`, etc.
Trivy traverses `$GOPATH/pkg/mod` and collect those extra information.
Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
### Go binaries
Trivy scans binaries built by Go.

47
docs/docs/vulnerability/languages/nodejs.md Normal file
View File

@@ -0,0 +1,47 @@
# Node.js
Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
|:---------------:|-------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
| npm | package-lock.json | ✅ | Excluded | ✅ | ✅ | ✅ |
| Yarn | yarn.lock | ✅ | Excluded | ✅ | ✅ | - |
| pnpm | pnpm-lock.yaml | ✅ | Excluded | ✅ | - | - |
In addition, Trivy scans installed packages with `package.json`.
| File | Dependency graph | Position | License |
|--------------|:----------------:|:--------:|:-------:|
| package.json | - | - | ✅ |
These may be enabled or disabled depending on the target.
See [here](../detection/language.md) for the detail.
## Package managers
Trivy parses your files generated by package managers in filesystem/repository scanning.
!!! tip
Please make sure your lock file is up-to-date after modifying `package.json`.
### npm
Trivy parses `package-lock.json`.
To identify licenses, you need to download dependencies to `node_modules` beforehand.
Trivy analyzes `node_modules` for licenses.
### Yarn
Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`.
### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree] of dependencies with vulnerabilities.
## Packages
Trivy parses the manifest files of installed packages in container image scanning and so on.
### package.json
Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
It only extracts package names, versions and licenses for those packages.
[tree]: ../examples/report.md#show-origins-of-vulnerable-dependencies

18
docs/docs/vulnerability/languages/php.md Normal file
View File

@@ -0,0 +1,18 @@
# PHP
Trivy supports [Composer][composer], which is a tool for dependency management in PHP.
The following table provides an outline of the features Trivy offers.
| Package Manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
|-----------------|---------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
| Composer | composer.lock | ✅ | Excluded | ✅ | ✅ | ✅ |
## Composer
In order to detect dependencies, Trivy searches for `composer.lock`.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.
[composer]: https://getcomposer.org/

2
docs/docs/vulnerability/languages/python.md
View File

@@ -3,7 +3,7 @@
Trivy supports three types of Python package managers: `pip`, `Pipenv` and `Poetry`.
The following table provides an outline of the features Trivy offers.
| Package Manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
|-----------------|------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
| pip | requirements.txt | - | Include | - | - | - |
| Pipenv | Pipfile.lock | ✅ | Include | - | ✅ | - |

31
docs/docs/vulnerability/languages/rust.md Normal file
View File

@@ -0,0 +1,31 @@
# Rust
## Features
Trivy supports [Cargo](https://doc.rust-lang.org/stable/cargo/), which is the Rust package manager.
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
|-----------------|------------|:-----------------------:|:-----------------|:-------:|:----------------:|:--------:|
| Cargo | Cargo.lock | ✅ | Excluded[^1] | - | ✅ | ✅ |
In addition, it supports binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable).
| Artifact | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
|----------|:-----------------------:|:-----------------|:-------:|:----------------:|:--------:|
| Binaries | ✅ | Excluded | - | - | - |
### Cargo
Trivy searches for `Cargo.lock` to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `Cargo.lock`, Trivy parses `Cargo.toml`, which should be located next to `Cargo.lock`.
If you want to see the dependency tree, please ensure that `Cargo.toml` is present.
Scan `Cargo.lock` and `Cargo.toml` together also removes developer dependencies.
### Binaries
Trivy scans binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable).
If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.
[^1]: When you scan Cargo.lock and Cargo.toml together.

5
docs/ecosystem/security.md
View File

@@ -4,3 +4,8 @@
A Trivy plugin that converts JSON report to SonarQube [generic issues format](https://docs.sonarqube.org/9.6/analyzing-source-code/importing-external-issues/generic-issue-import-format/).
👉 Get it at: <https://github.com/umax/trivy-plugin-sonarqube>
## DefectDojo (Community)
DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
👉 Get it at: <https://github.com/DefectDojo/django-DefectDojo>

5
docs/getting-started/faq.md Normal file
View File

@@ -0,0 +1,5 @@
## FAQ
### How to pronounce the name "Trivy"?
`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.

5
docs/getting-started/installation.md
View File

@@ -15,8 +15,9 @@ In this section you will find an aggregation of the different ways to install Tr
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
EOF
sudo yum -y update
sudo yum -y install trivy
@@ -139,7 +140,7 @@ go install
## Use container image
1. Pull Trivy image (`docker pull aquasec/trivy:{{ git.tag[1:] }}`)
2. It is advisable to mount a consistent [cache dir](https://aquasecurity.github.io/trivy/{{ git.tag }}/docs/vulnerability/examples/cache/) on the host into the Trivy container.
2. It is advisable to mount a consistent [cache dir](../docs/vulnerability/examples/cache.md) on the host into the Trivy container.
3. For scanning container images with Trivy, mount `docker.sock` from the host into the Trivy container.
Example:

7
docs/index.md
View File

@@ -108,13 +108,6 @@ trivy k8s --report summary cluster
</figure>
</details>
## FAQ
### How to pronounce the name "Trivy"?
`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
---
Trivy is an [Aqua Security][aquasec] open source project.

45
docs/tutorials/kubernetes/cluster-scanning.md
View File

@@ -70,50 +70,11 @@ This has several benefits:
There are several ways that you can install the Trivy Operator in your cluster. In this guide, were going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/)
Next, run the following commands.
Please follow the Trivy Operator documentation for further information on:
First, we are going to add the Aqua Security Helm repository to our Helm repository list:
```
helm repo add aqua https://aquasecurity.github.io/helm-charts/
```
- [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)
Then, we will update all of our Helm repositories. Even if you have just added a new repository to your existing charts, this is generally good practice to have access to the latest changes:
```
helm repo update
```
Lastly, we can install the Trivy operator Helm Chart to our cluster:
```
helm install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--set="trivy.ignoreUnfixed=true" \
--version v0.0.3
```
You can make sure that the operator is installed correctly via the following command:
```
kubectl get deployment -n trivy-system
```
Trivy will automatically start scanning your Kubernetes resources.
For instance, you can view vulnerability reports with the following command:
```
kubectl get vulnerabilityreports --all-namespaces -o wide
```
And then you can access the details of a security scan:
```
kubectl describe vulnerabilityreports <name of one of the above reports>
```
The same process can be applied to access Configauditreports:
```
kubectl get configauditreports --all-namespaces -o wide
```

251
go.mod
View File

@@ -3,13 +3,19 @@ module github.com/aquasecurity/trivy
go 1.19
require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/go-autorest/autorest v0.11.28
github.com/Azure/go-autorest/autorest/adal v0.9.23
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12
github.com/BurntSushi/toml v1.2.1
github.com/CycloneDX/cyclonedx-go v0.7.0
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
github.com/Masterminds/sprig/v3 v3.2.3
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.23.0
github.com/alicebob/miniredis/v2 v2.30.1
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.84.0
github.com/aquasecurity/go-dep-parser v0.0.0-20230302111817-e4068021315b
github.com/aquasecurity/defsec v0.85.0
github.com/aquasecurity/go-dep-parser v0.0.0-20230413091456-df0396537e15
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -19,37 +25,42 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-db v0.0.0-20230116084806-4bcdf1c414d0
github.com/aquasecurity/trivy-db v0.0.0-20230411140759-3c2ee2168575
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20230223104408-c772810be7c3
github.com/aws/aws-sdk-go v1.44.212
github.com/aws/aws-sdk-go-v2 v1.17.5
github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230413111230-522e0fca9814
github.com/aws/aws-sdk-go v1.44.234
github.com/aws/aws-sdk-go-v2 v1.17.7
github.com/aws/aws-sdk-go-v2/config v1.18.15
github.com/aws/aws-sdk-go-v2/service/ec2 v1.86.1
github.com/aws/aws-sdk-go-v2/service/sts v1.18.5
github.com/caarlos0/env/v6 v6.10.1
github.com/aws/aws-sdk-go-v2/service/ec2 v1.89.1
github.com/aws/aws-sdk-go-v2/service/sts v1.18.7
github.com/bmatcuk/doublestar v1.3.4
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.0
github.com/containerd/containerd v1.6.19
github.com/docker/docker v23.0.0-rc.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.2
github.com/containerd/containerd v1.7.0
github.com/docker/docker v23.0.3+incompatible
github.com/docker/go-connections v0.4.0
github.com/fatih/color v1.13.0
github.com/fatih/color v1.14.1
github.com/go-git/go-git/v5 v5.6.1
github.com/go-openapi/runtime v0.25.0
github.com/go-openapi/strfmt v0.21.3
github.com/go-openapi/strfmt v0.21.7
github.com/go-redis/redis/v8 v8.11.5
github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/golang/protobuf v1.5.2
github.com/google/go-containerregistry v0.13.0
github.com/golang/protobuf v1.5.3
github.com/google/go-containerregistry v0.14.0
github.com/google/licenseclassifier/v2 v2.0.0
github.com/google/uuid v1.3.0
github.com/google/wire v0.5.0
github.com/hashicorp/go-getter v1.7.0
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/golang-lru/v2 v2.0.1
github.com/in-toto/in-toto-golang v0.5.0
github.com/in-toto/in-toto-golang v0.7.0
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
github.com/knqyf263/go-rpmdb v0.0.0-20230301153543-ba94b245509b
github.com/knqyf263/nested v0.0.1
github.com/kylelemons/godebug v1.1.0
github.com/magefile/mage v1.14.0
github.com/mailru/easyjson v0.7.7
github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3
@@ -58,81 +69,81 @@ require (
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
github.com/masahiro331/go-xfs-filesystem v0.0.0-20221225060805-c02764233454
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15
github.com/moby/buildkit v0.11.5
github.com/open-policy-agent/opa v0.45.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc2.0.20221020182949-4df8887994e8
github.com/owenrumney/go-sarif/v2 v2.1.2
github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170
github.com/samber/lo v1.37.0
github.com/secure-systems-lab/go-securesystemslib v0.4.0
github.com/sigstore/rekor v1.0.1
github.com/saracen/walker v0.1.3
github.com/secure-systems-lab/go-securesystemslib v0.5.0
github.com/sigstore/rekor v1.1.0
github.com/sosedoff/gitkit v0.3.0
github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f
github.com/spf13/cast v1.5.0
github.com/spf13/cobra v1.6.1
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.15.0
github.com/stretchr/testify v1.8.1
github.com/stretchr/testify v1.8.2
github.com/testcontainers/testcontainers-go v0.17.0
github.com/tetratelabs/wazero v1.0.0-pre.9
github.com/tetratelabs/wazero v1.0.0
github.com/twitchtv/twirp v8.1.2+incompatible
github.com/xlab/treeprint v1.1.0
go.etcd.io/bbolt v1.3.7
go.uber.org/zap v1.24.0
golang.org/x/exp v0.0.0-20220823124025-807a23277127
golang.org/x/crypto v0.7.0
golang.org/x/exp v0.0.0-20230124195608-d38c7dcee874
golang.org/x/mod v0.9.0
golang.org/x/sync v0.1.0
golang.org/x/term v0.6.0
golang.org/x/text v0.9.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/protobuf v1.28.1
google.golang.org/protobuf v1.30.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/utils v0.0.0-20230115233650-391b47cb4029
gotest.tools v2.2.0+incompatible
k8s.io/api v0.26.3
k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
modernc.org/sqlite v1.20.3
)
require (
github.com/cloudflare/circl v1.1.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/pjbgf/sha1cd v0.2.3 // indirect
github.com/skeema/knownhosts v1.1.0 // indirect
go.opentelemetry.io/otel v1.11.1 // indirect
go.opentelemetry.io/otel/trace v1.11.1 // indirect
)
require (
cloud.google.com/go v0.105.0 // indirect
cloud.google.com/go/compute v1.14.0 // indirect
cloud.google.com/go v0.110.0 // indirect
cloud.google.com/go/compute v1.18.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v0.8.0 // indirect
cloud.google.com/go/storage v1.27.0 // indirect
github.com/Azure/azure-sdk-for-go v67.1.0+incompatible
cloud.google.com/go/iam v0.12.0 // indirect
cloud.google.com/go/storage v1.29.0 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.28
github.com/Azure/go-autorest/autorest/adal v0.9.21
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/BurntSushi/toml v1.2.1 // indirect
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
github.com/MakeNowJust/heredoc v1.0.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/Masterminds/semver/v3 v3.2.0 // indirect
github.com/Masterminds/squirrel v1.5.3 // indirect
github.com/Microsoft/go-winio v0.6.0 // indirect
github.com/Microsoft/hcsshim v0.9.7 // indirect
github.com/Microsoft/hcsshim v0.10.0-rc.7 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 // indirect
github.com/VividCortex/ewma v1.1.1 // indirect
github.com/acomagu/bufpipe v1.0.3 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/acomagu/bufpipe v1.0.4 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/alecthomas/chroma v0.10.0 // indirect
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.15 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0 // indirect
@@ -140,12 +151,12 @@ require (
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.18 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.18.2 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.24.4 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.21.10 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20 // indirect
github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.17 // indirect
github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11 // indirect
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.6 // indirect
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 // indirect
@@ -154,55 +165,58 @@ require (
github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.10 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.20 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.10 // indirect
github.com/aws/aws-sdk-go-v2/service/emr v1.20.11 // indirect
github.com/aws/aws-sdk-go-v2/service/emr v1.23.4 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.18.23 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.19 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4 // indirect
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.18.15 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.20.8 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 // indirect
github.com/aws/aws-sdk-go-v2/service/mq v1.13.15 // indirect
github.com/aws/aws-sdk-go-v2/service/neptune v1.17.12 // indirect
github.com/aws/aws-sdk-go-v2/service/rds v1.26.1 // indirect
github.com/aws/aws-sdk-go-v2/service/redshift v1.26.10 // indirect
github.com/aws/aws-sdk-go-v2/service/redshift v1.27.7 // indirect
github.com/aws/aws-sdk-go-v2/service/s3 v1.27.11 // indirect
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.2 // indirect
github.com/aws/aws-sdk-go-v2/service/sns v1.18.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sqs v1.19.10 // indirect
github.com/aws/aws-sdk-go-v2/service/sqs v1.20.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.12.4 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.4 // indirect
github.com/aws/aws-sdk-go-v2/service/workspaces v1.23.0 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/bmatcuk/doublestar v1.3.4 // indirect
github.com/briandowns/spinner v1.12.0 // indirect
github.com/briandowns/spinner v1.23.0 // indirect
github.com/cenkalti/backoff/v4 v4.2.0 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/containerd/cgroups v1.0.4 // indirect
github.com/cloudflare/circl v1.1.0 // indirect
github.com/containerd/cgroups v1.1.0 // indirect
github.com/containerd/continuity v0.3.0 // indirect
github.com/containerd/fifo v1.0.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
github.com/containerd/fifo v1.1.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/containerd/ttrpc v1.2.1 // indirect
github.com/containerd/typeurl v1.0.2 // indirect
github.com/containerd/typeurl/v2 v2.1.0 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/dimchansky/utfbom v1.1.1 // indirect
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/docker/cli v23.0.0-rc.1+incompatible // indirect
github.com/docker/cli v23.0.1+incompatible // indirect
github.com/docker/distribution v2.8.1+incompatible // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/emicklei/go-restful/v3 v3.10.1 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
@@ -210,38 +224,36 @@ require (
github.com/ghodss/yaml v1.0.0 // indirect
github.com/go-errors/errors v1.0.1 // indirect
github.com/go-git/gcfg v1.5.0 // indirect
github.com/go-git/go-billy/v5 v5.4.0 // indirect
github.com/go-git/go-git/v5 v5.5.2
github.com/go-git/go-billy/v5 v5.4.1 // indirect
github.com/go-gorp/gorp/v3 v3.0.2 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/spec v0.20.7 // indirect
github.com/go-openapi/spec v0.20.8 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-openapi/validate v0.22.0 // indirect
github.com/go-openapi/validate v0.22.1 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.8.2 // indirect
github.com/gofrs/uuid v4.0.0+incompatible // indirect
github.com/gogo/googleapis v1.4.1 // indirect
github.com/goccy/go-yaml v1.8.1 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
github.com/googleapis/gax-go/v2 v2.7.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
github.com/googleapis/gax-go/v2 v2.8.0 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/gosuri/uitable v0.0.4 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
@@ -249,7 +261,7 @@ require (
github.com/hashicorp/hcl/v2 v2.14.1 // indirect
github.com/huandu/xstrings v1.3.3 // indirect
github.com/imdario/mergo v0.3.13 // indirect
github.com/inconshreveable/mousetrap v1.0.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jmoiron/sqlx v1.3.5 // indirect
@@ -257,9 +269,7 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.15.12 // indirect
github.com/knqyf263/go-rpmdb v0.0.0-20230201142403-697bc51b3948
github.com/knqyf263/nested v0.0.1
github.com/klauspost/compress v1.16.0 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/liamg/iamgo v0.0.9 // indirect
@@ -269,19 +279,18 @@ require (
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.17 // indirect
github.com/mattn/go-runewidth v0.0.13 // indirect
github.com/mattn/go-sqlite3 v1.14.16 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
github.com/miekg/dns v1.1.50 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/buildkit v0.11.4
github.com/moby/locker v1.0.1 // indirect
github.com/moby/patternmatcher v0.5.0 // indirect
github.com/moby/spdystream v0.2.0 // indirect
@@ -296,34 +305,31 @@ require (
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/olekukonko/tablewriter v0.0.5 // indirect
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc2
github.com/opencontainers/runc v1.1.3 // indirect
github.com/opencontainers/runtime-spec v1.0.3-0.20220311020903-6969a0a09ab1 // indirect
github.com/opencontainers/selinux v1.10.2 // indirect
github.com/opencontainers/runc v1.1.5 // indirect
github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/owenrumney/squealer v1.1.1 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.14.0 // indirect
github.com/prometheus/client_model v0.3.0 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/common v0.39.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rubenv/sql-migrate v1.2.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
github.com/sergi/go-diff v1.1.0 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f
github.com/skeema/knownhosts v1.1.0 // indirect
github.com/spf13/afero v1.9.3 // indirect
github.com/spf13/cast v1.5.0
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/subosito/gotenv v1.4.2 // indirect
@@ -335,46 +341,41 @@ require (
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/yashtewari/glob-intersection v0.1.0 // indirect
github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
github.com/yuin/gopher-lua v1.1.0 // indirect
github.com/zclconf/go-cty v1.10.0 // indirect
github.com/zclconf/go-cty-yaml v1.0.2 // indirect
go.mongodb.org/mongo-driver v1.10.0 // indirect
go.mongodb.org/mongo-driver v1.11.3 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/otel v1.14.0 // indirect
go.opentelemetry.io/otel/trace v1.14.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
golang.org/x/crypto v0.5.0
golang.org/x/mod v0.8.0
golang.org/x/net v0.7.0 // indirect
golang.org/x/oauth2 v0.1.0 // indirect
golang.org/x/sync v0.1.0
golang.org/x/sys v0.5.0 // indirect
golang.org/x/term v0.5.0
golang.org/x/text v0.7.0
golang.org/x/time v0.1.0 // indirect
golang.org/x/tools v0.2.0 // indirect
google.golang.org/api v0.107.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
golang.org/x/net v0.8.0 // indirect
golang.org/x/oauth2 v0.6.0 // indirect
golang.org/x/sys v0.6.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.7.0 // indirect
google.golang.org/api v0.114.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
google.golang.org/grpc v1.52.0 // indirect
google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
google.golang.org/grpc v1.54.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gotest.tools v2.2.0+incompatible
gotest.tools/v3 v3.1.0 // indirect
helm.sh/helm/v3 v3.11.1 // indirect
k8s.io/api v0.26.1 // indirect
k8s.io/apiextensions-apiserver v0.26.0 // indirect
k8s.io/apimachinery v0.26.1 // indirect
k8s.io/apiserver v0.26.0 // indirect
k8s.io/cli-runtime v0.26.1 // indirect
k8s.io/client-go v0.26.1 // indirect
k8s.io/component-base v0.26.1 // indirect
k8s.io/klog/v2 v2.90.0 // indirect
k8s.io/apimachinery v0.26.3 // indirect
k8s.io/apiserver v0.26.2 // indirect
k8s.io/cli-runtime v0.26.3 // indirect
k8s.io/client-go v0.26.3 // indirect
k8s.io/component-base v0.26.3 // indirect
k8s.io/klog/v2 v2.90.1 // indirect
k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
k8s.io/kubectl v0.26.1 // indirect
k8s.io/kubectl v0.26.3 // indirect
lukechampine.com/uint128 v1.2.0 // indirect
modernc.org/cc/v3 v3.40.0 // indirect
modernc.org/ccgo/v3 v3.16.13 // indirect

527
go.sum
View File

File diff suppressed because it is too large Load Diff

14
goreleaser-canary.yml
View File

@@ -23,13 +23,13 @@ builds:
archives:
-
format: tar.gz
name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
replacements:
amd64: 64bit
arm64: ARM64
darwin: macOS
linux: Linux
windows: Windows
name_template: >-
{{ .ProjectName }}_{{ .Version }}_
{{- if eq .Os "darwin" }}macOS
{{- else}}{{- title .Os }}{{ end }}-
{{- if eq .Arch "amd64" }}64bit
{{- else if eq .Arch "arm64" }}ARM64
{{- else }}{{ .Arch }}{{ end }}
files:
- README.md
- LICENSE

59
goreleaser.yml
View File

@@ -57,40 +57,45 @@ nfpms:
maintainer: "Teppei Fukuda <knqyf263@gmail.com>"
description: "A Fast Vulnerability Scanner for Containers"
license: "Apache-2.0"
file_name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
replacements:
amd64: 64bit
386: 32bit
arm: ARM
arm64: ARM64
ppc64le: PPC64LE
darwin: macOS
linux: Linux
openbsd: OpenBSD
netbsd: NetBSD
freebsd: FreeBSD
dragonfly: DragonFlyBSD
windows: Windows
file_name_template: >-
{{ .ProjectName }}_{{ .Version }}_
{{- if eq .Os "darwin" }}macOS
{{- else if eq .Os "openbsd" }}OpenBSD
{{- else if eq .Os "netbsd" }}NetBSD
{{- else if eq .Os "freebsd" }}FreeBSD
{{- else if eq .Os "dragonfly" }}DragonFlyBSD
{{- else}}{{- title .Os }}{{ end }}-
{{- if eq .Arch "amd64" }}64bit
{{- else if eq .Arch "386" }}32bit
{{- else if eq .Arch "arm" }}ARM
{{- else if eq .Arch "arm64" }}ARM64
{{- else if eq .Arch "ppc64le" }}PPC64LE
{{- else }}{{ .Arch }}{{ end }}
contents:
- src: contrib/*.tpl
dst: /usr/local/share/trivy/templates
rpm:
signature:
key_file: '{{ .Env.GPG_FILE }}'
archives:
-
format: tar.gz
name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
replacements:
amd64: 64bit
386: 32bit
arm: ARM
arm64: ARM64
ppc64le: PPC64LE
darwin: macOS
linux: Linux
openbsd: OpenBSD
netbsd: NetBSD
freebsd: FreeBSD
dragonfly: DragonFlyBSD
name_template: >-
{{ .ProjectName }}_{{ .Version }}_
{{- if eq .Os "darwin" }}macOS
{{- else if eq .Os "linux" }}Linux
{{- else if eq .Os "openbsd" }}OpenBSD
{{- else if eq .Os "netbsd" }}NetBSD
{{- else if eq .Os "freebsd" }}FreeBSD
{{- else if eq .Os "dragonfly" }}DragonFlyBSD
{{- else}}{{- .Os }}{{ end }}-
{{- if eq .Arch "amd64" }}64bit
{{- else if eq .Arch "386" }}32bit
{{- else if eq .Arch "arm" }}ARM
{{- else if eq .Arch "arm64" }}ARM64
{{- else if eq .Arch "ppc64le" }}PPC64LE
{{- else }}{{ .Arch }}{{ end }}
files:
- README.md
- LICENSE

1
helm/trivy/README.md
View File

@@ -73,6 +73,7 @@ The following table lists the configurable parameters of the Trivy chart and the
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |
| `trivy.cache.redis.ttl` | Specify redis TTL, e.g. 3600s or 24h | `` |
| `trivy.cache.redis.tls` | Enable Redis TLS with public certificates | `` |
| `trivy.serverToken` | The token to authenticate Trivy client with Trivy server | `` |
| `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |

1
helm/trivy/templates/configmap.yaml
View File

@@ -10,6 +10,7 @@ data:
{{- if .Values.trivy.cache.redis.enabled }}
TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
TRIVY_CACHE_TTL: {{ .Values.trivy.cache.redis.ttl | quote }}
TRIVY_REDIS_TLS: {{ .Values.trivy.cache.redis.tls | quote }}
{{- end }}
TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
TRIVY_SKIP_DB_UPDATE: {{ .Values.trivy.skipDBUpdate | quote }}

4
helm/trivy/templates/podsecuritypolicy.yaml
View File

@@ -4,6 +4,10 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "trivy.fullname" . }}
{{- with .Values.rbac.pspAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{ include "trivy.labels" . | indent 4 }}
spec:

2
helm/trivy/values.yaml
View File

@@ -29,6 +29,7 @@ resources:
rbac:
create: true
pspEnabled: false
pspAnnotations: {}
podSecurityContext:
runAsUser: 65534
@@ -114,6 +115,7 @@ trivy:
enabled: false
url: "" # e.g. redis://redis.redis.svc:6379
ttl: "" # e.g 3600s, 24h
tls: false
serviceAccount:
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME

48
integration/client_server_test.go
View File

@@ -57,8 +57,11 @@ func TestClientServer(t *testing.T) {
name: "alpine 3.9 with high and critical severity",
args: csArgs{
IgnoreUnfixed: true,
Severity: []string{"HIGH", "CRITICAL"},
Input: "testdata/fixtures/images/alpine-39.tar.gz",
Severity: []string{
"HIGH",
"CRITICAL",
},
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39-high-critical.json.golden",
},
@@ -66,8 +69,11 @@ func TestClientServer(t *testing.T) {
name: "alpine 3.9 with .trivyignore",
args: csArgs{
IgnoreUnfixed: false,
IgnoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
Input: "testdata/fixtures/images/alpine-39.tar.gz",
IgnoreIDs: []string{
"CVE-2019-1549",
"CVE-2019-14697",
},
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39-ignore-cveids.json.golden",
},
@@ -401,7 +407,6 @@ func TestClientServerWithCycloneDX(t *testing.T) {
args csArgs
wantComponentsCount int
wantDependenciesCount int
wantDependsOnCount []int
}{
{
name: "fluentd with RubyGems with CycloneDX format",
@@ -410,11 +415,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
Input: "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
},
wantComponentsCount: 161,
wantDependenciesCount: 2,
wantDependsOnCount: []int{
105,
56,
},
wantDependenciesCount: 80,
},
}
@@ -437,9 +438,6 @@ func TestClientServerWithCycloneDX(t *testing.T) {
assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
for i, dep := range *got.Dependencies {
assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
}
})
}
}
@@ -577,9 +575,21 @@ func setup(t *testing.T, options setupOptions) (string, string) {
}
func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
osArgs := []string{"--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
osArgs := []string{
"--cache-dir",
cacheDir,
"server",
"--skip-update",
"--listen",
addr,
}
if token != "" {
osArgs = append(osArgs, []string{"--token", token, "--token-header", tokenHeader}...)
osArgs = append(osArgs, []string{
"--token",
token,
"--token-header",
tokenHeader,
}...)
}
if cacheBackend != "" {
osArgs = append(osArgs, "--cache-backend", cacheBackend)
@@ -595,7 +605,13 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
c.RemoteAddrOption = "--server"
}
t.Helper()
osArgs := []string{"--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
osArgs := []string{
"--cache-dir",
cacheDir,
c.Command,
c.RemoteAddrOption,
"http://" + addr,
}
if c.Format != "" {
osArgs = append(osArgs, "--format", c.Format)

15
integration/fs_test.go
View File

@@ -65,13 +65,13 @@ func TestFilesystem(t *testing.T) {
golden: "testdata/gomod-skip.json.golden",
},
{
name: "nodejs",
name: "npm",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/nodejs",
input: "testdata/fixtures/fs/npm",
listAllPkgs: true,
},
golden: "testdata/nodejs.json.golden",
golden: "testdata/npm.json.golden",
},
{
name: "yarn",
@@ -187,6 +187,15 @@ func TestFilesystem(t *testing.T) {
},
golden: "testdata/mix.lock.json.golden",
},
{
name: "composer.lock",
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/composer",
},
golden: "testdata/composer.lock.json.golden",
},
{
name: "dockerfile",
args: args{

8
integration/sbom_test.go
View File

@@ -69,8 +69,8 @@ func TestSBOM(t *testing.T) {
Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
},
},
},
@@ -92,8 +92,8 @@ func TestSBOM(t *testing.T) {
Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
},
},
},

21
integration/scripts/download-images.sh
View File

@@ -1,21 +0,0 @@
#!/bin/bash
TEST_IMAGE=ghcr.io/aquasecurity/trivy-test-images
CURRENT=$(cd $(dirname $0);pwd)
mkdir -p ${CURRENT}/../testdata/fixtures/images/
# List the tags
TAGS=$(crane ls ${TEST_IMAGE})
# Download missing images
for tag in $TAGS
do
dir=${CURRENT}/../testdata/fixtures/images/
if [ ! -e "${dir}/${tag}.tar.gz" ]; then
echo "Downloading $tag..."
crane pull "${TEST_IMAGE}:${tag}" "${dir}/${tag}.tar"
gzip "${dir}/${tag}.tar"
fi
done

24
integration/scripts/download-vm-images.sh
View File

@@ -1,24 +0,0 @@
#!/bin/bash
TEST_VM=ghcr.io/aquasecurity/trivy-test-vm-images
CRANE_IMG=gcr.io/go-containerregistry/crane:v0.12.1
ORAS_IMG=ghcr.io/oras-project/oras:v0.16.0
CURRENT=$(cd $(dirname $0);pwd)
mkdir -p ${CURRENT}/../testdata/fixtures/vm-images/
# List the tags
TAGS=$(docker run --rm ${CRANE_IMG} ls ${TEST_VM})
# Download missing images
for tag in $TAGS
do
dir=${CURRENT}/../testdata/fixtures/vm-images/
if [ ! -e "${dir}/${tag}.img.gz" ] || [ ! -e "${dir}/${tag}.vmdk.gz" ]; then
echo "Downloading $tag..."
echo "oras pull ${TEST_VM}:${tag}"
docker run --rm -v ${dir}:/workspace ${ORAS_IMG} pull "${TEST_VM}:${tag}"
fi
done

5
integration/testdata/alpine-310.sarif.golden vendored
View File

@@ -182,6 +182,11 @@
"ROOTPATH": {
"uri": "file:///"
}
},
"properties": {
"imageName": "testdata/fixtures/images/alpine-310.tar.gz",
"repoDigests": null,
"repoTags": null
}
}
]

4
integration/testdata/centos-7-cyclonedx.json.golden vendored
View File

@@ -321,7 +321,7 @@
"updated": "2021-01-20T15:15:00+00:00",
"affects": [
{
"ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
"ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026epoch=1\u0026distro=centos-7.6.1810",
"versions": [
{
"version": "1:1.0.2k-16.el7",
@@ -514,7 +514,7 @@
"updated": "2020-08-24T17:37:00+00:00",
"affects": [
{
"ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
"ref": "urn:cdx:1455c02d-64ca-453e-a5df-ddfb70a7c804/1#pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026epoch=1\u0026distro=centos-7.6.1810",
"versions": [
{
"version": "1:1.0.2k-16.el7",

96
integration/testdata/composer.lock.json.golden vendored Normal file
View File

@@ -0,0 +1,96 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/composer",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "composer.lock",
"Class": "lang-pkgs",
"Type": "composer",
"Packages": [
{
"ID": "guzzlehttp/guzzle@7.4.4",
"Name": "guzzlehttp/guzzle",
"Version": "7.4.4",
"Indirect": false,
"Layer": {},
"Licenses": [
"MIT"
],
"DependsOn": [
"guzzlehttp/psr7@1.8.3"
],
"Locations": [
{
"StartLine": 9,
"EndLine": 129
}
]
},
{
"ID": "guzzlehttp/psr7@1.8.3",
"Name": "guzzlehttp/psr7",
"Version": "1.8.3",
"Indirect": true,
"Layer": {},
"Licenses": [
"MIT"
],
"Locations": [
{
"StartLine": 130,
"EndLine": 245
}
]
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-24775",
"PkgID": "guzzlehttp/psr7@1.8.3",
"PkgName": "guzzlehttp/psr7",
"InstalledVersion": "1.8.3",
"FixedVersion": "1.8.4",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Composer",
"URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
},
"Title": "Improper Input Validation in guzzlehttp/psr7",
"Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
}
},
"References": [
"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"
],
"PublishedDate": "2022-03-25T19:26:33Z",
"LastModifiedDate": "2022-06-14T20:02:29Z"
}
]
}
]
}

2
integration/testdata/conda-cyclonedx.json.golden vendored
View File

@@ -80,4 +80,4 @@
}
],
"vulnerabilities": []
}
}

62
integration/testdata/conda-spdx.json.golden vendored
View File

@@ -1,7 +1,7 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": {
"created": "2023-01-08T23:58:16.700785648Z",
"created": "2023-03-29T19:07:18Z",
"creators": [
"Tool: trivy-dev",
"Organization: aquasecurity"
@@ -11,14 +11,26 @@
"documentDescribes": [
"SPDXRef-Filesystem-6e0ac6a0fab50ab4"
],
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/fs/conda-3be0d21e-5711-451e-8b1b-2ac8775a3abb",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/fs/conda-d872c7e3-4c6c-4fa1-a9b6-3e69dc71ff3b",
"files": [
{
"SPDXID": "SPDXRef-File-600e5e0110a84891",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "237db0da53131e4548cb1181337fa0f420299e1f"
}
],
"fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json"
},
{
"SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "a6a2db7668f1ad541d704369fc66c96a4415aa24"
}
],
"fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json"
}
],
@@ -26,6 +38,7 @@
"packages": [
{
"SPDXID": "SPDXRef-Application-ee5ef1aa4ac89125",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"name": "conda-pkg",
"sourceInfo": "Conda"
@@ -35,29 +48,13 @@
"attributionTexts": [
"SchemaVersion: 2"
],
"downloadLocation": "NONE",
"filesAnalyzed": false,
"name": "testdata/fixtures/fs/conda"
},
{
"SPDXID": "SPDXRef-Package-2984084f02572600",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:conda/openssl@1.1.1q",
"referenceType": "purl"
}
],
"filesAnalyzed": false,
"hasFiles": [
"SPDXRef-File-600e5e0110a84891"
],
"licenseConcluded": "OpenSSL",
"licenseDeclared": "OpenSSL",
"name": "openssl",
"versionInfo": "1.1.1q"
},
{
"SPDXID": "SPDXRef-Package-ac33eb699b3aa81d",
"SPDXID": "SPDXRef-Package-6b677e82217fb5bd",
"downloadLocation": "NONE",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
@@ -73,6 +70,25 @@
"licenseDeclared": "MIT",
"name": "pip",
"versionInfo": "22.2.2"
},
{
"SPDXID": "SPDXRef-Package-b1088cb4090e3a55",
"downloadLocation": "NONE",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:conda/openssl@1.1.1q",
"referenceType": "purl"
}
],
"filesAnalyzed": false,
"hasFiles": [
"SPDXRef-File-600e5e0110a84891"
],
"licenseConcluded": "OpenSSL",
"licenseDeclared": "OpenSSL",
"name": "openssl",
"versionInfo": "1.1.1q"
}
],
"relationships": [
@@ -87,12 +103,12 @@
"spdxElementId": "SPDXRef-Filesystem-6e0ac6a0fab50ab4"
},
{
"relatedSpdxElement": "SPDXRef-Package-2984084f02572600",
"relatedSpdxElement": "SPDXRef-Package-b1088cb4090e3a55",
"relationshipType": "CONTAINS",
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125"
},
{
"relatedSpdxElement": "SPDXRef-Package-ac33eb699b3aa81d",
"relatedSpdxElement": "SPDXRef-Package-6b677e82217fb5bd",
"relationshipType": "CONTAINS",
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125"
}

2
integration/testdata/dockerfile-custom-policies.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 24,
"Successes": 25,
"Failures": 2,
"Exceptions": 0
},

2
integration/testdata/dockerfile-namespace-exception.json.golden vendored
View File

@@ -22,7 +22,7 @@
"MisconfSummary": {
"Successes": 0,
"Failures": 0,
"Exceptions": 24
"Exceptions": 25
}
}
]

2
integration/testdata/dockerfile-rule-exception.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Successes": 24,
"Failures": 1,
"Exceptions": 0
},

2
integration/testdata/dockerfile.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Successes": 24,
"Failures": 1,
"Exceptions": 0
},

2
integration/testdata/dockerfile_file_pattern.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Successes": 24,
"Failures": 1,
"Exceptions": 0
},

10
integration/testdata/fixtures/db/composer.yaml vendored Normal file
View File

@@ -0,0 +1,10 @@
- bucket: "composer::GitHub Security Advisory Composer"
pairs:
- bucket: guzzlehttp/psr7
pairs:
- key: CVE-2022-24775
value:
PatchedVersions:
- 1.8.4
VulnerableVersions:
- < 1.8.4

18
integration/testdata/fixtures/db/vulnerability.yaml vendored
View File

@@ -1294,6 +1294,24 @@
- https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
PublishedDate: "2022-05-24T17:37:16Z"
LastModifiedDate: "2022-10-06T20:26:08Z"
- key: CVE-2022-24775
value:
Title: "Improper Input Validation in guzzlehttp/psr7"
Description: "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n"
Severity: HIGH
VendorSeverity:
ghsa: 3
CweIDs:
- CWE-20
CVSS:
ghsa:
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
V3Score: 7.5
References:
- https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- https://nvd.nist.gov/vuln/detail/CVE-2022-24775
PublishedDate: "2022-03-25T19:26:33Z"
LastModifiedDate: "2022-06-14T20:02:29Z"
- key: CVE-2022-22965
value:
Title: "spring-framework: RCE via Data Binding on JDK 9+"

Some files were not shown because too many files have changed in this diff Show More