feat(vuln): support dependency graph for RHEL/CentOS (#3094 )

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
feat(vuln): support dependency graph for dpkg and apk (#3093 )
2025-12-09 06:10:47 -08:00 · 2022-10-31 11:07:41 +02:00 · 2022-10-31 08:54:42 +02:00 · 2022-10-28 20:16:16 +03:00 · 2022-10-28 08:27:10 +03:00 · 2022-10-27 16:43:55 +03:00
1310 changed files with 300131 additions and 61707 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,81 +0,0 @@
 version: 2.1
 defaults: &defaults
  docker :
    - image: aquasec/trivy-ci:latest
  environment:
    CGO_ENABLED: "0"
 jobs:
  unit-test:
    <<: *defaults
    steps:
      - checkout
      - run:
          name: Check if there's anything to fix with gofmt
          command: |
            if test -z "$(gofmt -l .)"; then
              echo "Congrats! There is nothing to fix."
            else
              echo "The following lines should be fixed."
              gofmt -s -d .
              exit 1
            fi
      - run:
          name: Test
          command: make test
  integration-test:
    <<: *defaults
    parameters:
      docker_version:
        type: string
    steps:
      - checkout
      - setup_remote_docker:
          version: << parameters.docker_version >>
      - run:
          name: Integration Test
          command: make test-integration
  release:
    <<: *defaults
    steps:
      - checkout
      - setup_remote_docker:
          version: 18.06.0-ce
      - run:
          name: setup docker
          command: docker login -u $DOCKER_USER -p $DOCKER_PASS
      - run:
          name: Release
          command: goreleaser --rm-dist
      - run:
          name: Clone trivy repository
          command: git clone git@github.com:aquasecurity/trivy-repo.git
      - run:
          name: Setup git settings
          command: |
            git config --global user.email "knqyf263@gmail.com"
            git config --global user.name "Teppei Fukuda"
      - run:
          name: Create rpm repository
          command: ci/deploy-rpm.sh
      - run:
          name: Import GPG key
          command: echo -e "$GPG_KEY" | gpg --import
      - run:
          name: Create deb repository
          command: ci/deploy-deb.sh
 workflows:
  version: 2
  release:
    jobs:
      - unit-test
      - integration-test:
            docker_version: 18.09.3
      - release:
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /.*/
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,6 @@
 .git
 .github
 .cache
 .circleci
 integration
 imgs
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,19 @@
 # Global
 *   @knqyf263
 # Helm chart
 helm/trivy/ @krol3
 # Misconfiguration scanning
 examples/misconf/           @owenrumney @liamg @knqyf263
 docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
 docs/docs/cloud             @owenrumney @liamg @knqyf263
 pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
 pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
 pkg/cloud                   @owenrumney @liamg @knqyf263
 pkg/flag/aws_flags.go       @owenrumney @liamg @knqyf263
 pkg/flag/misconf_flags.go   @owenrumney @liamg @knqyf263
 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
 docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263
--- a/.github/ISSUE_TEMPLATE/BUG_REPORT.md
+++ b/.github/ISSUE_TEMPLATE/BUG_REPORT.md
@@ -1,31 +1,31 @@
 ---
 name: Bug Report
-labels: bug
+labels: kind/bug
 about: If something isn't working as expected.
 ---
-**Description**
+## Description
 <!--
 Briefly describe the problem you are having in a few paragraphs.
 -->
-**What did you expect to happen?**
+## What did you expect to happen?
-**What happened instead?**
+## What happened instead?
-**Output of run with `-debug`:**
+## Output of run with `-debug`:
 ```
 (paste your output here)
 ```
-**Output of `trivy -v`:**
+## Output of `trivy -v`:
 ```
 (paste your output here)
 ```
-**Additional details (base image name, container registry info...):**
+## Additional details (base image name, container registry info...):
--- a/.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md
+++ b/.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md
@@ -1,6 +1,6 @@
 ---
 name: Feature Request
-labels: enhancement
+labels: kind/feature
 about: I have a suggestion (and might want to implement myself)!
 ---
--- a/.github/ISSUE_TEMPLATE/SUPPORT_QUESTION.md
+++ b/.github/ISSUE_TEMPLATE/SUPPORT_QUESTION.md
@@ -1,6 +1,6 @@
 ---
 name: Support Question
-labels: question
+labels: triage/support
 about: If you have a question about Trivy.
 ---
--- a/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
+++ b/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
@@ -0,0 +1,33 @@
 ---
 name: Wrong Detection
 labels: ["kind/bug"]
 about: If Trivy doesn't detect something, or shows false positive detection
 ---
 ## Checklist
 - [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
 - [ ] I've confirmed that a security advisory in data sources was correct.
    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
 ## Description
 <!--
 Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
 -->
 ## JSON Output of run with `-debug`:
 ```
 (paste your output here)
 ```
 ## Output of `trivy -v`:
 ```
 (paste your output here)
 ```
 ## Additional details (base image name, container registry info...):
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
 version: 2
 updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: monthly
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: monthly
  - package-ecosystem: gomod
    open-pull-requests-limit: 10
    directory: /
    schedule:
      interval: monthly
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,18 @@
 ## Description
 ## Related issues
 - Close #XXX
 ## Related PRs
 - [ ] #XXX
 - [ ] #YYY
 Remove this section if you don't have related PRs.
 ## Checklist
 - [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
 - [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)
 - [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -0,0 +1,59 @@
 name: Canary build
 on:
  push:
    branches:
      - 'main'
    paths:
      - '**.go'
      - 'Dockerfile.canary'
      - '.github/workflows/canary.yaml'
  workflow_dispatch:
 jobs:
  build-binaries:
    name: Build binaries
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser-canary.yml
      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
    secrets: inherit
  upload-binaries:
    name: Upload binaries
    needs: build-binaries # run this job after 'build-binaries' job completes
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
        uses: actions/cache@v3.0.9
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
        # Upload artifacts
      - name: Upload artifacts (trivy_Linux-64bit)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_Linux-64bit
          path: dist/trivy_*_Linux-64bit.tar.gz
          if-no-files-found: error
      - name: Upload artifacts (trivy_Linux-ARM64)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_Linux-ARM64
          path: dist/trivy_*_Linux-ARM64.tar.gz
          if-no-files-found: error
      - name: Upload artifacts (trivy_macOS-64bit)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_macOS-64bit
          path: dist/trivy_*_macOS-64bit.tar.gz
          if-no-files-found: error
      - name: Upload artifacts (trivy_macOS-ARM64)
        uses: actions/upload-artifact@v3
        with:
          name: trivy_macOS-ARM64
          path: dist/trivy_*_macOS-ARM64.tar.gz
          if-no-files-found: error
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -0,0 +1,33 @@
 name: Deploy the dev documentation
 on:
  push:
    paths:
      - 'docs/**'
      - mkdocs.yml
    branches:
      - main
 jobs:
  deploy:
    name: Deploy the dev documentation
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout main
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: true
      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
          pip install -r docs/build/requirements.txt
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - name: Configure the git user
        run: |
          git config user.name "knqyf263"
          git config user.email "knqyf263@gmail.com"
      - name: Deploy the dev documents
        run: mike deploy --push dev
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -0,0 +1,41 @@
 name: Deploy the latest documentation
 on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to be deployed
        required: true
  push:
    tags:
      - "v*"
 jobs:
  deploy:
    name: Deploy the latest documentation
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout main
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: true
      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
          pip install -r docs/build/requirements.txt
        env:
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - name: Configure the git user
        run: |
          git config user.name "knqyf263"
          git config user.email "knqyf263@gmail.com"
      - name: Deploy the latest documents from new tag push
        if: ${{ github.event.inputs.version == '' }}
        run: |
          VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
          mike deploy --push --update-aliases ${VERSION%.*} latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -0,0 +1,87 @@
 name: Publish Helm chart
 on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
    paths:
      - 'helm/trivy/**'
  push:
    tags:
      - "v*"
 env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
  KIND_VERSION: "v0.14.0"
  KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
  test-chart:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install Helm
        uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1
        with:
          version: v3.5.0
      - name: Set up python
        uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
      - name: Setup Kubernetes cluster (KIND)
        uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
      - name: Run chart-testing
        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
      - name: Run chart-testing (Ingress enabled)
        run: |
          sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
          ct lint-and-install --validate-maintainers=false --charts helm/trivy
  publish-chart:
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    needs:
      - test-chart
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install chart-releaser
        run: |
          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
      - name: Package helm chart
        run: |
          ./cr package ${{ env.CHART_DIR }}
      - name: Upload helm chart
        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
        continue-on-error: true
        run: |
          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
      - name: Index helm chart
        run: |
          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
      - name: Push index file
        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
        env:
          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
        with:
          source_file: 'index.yaml'
          destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'
          destination_folder: '.'
          destination_branch: 'gh-pages'
          user_email: aqua-bot@users.noreply.github.com
          user_name: 'aqua-bot'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,57 @@
 name: Release
 on:
  push:
    tags:
      - "v*"
 jobs:
  release:
    name: Release
    uses: ./.github/workflows/reusable-release.yaml
    with:
      goreleaser_config: goreleaser.yml
      goreleaser_options: '--rm-dist --timeout 90m'
    secrets: inherit
  deploy-packages:
    name: Deploy rpm/dep packages
    needs: release # run this job after 'release' job completes
    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Restore Trivy binaries from cache
        uses: actions/cache@v3.0.9
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
      - name: Install dependencies
        run: |
          sudo apt-get -y update
          sudo apt-get -y install rpm reprepro createrepo distro-info
      - name: Checkout trivy-repo
        uses: actions/checkout@v3
        with:
          repository: ${{ github.repository_owner }}/trivy-repo
          path: trivy-repo
          fetch-depth: 0
          token: ${{ secrets.ORG_REPO_TOKEN }}
      - name: Setup git settings
        run: |
          git config --global user.email "knqyf263@gmail.com"
          git config --global user.name "Teppei Fukuda"
      - name: Create rpm repository
        run: ci/deploy-rpm.sh
      - name: Import GPG key
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
      - name: Create deb repository
        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -0,0 +1,108 @@
 name: Reusable release
 on:
  workflow_call:
    inputs:
      goreleaser_config:
        description: 'file path to GoReleaser config'
        required: true
        type: string
      goreleaser_options:
        description: 'GoReleaser options separated by spaces'
        default: ''
        required: false
        type: string
 env:
  GH_USER: "aqua-bot"
 jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    permissions:
      id-token: write # For cosign
      packages: write # For GHCR
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
      - name: Show available Docker Buildx platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Login to docker.io registry
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to ghcr.io registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ env.GH_USER }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to ECR
        uses: docker/login-action@v2
        with:
          registry: public.ecr.aws
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
          args: mod -licenses -json -output bom.json
          version: ^v1
      - name: GoReleaser
        uses: goreleaser/goreleaser-action@v3
        with:
          version: v1.4.1
          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
      ## push images to registries
      ## only for canary build
      - name: Build and push
        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
        uses: docker/build-push-action@v3
        with:
          platforms: linux/amd64, linux/arm64
          file: ./Dockerfile.canary # path to Dockerfile
          context: .
          push: true
          tags: |
            aquasec/trivy:canary
            ghcr.io/aquasecurity/trivy:canary
            public.ecr.aws/aquasecurity/trivy:canary
      - name: Cache Trivy binaries
        uses: actions/cache@v3.0.9
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
          # e.g. build and release runs
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,23 @@
 name: Scan vulnerabilities
 on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:
 jobs:
  build:
    name: Scan Go vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner and create GitHub issues
        uses: knqyf263/trivy-issue-action@v0.0.4
        with:
          assignee: knqyf263
          severity: CRITICAL
          skip-dirs: integration,examples
          label: kind/security
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -0,0 +1,92 @@
 name: "Lint PR title"
 on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize
 jobs:
  main:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          types:
            feat
            fix
            docs
            style
            refactor
            perf
            test
            build
            ci
            chore
            revert
            BREAKING
          scopes:
            vuln
            misconf
            secret
            license
            image
            fs
            repo
            sbom
            server
            k8s
            alpine
            redhat
            alma
            rocky
            mariner
            oracle
            debian
            ubuntu
            amazon
            suse
            photon
            distroless
            ruby
            php
            python
            nodejs
            rust
            dotnet
            java
            go
            c
            c++
            os
            lang
            kubernetes
            dockerfile
            terraform
            cloudformation
            docker
            podman
            containerd
            oci
            cli
            flag
            cyclonedx
            spdx
            helm
            report
            db
            deps
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -0,0 +1,20 @@
 name: "Stale issues"
 on:
  schedule:
    - cron: '0 0 * * *'
 jobs:
  stale:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
    - uses: actions/stale@v6
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
        stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'
        exempt-issue-labels: 'lifecycle/frozen,lifecycle/active,priority/critical-urgent,priority/important-soon,priority/important-longterm,priority/backlog,priority/awaiting-more-evidence'
        exempt-pr-labels: 'lifecycle/active'
        stale-pr-label: 'lifecycle/stale'
        stale-issue-label: 'lifecycle/stale'
        days-before-stale: 60
        days-before-close: 20
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,135 @@
 name: Test
 on:
  push:
    branches:
      - main
    paths-ignore:
      - '*.md'
      - 'docs/**'
      - 'mkdocs.yml'
      - 'LICENSE'
  pull_request:
 env:
  TINYGO_VERSION: "0.25.0"
 jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      - name: go mod tidy
        run: |
          go mod tidy
          if [ -n "$(git status --porcelain)" ]; then
            echo "Run 'go mod tidy' and push it"
            exit 1
          fi
      - name: Lint
        uses: golangci/golangci-lint-action@v3.2.0
        with:
          version: v1.49
          args: --deadline=30m
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
      - name: Install TinyGo
        run: |
          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
      - name: Run unit tests
        run: make test
  integration:
    name: Integration Test
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      - name: Run integration tests
        run: make test-integration
  module-test:
    name: Module Integration Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
      - name: Install TinyGo
        run: |
          wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
          sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
      - name: Run module integration tests
        run: |
          make test-module-integration
  build-test:
    name: Build Test
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v2
    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@v2
    - name: Show available Docker Buildx platforms
      run: echo ${{ steps.buildx.outputs.platforms }}
    - name: Checkout
      uses: actions/checkout@v3
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
        go-version-file: go.mod
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v3
      with:
        version: v1.4.1
        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
  build-documents:
    name: Documentation Test
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0
        persist-credentials: true
    - uses: actions/setup-python@v4
      with:
        python-version: 3.x
    - name: Install dependencies
      run: |
        pip install -r docs/build/requirements.txt
    - name: Configure the git user
      run: |
        git config user.name "knqyf263"
        git config user.email "knqyf263@gmail.com"
    - name: Deploy the dev documents
      run: mike deploy test
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,10 @@
 *.dll
 *.so
 *.dylib
 /trivy
 ## chart release
 .cr-release-packages
 # Test binary, build with `go test -c`
 *.test
@@ -12,10 +16,21 @@
 *.out
 .idea
 .vscode
 # Directory Cache Files
 .DS_Store
 thumbs.db
 # test fixtures
-integration/testdata/fixtures/
+coverage.txt
 integration/testdata/fixtures/images
 # SBOMs generated during CI
 /bom.json
 # goreleaser output
 dist
 # WebAssembly
 *.wasm
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,72 @@
 linters-settings:
  errcheck:
    check-type-assertions: true
    check-blank: true
  govet:
    check-shadowing: false
  gofmt:
    simplify: false
  revive:
    ignore-generated-header: true
  gocyclo:
    min-complexity: 20
  dupl:
    threshold: 100
  goconst:
    min-len: 3
    min-occurrences: 3
  misspell:
    locale: US
  goimports:
    local-prefixes: github.com/aquasecurity
  gosec:
    excludes:
      - G114
      - G204
      - G402
 linters:
  disable-all: true
  enable:
    - unused
    - ineffassign
    - typecheck
    - govet
    - revive
    - gosec
    - unconvert
    - goconst
    - gocyclo
    - gofmt
    - goimports
    - misspell
 run:
  go: 1.19
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
    - "integration/*"
    - "examples/*"
 issues:
  exclude-rules:
    - linters:
        - gosec
      text: "G304: Potential file inclusion"
    - linters:
        - gosec
      text: "Deferring unsafe method"
    - linters:
        - errcheck
      text: "Close` is not checked"
    - linters:
        - errcheck
      text: "os.*` is not checked"
    - linters:
        - golint
      text: "a blank import should be only in a main or test package"
  exclude:
    - "should have a package comment, unless it's in another file for this package"
  exclude-use-default: false
  max-same-issues: 0
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,28 +1 @@
-Thank you for taking interest in contributing to Trivy !
+See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
 ## Issues
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
 - Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
 ## Pull Requests
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
 1. Please add the associated Issue in the PR description.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
 1. Please include a comment with the results before and after your change.
 1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
 1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
 ## Understand where your pull request belongs
 Trivy is composed of several different repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
 - [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
--- a/6
+++ b/6
@@ -1,5 +1,5 @@
-FROM alpine:3.10
+FROM alpine:3.16.2
-RUN apk --no-cache add ca-certificates git rpm
+RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
-
+COPY contrib/*.tpl contrib/
 ENTRYPOINT ["trivy"]
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -0,0 +1,10 @@
 FROM alpine:3.16.2
 RUN apk --no-cache add ca-certificates git
 # binaries were created with GoReleaser
 # need to copy binaries from folder with correct architecture
 # example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
 ARG TARGETARCH
 COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
 ENTRYPOINT ["trivy"]
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -0,0 +1,12 @@
 FROM golang:1.19.1
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
 RUN apt-get update && apt-get install -y unzip
 RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
    && rm -f $PROTOC_ZIP
 RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
 RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
--- a/862
+++ b/862
@@ -1,661 +1,201 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
+                                 Apache License
-                       Version 3, 19 November 2007
+                           Version 2.0, January 2004
-
+                        http://www.apache.org/licenses/
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
- Everyone is permitted to copy and distribute verbatim copies
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
- of this license document, but changing it is not allowed.
+
-
+   1. Definitions.
-                            Preamble
+
-
+      "License" shall mean the terms and conditions for use, reproduction,
-  The GNU Affero General Public License is a free, copyleft license for
+      and distribution as defined by Sections 1 through 9 of this document.
-software and other kinds of works, specifically designed to ensure
+
-cooperation with the community in the case of network server software.
+      "Licensor" shall mean the copyright owner or entity authorized by
-
+      the copyright owner that is granting the License.
-  The licenses for most software and other practical works are designed
+
-to take away your freedom to share and change the works.  By contrast,
+      "Legal Entity" shall mean the union of the acting entity and all
-our General Public Licenses are intended to guarantee your freedom to
+      other entities that control, are controlled by, or are under common
-share and change all versions of a program--to make sure it remains free
+      control with that entity. For the purposes of this definition,
-software for all its users.
+      "control" means (i) the power, direct or indirect, to cause the
-
+      direction or management of such entity, whether by contract or
-  When we speak of free software, we are referring to freedom, not
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-price.  Our General Public Licenses are designed to make sure that you
+      outstanding shares, or (iii) beneficial ownership of such entity.
-have the freedom to distribute copies of free software (and charge for
+
-them if you wish), that you receive source code or can get it if you
+      "You" (or "Your") shall mean an individual or Legal Entity
-want it, that you can change the software or use pieces of it in new
+      exercising permissions granted by this License.
-free programs, and that you know you can do these things.
+
-
+      "Source" form shall mean the preferred form for making modifications,
-  Developers that use our General Public Licenses protect your rights
+      including but not limited to software source code, documentation
-with two steps: (1) assert copyright on the software, and (2) offer
+      source, and configuration files.
-you this License which gives you legal permission to copy, distribute
+
-and/or modify the software.
+      "Object" form shall mean any form resulting from mechanical
-
+      transformation or translation of a Source form, including but
-  A secondary benefit of defending all users' freedom is that
+      not limited to compiled object code, generated documentation,
-improvements made in alternate versions of the program, if they
+      and conversions to other media types.
-receive widespread use, become available for other developers to
+
-incorporate.  Many developers of free software are heartened and
+      "Work" shall mean the work of authorship, whether in Source or
-encouraged by the resulting cooperation.  However, in the case of
+      Object form, made available under the License, as indicated by a
-software used on network servers, this result may fail to come about.
+      copyright notice that is included in or attached to the work
-The GNU General Public License permits making a modified version and
+      (an example is provided in the Appendix below).
-letting the public access it on a server without ever releasing its
+
-source code to the public.
+      "Derivative Works" shall mean any work, whether in Source or Object
-
+      form, that is based on (or derived from) the Work and for which the
-  The GNU Affero General Public License is designed specifically to
+      editorial revisions, annotations, elaborations, or other modifications
-ensure that, in such cases, the modified source code becomes available
+      represent, as a whole, an original work of authorship. For the purposes
-to the community.  It requires the operator of a network server to
+      of this License, Derivative Works shall not include works that remain
-provide the source code of the modified version running there to the
+      separable from, or merely link (or bind by name) to the interfaces of,
-users of that server.  Therefore, public use of a modified version, on
+      the Work and Derivative Works thereof.
-a publicly accessible server, gives the public access to the source
+
-code of the modified version.
+      "Contribution" shall mean any work of authorship, including
-
+      the original version of the Work and any modifications or additions
-  An older license, called the Affero General Public License and
+      to that Work or Derivative Works thereof, that is intentionally
-published by Affero, was designed to accomplish similar goals.  This is
+      submitted to Licensor for inclusion in the Work by the copyright owner
-a different license, not a version of the Affero GPL, but Affero has
+      or by an individual or Legal Entity authorized to submit on behalf of
-released a new version of the Affero GPL which permits relicensing under
+      the copyright owner. For the purposes of this definition, "submitted"
-this license.
+      means any form of electronic, verbal, or written communication sent
-
+      to the Licensor or its representatives, including but not limited to
-  The precise terms and conditions for copying, distribution and
+      communication on electronic mailing lists, source code control systems,
-modification follow.
+      and issue tracking systems that are managed by, or on behalf of, the
-
+      Licensor for the purpose of discussing and improving the Work, but
-                       TERMS AND CONDITIONS
+      excluding communication that is conspicuously marked or otherwise
-
+      designated in writing by the copyright owner as "Not a Contribution."
-  0. Definitions.
+
-
+      "Contributor" shall mean Licensor and any individual or Legal Entity
-  "This License" refers to version 3 of the GNU Affero General Public License.
+      on behalf of whom a Contribution has been received by Licensor and
-
+      subsequently incorporated within the Work.
-  "Copyright" also means copyright-like laws that apply to other kinds of
+
-works, such as semiconductor masks.
+   2. Grant of Copyright License. Subject to the terms and conditions of
-
+      this License, each Contributor hereby grants to You a perpetual,
-  "The Program" refers to any copyrightable work licensed under this
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-License.  Each licensee is addressed as "you".  "Licensees" and
+      copyright license to reproduce, prepare Derivative Works of,
-"recipients" may be individuals or organizations.
+      publicly display, publicly perform, sublicense, and distribute the
-
+      Work and such Derivative Works in Source or Object form.
-  To "modify" a work means to copy from or adapt all or part of the work
+
-in a fashion requiring copyright permission, other than the making of an
+   3. Grant of Patent License. Subject to the terms and conditions of
-exact copy.  The resulting work is called a "modified version" of the
+      this License, each Contributor hereby grants to You a perpetual,
-earlier work or a work "based on" the earlier work.
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-
+      (except as stated in this section) patent license to make, have made,
-  A "covered work" means either the unmodified Program or a work based
+      use, offer to sell, sell, import, and otherwise transfer the Work,
-on the Program.
+      where such license applies only to those patent claims licensable
-
+      by such Contributor that are necessarily infringed by their
-  To "propagate" a work means to do anything with it that, without
+      Contribution(s) alone or by combination of their Contribution(s)
-permission, would make you directly or secondarily liable for
+      with the Work to which such Contribution(s) was submitted. If You
-infringement under applicable copyright law, except executing it on a
+      institute patent litigation against any entity (including a
-computer or modifying a private copy.  Propagation includes copying,
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
-distribution (with or without modification), making available to the
+      or a Contribution incorporated within the Work constitutes direct
-public, and in some countries other activities as well.
+      or contributory patent infringement, then any patent licenses
-
+      granted to You under this License for that Work shall terminate
-  To "convey" a work means any kind of propagation that enables other
+      as of the date such litigation is filed.
-parties to make or receive copies.  Mere interaction with a user through
+
-a computer network, with no transfer of a copy, is not conveying.
+   4. Redistribution. You may reproduce and distribute copies of the
-
+      Work or Derivative Works thereof in any medium, with or without
-  An interactive user interface displays "Appropriate Legal Notices"
+      modifications, and in Source or Object form, provided that You
-to the extent that it includes a convenient and prominently visible
+      meet the following conditions:
-feature that (1) displays an appropriate copyright notice, and (2)
+
-tells the user that there is no warranty for the work (except to the
+      (a) You must give any other recipients of the Work or
-extent that warranties are provided), that licensees may convey the
+          Derivative Works a copy of this License; and
-work under this License, and how to view a copy of this License.  If
+
-the interface presents a list of user commands or options, such as a
+      (b) You must cause any modified files to carry prominent notices
-menu, a prominent item in the list meets this criterion.
+          stating that You changed the files; and
-
+
-  1. Source Code.
+      (c) You must retain, in the Source form of any Derivative Works
-
+          that You distribute, all copyright, patent, trademark, and
-  The "source code" for a work means the preferred form of the work
+          attribution notices from the Source form of the Work,
-for making modifications to it.  "Object code" means any non-source
+          excluding those notices that do not pertain to any part of
-form of a work.
+          the Derivative Works; and
-
+
-  A "Standard Interface" means an interface that either is an official
+      (d) If the Work includes a "NOTICE" text file as part of its
-standard defined by a recognized standards body, or, in the case of
+          distribution, then any Derivative Works that You distribute must
-interfaces specified for a particular programming language, one that
+          include a readable copy of the attribution notices contained
-is widely used among developers working in that language.
+          within such NOTICE file, excluding those notices that do not
-
+          pertain to any part of the Derivative Works, in at least one
-  The "System Libraries" of an executable work include anything, other
+          of the following places: within a NOTICE text file distributed
-than the work as a whole, that (a) is included in the normal form of
+          as part of the Derivative Works; within the Source form or
-packaging a Major Component, but which is not part of that Major
+          documentation, if provided along with the Derivative Works; or,
-Component, and (b) serves only to enable use of the work with that
+          within a display generated by the Derivative Works, if and
-Major Component, or to implement a Standard Interface for which an
+          wherever such third-party notices normally appear. The contents
-implementation is available to the public in source code form.  A
+          of the NOTICE file are for informational purposes only and
-"Major Component", in this context, means a major essential component
+          do not modify the License. You may add Your own attribution
-(kernel, window system, and so on) of the specific operating system
+          notices within Derivative Works that You distribute, alongside
-(if any) on which the executable work runs, or a compiler used to
+          or as an addendum to the NOTICE text from the Work, provided
-produce the work, or an object code interpreter used to run it.
+          that such additional attribution notices cannot be construed
-
+          as modifying the License.
-  The "Corresponding Source" for a work in object code form means all
+
-the source code needed to generate, install, and (for an executable
+      You may add Your own copyright statement to Your modifications and
-work) run the object code and to modify the work, including scripts to
+      may provide additional or different license terms and conditions
-control those activities.  However, it does not include the work's
+      for use, reproduction, or distribution of Your modifications, or
-System Libraries, or general-purpose tools or generally available free
+      for any such Derivative Works as a whole, provided Your use,
-programs which are used unmodified in performing those activities but
+      reproduction, and distribution of the Work otherwise complies with
-which are not part of the work.  For example, Corresponding Source
+      the conditions stated in this License.
-includes interface definition files associated with source files for
+
-the work, and the source code for shared libraries and dynamically
+   5. Submission of Contributions. Unless You explicitly state otherwise,
-linked subprograms that the work is specifically designed to require,
+      any Contribution intentionally submitted for inclusion in the Work
-such as by intimate data communication or control flow between those
+      by You to the Licensor shall be under the terms and conditions of
-subprograms and other parts of the work.
+      this License, without any additional terms or conditions.
-
+      Notwithstanding the above, nothing herein shall supersede or modify
-  The Corresponding Source need not include anything that users
+      the terms of any separate license agreement you may have executed
-can regenerate automatically from other parts of the Corresponding
+      with Licensor regarding such Contributions.
-Source.
+
-
+   6. Trademarks. This License does not grant permission to use the trade
-  The Corresponding Source for a work in source code form is that
+      names, trademarks, service marks, or product names of the Licensor,
-same work.
+      except as required for reasonable and customary use in describing the
-
+      origin of the Work and reproducing the content of the NOTICE file.
-  2. Basic Permissions.
+
-
+   7. Disclaimer of Warranty. Unless required by applicable law or
-  All rights granted under this License are granted for the term of
+      agreed to in writing, Licensor provides the Work (and each
-copyright on the Program, and are irrevocable provided the stated
+      Contributor provides its Contributions) on an "AS IS" BASIS,
-conditions are met.  This License explicitly affirms your unlimited
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-permission to run the unmodified Program.  The output from running a
+      implied, including, without limitation, any warranties or conditions
-covered work is covered by this License only if the output, given its
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-content, constitutes a covered work.  This License acknowledges your
+      PARTICULAR PURPOSE. You are solely responsible for determining the
-rights of fair use or other equivalent, as provided by copyright law.
+      appropriateness of using or redistributing the Work and assume any
-
+      risks associated with Your exercise of permissions under this License.
-  You may make, run and propagate covered works that you do not
+
-convey, without conditions so long as your license otherwise remains
+   8. Limitation of Liability. In no event and under no legal theory,
-in force.  You may convey covered works to others for the sole purpose
+      whether in tort (including negligence), contract, or otherwise,
-of having them make modifications exclusively for you, or provide you
+      unless required by applicable law (such as deliberate and grossly
-with facilities for running those works, provided that you comply with
+      negligent acts) or agreed to in writing, shall any Contributor be
-the terms of this License in conveying all material for which you do
+      liable to You for damages, including any direct, indirect, special,
-not control copyright.  Those thus making or running the covered works
+      incidental, or consequential damages of any character arising as a
-for you must do so exclusively on your behalf, under your direction
+      result of this License or out of the use or inability to use the
-and control, on terms that prohibit them from making any copies of
+      Work (including but not limited to damages for loss of goodwill,
-your copyrighted material outside their relationship with you.
+      work stoppage, computer failure or malfunction, or any and all
-
+      other commercial damages or losses), even if such Contributor
-  Conveying under any other circumstances is permitted solely under
+      has been advised of the possibility of such damages.
-the conditions stated below.  Sublicensing is not allowed; section 10
+
-makes it unnecessary.
+   9. Accepting Warranty or Additional Liability. While redistributing
-
+      the Work or Derivative Works thereof, You may choose to offer,
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+      and charge a fee for, acceptance of support, warranty, indemnity,
-
+      or other liability obligations and/or rights consistent with this
-  No covered work shall be deemed part of an effective technological
+      License. However, in accepting such obligations, You may act only
-measure under any applicable law fulfilling obligations under article
+      on Your own behalf and on Your sole responsibility, not on behalf
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
+      of any other Contributor, and only if You agree to indemnify,
-similar laws prohibiting or restricting circumvention of such
+      defend, and hold each Contributor harmless for any liability
-measures.
+      incurred by, or claims asserted against, such Contributor by reason
-
+      of your accepting any such warranty or additional liability.
-  When you convey a covered work, you waive any legal power to forbid
+
-circumvention of technological measures to the extent such circumvention
+   END OF TERMS AND CONDITIONS
-is effected by exercising rights under this License with respect to
+
-the covered work, and you disclaim any intention to limit operation or
+   APPENDIX: How to apply the Apache License to your work.
-modification of the work as a means of enforcing, against the work's
+
-users, your or third parties' legal rights to forbid circumvention of
+      To apply the Apache License to your work, attach the following
-technological measures.
+      boilerplate notice, with the fields enclosed by brackets "[]"
-
+      replaced with your own identifying information. (Don't include
-  4. Conveying Verbatim Copies.
+      the brackets!)  The text should be enclosed in the appropriate
-
+      comment syntax for the file format. We also recommend that a
-  You may convey verbatim copies of the Program's source code as you
+      file or class name and description of purpose be included on the
-receive it, in any medium, provided that you conspicuously and
+      same "printed page" as the copyright notice for easier
-appropriately publish on each copy an appropriate copyright notice;
+      identification within third-party archives.
-keep intact all notices stating that this License and any
+
-non-permissive terms added in accord with section 7 apply to the code;
+   Copyright [yyyy] [name of copyright owner]
-keep intact all notices of the absence of any warranty; and give all
+
-recipients a copy of this License along with the Program.
+   Licensed under the Apache License, Version 2.0 (the "License");
-
+   you may not use this file except in compliance with the License.
-  You may charge any price or no price for each copy that you convey,
+   You may obtain a copy of the License at
-and you may offer support or warranty protection for a fee.
+
-
+       http://www.apache.org/licenses/LICENSE-2.0
-  5. Conveying Modified Source Versions.
+
-
+   Unless required by applicable law or agreed to in writing, software
-  You may convey a work based on the Program, or the modifications to
+   distributed under the License is distributed on an "AS IS" BASIS,
-produce it from the Program, in the form of source code under the
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-terms of section 4, provided that you also meet all of these conditions:
+   See the License for the specific language governing permissions and
-
+   limitations under the License.
    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.
    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7.  This requirement modifies the requirement in section 4 to
    "keep intact all notices".
    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy.  This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged.  This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.
    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.
  A compilation of a covered work with other separate and independent
 works, which are not by their nature extensions of the covered work,
 and which are not combined with it such as to form a larger program,
 in or on a volume of a storage or distribution medium, is called an
 "aggregate" if the compilation and its resulting copyright are not
 used to limit the access or legal rights of the compilation's users
 beyond what the individual works permit.  Inclusion of a covered work
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.
  6. Conveying Non-Source Forms.
  You may convey a covered work in object code form under the terms
 of sections 4 and 5, provided that you also convey the
 machine-readable Corresponding Source under the terms of this License,
 in one of these ways:
    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.
    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.
    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source.  This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.
    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.
    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.
  A separable portion of the object code, whose source code is excluded
 from the Corresponding Source as a System Library, need not be
 included in conveying the object code work.
  A "User Product" is either (1) a "consumer product", which means any
 tangible personal property which is normally used for personal, family,
 or household purposes, or (2) anything designed or sold for incorporation
 into a dwelling.  In determining whether a product is a consumer product,
 doubtful cases shall be resolved in favor of coverage.  For a particular
 product received by a particular user, "normally used" refers to a
 typical or common use of that class of product, regardless of the status
 of the particular user or of the way in which the particular user
 actually uses, or expects or is expected to use, the product.  A product
 is a consumer product regardless of whether the product has substantial
 commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
  "Installation Information" for a User Product means any methods,
 procedures, authorization keys, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object
 code is in no case prevented or interfered with solely because
 modification has been made.
  If you convey an object code work under this section in, or with, or
 specifically for use in, a User Product, and the conveying occurs as
 part of a transaction in which the right of possession and use of the
 User Product is transferred to the recipient in perpetuity or for a
 fixed term (regardless of how the transaction is characterized), the
 Corresponding Source conveyed under this section must be accompanied
 by the Installation Information.  But this requirement does not apply
 if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has
 been installed in ROM).
  The requirement to provide Installation Information does not include a
 requirement to continue to provide support service, warranty, or updates
 for a work that has been modified or installed by the recipient, or for
 the User Product in which it has been modified or installed.  Access to a
 network may be denied when the modification itself materially and
 adversely affects the operation of the network or violates the rules and
 protocols for communication across the network.
  Corresponding Source conveyed, and Installation Information provided,
 in accord with this section must be in a format that is publicly
 documented (and with an implementation available to the public in
 source code form), and must require no special password or key for
 unpacking, reading or copying.
  7. Additional Terms.
  "Additional permissions" are terms that supplement the terms of this
 License by making exceptions from one or more of its conditions.
 Additional permissions that are applicable to the entire Program shall
 be treated as though they were included in this License, to the extent
 that they are valid under applicable law.  If additional permissions
 apply only to part of the Program, that part may be used separately
 under those permissions, but the entire Program remains governed by
 this License without regard to the additional permissions.
  When you convey a copy of a covered work, you may at your option
 remove any additional permissions from that copy, or from any part of
 it.  (Additional permissions may be written to require their own
 removal in certain cases when you modify the work.)  You may place
 additional permissions on material, added by you to a covered work,
 for which you have or can give appropriate copyright permission.
  Notwithstanding any other provision of this License, for material you
 add to a covered work, you may (if authorized by the copyright holders of
 that material) supplement the terms of this License with terms:
    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or
    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or
    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or
    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or
    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or
    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.
  All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
 governed by this License along with a term that is a further
 restriction, you may remove that term.  If a license document contains
 a further restriction but permits relicensing or conveying under this
 License, you may add to a covered work material governed by the terms
 of that license document, provided that the further restriction does
 not survive such relicensing or conveying.
  If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
 additional terms that apply to those files, or a notice indicating
 where to find the applicable terms.
  Additional terms, permissive or non-permissive, may be stated in the
 form of a separately written license, or stated as exceptions;
 the above requirements apply either way.
  8. Termination.
  You may not propagate or modify a covered work except as expressly
 provided under this License.  Any attempt otherwise to propagate or
 modify it is void, and will automatically terminate your rights under
 this License (including any patent licenses granted under the third
 paragraph of section 11).
  However, if you cease all violation of this License, then your
 license from a particular copyright holder is reinstated (a)
 provisionally, unless and until the copyright holder explicitly and
 finally terminates your license, and (b) permanently, if the copyright
 holder fails to notify you of the violation by some reasonable means
 prior to 60 days after the cessation.
  Moreover, your license from a particular copyright holder is
 reinstated permanently if the copyright holder notifies you of the
 violation by some reasonable means, this is the first time you have
 received notice of violation of this License (for any work) from that
 copyright holder, and you cure the violation prior to 30 days after
 your receipt of the notice.
  Termination of your rights under this section does not terminate the
 licenses of parties who have received copies or rights from you under
 this License.  If your rights have been terminated and not permanently
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.
  9. Acceptance Not Required for Having Copies.
  You are not required to accept this License in order to receive or
 run a copy of the Program.  Ancillary propagation of a covered work
 occurring solely as a consequence of using peer-to-peer transmission
 to receive a copy likewise does not require acceptance.  However,
 nothing other than this License grants you permission to propagate or
 modify any covered work.  These actions infringe copyright if you do
 not accept this License.  Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.
  10. Automatic Licensing of Downstream Recipients.
  Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
 propagate that work, subject to this License.  You are not responsible
 for enforcing compliance by third parties with this License.
  An "entity transaction" is a transaction transferring control of an
 organization, or substantially all assets of one, or subdividing an
 organization, or merging organizations.  If propagation of a covered
 work results from an entity transaction, each party to that
 transaction who receives a copy of the work also receives whatever
 licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the
 Corresponding Source of the work from the predecessor in interest, if
 the predecessor has it or can get it with reasonable efforts.
  You may not impose any further restrictions on the exercise of the
 rights granted or affirmed under this License.  For example, you may
 not impose a license fee, royalty, or other charge for exercise of
 rights granted under this License, and you may not initiate litigation
 (including a cross-claim or counterclaim in a lawsuit) alleging that
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.
  11. Patents.
  A "contributor" is a copyright holder who authorizes use under this
 License of the Program or a work on which the Program is based.  The
 work thus licensed is called the contributor's "contributor version".
  A contributor's "essential patent claims" are all patent claims
 owned or controlled by the contributor, whether already acquired or
 hereafter acquired, that would be infringed by some manner, permitted
 by this License, of making, using, or selling its contributor version,
 but do not include claims that would be infringed only as a
 consequence of further modification of the contributor version.  For
 purposes of this definition, "control" includes the right to grant
 patent sublicenses in a manner consistent with the requirements of
 this License.
  Each contributor grants you a non-exclusive, worldwide, royalty-free
 patent license under the contributor's essential patent claims, to
 make, use, sell, offer for sale, import and otherwise run, modify and
 propagate the contents of its contributor version.
  In the following three paragraphs, a "patent license" is any express
 agreement or commitment, however denominated, not to enforce a patent
 (such as an express permission to practice a patent or covenant not to
 sue for patent infringement).  To "grant" such a patent license to a
 party means to make such an agreement or commitment not to enforce a
 patent against the party.
  If you convey a covered work, knowingly relying on a patent license,
 and the Corresponding Source of the work is not available for anyone
 to copy, free of charge and under the terms of this License, through a
 publicly available network server or other readily accessible means,
 then you must either (1) cause the Corresponding Source to be so
 available, or (2) arrange to deprive yourself of the benefit of the
 patent license for this particular work, or (3) arrange, in a manner
 consistent with the requirements of this License, to extend the patent
 license to downstream recipients.  "Knowingly relying" means you have
 actual knowledge that, but for the patent license, your conveying the
 covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that
 country that you have reason to believe are valid.
  If, pursuant to or in connection with a single transaction or
 arrangement, you convey, or propagate by procuring conveyance of, a
 covered work, and grant a patent license to some of the parties
 receiving the covered work authorizing them to use, propagate, modify
 or convey a specific copy of the covered work, then the patent license
 you grant is automatically extended to all recipients of the covered
 work and works based on it.
  A patent license is "discriminatory" if it does not include within
 the scope of its coverage, prohibits the exercise of, or is
 conditioned on the non-exercise of one or more of the rights that are
 specifically granted under this License.  You may not convey a covered
 work if you are a party to an arrangement with a third party that is
 in the business of distributing software, under which you make payment
 to the third party based on the extent of your activity of conveying
 the work, and under which the third party grants, to any of the
 parties who would receive the covered work from you, a discriminatory
 patent license (a) in connection with copies of the covered work
 conveyed by you (or copies made from those copies), or (b) primarily
 for and in connection with specific products or compilations that
 contain the covered work, unless you entered into that arrangement,
 or that patent license was granted, prior to 28 March 2007.
  Nothing in this License shall be construed as excluding or limiting
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.
  12. No Surrender of Others' Freedom.
  If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot convey a
 covered work so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you may
 not convey it at all.  For example, if you agree to terms that obligate you
 to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
  13. Remote Network Interaction; Use with the GNU General Public License.
  Notwithstanding any other provision of this License, if you modify the
 Program, your modified version must prominently offer all users
 interacting with it remotely through a computer network (if your version
 supports such interaction) an opportunity to receive the Corresponding
 Source of your version by providing access to the Corresponding Source
 from a network server at no charge, through some standard or customary
 means of facilitating copying of software.  This Corresponding Source
 shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
 under version 3 of the GNU General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
 but the work with which it is combined will remain governed by version
 3 of the GNU General Public License.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
 the GNU Affero General Public License from time to time.  Such new versions
 will be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
  Each version is given a distinguishing version number.  If the
 Program specifies that a certain numbered version of the GNU Affero General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
 GNU Affero General Public License, you may choose any version ever published
 by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
 versions of the GNU Affero General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
  Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
 author or copyright holder as a result of your choosing to follow a
 later version.
  15. Disclaimer of Warranty.
  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
 OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
 THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
 IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  16. Limitation of Liability.
  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
 THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
 GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
 USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
 DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
 EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGES.
  17. Interpretation of Sections 15 and 16.
  If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
 reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published
    by the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.
    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
  If your software can interact with users remotely through a computer
 network, you should also make sure that it provides a way for users to
 get its source.  For example, if your program is a web application, its
 interface could display a "Source" link that leads users to an archive
 of the code.  There are many ways you could offer source, and different
 solutions will be better for different programs; see section 13 for the
 specific requirements.
  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see
 <https://www.gnu.org/licenses/>.
--- a/102
+++ b/102
@@ -1,41 +1,85 @@
-VERSION := $(shell git describe --tags)
+VERSION := $(patsubst v%,%,$(shell git describe --tags --always)) #Strips the v prefix from the tag
-LDFLAGS=-ldflags "-s -w -X=main.version=$(VERSION)"
+LDFLAGS := -ldflags "-s -w -X=main.version=$(VERSION)"
-GOPATH=$(shell go env GOPATH)
+GOPATH := $(shell go env GOPATH)
-GOBIN=$(GOPATH)/bin
+GOBIN := $(GOPATH)/bin
-GOSRC=$(GOPATH)/src
+GOSRC := $(GOPATH)/src
 TEST_MODULE_DIR := pkg/module/testdata
 TEST_MODULE_SRCS := $(wildcard $(TEST_MODULE_DIR)/*/*.go)
 TEST_MODULES := $(patsubst %.go,%.wasm,$(TEST_MODULE_SRCS))
 EXAMPLE_MODULE_DIR := examples/module
 EXAMPLE_MODULE_SRCS := $(wildcard $(EXAMPLE_MODULE_DIR)/*/*.go)
 EXAMPLE_MODULES := $(patsubst %.go,%.wasm,$(EXAMPLE_MODULE_SRCS))
 MKDOCS_IMAGE := aquasec/mkdocs-material:dev
 MKDOCS_PORT := 8000
 u := $(if $(update),-u)
 # Tools
 $(GOBIN)/wire:
-	GO111MODULE=off go get github.com/google/wire/cmd/wire
+	go install github.com/google/wire/cmd/wire@v0.5.0
 $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
 $(GOBIN)/golangci-lint:
 	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest
 $(GOBIN)/easyjson:
 	go install github.com/mailru/easyjson/...@v0.7.7
 .PHONY: wire
 wire: $(GOBIN)/wire
-	wire gen ./...
+	wire gen ./pkg/commands/... ./pkg/rpc/...
 .PHONY: mock
 mock: $(GOBIN)/mockery
 	mockery -all -inpkg -case=snake -dir $(DIR)
 .PHONY: deps
 deps:
 	go get ${u} -d
 	go mod tidy
-$(GOBIN)/golangci-lint:
+.PHONY: generate-test-modules
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.21.0
+generate-test-modules: $(TEST_MODULES)
 # Compile WASM modules for unit and integration tests
 %.wasm:%.go
 	@if !(type "tinygo" > /dev/null 2>&1); then \
 		echo "Need to install TinyGo. Follow https://tinygo.org/getting-started/install/"; \
 		exit 1; \
 	fi
 	go generate $<
 # Run unit tests
 .PHONY: test
-test:
+test: $(TEST_MODULES)
-	go test -v -short ./...
+	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
-integration/testdata/fixtures/*.tar.gz:
+integration/testdata/fixtures/images/*.tar.gz: $(GOBIN)/crane
-	git clone https://github.com/aquasecurity/trivy-test-images.git integration/testdata/fixtures
+	mkdir -p integration/testdata/fixtures/images/
 	integration/scripts/download-images.sh
 # Run integration tests
 .PHONY: test-integration
-test-integration: integration/testdata/fixtures/*.tar.gz
+test-integration: integration/testdata/fixtures/images/*.tar.gz
-	go test -v -tags=integration ./integration/...
+	go test -v -tags=integration ./integration/... ./pkg/fanal/test/integration/...
 # Run WASM integration tests
 .PHONY: test-module-integration
 test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
 	go test -v -tags=module_integration ./integration/...
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
-	$(GOBIN)/golangci-lint run
+	$(GOBIN)/golangci-lint run --timeout 5m
 .PHONY: fmt
 fmt:
@@ -47,7 +91,13 @@ build:
 .PHONY: protoc
 protoc:
-	protoc --proto_path=$(GOSRC):. --twirp_out=. --go_out=. ./rpc/detector/service.proto
+	docker build -t trivy-protoc - < Dockerfile.protoc
 	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
 _protoc:
 	for path in `find ./rpc/ -name "*.proto" -type f`; do \
 		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
 	done
 .PHONY: install
 install:
@@ -55,4 +105,20 @@ install:
 .PHONY: clean
 clean:
-	rm -rf integration/testdata/fixtures/
+	rm -rf integration/testdata/fixtures/images
 # Create labels on GitHub
 .PHONY: label
 label: $(GOBIN)/labeler
 	labeler apply misc/triage/labels.yaml -r aquasecurity/trivy -l 5
 # Run MkDocs development server to preview the documentation page
 .PHONY: mkdocs-serve
 mkdocs-serve:
 	docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
 	docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)
 # Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
 .PHONY: easyjson
 easyjson: $(GOBIN)/easyjson
 	easyjson pkg/module/serialize/types.go
--- a/4
+++ b/4
@@ -0,0 +1,4 @@
 Trivy
 Copyright 2019-2020 Aqua Security Software Ltd. 
 This product includes software developed by Aqua Security (https://aquasec.com).
--- a/README.md
+++ b/README.md
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg
@@ -0,0 +1,56 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
 <g>
 	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
 		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
 	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
 		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
 	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
 	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
 	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
 		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
 		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
 		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
 	<g>
 		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
 			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
 		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
 			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
 		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
 			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
 		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
 			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
 		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
 			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
 			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
 		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
 			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
 			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
 		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
 		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
 		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
 			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
 		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
 			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
 			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
 	</g>
 </g>
 <g>
 	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
 	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
 	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
 		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
 	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
 		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
 		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
 </g>
 </svg>
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg
@@ -0,0 +1,202 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
 <g display="none">
 	<g display="inline">
 		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
 			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
 			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
 		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
 			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
 			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
 		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
 			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
 			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
 			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
 		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
 			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
 			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
 			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
 		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
 		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
 			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
 			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
 			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
 		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
 			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
 			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
 			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
 		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
 			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
 			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
 		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
 			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
 			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
 			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
 			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
 		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
 			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
 			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
 			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
 		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
 			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
 		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
 		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
 		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
 			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
 			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
 			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
 			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
 			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
 			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
 			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
 		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
 			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
 		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
 			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
 			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
 			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
 			S1255.131,432.352,1255.131,428.372z"/>
 		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
 			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
 		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
 			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
 			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
 			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
 		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
 			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
 			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
 		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
 			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
 			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
 			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
 			S1436.024,432.352,1436.024,428.372z"/>
 		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
 			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
 		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
 			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
 			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
 			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
 			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
 			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
 			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
 			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
 		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
 		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
 			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
 			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
 			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
 		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
 			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
 			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
 		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
 			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
 			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
 			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
 		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
 			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
 			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
 			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
 			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
 		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
 			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
 			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
 			"/>
 		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
 		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
 			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
 			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
 			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
 		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
 		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
 			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
 	</g>
 	<g display="inline">
 		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
 			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
 		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
 			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
 		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
 			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
 			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
 			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
 		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
 			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
 			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
 			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
 			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
 		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
 			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
 			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
 			s-11.276,3.742-13.385,9.059H849.59z"/>
 		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
 			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
 			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
 			s-11.276,3.742-13.385,9.059H899.44z"/>
 	</g>
 </g>
 <g>
 	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
 		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
 	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
 		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
 	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
 	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
 	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
 		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
 		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
 		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
 		"/>
 	<g>
 		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
 			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
 		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
 			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
 		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
 			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
 		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
 			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
 		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
 			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
 			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
 		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
 			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
 			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
 		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
 			V347.086z"/>
 		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
 			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
 		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
 			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
 		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
 			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
 			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
 	</g>
 </g>
 <g>
 	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
 		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
 	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
 		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
 	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
 		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
 	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
 		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
 		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
 </g>
 </svg>
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg
@@ -0,0 +1,84 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
 <g display="none">
 	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
 		118.268,40.115 	"/>
 	<g display="inline">
 		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
 			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
 		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
 			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
 		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
 			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
 		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
 			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
 		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
 			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
 			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
 		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
 			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
 			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
 		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
 		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
 			L14.265,41.864z"/>
 		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
 			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
 		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
 			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
 			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
 	</g>
 </g>
 <g>
 	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
 		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
 	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
 		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
 	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
 	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
 	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
 		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
 		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
 		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
 	<g>
 		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
 			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
 		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
 			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
 		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
 			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
 		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
 			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
 		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
 			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
 			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
 		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
 			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
 			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
 		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
 		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
 		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
 			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
 		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
 			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
 			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
 	</g>
 </g>
 <g>
 	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
 	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
 		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
 		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
 	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
 		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
 	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
 		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
 		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
 </g>
 </svg>
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.png
--- a/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
+++ b/brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg
@@ -0,0 +1,59 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
 <g>
 	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
 		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
 	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
 		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
 	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
 	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
 	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
 		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
 		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
 		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
 </g>
 <g>
 	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
 		"/>
 	<g>
 		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
 			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
 		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
 			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
 		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
 			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
 		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
 			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
 		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
 			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
 			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
 		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
 			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
 			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
 		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
 			V347.086z"/>
 		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
 			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
 		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
 			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
 		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
 			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
 			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
 	</g>
 </g>
 <g>
 	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
 		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
 	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
 		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
 		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
 	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
 		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
 	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
 		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
 		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
 </g>
 </svg>
--- a/brand/readme.md
+++ b/brand/readme.md
@@ -0,0 +1,2 @@
 This directory contains media assets, such as the Trivy logo.
 Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -1,10 +0,0 @@
 FROM circleci/golang:1.13-buster 
 RUN sudo apt-get -y update \
    && sudo apt-get -y install rpm reprepro createrepo
 ARG GORELEASER_VERSION=0.110.0
 ARG GORELEASER_ARTIFACT=goreleaser_Linux_x86_64.tar.gz
 RUN wget https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/${GORELEASER_ARTIFACT} \
    && sudo tar -xzf ${GORELEASER_ARTIFACT} -C /usr/bin/ goreleaser \
    && rm ${GORELEASER_ARTIFACT}
--- a/ci/deploy-deb.sh
+++ b/ci/deploy-deb.sh
@@ -1,17 +1,24 @@
 #!/bin/bash
-RELEASES=(wheezy jessie stretch buster trusty xenial bionic)
+DEBIAN_RELEASES=$(debian-distro-info --supported)
 UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 cd trivy-repo/deb
-for release in ${RELEASES[@]}; do
+for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
-  echo "Adding deb package to $release"
+  echo "Removing deb package of $release"
  reprepro -A i386 remove $release trivy
  reprepro -A amd64 remove $release trivy
  reprepro -A arm64 remove $release trivy
 done
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Adding deb package to $release"
  reprepro includedeb $release ../../dist/*Linux-64bit.deb
  reprepro includedeb $release ../../dist/*Linux-32bit.deb
  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 git add .
 git commit -m "Update deb packages"
-git push origin master
+git push origin main
--- a/ci/deploy-rpm.sh
+++ b/ci/deploy-rpm.sh
@@ -15,7 +15,7 @@ function create_rpm_repo () {
 cd trivy-repo
-VERSIONS=(5 6 7 8)
+VERSIONS=(5 6 7 8 9)
 for version in ${VERSIONS[@]}; do
        echo "Processing RHEL/CentOS $version..."
        create_rpm_repo $version
@@ -23,5 +23,5 @@ done
 git add .
 git commit -m "Update rpm packages"
-git push origin master
+git push origin main
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -1,12 +1,14 @@
 package main
 import (
-	l "log"
+	"context"
 	"os"
-	"github.com/aquasecurity/trivy/internal"
+	"golang.org/x/xerrors"
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/plugin"
 )
 var (
@@ -14,12 +16,26 @@ var (
 )
 func main() {
-	app := internal.NewApp(version)
+	if err := run(); err != nil {
-	err := app.Run(os.Args)
+		log.Fatal(err)
 	if err != nil {
 		if log.Logger != nil {
 			log.Fatal(err)
 		}
 		l.Fatal(err)
 	}
 }
 func run() error {
 	// Trivy behaves as the specified plugin.
 	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
 		if !plugin.IsPredefined(runAsPlugin) {
 			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
 		}
 		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
 			return xerrors.Errorf("plugin error: %w", err)
 		}
 		return nil
 	}
 	app := commands.NewApp(version)
 	if err := app.Execute(); err != nil {
 		return err
 	}
 	return nil
 }
--- a/contrib/Trivy.gitlab-ci.yml
+++ b/contrib/Trivy.gitlab-ci.yml
@@ -0,0 +1,29 @@
 Trivy_container_scanning:
  stage: test
  image:
    name: alpine:3.11
  variables:
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    - apk add --no-cache curl docker-cli
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
    - curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
  script:
    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
  cache:
    paths:
      - .trivycache/
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  only:
    refs:
      - branches
--- a/contrib/asff.tpl
+++ b/contrib/asff.tpl
@@ -0,0 +1,161 @@
 {
    "Findings": [
    {{- $t_first := true -}}
    {{- range . -}}
    {{- $target := .Target -}}
    {{- $image := .Target -}}
    {{- if gt (len $image) 127 -}}
        {{- $image = $image | regexFind ".{124}$" | printf "...%v" -}}
    {{- end}}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{- else -}}
      ,
    {{- end -}}
    {{- $severity := .Severity -}}
    {{- if eq $severity "UNKNOWN" -}}
    {{- $severity = "INFORMATIONAL" -}}
    {{- end -}}
    {{- $description := .Description -}}
    {{- if gt (len $description ) 512 -}}
        {{- $description = (substr 0 512 $description) | printf "%v .." -}}
    {{- end}}
        {
            "SchemaVersion": "2018-10-08",
            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
            "GeneratorId": "Trivy/{{ .VulnerabilityID }}",
            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "Severity": {
                "Label": "{{ $severity }}"
            },
            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
            "Description": {{ escapeString $description | printf "%q" }},
            {{ if not (empty .PrimaryURL) -}}
            "Remediation": {
                "Recommendation": {
                    "Text": "More information on this vulnerability is provided in the hyperlink",
                    "Url": "{{ .PrimaryURL }}"
                }
            },
            {{ end -}}
            "ProductFields": { "Product Name": "Trivy" },
            "Resources": [
                {
                    "Type": "Container",
                    "Id": "{{ $target }}",
                    "Partition": "aws",
                    "Region": "{{ env "AWS_REGION" }}",
                    "Details": {
                        "Container": { "ImageName": "{{ $image }}" },
                        "Other": {
                            "CVE ID": "{{ .VulnerabilityID }}",
                            "CVE Title": {{ .Title | printf "%q" }},
                            "PkgName": "{{ .PkgName }}",
                            "Installed Package": "{{ .InstalledVersion }}",
                            "Patched Package": "{{ .FixedVersion }}",
                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
                        }
                    }
                }
            ],
            "RecordState": "ACTIVE"
        }
        {{- end -}}
        {{- range .Misconfigurations -}}
            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
            {{- $severity := .Severity -}}
            {{- if eq $severity "UNKNOWN" -}}
                {{- $severity = "INFORMATIONAL" -}}
            {{- end -}}
            {{- $description := .Description -}}
            {{- if gt (len $description ) 512 -}}
                {{- $description = (substr 0 512 $description) | printf "%v .." -}}
            {{- end}}
        {
            "SchemaVersion": "2018-10-08",
            "Id": "{{ $target }}/{{ .ID }}",
            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
            "GeneratorId": "Trivy/{{ .ID }}",
            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
            "Types": [ "Software and Configuration Checks" ],
            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "Severity": {
                "Label": "{{ $severity }}"
            },
            "Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
            "Description": {{ escapeString $description | printf "%q" }},
            "Remediation": {
                "Recommendation": {
                    "Text": "{{ .Resolution }}",
                    "Url": "{{ .PrimaryURL }}"
                }
            },
            "ProductFields": { "Product Name": "Trivy" },
            "Resources": [
                {
                    "Type": "Other",
                    "Id": "{{ $target }}",
                    "Partition": "aws",
                    "Region": "{{ env "AWS_REGION" }}",
                    "Details": {
                        "Other": {
                            "Message": "{{ .Message }}",
                            "Filename": "{{ $target }}",
                            "StartLine": "{{ .CauseMetadata.StartLine }}",
                            "EndLine": "{{ .CauseMetadata.EndLine }}"
                        }
                    }
                }
            ],
            "RecordState": "ACTIVE"
        }
        {{- end -}}
        {{- range .Secrets -}}
            {{- if $t_first -}}{{- $t_first = false -}}{{- else -}},{{- end -}}
            {{- $severity := .Severity -}}
            {{- if eq $severity "UNKNOWN" -}}
                {{- $severity = "INFORMATIONAL" -}}
            {{- end -}}
        {
            "SchemaVersion": "2018-10-08",
            "Id": "{{ $target }}",
            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
            "GeneratorId": "Trivy",
            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
            "Types": [ "Sensitive Data Identifications" ],
            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
            "Severity": {
                "Label": "{{ $severity }}"
            },
            "Title": "Trivy found a secret in {{ $target }}: {{ .Title }}",
            "Description": "Trivy found a secret in {{ $target }}: {{ .Title }}",
            "ProductFields": { "Product Name": "Trivy" },
            "Resources": [
                {
                    "Type": "Other",
                    "Id": "{{ $target }}",
                    "Partition": "aws",
                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
                    "Details": {
                        "Other": {
                            "Filename": "{{ $target }}"
                        }
                    }
                }
            ],
            "RecordState": "ACTIVE"
        }
        {{- end -}}
      {{- end }}
    ]
 }
--- a/contrib/example_policy/advanced.rego
+++ b/contrib/example_policy/advanced.rego
@@ -0,0 +1,106 @@
 package trivy
 import data.lib.trivy
 default ignore = false
 nvd_v3_vector = v {
 	v := input.CVSS.nvd.V3Vector
 }
 redhat_v3_vector = v {
 	v := input.CVSS.redhat.V3Vector
 }
 # Ignore a vulnerability which requires high privilege
 ignore {
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	nvd_cvss_vector.PrivilegesRequired == "High"
        # Check against RedHat scores as well as NVD
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 # Ignore a vulnerability which requires user interaction
 ignore {
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	nvd_cvss_vector.UserInteraction == "Required"
        # Check against RedHat scores as well as NVD
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.UserInteraction == "Required"
 }
 ignore {
 	input.PkgName == "openssl"
 	# Split CVSSv3 vector
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
 	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }
 ignore {
 	input.PkgName == "openssl"
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
 	# Evaluate CWE-ID
 	deny_cwe_ids := {
 		"CWE-119", # Improper Restriction of Operations within the Bounds of a Memory Buffer
 		"CWE-200", # Exposure of Sensitive Information to an Unauthorized Actor
 	}
 	count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
 }
 ignore {
 	input.PkgName == "bash"
 	# Split CVSSv3 vector
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
 	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
 }
 ignore {
 	input.PkgName == "django"
 	# Split CVSSv3 vector
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
 	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
 	# Evaluate CWE-ID
 	deny_cwe_ids := {
 		"CWE-89", # SQL Injection
 		"CWE-78", # OS Command Injection
 	}
 	count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
 }
 ignore {
 	input.PkgName == "jquery"
 	# Split CVSSv3 vector
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS
 	count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
 }
--- a/contrib/example_policy/basic.rego
+++ b/contrib/example_policy/basic.rego
@@ -0,0 +1,58 @@
 package trivy
 import data.lib.trivy
 default ignore = false
 ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}
 nvd_v3_vector = v {
 	v := input.CVSS.nvd.V3Vector
 }
 redhat_v3_vector = v {
 	v := input.CVSS.redhat.V3Vector
 }
 ignore {
 	input.PkgName == ignore_pkgs[_]
 }
 ignore {
 	input.Severity == ignore_severities[_]
 }
 # Ignore a vulnerability which is not remotely exploitable
 ignore {
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	nvd_cvss_vector.AttackVector != "Network"
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.AttackVector != "Network"
 }
 # Ignore a vulnerability which requires high privilege
 ignore {
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	nvd_cvss_vector.PrivilegesRequired == "High"
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 # Ignore a vulnerability which requires user interaction
 ignore {
 	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 	nvd_cvss_vector.UserInteraction == "Required"
 	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
 	redhat_cvss_vector.UserInteraction == "Required"
 }
 # Ignore CSRF
 ignore {
 	# https://cwe.mitre.org/data/definitions/352.html
 	input.CweIDs[_] == "CWE-352"
 }
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -0,0 +1,103 @@
 {{- /* Template based on https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types */ -}}
 [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "minor"
                  {{- else if eq .Severity "HIGH" -}}
                    "major"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "critical"
                  {{-  else -}}
                    "info"
                  {{- end }},
      "location": {
        "path": "{{ $target }}",
        "lines": {
          "begin": 0
        }
      }
    }
    {{- end -}}
    {{- range .Misconfigurations -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
      "description": {{ list "Misconfig" .ID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "minor"
                  {{- else if eq .Severity "HIGH" -}}
                    "major"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "critical"
                  {{-  else -}}
                    "info"
                  {{- end }},
      "location": {
        "path": "{{ $target }}",
        "lines": {
          "begin": {{ .CauseMetadata.StartLine }}
        }
      }
    }
    {{- end -}}
    {{- range .Secrets -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
      "description": {{ list "Secret" .RuleID .Title | join " - " | printf "%q" }},
      "fingerprint": "{{ list .RuleID .Title $target | join "" | sha1sum }}",
      "content": {{ .Title | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "minor"
                  {{- else if eq .Severity "HIGH" -}}
                    "major"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "critical"
                  {{-  else -}}
                    "info"
                  {{- end }},
      "location": {
        "path": "{{ $target }}",
        "lines": {
          "begin": {{ .StartLine }}
        }
      }
    }
    {{- end -}}
  {{- end }}
 ]
--- a/contrib/gitlab.tpl
+++ b/contrib/gitlab.tpl
@@ -0,0 +1,82 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
  "version": "14.0.6",
  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
    {{- $image := $target | regexFind "[^\\s]+" }}
    {{- range .Vulnerabilities -}}
    {{- if $t_first -}}
      {{- $t_first = false -}}
    {{ else -}}
      ,
    {{- end }}
    {
      "id": "{{ .VulnerabilityID }}",
      "category": "container_scanning",
      "message": {{ .Title | printf "%q" }},
      "description": {{ .Description | printf "%q" }},
      {{- /* cve is a deprecated key, use id instead */}}
      "cve": "{{ .VulnerabilityID }}",
      "severity": {{ if eq .Severity "UNKNOWN" -}}
                    "Unknown"
                  {{- else if eq .Severity "LOW" -}}
                    "Low"
                  {{- else if eq .Severity "MEDIUM" -}}
                    "Medium"
                  {{- else if eq .Severity "HIGH" -}}
                    "High"
                  {{- else if eq .Severity "CRITICAL" -}}
                    "Critical"
                  {{-  else -}}
                    "{{ .Severity }}"
                  {{- end }},
      "solution": {{ if .FixedVersion -}}
                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                  {{- else -}}
                    "No solution provided"
                  {{- end }},
      "scanner": {
        "id": "trivy",
        "name": "trivy"
      },
      "location": {
        "dependency": {
          "package": {
            "name": "{{ .PkgName }}"
          },
          "version": "{{ .InstalledVersion }}"
        },
        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
        "operating_system": "Unknown",
        "image": "{{ $image }}"
      },
      "identifiers": [
        {
 	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
          "type": "cve",
          "name": "{{ .VulnerabilityID }}",
          "value": "{{ .VulnerabilityID }}",
          "url": "{{ .PrimaryURL }}"
        }
      ],
      "links": [
        {{- $l_first := true -}}
        {{- range .References -}}
        {{- if $l_first -}}
          {{- $l_first = false }}
        {{- else -}}
          ,
        {{- end -}}
        {
          "url": "{{ regexFind "[^ ]+" . }}"
        }
        {{- end }}
      ]
    }
    {{- end -}}
  {{- end }}
  ],
  "remediations": []
 }
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -0,0 +1,148 @@
 <!DOCTYPE html>
 <html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 {{- if . }}
    <style>
      * {
        font-family: Arial, Helvetica, sans-serif;
      }
      h1 {
        text-align: center;
      }
      .group-header th {
        font-size: 200%;
      }
      .sub-header th {
        font-size: 150%;
      }
      table, th, td {
        border: 1px solid black;
        border-collapse: collapse;
        white-space: nowrap;
        padding: .3em;
      }
      table {
        margin: 0 auto;
      }
      .severity {
        text-align: center;
        font-weight: bold;
        color: #fafafa;
      }
      .severity-LOW .severity { background-color: #5fbb31; }
      .severity-MEDIUM .severity { background-color: #e9c600; }
      .severity-HIGH .severity { background-color: #ff8800; }
      .severity-CRITICAL .severity { background-color: #e40000; }
      .severity-UNKNOWN .severity { background-color: #747474; }
      .severity-LOW { background-color: #5fbb3160; }
      .severity-MEDIUM { background-color: #e9c60060; }
      .severity-HIGH { background-color: #ff880060; }
      .severity-CRITICAL { background-color: #e4000060; }
      .severity-UNKNOWN { background-color: #74747460; }
      table tr td:first-of-type {
        font-weight: bold;
      }
      .links a,
      .links[data-more-links=on] a {
        display: block;
      }
      .links[data-more-links=off] a:nth-of-type(1n+5) {
        display: none;
      }
      a.toggle-more-links { cursor: pointer; }
    </style>
    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
    <script>
      window.onload = function() {
        document.querySelectorAll('td.links').forEach(function(linkCell) {
          var links = [].concat.apply([], linkCell.querySelectorAll('a'));
          [].sort.apply(links, function(a, b) {
            return a.href > b.href ? 1 : -1;
          });
          links.forEach(function(link, idx) {
            if (links.length > 3 && 3 === idx) {
              var toggleLink = document.createElement('a');
              toggleLink.innerText = "Toggle more links";
              toggleLink.href = "#toggleMore";
              toggleLink.setAttribute("class", "toggle-more-links");
              linkCell.appendChild(toggleLink);
            }
            linkCell.appendChild(link);
          });
        });
        document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
          toggleLink.onclick = function() {
            var expanded = toggleLink.parentElement.getAttribute("data-more-links");
            toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
            return false;
          };
        });
      };
    </script>
  </head>
  <body>
    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
    <table>
    {{- range . }}
      <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
      {{- if (eq (len .Vulnerabilities) 0) }}
      <tr><th colspan="6">No Vulnerabilities found</th></tr>
      {{- else }}
      <tr class="sub-header">
        <th>Package</th>
        <th>Vulnerability ID</th>
        <th>Severity</th>
        <th>Installed Version</th>
        <th>Fixed Version</th>
        <th>Links</th>
      </tr>
        {{- range .Vulnerabilities }}
      <tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
        <td class="pkg-name">{{ escapeXML .PkgName }}</td>
        <td>{{ escapeXML .VulnerabilityID }}</td>
        <td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
        <td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
        <td>{{ escapeXML .FixedVersion }}</td>
        <td class="links" data-more-links="off">
          {{- range .Vulnerability.References }}
          <a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
          {{- end }}
        </td>
      </tr>
        {{- end }}
      {{- end }}
      {{- if (eq (len .Misconfigurations ) 0) }}
      <tr><th colspan="6">No Misconfigurations found</th></tr>
      {{- else }}
      <tr class="sub-header">
        <th>Type</th>
        <th>Misconf ID</th>
        <th>Check</th>
        <th>Severity</th>
        <th>Message</th>
      </tr>
        {{- range .Misconfigurations }}
      <tr class="severity-{{ escapeXML .Severity }}">
        <td class="misconf-type">{{ escapeXML .Type }}</td>
        <td>{{ escapeXML .ID }}</td>
        <td class="misconf-check">{{ escapeXML .Title }}</td>
        <td class="severity">{{ escapeXML .Severity }}</td>
        <td class="link" data-more-links="off"  style="white-space:normal;"">
          {{ escapeXML .Message }}
          <br>
            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
          </br>
        </td>
      </tr>
        {{- end }}
      {{- end }}
    {{- end }}
    </table>
 {{- else }}
  </head>
  <body>
    <h1>Trivy Returned Empty Report</h1>
 {{- end }}
  </body>
 </html>
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -0,0 +1,413 @@
 #!/bin/sh
 set -e
 # Code generated by godownloader on 2020-01-14T10:03:29Z. DO NOT EDIT.
 #
 usage() {
  this=$1
  cat <<EOF
 $this: download go binaries for aquasecurity/trivy
 Usage: $this [-b] bindir [-d] [tag]
  -b sets bindir or installation directory, Defaults to ./bin
  -d turns on debug logging
   [tag] is a tag from
   https://github.com/aquasecurity/trivy/releases
   If tag is missing, then the latest will be used.
 Generated by godownloader
  https://github.com/goreleaser/godownloader
 EOF
  exit 2
 }
 parse_args() {
  #BINDIR is ./bin unless set be ENV
  # over-ridden by flag below
  BINDIR=${BINDIR:-./bin}
  while getopts "b:dh?x" arg; do
    case "$arg" in
      b) BINDIR="$OPTARG" ;;
      d) log_set_priority 10 ;;
      h | \?) usage "$0" ;;
      x) set -x ;;
    esac
  done
  shift $((OPTIND - 1))
  TAG=$1
 }
 # this function wraps all the destructive operations
 # if a curl|bash cuts off the end of the script due to
 # network, either nothing will happen or will syntax error
 # out preventing half-done work
 execute() {
  tmpdir=$(mktemp -d)
  log_debug "downloading files into ${tmpdir}"
  http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
  http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
  hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
  srcdir="${tmpdir}"
  (cd "${tmpdir}" && untar "${TARBALL}")
  test ! -d "${BINDIR}" && install -d "${BINDIR}"
  for binexe in $BINARIES; do
    if [ "$OS" = "windows" ]; then
      binexe="${binexe}.exe"
    fi
    install "${srcdir}/${binexe}" "${BINDIR}/"
    log_info "installed ${BINDIR}/${binexe}"
  done
  rm -rf "${tmpdir}"
 }
 get_binaries() {
  case "$PLATFORM" in
    darwin/386) BINARIES="trivy" ;;
    darwin/amd64) BINARIES="trivy" ;;
    darwin/arm64) BINARIES="trivy" ;;
    darwin/armv7) BINARIES="trivy" ;;
    freebsd/386) BINARIES="trivy" ;;
    freebsd/amd64) BINARIES="trivy" ;;
    freebsd/arm64) BINARIES="trivy" ;;
    freebsd/armv7) BINARIES="trivy" ;;
    linux/386) BINARIES="trivy" ;;
    linux/amd64) BINARIES="trivy" ;;
    linux/ppc64le) BINARIES="trivy" ;;
    linux/arm64) BINARIES="trivy" ;;
    linux/armv7) BINARIES="trivy" ;;
    openbsd/386) BINARIES="trivy" ;;
    openbsd/amd64) BINARIES="trivy" ;;
    openbsd/arm64) BINARIES="trivy" ;;
    openbsd/armv7) BINARIES="trivy" ;;
    *)
      log_crit "platform $PLATFORM is not supported.  Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
      exit 1
      ;;
  esac
 }
 tag_to_version() {
  if [ -z "${TAG}" ]; then
    log_info "checking GitHub for latest tag"
  else
    log_info "checking GitHub for tag '${TAG}'"
  fi
  REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
  if test -z "$REALTAG"; then
    log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
    exit 1
  fi
  # if version starts with 'v', remove it
  TAG="$REALTAG"
  VERSION=${TAG#v}
 }
 adjust_format() {
  # change format (tar.gz or zip) based on OS
  true
 }
 adjust_os() {
  # adjust archive name based on OS
  case ${OS} in
    386) OS=32bit ;;
    amd64) OS=64bit ;;
    arm) OS=ARM ;;
    arm64) OS=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) OS=macOS ;;
    dragonfly) OS=DragonFlyBSD ;;
    freebsd) OS=FreeBSD ;;
    linux) OS=Linux ;;
    netbsd) OS=NetBSD ;;
    openbsd) OS=OpenBSD ;;
  esac
  true
 }
 adjust_arch() {
  # adjust archive name based on ARCH
  case ${ARCH} in
    386) ARCH=32bit ;;
    amd64) ARCH=64bit ;;
    arm) ARCH=ARM ;;
    arm64) ARCH=ARM64 ;;
    ppc64le) OS=PPC64LE ;;
    darwin) ARCH=macOS ;;
    dragonfly) ARCH=DragonFlyBSD ;;
    freebsd) ARCH=FreeBSD ;;
    linux) ARCH=Linux ;;
    netbsd) ARCH=NetBSD ;;
    openbsd) ARCH=OpenBSD ;;
  esac
  true
 }
 cat /dev/null <<EOF
 ------------------------------------------------------------------------
 https://github.com/client9/shlib - portable posix shell functions
 Public domain - http://unlicense.org
 https://github.com/client9/shlib/blob/master/LICENSE.md
 but credit (and pull requests) appreciated.
 ------------------------------------------------------------------------
 EOF
 is_command() {
  command -v "$1" >/dev/null
 }
 echoerr() {
  echo "$@" 1>&2
 }
 log_prefix() {
  echo "$0"
 }
 _logp=6
 log_set_priority() {
  _logp="$1"
 }
 log_priority() {
  if test -z "$1"; then
    echo "$_logp"
    return
  fi
  [ "$1" -le "$_logp" ]
 }
 log_tag() {
  case $1 in
    0) echo "emerg" ;;
    1) echo "alert" ;;
    2) echo "crit" ;;
    3) echo "err" ;;
    4) echo "warning" ;;
    5) echo "notice" ;;
    6) echo "info" ;;
    7) echo "debug" ;;
    *) echo "$1" ;;
  esac
 }
 log_debug() {
  log_priority 7 || return 0
  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
  log_priority 6 || return 0
  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
  log_priority 3 || return 0
  echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
 }
 log_crit() {
  log_priority 2 || return 0
  echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
 }
 uname_os() {
  os=$(uname -s | tr '[:upper:]' '[:lower:]')
  case "$os" in
    cygwin_nt*) os="windows" ;;
    mingw*) os="windows" ;;
    msys_nt*) os="windows" ;;
  esac
  echo "$os"
 }
 uname_arch() {
  arch=$(uname -m)
  case $arch in
    x86_64) arch="amd64" ;;
    x86) arch="386" ;;
    i686) arch="386" ;;
    i386) arch="386" ;;
    ppc64le) arch="ppc64le" ;;
    aarch64) arch="arm64" ;;
    armv5*) arch="armv5" ;;
    armv6*) arch="armv6" ;;
    armv7*) arch="armv7" ;;
  esac
  echo ${arch}
 }
 uname_os_check() {
  os=$(uname_os)
  case "$os" in
    darwin) return 0 ;;
    dragonfly) return 0 ;;
    freebsd) return 0 ;;
    linux) return 0 ;;
    android) return 0 ;;
    nacl) return 0 ;;
    netbsd) return 0 ;;
    openbsd) return 0 ;;
    plan9) return 0 ;;
    solaris) return 0 ;;
    windows) return 0 ;;
  esac
  log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
  return 1
 }
 uname_arch_check() {
  arch=$(uname_arch)
  case "$arch" in
    386) return 0 ;;
    amd64) return 0 ;;
    arm64) return 0 ;;
    armv5) return 0 ;;
    armv6) return 0 ;;
    armv7) return 0 ;;
    ppc64) return 0 ;;
    ppc64le) return 0 ;;
    mips) return 0 ;;
    mipsle) return 0 ;;
    mips64) return 0 ;;
    mips64le) return 0 ;;
    s390x) return 0 ;;
    amd64p32) return 0 ;;
  esac
  log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value.  Please file bug report at https://github.com/client9/shlib"
  return 1
 }
 untar() {
  tarball=$1
  case "${tarball}" in
    *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
    *.tar) tar --no-same-owner -xf "${tarball}" ;;
    *.zip) unzip "${tarball}" ;;
    *)
      log_err "untar unknown archive format for ${tarball}"
      return 1
      ;;
  esac
 }
 http_download_curl() {
  local_file=$1
  source_url=$2
  header=$3
  if [ -z "$header" ]; then
    code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
  else
    code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
  fi
  if [ "$code" != "200" ]; then
    log_debug "http_download_curl received HTTP status $code"
    return 1
  fi
  return 0
 }
 http_download_wget() {
  local_file=$1
  source_url=$2
  header=$3
  if [ -z "$header" ]; then
    wget -q -O "$local_file" "$source_url"
  else
    wget -q --header "$header" -O "$local_file" "$source_url"
  fi
 }
 http_download() {
  log_debug "http_download $2"
  if is_command curl; then
    http_download_curl "$@"
    return
  elif is_command wget; then
    http_download_wget "$@"
    return
  fi
  log_crit "http_download unable to find wget or curl"
  return 1
 }
 http_copy() {
  tmp=$(mktemp)
  http_download "${tmp}" "$1" "$2" || return 1
  body=$(cat "$tmp")
  rm -f "${tmp}"
  echo "$body"
 }
 github_release() {
  owner_repo=$1
  version=$2
  test -z "$version" && version="latest"
  giturl="https://github.com/${owner_repo}/releases/${version}"
  json=$(http_copy "$giturl" "Accept:application/json")
  test -z "$json" && return 1
  version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
  test -z "$version" && return 1
  echo "$version"
 }
 hash_sha256() {
  TARGET=${1:-/dev/stdin}
  if is_command gsha256sum; then
    hash=$(gsha256sum "$TARGET") || return 1
    echo "$hash" | cut -d ' ' -f 1
  elif is_command sha256sum; then
    hash=$(sha256sum "$TARGET") || return 1
    echo "$hash" | cut -d ' ' -f 1
  elif is_command shasum; then
    hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
    echo "$hash" | cut -d ' ' -f 1
  elif is_command openssl; then
    hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
    echo "$hash" | cut -d ' ' -f a
  else
    log_crit "hash_sha256 unable to find command to compute sha-256 hash"
    return 1
  fi
 }
 hash_sha256_verify() {
  TARGET=$1
  checksums=$2
  if [ -z "$checksums" ]; then
    log_err "hash_sha256_verify checksum file not specified in arg2"
    return 1
  fi
  BASENAME=${TARGET##*/}
  want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
  if [ -z "$want" ]; then
    log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
    return 1
  fi
  got=$(hash_sha256 "$TARGET")
  if [ "$want" != "$got" ]; then
    log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
    return 1
  fi
 }
 cat /dev/null <<EOF
 ------------------------------------------------------------------------
 End of functions from https://github.com/client9/shlib
 ------------------------------------------------------------------------
 EOF
 PROJECT_NAME="trivy"
 OWNER=aquasecurity
 REPO="trivy"
 BINARY=trivy
 FORMAT=tar.gz
 OS=$(uname_os)
 ARCH=$(uname_arch)
 PREFIX="$OWNER/$REPO"
 # use in logging routines
 log_prefix() {
 	echo "$PREFIX"
 }
 PLATFORM="${OS}/${ARCH}"
 GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
 uname_os_check "$OS"
 uname_arch_check "$ARCH"
 parse_args "$@"
 get_binaries
 tag_to_version
 adjust_format
 adjust_os
 adjust_arch
 log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
 NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH}
 TARBALL=${NAME}.${FORMAT}
 TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
 CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
 CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
 execute
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -0,0 +1,31 @@
 <?xml version="1.0" ?>
 <testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
    {{- if not (eq .Type "") }}
        <properties>
            <property name="type" value="{{ .Type }}"></property>
        </properties>
        {{- end -}}
        {{ range .Vulnerabilities }}
        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
        </testcase>
    {{- end }}
    </testsuite>
 {{- $failures := len .Misconfigurations }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
    {{- if not (eq .Type "") }}
        <properties>
            <property name="type" value="{{ .Type }}"></property>
        </properties>
        {{- end -}}
        {{ range .Misconfigurations }}
        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
        </testcase>
    {{- end }}
    </testsuite>
 {{- end }}
 </testsuites>
--- a/docs/build/Dockerfile
+++ b/docs/build/Dockerfile
@@ -0,0 +1,10 @@
 FROM squidfunk/mkdocs-material:8.3.9
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.
 # docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
 # FROM ghcr.io/squidfunk/mkdocs-material-insiders
 COPY requirements.txt .
 RUN pip install -r requirements.txt
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -0,0 +1,30 @@
 click==8.1.2
 csscompressor==0.9.5
 ghp-import==2.0.2
 htmlmin==0.1.12
 importlib-metadata==4.11.3
 Jinja2==3.1.1
 jsmin==3.0.1
 Markdown==3.3.6
 MarkupSafe==2.1.1
 mergedeep==1.3.4
 mike==1.1.2
 mkdocs==1.3.0
 mkdocs-macros-plugin==0.7.0
 mkdocs-material==8.3.9
 mkdocs-material-extensions==1.0.3
 mkdocs-minify-plugin==0.5.0
 mkdocs-redirects==1.0.4
 packaging==21.3
 Pygments==2.12.0
 pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
 PyYAML==6.0
 pyyaml-env-tag==0.1
 six==1.16.0
 termcolor==1.1.0
 verspec==0.1.0
 watchdog==2.1.7
 zipp==3.8.0
--- a/docs/community/contribute/issue.md
+++ b/docs/community/contribute/issue.md
@@ -0,0 +1,31 @@
 Thank you for taking interest in contributing to Trivy!
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
 - Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
 ## Wrong detection
 Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
 Sometime these databases contain mistakes.
 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
 1. Run Trivy with `-f json` that shows data sources.
 2. According to the shown data source, make sure that the security advisory in the data source is correct.
 If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
 ### GitHub Advisory Database
 Visit [here](https://github.com/advisories) and search CVE-ID.
 If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
 ### GitLab Advisory Database
 Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
 If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
 ### Red Hat CVE Database
 Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -0,0 +1,164 @@
 Thank you for taking interest in contributing to Trivy!
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
 1. Please add the associated Issue link in the PR description.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
 1. Please include a comment with the results before and after your change.
 1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
 1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
 ### Title
 It is not that strict, but we use the title conventions in this repository.
 Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
 #### Format of the title
 ```
 <type>(<scope>): <subject>
 ```
 The `type` and `scope` should always be lowercase as shown below.
 **Allowed `<type>` values:**
 - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
 - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
 - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
 - **docs** for changes to the documentation.
 - **style** for formatting changes, missing semicolons, etc.
 - **refactor** for refactoring production code, e.g. renaming a variable.
 - **test** for adding missing tests, refactoring tests; no production code change.
 - **build** for updating build configuration, development tools or other changes irrelevant to the user.
 - **chore** for updates that do not apply to the above, such as dependency updates.
 - **ci** for changes to CI configuration files and scripts
 - **revert** for revert to a previous commit
 **Allowed `<scope>` values:**
 checks:
 - vuln
 - misconf
 - secret
 - license
 mode:
 - image
 - fs
 - repo
 - sbom
 - server
 os:
 - alpine
 - redhat
 - alma
 - rocky
 - mariner
 - oracle
 - debian
 - ubuntu
 - amazon
 - suse
 - photon
 - distroless
 language:
 - ruby
 - php
 - python
 - nodejs
 - rust
 - dotnet
 - java
 - go
 vuln:
 - os
 - lang
 config:
 - kubernetes
 - dockerfile
 - terraform
 - cloudformation
 container
 - docker
 - podman
 - containerd
 - oci
 cli:
 - cli
 - flag
 others:
 - helm
 - report
 - db
 - deps
 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
 #### Example titles
 ```
 feat(alma): add support for AlmaLinux
 ```
 ```
 fix(oracle): handle advisories with ksplice versions
 ```
 ```
 docs(misconf): add comparison with Conftest and TFsec
 ```
 ```
 chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
 ```
 **NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
 The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
 ### Unit tests
 Your PR must pass all the unit tests. You can test it as below.
 ```
 $ make test
 ```
 ### Integration tests
 Your PR must pass all the integration tests. You can test it as below.
 ```
 $ make test-integration
 ```
 ### Documentation
 You can build the documents as below and view it at http://localhost:8000.
 ```
 $ make mkdocs-serve
 ```
 ## Understand where your pull request belongs
 Trivy is composed of several repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
 - [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
 - [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
--- a/docs/community/maintainer/help-wanted.md
+++ b/docs/community/maintainer/help-wanted.md
@@ -0,0 +1,78 @@
 # Overview
 We use two labels [help wanted](#help-wanted) and [good first
 issue](#good-first-issue) to identify issues that have been specially groomed
 for new contributors. The `good first issue` label is a subset of `help wanted`
 label, indicating that members have committed to providing extra assistance for
 new contributors. All `good first issue` items also have the `help wanted`
 label.
 ## Help Wanted
 Items marked with the `help wanted` label need to ensure that they are:
 - **Low Barrier to Entry**
  It should be tractable for new contributors. Documentation on how that type of
  change should be made should already exist.
 - **Clear Task**
  The task is agreed upon and does not require further discussions in the
  community. Call out if that area of code is untested and requires new
  fixtures.
  API / CLI behavior is decided and included in the OP issue, for example: "The
  new command syntax is `trivy --format yaml IMAGE_NAME`"_ with
  expected validations called out.
 - **Goldilocks priority**
  Not too high that a core contributor should do it, but not too low that it
  isn't useful enough for a core contributor to spend time to review it, answer
  questions, help get it into a release, etc.
 - **Up-To-Date**
  Often these issues become obsolete and have already been done, are no longer
  desired, no longer make sense, have changed priority or difficulty , etc.
 ## Good First Issue
 Items marked with the `good first issue` label are intended for _first-time
 contributors_. It indicates that members will keep an eye out for these pull
 requests and shepherd it through our processes.
 These items need to ensure that they follow the guidelines for `help wanted`
 labels (above) in addition to meeting the following criteria:
 - **No Barrier to Entry**
  The task is something that a new contributor can tackle without advanced
  setup, or domain knowledge.
 - **Solution Explained**
  The recommended solution is clearly described in the issue.
 - **Provides Context**
  If background knowledge is required, this should be explicitly mentioned and a
  list of suggested readings included.
 - **Gives Examples**
  Link to examples of similar implementations so new contributors have a
  reference guide for their changes.
 - **Identifies Relevant Code**
  The relevant code and tests to be changed should be linked in the issue.
 - **Ready to Test**
  There should be existing tests that can be modified, or existing test cases
  fit to be copied. If the area of code doesn't have tests, before labeling the
  issue, add a test fixture. This prep often makes a great `help wanted` task!
--- a/docs/community/maintainer/triage.md
+++ b/docs/community/maintainer/triage.md
@@ -0,0 +1,198 @@
 # Triage
 Triage is an important part of maintaining the health of the trivy repo.
 A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
 Triage includes:
 - Labeling issues
 - Responding to issues
 - Closing issues
 # Daily Triage
 Daily triage has two goals:
 1. Responsiveness for new issues
 1. Responsiveness when explicitly requested information was provided
 It covers:
 1. Issues without a `kind/` or `triage/` label
 1. Issues without a `priority/` label
 1. `triage/needs-information` issues which the user has followed up on, and now require a response.
 ## Categorization
 The most important level of categorizing the issue is defining what type it is.
 We typically want at least one of the following labels on every issue, and some issues may fall into multiple categories:
 - `triage/support`   - The default for most incoming issues
 - `kind/bug` - When it’s a bug or we aren’t delivering the best user experience
 Other possibilities: 
 - `kind/feature`- Identify new feature requests
 - `kind/testing` - Update or fix unit/integration tests
 - `kind/cleanup` - Cleaning up/refactoring the codebase
 - `kind/documentation` - Updates or additions to trivy documentation
 If the issue is specific to a driver for OS packages or libraries:
 **co/[driver for OS packages]**
  - `co/alpine`
  - `co/amazon`
  - `co/debian`
  - `co/oracle`
  - `co/photon`
  - `co/redhat`
  - `co/suse`
  - `co/ubuntu`
 **co/[driver for libraries of programming languages]** 
  - `co/bundler`
  - `co/cargo`
  - `co/composer`
  - `co/npm`
  - `co/yarn`
  - `co/pipenv`
  - `co/poetry`
 **Help wanted?**
 `Good First Issue` - bug has a proposed solution, can be implemented w/o further discussion.
 `Help wanted` - if the bug could use help from a contributor
 ## Prioritization
 If the issue is not `triage/support`, it needs a priority label.
 `priority/critical-urgent` - someones top priority ASAP, such as security issue, user-visible bug, or build breakage. Rarely used.
 `priority/important-soon`: in time for the next two releases. It should be attached to a milestone.
 `priority/important-longterm`: 2-4 releases from now
 `priority/backlog`: agreed that this would be good to have, but no one is available at the moment. Consider tagging as `help wanted`
 `priority/awaiting-more-evidence`: may be useful, but there is not yet enough support.
 # Weekly Triage
 Weekly triage has three goals:
 1. Catching up on unresponded issues
 1. Reviewing and closing PR’s
 1. Closing stale issues
 ## Post-Release Triage
 Post-release triage occurs after a major release (around every 4-6 weeks).
 It focuses on:
 1. Closing bugs that have been resolved by the release
 1. Reprioritizing bugs that have not been resolved by the release
 1. Letting users know if we believe that there is still an issue
 This includes reviewing:
 1. Every issue that hasn’t been touched in the last 2 days
 1. Re-evaluation of long-term issues
 1. Re-evaluation of short-term issues
 ## Responding to Issues
 ### Needs More Information
 A sample response to ask for more info:
 > I don’t yet have a clear way to replicate this issue. Do you mind adding some additional details. Here is additional information that would be helpful:
 >
 > \*  The exact `trivy` command line used
 >
 > \*  The exact image you want to scan
 >
 > \*  The full output of the `trivy` command, preferably with `--debug` for extra logging.
 >
 >
 > Thank you for sharing your experience!
 Then: Label with `triage/needs-information`.
 ### Issue might be resolved
 If you think a release may have resolved an issue, ask the author to see if their issue has been resolved:
 > Could you please check to see if trivy <x> addresses this issue? We've made some changes with how this is handled, and improved the trivy logs output to help us debug tricky cases like this.
 Then: Label with `triage/needs-information`.
 ## Closing with Care
 Issues typically need to be closed for the following reasons:
 - The issue has been addressed
 - The issue is a duplicate of an existing issue
 - There has been a lack of information over a long period of time
 In any of these situations, we aim to be kind when closing the issue, and offer the author action items should they need to reopen their issue or still require a solution.
 Samples responses for these situations include:
 ### Issue has been addressed
 >@author: I believe this issue is now addressed by trivy v1.0.0, as it <reason>. If you still see this issue with trivy v1.0 or higher, please reopen this issue.
 >
 >Thank you for reporting this issue!
 Then: Close the issue
 ### Duplicate Issue
 >This issue appears to be a duplicate of #X, do you mind if we move the conversation there?
 >
 >This way we can centralize the content relating to the issue. If you feel that this issue is not in fact a duplicate, please re-open it. If you have additional information to share, please add it to the new issue.
 >
 >Thank you for reporting this!
 Then: Label with `triage/duplicate` and close the issue.
 ### Lack of Information
 If an issue hasn't been active for more than four weeks, and the author has been pinged at least once, then the issue can be closed.
 >Hey @author -- hopefully it's OK if I close this - there wasn't enough information to make it actionable, and some time has already passed. If you are able to provide additional details, you may reopen it at any point.
 > 
 >Here is additional information that may be helpful to us:
 >
 >\* Whether the issue occurs with the latest trivy release
 >
 >\* The exact `trivy` command line used
 >
 >\* The exact image you want to scan
 >
 >\* The full output of the `trivy` command, preferably with `--debug` for extra logging.
 >
 >
 >Thank you for sharing your experience!
 Then: Close the issue.
 ## Help Wanted issues
 We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22)
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 
 add the `help wanted` label.
 If an issue has these labels but does not satisfy the guidelines, please
 ask for more details to be added to the issue or remove the labels.
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -0,0 +1,86 @@
 # Air-Gapped Environment
 Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
 ## Air-Gapped Environment for vulnerabilities
 ### Download the vulnerability database
 === "Trivy"
    ```
    TRIVY_TEMP_DIR=$(mktemp -d)
    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
    rm -rf $TRIVY_TEMP_DIR
    ```
 === "oras >= v0.13.0"
    At first, you need to download the vulnerability database for use in air-gapped environments.
    Please follow [oras installation instruction][oras].
    Download `db.tar.gz`:
    ```
    $ oras pull ghcr.io/aquasecurity/trivy-db:2
    ```
 === "oras < v0.13.0"
    At first, you need to download the vulnerability database for use in air-gapped environments.
    Please follow [oras installation instruction][oras].
    Download `db.tar.gz`:
    ```
    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
    ```
 ### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 ```
 $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
 ```
 ### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.
 ```
 $ ssh user@host
 $ trivy -h | grep cache
   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
 ```
 Put the DB file in the cache directory + `/db`.
 ```
 $ mkdir -p /home/myuser/.cache/trivy/db
 $ cd /home/myuser/.cache/trivy/db
 $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
 x trivy.db
 x metadata.json
 $ rm /path/to/db.tar.gz
 ```
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 ### Run Trivy with `--skip-update` and `--offline-scan` option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 ```
 $ trivy image --skip-update --offline-scan alpine:3.12
 ```
 ## Air-Gapped Environment for misconfigurations
 No special measures are required to detect misconfigurations in an air-gapped environment.
 ### Run Trivy with `--skip-policy-update` option
 In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
 ```
 $ trivy conf --skip-policy-update /path/to/conf
 ```
 [allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/
--- a/docs/docs/advanced/container/containerd.md
+++ b/docs/docs/advanced/container/containerd.md
@@ -0,0 +1,29 @@
 # containerd
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 Scan your image in [containerd][containerd] running locally.
 ```bash
 $ nerdctl images
 REPOSITORY        TAG       IMAGE ID        CREATED         PLATFORM       SIZE         BLOB SIZE
 aquasec/nginx    latest    2bcabc23b454    3 hours ago     linux/amd64    149.1 MiB    54.1 MiB
 $ trivy image aquasec/nginx
 ```
 If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`.
 ```bash
 $ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
 $ trivy image aquasec/nginx
 ```
 If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`.
 ```bash
 $ export CONTAINERD_NAMESPACE=k8s.io
 $ trivy image aquasec/nginx
 ```
 [containerd]: https://containerd.io/
--- a/docs/docs/advanced/container/embed-in-dockerfile.md
+++ b/docs/docs/advanced/container/embed-in-dockerfile.md
@@ -0,0 +1,28 @@
 # Embed in Dockerfile
 Scan your image as part of the build process by embedding Trivy in the
 Dockerfile. This approach can be used to update Dockerfiles currently using
 Aqua’s [Microscanner][microscanner].
 ```bash
 $ cat Dockerfile
 FROM alpine:3.7
 RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy rootfs --exit-code 1 --no-progress /
 $ docker build -t vulnerable-image .
 ```
 Alternatively you can use Trivy in a multistage build. Thus avoiding the
 insecure `curl | sh`. Also the image is not changed.
 ```bash
 [...]
 # Run vulnerability scan on build image
 FROM build AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
 RUN trivy rootfs --exit-code 1 --no-progress /
 [...]
 ```
 [microscanner]: https://github.com/aquasecurity/microscanner
--- a/docs/docs/advanced/container/oci.md
+++ b/docs/docs/advanced/container/oci.md
@@ -0,0 +1,17 @@
 # OCI Image Layout
 An image directory compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md).
 Buildah:
 ```
 $ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
 $ trivy image --input /path/to/alpine
 ```
 Skopeo:
 ```
 $ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
 $ trivy image --input /path/to/alpine
 ```
--- a/docs/docs/advanced/container/podman.md
+++ b/docs/docs/advanced/container/podman.md
@@ -0,0 +1,28 @@
 # Podman
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
 Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
 For more details, see [here][sock].
 ```bash
 $ systemctl --user enable --now podman.socket
 ```
 Then, you can scan your image in Podman.
 ```bash
 $ cat Dockerfile
 FROM alpine:3.12
 RUN apk add --no-cache bash
 $ podman build -t test .
 $ podman images
 REPOSITORY                TAG     IMAGE ID      CREATED      SIZE
 localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
 $ trivy image test
 ```
 [sock]: https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine
--- a/docs/docs/advanced/container/unpacked-filesystem.md
+++ b/docs/docs/advanced/container/unpacked-filesystem.md
@@ -0,0 +1,116 @@
 # Unpacked Filesystem
 Scan an unpacked container image filesystem.
 In this case, Trivy works the same way when scanning containers
 ```bash
 $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
 $ trivy rootfs /tmp/rootfs
 ```
 <details>
 <summary>Result</summary>
 ```bash
 2021-03-08T05:22:26.378Z        INFO    Need to update DB
 2021-03-08T05:22:26.380Z        INFO    Downloading DB...
 20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
 2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
 /tmp/rootfs (alpine 3.10.2)
 ===========================
 Total: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)
 +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
 |   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
 +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
 | libcrypto1.1 | CVE-2020-1967    | HIGH     | 1.1.1c-r0         | 1.1.1g-r0     | openssl: Segmentation                 |
 |              |                  |          |                   |               | fault in SSL_check_chain              |
 |              |                  |          |                   |               | causes denial of service              |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
 +              +------------------+          +                   +---------------+---------------------------------------+
 |              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
 |              |                  |          |                   |               | rollback protection                   |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
 +              +------------------+          +                   +               +---------------------------------------+
 |              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
 |              |                  |          |                   |               | overflow in CipherUpdate              |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
 +              +------------------+          +                   +               +---------------------------------------+
 |              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
 |              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
 +              +------------------+----------+                   +---------------+---------------------------------------+
 |              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
 |              |                  |          |                   |               | encryption vulnerability              |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
 +              +------------------+          +                   +               +---------------------------------------+
 |              | CVE-2019-1549    |          |                   |               | openssl: information                  |
 |              |                  |          |                   |               | disclosure in fork()                  |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
 +              +------------------+          +                   +---------------+---------------------------------------+
 |              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
 |              |                  |          |                   |               | modular exponentiation on x86_64      |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
 +              +------------------+          +                   +---------------+---------------------------------------+
 |              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
 |              |                  |          |                   |               | NULL pointer de-reference             |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
 +              +------------------+----------+                   +---------------+---------------------------------------+
 |              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
 |              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
 |              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
 +--------------+------------------+----------+                   +---------------+---------------------------------------+
 | libssl1.1    | CVE-2020-1967    | HIGH     |                   | 1.1.1g-r0     | openssl: Segmentation                 |
 |              |                  |          |                   |               | fault in SSL_check_chain              |
 |              |                  |          |                   |               | causes denial of service              |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
 +              +------------------+          +                   +---------------+---------------------------------------+
 |              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
 |              |                  |          |                   |               | rollback protection                   |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
 +              +------------------+          +                   +               +---------------------------------------+
 |              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
 |              |                  |          |                   |               | overflow in CipherUpdate              |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
 +              +------------------+          +                   +               +---------------------------------------+
 |              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
 |              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
 +              +------------------+----------+                   +---------------+---------------------------------------+
 |              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
 |              |                  |          |                   |               | encryption vulnerability              |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
 +              +------------------+          +                   +               +---------------------------------------+
 |              | CVE-2019-1549    |          |                   |               | openssl: information                  |
 |              |                  |          |                   |               | disclosure in fork()                  |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
 +              +------------------+          +                   +---------------+---------------------------------------+
 |              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
 |              |                  |          |                   |               | modular exponentiation on x86_64      |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
 +              +------------------+          +                   +---------------+---------------------------------------+
 |              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
 |              |                  |          |                   |               | NULL pointer de-reference             |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
 +              +------------------+----------+                   +---------------+---------------------------------------+
 |              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
 |              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
 |              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
 +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
 | musl         | CVE-2020-28928   | MEDIUM   | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
 |              |                  |          |                   |               | wcsnrtombs mishandles particular      |
 |              |                  |          |                   |               | combinations of destination buffer... |
 |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
 +--------------+                  +          +                   +               +                                       +
 | musl-utils   |                  |          |                   |               |                                       |
 |              |                  |          |                   |               |                                       |
 |              |                  |          |                   |               |                                       |
 |              |                  |          |                   |               |                                       |
 +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
 ```
 </details>
--- a/docs/docs/advanced/modules.md
+++ b/docs/docs/advanced/modules.md
@@ -0,0 +1,358 @@
 # Modules
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 Trivy provides a module feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
 It changes the behavior during scanning by WebAssembly.
 ## Overview
 Trivy modules are add-on tools that integrate seamlessly with Trivy.
 They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language supporting WebAssembly.
  - It supports only [TinyGo][tinygo] at the moment.
 You can write your own detection logic.
 - Evaluate complex vulnerability conditions like [Spring4Shell][spring4shell]
 - Detect a shell script communicating with malicious domains
 - Detect malicious python install script (setup.py)
 - Even detect misconfigurations in WordPress setting
 - etc.
 Then, you can update the scan result however you want.
 - Change a severity
 - Remove a vulnerability
 - Add a new vulnerability
 - etc.
 Modules should be distributed in OCI registries like GitHub Container Registry.
 !!! warning
    WebAssembly doesn't allow file access and network access by default.
    Modules can read required files only, but cannot overwrite them.
    WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security.
    You should install and run third-party modules at your own risk even though 
 Under the hood Trivy leverages [wazero][wazero] to run WebAssembly modules without CGO.
 ## Installing a Module
 A module can be installed using the `trivy module install` command.
 This command takes an url. It will download the module and install it in the module cache.
 Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
 Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
 The preference order is as follows:
 - XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
 - $HOME/.trivy/plugins
 For example, to download the WebAssembly module, you can execute the following command:
 ```bash
 $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 ## Using Modules
 Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution.
 The modules may inject custom logic into scanning and change the result.
 You can run Trivy as usual and modules are loaded automatically.
 You will see the log messages about WASM modules.
 ```shell
 $ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
 2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
 2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
 ...
 2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
 2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW
 Java (jar)
 Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
 ┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
 │                           Library                            │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                           Title                            │
 ├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
 │ org.springframework.boot:spring-boot (helloworld.war)        │ CVE-2022-22965      │ LOW      │ 2.6.3             │ 2.5.12, 2.6.6          │ spring-framework: RCE via Data Binding on JDK 9+           │
 │                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22965                 │
 ├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
 ...(snip)...
 ```
 In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of conditions.
 ## Uninstalling Modules
 Specify a module repository with `trivy module uninstall` command.
 ```bash
 $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 ## Building Modules
 It supports TinyGo only at the moment.
 ### TinyGo
 Trivy provides Go SDK including three interfaces.
 Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
 ```go
 type Module interface {
    Version() int
    Name() string
 }
 type Analyzer interface {
    RequiredFiles() []string
    Analyze(filePath string) (*serialize.AnalysisResult, error)
 }
 type PostScanner interface {
    PostScanSpec() serialize.PostScanSpec
    PostScan(serialize.Results) (serialize.Results, error)
 }
 ```
 In the following tutorial, it creates a WordPress module that detects a WordPress version and a critical vulnerability accordingly.
 !!! tips
    You can use logging functions such as `Debug` and `Info` for debugging.
    See [examples](#examples) for the detail.
 #### Initialize your module
 Replace the repository name with yours.
 ```
 $ go mod init github.com/aquasecurity/trivy-module-wordpress
 ```
 #### Module interface
 `Version()` returns your module version and should be incremented after updates.
 `Name()` returns your module name.
 ```go
 package main
 const (
    version = 1
    name = "wordpress-module"
 )
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
 func (WordpressModule) Version() int {
    return version
 }
 func (WordpressModule) Name() string {
    return name
 }
 ```
 !!! info
    A struct cannot have any fields. Each method invocation is performed in different states.
 #### Analyzer interface
 If you implement the `Analyzer` interface, `Analyze` method is called when the file path is matched to file patterns returned by `RequiredFiles()`.
 A file pattern must be a regular expression. The syntax detail is [here][regexp].
 `Analyze` takes the matched file path, then the file can be opened by `os.Open()`.
 ```go
 const typeWPVersion = "wordpress-version"
 func (WordpressModule) RequiredFiles() []string {
    return []string{
        `wp-includes\/version.php`,
    }
 }
 func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
    f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
    if err != nil {
        return nil, err
    }
    defer f.Close()
    var wpVersion string
    scanner := bufio.NewScanner(f)
    for scanner.Scan() {
        line := scanner.Text()
        if !strings.HasPrefix(line, "$wp_version=") {
            continue
        }
        ss := strings.Split(line, "=")
        if len(ss) != 2 {
            return nil, fmt.Errorf("invalid wordpress version: %s", line)
        }
        // NOTE: it is an example; you actually need to handle comments, etc
        ss[1] = strings.TrimSpace(ss[1])
        wpVersion = strings.Trim(ss[1], `";`)
    }
    if err = scanner.Err(); err != nil {
        return nil, err
    }
    return &serialize.AnalysisResult{
        CustomResources: []serialize.CustomResource{
            {
                Type:     typeWPVersion,
                FilePath: filePath,
                Data:     wpVersion,
            },
        },
    }, nil
 }
 ```
 !!! tips
    Trivy caches analysis results according to the module version.
    We'd recommend cleaning the cache or changing the module version every time you update `Analyzer`.
 #### PostScanner interface
 `PostScan` is called after scanning and takes the scan result as an argument from Trivy.
 In post scanning, your module can perform one of three actions:
 - Insert
    - Add a new security finding
    - e.g. Add a new vulnerability and misconfiguration
 - Update
    - Update the detected vulnerability and misconfiguration
    - e.g. Change a severity
 - Delete
    - Delete the detected vulnerability and misconfiguration
    - e.g. Remove Spring4Shell because it is not actually affected.
 `PostScanSpec()` returns which action the module does.
 If it is `Update` or `Delete`, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
 `serialize.Results` contains the filtered results matching IDs you specified.
 Also, it includes `CustomResources` with the values your `Analyze` returns, so you can modify the scan result according to the custom resources.
 ```go
 func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
    return serialize.PostScanSpec{
        Action: api.ActionInsert, // Add new vulnerabilities
    }
 }
 func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
    // e.g. results
    // [
    //   {
    //     "Target": "",
    //     "Class": "custom",
    //     "CustomResources": [
    //       {
    //         "Type": "wordpress-version",
    //         "FilePath": "/usr/src/wordpress/wp-includes/version.php",
    //         "Layer": {
    //           "DiffID": "sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887"
    //         },
    //         "Data": "5.7.1"
    //       }
    //     ]
    //   }
    // ]   
    var wpVersion int
    for _, result := range results {
        if result.Class != types.ClassCustom {
            continue
        }
        for _, c := range result.CustomResources {
            if c.Type != typeWPVersion {
                continue
            }
            wpVersion = c.Data.(string)
            wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
            ...snip...
            if affectedVersion.Check(ver) {
                vulnerable = true
            }
            break
        }
    }
    if vulnerable {
        // Add CVE-2020-36326
        results = append(results, serialize.Result{
            Target: wpPath,
            Class:  types.ClassLangPkg,
 			Type:   "wordpress",
            Vulnerabilities: []types.DetectedVulnerability {
                {
                    VulnerabilityID:  "CVE-2020-36326",
                    PkgName:          "wordpress",
                    InstalledVersion: wpVersion,
                    FixedVersion:     "5.7.2",
                    Vulnerability: dbTypes.Vulnerability{
                        Title:    "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
                        Severity: "CRITICAL",
                    },
                },
            },
        })
    }
    return results, nil
 }
 ```
 The new vulnerability will be added to the scan results.
 This example shows how the module inserts a new finding.
 If you are interested in `Update`, you can see an example of [Spring4Shell][trivy-module-spring4shell].
 In the `Delete` action, `PostScan` needs to return results you want to delete.
 If `PostScan` returns an empty, Trivy will not delete anything.
 #### Build
 Follow [the install guide][tinygo-installation] and install TinyGo.
 ```bash
 $ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
 ```
 Put the built binary to the module directory that is under the home directory by default.
 ```bash
 $ mkdir -p ~/.trivy/modules
 $ cp spring4shell.wasm ~/.trivy/modules
 ```
 ## Distribute Your Module
 You can distribute your own module in OCI registries. Please follow [the oras installation instruction][oras].
 ```bash
 oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm
 Uploading 3daa3dac086b wordpress.wasm
 Pushed ghcr.io/aquasecurity/trivy-module-wordpress:latest
 Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
 ```
 ## Examples
 - [Spring4Shell][trivy-module-spring4shell]
 - [WordPress][trivy-module-wordpress]
 [regexp]: https://github.com/google/re2/wiki/Syntax
 [tinygo]: https://tinygo.org/
 [spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
 [wazero]: https://github.com/tetratelabs/wazero
 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
 [trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
 [tinygo-installation]: https://tinygo.org/getting-started/install/
 [oras]: https://oras.land/cli/
--- a/docs/docs/advanced/plugins.md
+++ b/docs/docs/advanced/plugins.md
@@ -0,0 +1,173 @@
 # Plugins
 Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivycode base.
 This plugin system was inspired by the plugin system used in [kubectl][kubectl], [Helm][helm], and [Conftest][conftest].
 ## Overview
 Trivy plugins are add-on tools that integrate seamlessly with Trivy.
 They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language.
 - They integrate with Trivy, and will show up in Trivy help and subcommands.
 !!! warning
    Trivy plugins available in public are not audited for security.
    You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
 ## Installing a Plugin
 A plugin can be installed using the `trivy plugin install` command.
 This command takes a url and will download the plugin and install it in the plugin cache.
 Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
 Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
 The preference order is as follows:
 - XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
 - ~/.trivy/plugins
 Under the hood Trivy leverages [go-getter][go-getter] to download plugins.
 This means the following protocols are supported for downloading plugins:
 - OCI Registries
 - Local Files
 - Git
 - HTTP/HTTPS
 - Mercurial
 - Amazon S3
 - Google Cloud Storage
 For example, to download the Kubernetes Trivy plugin you can execute the following command:
 ```bash
 $ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
 ```
 ## Using Plugins
 Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
 A plugin will be made in the Trivy CLI based on the plugin name.
 To display all plugins, you can list them by `trivy --help`
 ```bash
 $ trivy --help
 NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers
 USAGE:
   trivy [global options] command [command options] target
 VERSION:
   dev
 COMMANDS:
   image, i          scan an image
   filesystem, fs    scan local filesystem
   repository, repo  scan remote repository
   client, c         client mode
   server, s         server mode
   plugin, p         manage plugins
   kubectl           scan kubectl resources
   help, h           Shows a list of commands or help for one command
 ```
 As shown above, `kubectl` subcommand exists in the `COMMANDS` section.
 To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
 ```
 $ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL
 ```
 Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy.
 You can see the detail [here][trivy-plugin-kubectl].
 If you want to omit even the subcommand, you can use `TRIVY_RUN_AS_PLUGIN` environment variable.
 ```bash
 $ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json
 ```
 ## Installing and Running Plugins on the fly
 `trivy plugin run` installs a plugin and runs it on the fly.
 If the plugin is already present in the cache, the installation is skipped.
 ```bash
 trivy plugin run github.com/aquasecurity/trivy-plugin-kubectl pod your-pod -- --exit-code 1
 ```
 ## Uninstalling Plugins
 Specify a plugin name with `trivy plugin uninstall` command.
 ```bash
 $ trivy plugin uninstall kubectl
 ```
 ## Building Plugins
 Each plugin has a top-level directory, and then a plugin.yaml file.
 ```bash
 your-plugin/
  |
  |- plugin.yaml
  |- your-plugin.sh
 ```
 In the example above, the plugin is contained inside of a directory named `your-plugin`.
 It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
 The core of a plugin is a simple YAML file named plugin.yaml.
 Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.
 ```yaml
 name: "kubectl"
 repository: github.com/aquasecurity/trivy-plugin-kubectl
 version: "0.1.0"
 usage: scan kubectl resources
 description: |-
  A Trivy plugin that scans the images of a kubernetes resource.
  Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
 platforms:
  - selector: # optional
      os: darwin
      arch: amd64
    uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
    bin: ./trivy-kubectl # path to the execution file
  - selector: # optional
      os: linux
      arch: amd64
    uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
    bin: ./trivy-kubectl
 ```
 The `plugin.yaml` field should contain the following information:
 - name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
 - version: The version of the plugin. (required)
 - usage: A short usage description. (required)
 - description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
 - platforms: (required)
  - selector: The OS/Architecture specific variations of a execution file. (optional)
    - os: OS information based on GOOS (linux, darwin, etc.) (optional)
    - arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
  - uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
  - bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
 The following rules will apply in deciding which platform to select:
 - If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
 - If `selector` is not present, the platform will be used.
 - If `os` matches and there is no more specific `arch` match, the platform will be used.
 - If no `platform` match is found, Trivy will exit with an error.
 After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
 When the plugin is called via Trivy CLI, `bin` command will be executed.
 The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
 ## Example
 https://github.com/aquasecurity/trivy-plugin-kubectl
 [kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
 [helm]: https://helm.sh/docs/topics/plugins/
 [conftest]: https://www.conftest.dev/plugins/
 [go-getter]: https://github.com/hashicorp/go-getter
 [trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
--- a/docs/docs/advanced/private-registries/acr.md
+++ b/docs/docs/advanced/private-registries/acr.md
@@ -0,0 +1,27 @@
 # Requirements
 None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
 # Privileges
 Service principal must have the `AcrPull` permissions.
 ## Creation of a service principal
 ```bash
 export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
 ```
 # Usage
 ```bash
 # must set TRIVY_USERNAME empty char
 export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
 export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
 export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
 ```
 # Testing
 You can test credentials in the following manner.
 ```bash
 docker run -it --rm -v /tmp:/tmp\
  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
 ```
--- a/docs/docs/advanced/private-registries/docker-hub.md
+++ b/docs/docs/advanced/private-registries/docker-hub.md
@@ -0,0 +1,7 @@
 Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
 You don't need to set ENV vars when download from public repository.
 ```bash
 export TRIVY_USERNAME={DOCKERHUB_USERNAME}
 export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
 ```
--- a/docs/docs/advanced/private-registries/ecr.md
+++ b/docs/docs/advanced/private-registries/ecr.md
@@ -0,0 +1,4 @@
 Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
 You can use [AWS CLI's ENV Vars][env-var].
 [env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
--- a/docs/docs/advanced/private-registries/gcr.md
+++ b/docs/docs/advanced/private-registries/gcr.md
@@ -0,0 +1,40 @@
 # Requirements
 None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 # Privileges
 Credential file must have the `roles/storage.objectViewer` permissions.
 More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
 ## JSON File Format
 The JSON file specified should have the following format provided by google's service account mechanisms:
 ```json
 {
  "type": "service_account",
  "project_id": "your_special_project",
  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
 }
 ```
 # Usage
 If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
 # Testing
 You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
 ```bash
 docker run -it --rm -v /tmp:/tmp\
  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
 ```
--- a/docs/docs/advanced/private-registries/index.md
+++ b/docs/docs/advanced/private-registries/index.md
@@ -0,0 +1,4 @@
 Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
 That's because it's easy to run in a CI process.
 All you have to do is install `Trivy` and set ENV vars.
--- a/docs/docs/advanced/private-registries/self.md
+++ b/docs/docs/advanced/private-registries/self.md
@@ -0,0 +1,9 @@
 BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
 ```bash
 export TRIVY_USERNAME={USERNAME}
 export TRIVY_PASSWORD={PASSWORD}
 # if you want to use 80 port, use NonSSL
 export TRIVY_NON_SSL=true
 ```
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,142 @@
 # Scan SBOM attestation in Rekor
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 ## Container images
 Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
 ### Prerequisites
 1. SBOM attestation stored in Rekor
    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
 ### Scanning
 You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
 !!! note
    `--sbom-sources` can be used only with `trivy image` at the moment.
 ```bash
 $ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
 2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
 2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
 2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
 2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
 2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
 2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
 2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
 2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
 2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided
 otms61/alpine:3.7.3 (alpine 3.7.3)
 ==================================
 Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
 ┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
 │  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
 ├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
 │ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
 │            │                │          │                   │               │ adjustment im ......                                     │
 │            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
 ├────────────┤                │          │                   │               │                                                          │
 │ musl-utils │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 └────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
 If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
 ```bash
 $ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
 ```
 ## Non-packaged binaries
 Trivy can retrieve SBOM attestation of non-packaged binaries in the [Rekor][rekor] instance and scan it for vulnerabilities.
 ### Prerequisites
 1. SBOM attestation stored in Rekor
    - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
 Cosign currently does not support keyless signing for blob attestation, so use our plugin at the moment.
 This example uses a cat clone [bat][bat] written in Rust.
 You need to generate SBOM from lock files like `Cargo.lock` at first.
 ```bash
 $ git clone -b v0.20.0 https://github.com/sharkdp/bat
 $ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock
 ```
 Then [our attestation plugin][plugin-attest] allows you to store the SBOM attestation linking to a `bat` binary in the Rekor instance.
 ```bash
 $ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz
 $ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz
 $ trivy plugin install github.com/aquasecurity/trivy-plugin-attest
 $ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat
 ```
 ### Scan a non-packaged binary
 Trivy calculates the digest of the `bat` binary and searches for the SBOM attestation by the digest in Rekor.
 If it is found, Trivy uses that for vulnerability scanning.
 ```bash
 $ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat
 2022-10-25T13:27:25.950+0300    INFO    Found SBOM attestation in Rekor: bat
 2022-10-25T13:27:25.993+0300    INFO    Number of language-specific files: 1
 2022-10-25T13:27:25.993+0300    INFO    Detecting cargo vulnerabilities...
 bat (cargo)
 ===========
 Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 ┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
 │  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
 ├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
 │ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
 │           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
 └───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
 ```
 Also, it is applied to non-packaged binaries even in container images.
 ```bash
 $ trivy image --sbom-sources rekor --security-checks vuln alpine-with-bat
 2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
 2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
 2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine
 2022-10-25T13:40:18.186+0300    INFO    Detecting Alpine vulnerabilities...
 2022-10-25T13:40:18.199+0300    INFO    Number of language-specific files: 1
 2022-10-25T13:40:18.199+0300    INFO    Detecting cargo vulnerabilities...
 alpine-with-bat (alpine 3.15.6)
 ===============================
 Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 bat (cargo)
 ===========
 Total: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 ┌───────────┬───────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
 │  Library  │   Vulnerability   │ Severity │ Installed Version │ Fixed Version │                           Title                            │
 ├───────────┼───────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
 │ regex     │ CVE-2022-24713    │ HIGH     │ 1.5.4             │ 1.5.5         │ Mozilla: Denial of Service via complex regular expressions │
 │           │                   │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24713                 │
 └───────────┴───────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
 ```
 !!! note
    The `--sbom-sources rekor` flag slows down the scanning as it queries Rekor on the Internet for all non-packaged binaries.
 [rekor]: https://github.com/sigstore/rekor
 [sbom-attest]: sbom.md#keyless-signing
 [plugin-attest]: https://github.com/aquasecurity/trivy-plugin-attest
 [bat]: https://github.com/sharkdp/bat
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -0,0 +1,87 @@
 # SBOM attestation
 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
 And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
 ## Sign with a local key pair
 Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
 ```bash
 $ cosign generate-key-pair
 ```
 In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```
 Then, you can verify attestations on the image.
 ```bash
 $ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>
 ```
 You can also create attestations of other formatted SBOM.
 ```bash
 # spdx
 $ trivy image --format spdx -o sbom.spdx <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>
 # spdx-json
 $ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>
 ```
 ## Keyless signing
 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
 # The following command uploads SBOM attestation to the public Rekor instance.
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
 ```
 You can verify attestations.
 ```bash
 $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>
 ```
 ## Scanning
 Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
 In the following example, Cosign can get an CycloneDX-type attestation and trivy scan it.
 You must create CycloneDX-type attestation before trying the example.
 To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [Sign with a local key pair](#sign-with-a-local-key-pair) section.
 ```bash
 $ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
 $ trivy sbom ./sbom.cdx.intoto.jsonl
 sbom.cdx.intoto.jsonl (alpine 3.7.3)
 =========================
 Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
 ┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
 │  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
 ├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
 │ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
 │            │                │          │                   │               │ adjustment im ......                                     │
 │            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
 ├────────────┤                │          │                   │               │                                                          │
 │ musl-utils │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 │            │                │          │                   │               │                                                          │
 └────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
 ```
--- a/docs/docs/attestation/vuln.md
+++ b/docs/docs/attestation/vuln.md
@@ -0,0 +1,190 @@
 # Cosign Vulnerability Attestation
 ## Generate Cosign Vulnerability Scan Record
 Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
 You can use the regular subcommands (like image, fs and rootfs) and specify `cosign-vuln` with the --format option.
 ```
 $ trivy image --format cosign-vuln --output vuln.json alpine:3.10
 ```
 <details>
 <summary>Result</summary>
 ```json
 {
  "invocation": {
    "parameters": null,
    "uri": "",
    "event_id": "",
    "builder.id": ""
  },
  "scanner": {
    "uri": "pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28",
    "version": "v0.30.1-8-gf9cb8a28",
    "db": {
      "uri": "",
      "version": ""
    },
    "result": {
      "SchemaVersion": 2,
      "ArtifactName": "alpine:3.10",
      "ArtifactType": "container_image",
      "Metadata": {
        "OS": {
          "Family": "alpine",
          "Name": "3.10.9",
          "EOSL": true
        },
        "ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
        "DiffIDs": [
          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
        ],
        "RepoTags": [
          "alpine:3.10"
        ],
        "RepoDigests": [
          "alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
        ],
        "ImageConfig": {
          "architecture": "amd64",
          "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
          "created": "2021-04-14T19:20:05.338397761Z",
          "docker_version": "19.03.12",
          "history": [
            {
              "created": "2021-04-14T19:20:04.987219124Z",
              "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
            },
            {
              "created": "2021-04-14T19:20:05.338397761Z",
              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
              "empty_layer": true
            }
          ],
          "os": "linux",
          "rootfs": {
            "type": "layers",
            "diff_ids": [
              "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
            ]
          },
          "config": {
            "Cmd": [
              "/bin/sh"
            ],
            "Env": [
              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
          }
        }
      },
      "Results": [
        {
          "Target": "alpine:3.10 (alpine 3.10.9)",
          "Class": "os-pkgs",
          "Type": "alpine",
          "Vulnerabilities": [
            {
              "VulnerabilityID": "CVE-2021-36159",
              "PkgName": "apk-tools",
              "InstalledVersion": "2.10.6-r0",
              "FixedVersion": "2.10.7-r0",
              "Layer": {
                "Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
                "DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
              "DataSource": {
                "ID": "alpine",
                "Name": "Alpine Secdb",
                "URL": "https://secdb.alpinelinux.org/"
              },
              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
              "Severity": "CRITICAL",
              "CweIDs": [
                "CWE-125"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "V2Score": 6.4,
                  "V3Score": 9.1
                }
              },
              "References": [
                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
              ],
              "PublishedDate": "2021-08-03T14:15:00Z",
              "LastModifiedDate": "2021-10-18T12:19:00Z"
            }
          ]
        }
      ]
    }
  },
  "metadata": {
    "scanStartedOn": "2022-07-24T17:14:04.864682+09:00",
    "scanFinishedOn": "2022-07-24T17:14:04.864682+09:00"
  }
 }
 ```
 </details>
 ## Create Cosign Vulnerability Attestation
 [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify Cosign vulnerability attestation.
 !!! note
    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
 ### Sign with a local key pair
 Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
 ```bash
 $ cosign generate-key-pair
 ```
 In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
 ```
 $ trivy image --format cosign-vuln --output vuln.json <IMAGE>
 $ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>
 ```
 Then, you can verify attestations on the image.
 ```
 $ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>
 ```
 ### Keyless signing
 You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
 ```
 $ trivy image --format cosign-vuln -o vuln.json <IMAGE>
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
 ```
 You can verify attestations.
 ```
 $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
 ```
 [vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
--- a/docs/docs/cloud/aws/scanning.md
+++ b/docs/docs/cloud/aws/scanning.md
@@ -0,0 +1,59 @@
 # Amazon Web Services
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
 Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
 The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
 Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
 You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
 Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
 ## CLI Commands
 Scan a full AWS account (all supported services):
 ```shell
 trivy aws --region us-east-1
 ```
 You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
 ![AWS Summary Report](../../../imgs/trivy-aws.png)
 The summary view is the default when scanning multiple services.
 Scan a specific service:
 ```shell
 trivy aws --service s3
 ```
 Scan multiple services:
 ```shell
 # --service s3,ec2 works too
 trivy aws --service s3 --service ec2
 ```
 Show results for a specific AWS resource:
 ```shell
 trivy aws --service s3 --arn arn:aws:s3:::example-bucket
 ```
 All ARNs with detected issues will be displayed when showing results for their associated service.
 ## Cached Results
 By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
 ## Custom Policies
 You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information.
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -0,0 +1,8 @@
 # Compliance Reports
 Trivy support producing compliance reports.
 ## Supported reports
 - [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md) 
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -0,0 +1,72 @@
 # Docs
 This documentation details how to use Trivy to access the features listed below.
 ## Features
 - Comprehensive vulnerability detection
    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
        - Kubernetes
        - Docker
        - Terraform
        - more coming soon
    - Support custom policies
 - Simple
    - Specify only an image name, a directory containing IaC configs, or an artifact name
    - See [Quick Start][quickstart]
 - Fast
    - The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
    - Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
 - Easy installation
    - `apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation])
    - **No pre-requisites** such as installation of DB, libraries, etc.
 - High accuracy
    - **Especially Alpine Linux and RHEL/CentOS**
    - Other OSes are also high
 - DevSecOps
    - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
    - See [CI Example][integrations]
 - Support multiple formats
    - container image
        - A local image in Docker Engine which is running as a daemon
        - A local image in [Podman][podman] (>=2.0) which is exposing a socket
        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
        - A tar archive stored in the `docker save` / `podman save` formatted file
        - An image directory compliant with [OCI Image Format][oci]
    - local filesystem and rootfs
    - remote git repository
 - [SBOM][sbom] (Software Bill of Materials) support
    - CycloneDX
    - SPDX
    - GitHub Dependency Snapshots
 Please see [LICENSE][license] for Trivy licensing information.
 [installation]: ../index.md
 [vuln]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [kubernetesoperator]: ../docs/kubernetes/operator/index.md
 [container]: ../docs/vulnerability/scanning/image.md
 [rootfs]: ../docs/vulnerability/scanning/rootfs.md
 [filesystem]: ../docs/vulnerability/scanning/filesystem.md
 [repo]: ../docs/vulnerability/scanning/git-repository.md
 [kubernetes]: ../docs/kubernetes/cli/scanning.md
 [standalone]: ../docs/references/modes/standalone.md
 [client-server]: ../docs/references/modes/client-server.md
 [integrations]: ../tutorials/integrations/index.md
 [os]: ../docs/vulnerability/detection/os.md
 [lang]: ../docs/vulnerability/detection/language.md
 [builtin]: ../docs/misconfiguration/policy/builtin.md
 [quickstart]: ../getting-started/quickstart.md
 [podman]: ../docs/advanced/container/podman.md
 [sbom]: ../docs/sbom/index.md
 [oci]: https://github.com/opencontainers/image-spec
 [license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/docs/integrations/woodpecker-ci.md
+++ b/docs/docs/integrations/woodpecker-ci.md
@@ -0,0 +1,17 @@
 # Woodpecker CI
 This is a simple example configuration `.woodpecker/trivy.yml` that shows how you could get started:
 ```yml
 pipeline:
  securitycheck:
    image: aquasec/trivy:latest
    commands:
      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
 ```
 Woodpecker does use Trivy itself so you can see an [Example][example] run at its [Repository][repository] and how it was [added](https://github.com/woodpecker-ci/woodpecker/pull/1163).
 [example]: https://ci.woodpecker-ci.org/woodpecker-ci/woodpecker/build/3520/37
 [repository]: https://github.com/woodpecker-ci/woodpecker
--- a/docs/docs/kubernetes/cli/compliance.md
+++ b/docs/docs/kubernetes/cli/compliance.md
@@ -0,0 +1,68 @@
 # Kubernetes Compliance
 ## NSA Complaince Report
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
 [NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
 | NAME                                                     | DESCRIPTION                                                                                             |          |
 |----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------|
 | Non-root containers                                      | Check that container is not running as root                                                       |
 | Immutable container file systems                         | Check that container root file system is immutable                                                  |
 | Preventing privileged containers                         | Controls whether Pods can run privileged containers                                                 |
 | Share containers process namespaces                      | Controls whether containers can share process namespaces                                                 |
 | Share host process namespaces                            | Controls whether share host process namespaces                                                 |
 | Use the host network                                     | Controls whether containers can use the host network                                                    |
 | Run with root privileges or with root group membership   | Controls whether container applications can run with <br/>root privileges or with root group membership                   |
 | Restricts escalation to root privileges                  | Control check restrictions escalation to root privileges                                                 |
 | Sets the SELinux context of the container                | Control checks if pod sets the SELinux context of the container                                                  |
 | Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor                                    | 
 | Sets the seccomp profile used to sandbox containers      | Control checks the sets the seccomp profile used to sandbox containers                                                 |
 | Protecting Pod service account tokens                    | Control check whether disable secret token been mount ,automountServiceAccountToken: false                        | 
 | Namespace kube-system should not be used by users        | Control check whether Namespace kube-system is not be used by users                                                      |
 | Pod and/or namespace Selectors usage                     | Control check validate the pod and/or namespace Selectors usage                                                      |
 | Use CNI plugin that supports NetworkPolicy API           | Control check whether check cni plugin installed                                                  |
 | Use ResourceQuota policies to limit resources            | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace                  | 
 | Use LimitRange policies to limit resources               | Control check the use of LimitRange policy limit resource usage for namespaces or nodes                              |
 | Control plan disable insecure port                       | Control check whether control plan disable insecure port                                                       |
 | Encrypt etcd communication                               | Control check whether etcd communication is encrypted                                                  |
 | Ensure kube config file permission                       | Control check whether kube config file permissions                                                |
 | Check that encryption resource has been set              | Control checks whether encryption resource has been set                                                        |
 | Check encryption provider                                | Control checks whether encryption provider has been set                                                        |
 | Make sure anonymous-auth is unset                        | Control checks whether anonymous-auth is unset                                                      |
 | Make sure -authorization-mode=RBAC                       | Control check whether RBAC permission is in use                                                        |
 | Audit policy is configure                                | Control check whether audit policy is configure                                                  |
 | Audit log path is configure                              | Control check whether audit log path is configure                                                  |
 | Audit log aging                                          | Control check whether audit log aging is configure                                                  |
 ## CLI Commands
 Scan a full cluster and generate a complliance NSA summary report:
 ```
 $ trivy k8s cluster --compliance=nsa --report summary
 ```
 ![k8s Summary Report](../../../imgs/trivy-nsa-summary.png)
 ***Note*** : The `compliance` column represent the calculation of all tests pass vs. fail for all resources per control check in percentage format.
 Example: if I have two resources in cluster and one resource scan result show pass while the other one show fail for `1.0 Non-root Containers` then it compliance will show 50%
 An additional report is supported to get all of the detail the output contains, use `--report all`
 ```
 $ trivy k8s cluster --compliance=nsa --report all
 ```
 Report also supported in json format examples :
 ```
 $ trivy k8s cluster --compliance=nsa --report summary --format json
 ```
 ```
 $ trivy k8s cluster --compliance=nsa --report all --format json
 ```
--- a/docs/docs/kubernetes/cli/scanning.md
+++ b/docs/docs/kubernetes/cli/scanning.md
@@ -0,0 +1,279 @@
 # Kubernetes
 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
 The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
 If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)
 Trivy uses your local kubectl configuration to access the API server to list artifacts.
 ## CLI Commands
 Scan a full cluster and generate a simple summary report:
 ```
 $ trivy k8s --report=summary cluster
 ```
 ![k8s Summary Report](../../../imgs/trivy-k8s.png)
 The summary report is the default. To get all of the detail the output contains, use `--report all`.
 Filter by severity:
 ```
 $ trivy k8s --severity=CRITICAL --report=all cluster
 ```
 Filter by security check (Vulnerabilities, Secrets or Misconfigurations):
 ```
 $ trivy k8s --security-checks=secret --report=summary cluster
 # or
 $ trivy k8s --security-checks=config --report=summary cluster
 ```
 Scan a specific namespace:
 ```
 $ trivy k8s -n kube-system --report=summary all
 ```
 Use a specific kubeconfig file:
 ```
 $ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
 ```
 Scan a specific resource and get all the output:
 ```
 $ trivy k8s deployment appname
 ```
 Scan all deploys, or deploys and configmaps:
 ```
 $ trivy k8s --report=summary deployment
 $ trivy k8s --report=summary deployment,configmaps
 ```
 If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
 For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
 ```
 $ trivy k8s -n app --severity=CRITICAL deployment/appname
 ```
 This is specific to all Trivy CLI commands.
 The supported formats are `table`, which is the default, and `json`.
 To get a JSON output on a full cluster scan:
 ```
 $ trivy k8s --format json -o results.json cluster
 ```
 <details>
 <summary>Result</summary>
 ```json
 {
  "ClusterName": "minikube",
  "Vulnerabilities": [
    {
      "Namespace": "default",
      "Kind": "Deployment",
      "Name": "app",
      "Results": [
        {
          "Target": "ubuntu:latest (ubuntu 22.04)",
          "Class": "os-pkgs",
          "Type": "ubuntu",
          "Vulnerabilities": [
            {
              "VulnerabilityID": "CVE-2016-2781",
              "PkgName": "coreutils",
              "InstalledVersion": "8.32-4.1ubuntu1",
              "Layer": {
                "Digest": "sha256:125a6e411906fe6b0aaa50fc9d600bf6ff9bb11a8651727ce1ed482dc271c24c",
                "DiffID": "sha256:e59fc94956120a6c7629f085027578e6357b48061d45714107e79f04a81a6f0c"
              },
              "SeveritySource": "ubuntu",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781",
              "DataSource": {
                "ID": "ubuntu",
                "Name": "Ubuntu CVE Tracker",
                "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
              },
              "Title": "coreutils: Non-privileged session can escape to the parent session in chroot",
              "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
              "Severity": "LOW",
              "CweIDs": [
                "CWE-20"
              ],
              "VendorSeverity": {
                "cbl-mariner": 2,
                "nvd": 2,
                "redhat": 2,
                "ubuntu": 1
              },
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
                  "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                  "V2Score": 2.1,
                  "V3Score": 6.5
                },
                "redhat": {
                  "V2Vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
                  "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  "V2Score": 6.2,
                  "V3Score": 8.6
                }
              },
              "References": [
                "http://seclists.org/oss-sec/2016/q1/452",
                "http://www.openwall.com/lists/oss-security/2016/02/28/2",
                "http://www.openwall.com/lists/oss-security/2016/02/28/3",
                "https://access.redhat.com/security/cve/CVE-2016-2781",
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781",
                "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
                "https://lore.kernel.org/patchwork/patch/793178/",
                "https://nvd.nist.gov/vuln/detail/CVE-2016-2781"
              ],
              "PublishedDate": "2017-02-07T15:59:00Z",
              "LastModifiedDate": "2021-02-25T17:15:00Z"
            }
          ]
        }
      ]
    }
  ],
  "Misconfigurations": [
    {
      "Namespace": "default",
      "Kind": "Deployment",
      "Name": "app",
      "Results": [
        {
          "Target": "Deployment/app",
          "Class": "config",
          "Type": "kubernetes",
          "MisconfSummary": {
            "Successes": 20,
            "Failures": 19,
            "Exceptions": 0
          },
          "Misconfigurations": [
            {
              "Type": "Kubernetes Security Check",
              "ID": "KSV001",
              "Title": "Process can elevate its own privileges",
              "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
              "Message": "Container 'app' of Deployment 'app' should set 'securityContext.allowPrivilegeEscalation' to false",
              "Namespace": "builtin.kubernetes.KSV001",
              "Query": "data.builtin.kubernetes.KSV001.deny",
              "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
              "Severity": "MEDIUM",
              "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001",
              "References": [
                "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
                "https://avd.aquasec.com/misconfig/ksv001"
              ],
              "Status": "FAIL",
              "Layer": {},
              "IacMetadata": {
                "Provider": "Kubernetes",
                "Service": "general",
                "StartLine": 121,
                "EndLine": 133
              }
            },
            {
              "Type": "Kubernetes Security Check",
              "ID": "KSV003",
              "Title": "Default capabilities not dropped",
              "Description": "The container should drop all default capabilities and add only those that are needed for its execution.",
              "Message": "Container 'app' of Deployment 'app' should add 'ALL' to 'securityContext.capabilities.drop'",
              "Namespace": "builtin.kubernetes.KSV003",
              "Query": "data.builtin.kubernetes.KSV003.deny",
              "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.",
              "Severity": "LOW",
              "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003",
              "References": [
                "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
                "https://avd.aquasec.com/misconfig/ksv003"
              ],
              "Status": "FAIL",
              "Layer": {},
              "IacMetadata": {
                "Provider": "Kubernetes",
                "Service": "general",
                "StartLine": 121,
                "EndLine": 133
              }
            }
          ]
        }
      ]
    },
    {
      "Namespace": "default",
      "Kind": "ConfigMap",
      "Name": "kube-root-ca.crt"
    }
  ]
 }
 ```
 </details>
 ## Infra checks
 Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
 if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
 components under `kube-system` with commands:
 ```
 $ trivy k8s cluster --report summary # full cluster scan
 $ trivy k8s all -n kube-system --report summary # scan all componetns under kube-system
 ```
 A table will be printed about misconfigurations found on kubernetes core components:
 ```
 Summary Report for minikube
 ┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
 │  Namespace  │               Resource               │ Kubernetes Infra Assessment │
 │             │                                      ├────┬────┬────┬─────┬────────┤
 │             │                                      │ C  │ H  │ M  │ L   │   U    │
 ├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
 │ kube-system │ Pod/kube-apiserver-minikube          │    │    │ 1  │ 10  │        │
 │ kube-system │ Pod/kube-controller-manager-minikube │    │    │    │ 3   │        │
 │ kube-system │ Pod/kube-scheduler-minikube          │    │    │    │ 1   │        │
 └─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
 Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
 ```
 The infra checks are based on CIS Benchmarks recommendations for kubernetes.
 If you want filter only for the infra checks, you can use the flag `--components` along with the `--security-checks=config`
 ```
 $ trivy k8s cluster --report summary --components=infra --security-checks=config # scan only infra
 ```
 Or, to filter for all other checks besides the infra checks, you can:
 ```
 $ trivy k8s cluster --report summary --components=workload --security-checks=config # scan all components besides infra
 ```
--- a/docs/docs/kubernetes/operator/index.md
+++ b/docs/docs/kubernetes/operator/index.md
@@ -0,0 +1,14 @@
 # Trivy Operator  
 Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
 > Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
 <figure>
  <figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
 </figure>
 [operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
 [crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
 [trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest
--- a/docs/docs/licenses/scanning.md
+++ b/docs/docs/licenses/scanning.md
@@ -0,0 +1,320 @@
 # License Scanning
 Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
 License are classified using the [Google License Classification][google-license-classification] -
 - Forbidden
 - Restricted 
 - Reciprocal
 - Notice
 - Permissive
 - Unencumbered
 - Unknown
 !!! tip
    Licenses that Trivy fails to recognize are classified as UNKNOWN.
    As those licenses may be in violation, it is recommended to check those unknown licenses as well.    
 By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
 To enable extended license scanning, you can use `--license-full`.
 In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
 !!! note
    The full license scanning is expensive. It takes a while.
 Currently, the standard license scanning doesn't support filesystem and repository scanning.
 |   License scnanning   | Image | Rootfs    | Filesystem | Repository |
 |:---------------------:|:-----:|:---------:|:----------:|:----------:|
 |       Standard        |  ✅   |     ✅    |   -        |      -     |
 | Full (--license-full) |  ✅   |     ✅    |     ✅     |     ✅     |
 License checking classifies the identified licenses and map the classification to severity.
 | Classification | Severity |
 |----------------|----------|
 | Forbidden      | CRITICAL |
 | Restricted     | HIGH     |
 | Reciprocal     | MEDIUM   |
 | Notice         | LOW      |
 | Permissive     | LOW      |
 | Unencumbered   | LOW      |
 | Unknown        | UNKNOWN  |
 ## Quick start
 This section shows how to scan license in container image and filesystem.
 ### Standard scanning
 Specify an image name with `--security-cheks license`.
 ``` shell
 $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
 2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
 OS Packages (license)
 =====================
 Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
 ┌───────────────────┬─────────┬────────────────┬──────────┐
 │      Package      │ License │ Classification │ Severity │
 ├───────────────────┼─────────┼────────────────┼──────────┤
 │ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
 ├───────────────────┤         │                │          │
 │ apk-tools         │         │                │          │
 ├───────────────────┤         │                │          │
 │ busybox           │         │                │          │
 ├───────────────────┤         │                │          │
 │ musl-utils        │         │                │          │
 ├───────────────────┤         │                │          │
 │ scanelf           │         │                │          │
 ├───────────────────┤         │                │          │
 │ ssl_client        │         │                │          │
 └───────────────────┴─────────┴────────────────┴──────────┘
 ```
 ### Full scanning
 Specify `--license-full`
 ``` shell
 $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
 2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
 OS Packages (license)
 =====================
 Total: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)
 ┌───────────────────┬───────────────────┬────────────────┬──────────┐
 │      Package      │      License      │ Classification │ Severity │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ alpine-baselayout │ GPL-2.0           │ Restricted     │ HIGH     │
 ├───────────────────┤                   │                │          │
 │ apk-tools         │                   │                │          │
 ├───────────────────┼───────────────────┤                │          │
 │ bash              │ GPL-3.0           │                │          │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ keyutils-libs     │ GPL-2.0           │ Restricted     │ HIGH     │
 │                   ├───────────────────┼────────────────┼──────────┤
 │                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
 ├───────────────────┼───────────────────┤                │          │
 │ libaio            │ LGPL-2.1-or-later │                │          │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ libcom_err        │ GPL-2.0           │ Restricted     │ HIGH     │
 │                   ├───────────────────┼────────────────┼──────────┤
 │                   │ LGPL-2.0-or-later │ Non Standard   │ UNKNOWN  │
 ├───────────────────┼───────────────────┼────────────────┼──────────┤
 │ tzdata            │ Public-Domain     │ Non Standard   │ UNKNOWN  │
 └───────────────────┴───────────────────┴────────────────┴──────────┘
 Loose File License(s) (license)
 ===============================
 Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
 ┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────┐
 │ Classification │ Severity │   License    │                        File Location                         │
 ├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
 │ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                   │
 │                │          │              │                                                              │
 │                │          │              │                                                              │
 ├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────┤
 │ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- │
 │                │          │              │ s.LICENSE.txt                                                │
 │                │          │              ├──────────────────────────────────────────────────────────────┤
 │                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- │
 │                │          │              │ s.LICENSE.txt                                                │
 │                │          │              ├──────────────────────────────────────────────────────────────┤
 │                │          │              │ /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- │
 │                │          │              │ s.LICENSE.txt                                                │
 │                │          │              ├──────────────────────────────────────────────────────────────┤
 │                │          │              │ /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- │
 │                │          │              │ 41a80.js.LICENSE.txt                                         │
 └────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────┘
 ```
 ## Configuration
 Trivy has number of configuration flags for use with license scanning;
 ### Ignored Licenses
 Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
 ```shell
 $ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
 2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
 OS Packages (license)
 =====================
 Total: 2 (HIGH: 2, CRITICAL: 0)
 ┌───────────────────┬─────────┬────────────────┬──────────┐
 │      Package      │ License │ Classification │ Severity │
 ├───────────────────┼─────────┼────────────────┼──────────┤
 │ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
 ├───────────────────┤         │                │          │
 │ ssl_client        │         │                │          │
 └───────────────────┴─────────┴────────────────┴──────────┘
 ```
 ### Custom Classification
 You can generate the default config by the `--generate-default-config` flag and customize the license classification.
 For example, if you want to forbid only AGPL-3.0, you can leave it under `forbidden` and move other licenses to another classification.
 ```shell
 $ trivy image --generate-default-config
 $ vim trivy.yaml
 license:
  forbidden:
  - AGPL-3.0
  restricted:
  - AGPL-1.0
  - CC-BY-NC-1.0
  - CC-BY-NC-2.0
  - CC-BY-NC-2.5
  - CC-BY-NC-3.0
  - CC-BY-NC-4.0
  - CC-BY-NC-ND-1.0
  - CC-BY-NC-ND-2.0
  - CC-BY-NC-ND-2.5
  - CC-BY-NC-ND-3.0
  - CC-BY-NC-ND-4.0
  - CC-BY-NC-SA-1.0
  - CC-BY-NC-SA-2.0
  - CC-BY-NC-SA-2.5
  - CC-BY-NC-SA-3.0
  - CC-BY-NC-SA-4.0
  - Commons-Clause
  - Facebook-2-Clause
  - Facebook-3-Clause
  - Facebook-Examples
  - WTFPL
  - BCL
  - CC-BY-ND-1.0
  - CC-BY-ND-2.0
  - CC-BY-ND-2.5
  - CC-BY-ND-3.0
  - CC-BY-ND-4.0
  - CC-BY-SA-1.0
  - CC-BY-SA-2.0
  - CC-BY-SA-2.5
  - CC-BY-SA-3.0
  - CC-BY-SA-4.0
  - GPL-1.0
  - GPL-2.0
  - GPL-2.0-with-autoconf-exception
  - GPL-2.0-with-bison-exception
  - GPL-2.0-with-classpath-exception
  - GPL-2.0-with-font-exception
  - GPL-2.0-with-GCC-exception
  - GPL-3.0
  - GPL-3.0-with-autoconf-exception
  - GPL-3.0-with-GCC-exception
  - LGPL-2.0
  - LGPL-2.1
  - LGPL-3.0
  - NPL-1.0
  - NPL-1.1
  - OSL-1.0
  - OSL-1.1
  - OSL-2.0
  - OSL-2.1
  - OSL-3.0
  - QPL-1.0
  - Sleepycat
  reciprocal:
  - APSL-1.0
  - APSL-1.1
  - APSL-1.2
  - APSL-2.0
  - CDDL-1.0
  - CDDL-1.1
  - CPL-1.0
  - EPL-1.0
  - EPL-2.0
  - FreeImage
  - IPL-1.0
  - MPL-1.0
  - MPL-1.1
  - MPL-2.0
  - Ruby
  notice:
  - AFL-1.1
  - AFL-1.2
  - AFL-2.0
  - AFL-2.1
  - AFL-3.0
  - Apache-1.0
  - Apache-1.1
  - Apache-2.0
  - Artistic-1.0-cl8
  - Artistic-1.0-Perl
  - Artistic-1.0
  - Artistic-2.0
  - BSL-1.0
  - BSD-2-Clause-FreeBSD
  - BSD-2-Clause-NetBSD
  - BSD-2-Clause
  - BSD-3-Clause-Attribution
  - BSD-3-Clause-Clear
  - BSD-3-Clause-LBNL
  - BSD-3-Clause
  - BSD-4-Clause
  - BSD-4-Clause-UC
  - BSD-Protection
  - CC-BY-1.0
  - CC-BY-2.0
  - CC-BY-2.5
  - CC-BY-3.0
  - CC-BY-4.0
  - FTL
  - ISC
  - ImageMagick
  - Libpng
  - Lil-1.0
  - Linux-OpenIB
  - LPL-1.02
  - LPL-1.0
  - MS-PL
  - MIT
  - NCSA
  - OpenSSL
  - PHP-3.01
  - PHP-3.0
  - PIL
  - Python-2.0
  - Python-2.0-complete
  - PostgreSQL
  - SGI-B-1.0
  - SGI-B-1.1
  - SGI-B-2.0
  - Unicode-DFS-2015
  - Unicode-DFS-2016
  - Unicode-TOU
  - UPL-1.0
  - W3C-19980720
  - W3C-20150513
  - W3C
  - X11
  - Xnet
  - Zend-2.0
  - zlib-acknowledgement
  - Zlib
  - ZPL-1.1
  - ZPL-2.0
  - ZPL-2.1
  unencumbered:
  - CC0-1.0
  - Unlicense
  - 0BSD
  permissive: []
 ```
 [google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses
--- a/docs/docs/misconfiguration/comparison/cfsec.md
+++ b/docs/docs/misconfiguration/comparison/cfsec.md
@@ -0,0 +1,24 @@
 # vs cfsec
 [cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
 Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
 This section describes the differences between Trivy and cfsec.
 | Feature               | Trivy                                                  | cfsec                        |
 |-----------------------|--------------------------------------------------------|------------------------------|
 | Built-in Policies     | :material-check:                                       | :material-check:             |
 | Custom Policies       | :material-check:                                       | :material-close:             |
 | Policy Metadata[^1]   | :material-check:                                       | :material-check:             |
 | Show Successes        | :material-check:                                       | :material-check:             |
 | Disable Policies      | :material-check:                                       | :material-check:             |
 | Show Issue Lines      | :material-check:                                       | :material-check:             |
 | View Statistics       | :material-close:                                       | :material-check:             |
 | Filtering by Severity | :material-check:                                       | :material-close:             |
 | Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | CloudFormation JSON and YAML |
 [^1]: To enrich the results such as ID, Title, Description, Severity, etc.
 cfsec is designed for CloudFormation.
 People who use only want to scan their CloudFormation templates should use cfsec.
 People who want to scan a wide range of configuration files should use Trivy.
 [cfsec]: https://github.com/aquasecurity/cfsec
--- a/docs/docs/misconfiguration/comparison/conftest.md
+++ b/docs/docs/misconfiguration/comparison/conftest.md
@@ -0,0 +1,43 @@
 # vs Conftest
 [Conftest][conftest] is a really nice tool to help you write tests against structured configuration data.
 Misconfiguration detection in Trivy is heavily inspired by Conftest and provides similar features Conftest has.
 This section describes the differences between Trivy and Conftest.
 | Feature                     | Trivy                | Conftest             |
 | --------------------------- | -------------------- | -------------------- |
 | Support Rego Language       | :material-check:     | :material-check:     |
 | Built-in Policies           | :material-check:     | :material-close:     |
 | Custom Policies             | :material-check:     | :material-check:     |
 | Custom Data                 | :material-check:     | :material-check:     |
 | Combine                     | :material-check:     | :material-check:     |
 | Combine per Policy          | :material-check:     | :material-close:     |
 | Policy Input Selector[^1]   | :material-check:     | :material-close:     |
 | Policy Metadata[^2]         | :material-check:     | :material-close:[^3] |
 | Filtering by Severity       | :material-check:     | :material-close:     |
 | Rule-based Exceptions       | :material-check:     | :material-check:     |
 | Namespace-based Exceptions  | :material-check:     | :material-close:     |
 | Sharing Policies            | :material-close:     | :material-check:     |
 | Show Successes              | :material-check:     | :material-close:     |
 | Flexible Exit Code          | :material-check:     | :material-close:     |
 | Rego Unit Tests             | :material-close:[^4] | :material-check:     |
 | Go Testing                  | :material-check:     | :material-close:     |
 | Verbose Trace               | :material-check:     | :material-check:     |
 | Supported Formats           | 6 formats[^5]        | 14 formats[^6]       |
 Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies.
 In other words, Conftest is simpler and lighter.
 Conftest is a general testing tool for configuration files, and Trivy is more security-focused.
 People who need an out-of-the-box misconfiguration scanner should use Trivy.
 People who don't need built-in policies and write your policies should use Conftest.
 [^1]: Pass only the types of configuration file as input, specified in selector
 [^2]: To enrich the results such as ID, Title, Description, etc.
 [^3]: Conftest supports [structured errors in rules][conftest-structured], but they are free format and not natively supported by Conftest.
 [^4]: Trivy is not able to run `*_test.rego` like `conftest verify`.
 [^5]: Dockerfile, HCL, HCL2, JSON, TOML, and YAML
 [^6]: CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML
 [conftest-structured]: https://github.com/open-policy-agent/conftest/pull/243
 [conftest]: https://github.com/open-policy-agent/conftest
--- a/docs/docs/misconfiguration/comparison/tfsec.md
+++ b/docs/docs/misconfiguration/comparison/tfsec.md
@@ -0,0 +1,25 @@
 # vs tfsec
 [tfsec][tfsec] uses static analysis of your Terraform templates to spot potential security issues.
 Trivy uses tfsec internally to scan Terraform HCL files, but Trivy doesn't support some features provided by tfsec.
 This section describes the differences between Trivy and tfsec.
 | Feature               | Trivy                                                  | tfsec                |
 |-----------------------|--------------------------------------------------------|----------------------|
 | Built-in Policies     | :material-check:                                       | :material-check:     |
 | Custom Policies       | Rego                                                   | Rego, JSON, and YAML |
 | Policy Metadata[^1]   | :material-check:                                       | :material-check:     |
 | Show Successes        | :material-check:                                       | :material-check:     |
 | Disable Policies      | :material-check:                                       | :material-check:     |
 | Show Issue Lines      | :material-check:                                       | :material-check:     |
 | Support .tfvars       | :material-close:                                       | :material-check:     |
 | View Statistics       | :material-close:                                       | :material-check:     |
 | Filtering by Severity | :material-check:                                       | :material-check:     |
 | Supported Formats     | Dockerfile, JSON, YAML, Terraform, CloudFormation etc. | Terraform            |
 [^1]: To enrich the results such as ID, Title, Description, Severity, etc.
 tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.
 [tfsec]: https://github.com/aquasecurity/tfsec
--- a/docs/docs/misconfiguration/custom/combine.md
+++ b/docs/docs/misconfiguration/custom/combine.md
@@ -0,0 +1,44 @@
 # Combined input
 ## Overview
 Trivy usually scans each configuration file individually. 
 Sometimes it might be useful to compare values from different configuration files simultaneously.
 When `combine` is set to true, all config files under the specified directory are combined into one input data structure.
 !!! example
    ```
    __rego_input__ := {
        "combine": false,
    }
    ```
 In "combine" mode, the `input` document becomes an array, where each element is an object with two fields:
 - `"path": "path/to/file"`: the relative file path of the respective file
 - `"contents": ...`: the parsed content of the respective file
 Now you can ensure that duplicate values match across the entirety of your configuration files.
 ## Return value
 In "combine" mode, the `deny` entrypoint must return an object with two keys
 `filepath` (required)
 : the relative file path of the file being evaluated
 `msg` (required)
 : the message describing an issue
 !!! example
    ```
    deny[res] {
        resource := input[i].contents
        ... some logic ...
    	res := {
    		"filepath": input[i].path,
    		"msg": "something bad",
    	}
    }
    ```
--- a/docs/docs/misconfiguration/custom/data.md
+++ b/docs/docs/misconfiguration/custom/data.md
@@ -0,0 +1,35 @@
 # Custom Data
 Custom policies may require additional data in order to determine an answer.
 For example, an allowed list of resources that can be created. 
 Instead of hardcoding this information inside of your policy, Trivy allows passing paths to data files with the `--data` flag.
 Given the following yaml file:
 ```bash
 $ cd examples/misconf/custom-data
 $ cat data/ports.yaml                                                                                                                                                                      [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]
 services:
  ports:
    - "20"
    - "20/tcp"
    - "20/udp"
    - "23"
    - "23/tcp"
 ```
 This can be imported into your policy:
 ```rego
 import data.services
 ports := services.ports
 ```
 Then, you need to pass data paths through `--data` option.
 Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
 ```bash
 $ trivy conf --policy ./policy --data data --namespaces user ./configs
 ```
--- a/docs/docs/misconfiguration/custom/debug.md
+++ b/docs/docs/misconfiguration/custom/debug.md
@@ -0,0 +1,304 @@
 # Debugging policies
 When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
 For this purpose you can use the `--trace` flag.
 This will output a large trace from Open Policy Agent like the following:
 !!! tip
    Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
 ```shell
 $ trivy conf --trace configs/
 2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1
 Dockerfile (dockerfile)
 =======================
 Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
 Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
 MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
 See https://avd.aquasec.com/misconfig/ds001
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:1
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ FROM alpine:latest
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 HIGH: Last USER command in Dockerfile should not be 'root'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
 See https://avd.aquasec.com/misconfig/ds002
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ID: DS001
 File: Dockerfile
 Namespace: builtin.dockerfile.DS001
 Query: data.builtin.dockerfile.DS001.deny
 Message: Specify a tag in the 'FROM' statement for image 'alpine'
 TRACE  Enter data.builtin.dockerfile.DS001.deny = _
 TRACE  | Eval data.builtin.dockerfile.DS001.deny = _
 TRACE  | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)
 TRACE  | Enter data.builtin.dockerfile.DS001.deny
 TRACE  | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]
 TRACE  | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)
 TRACE  | | Enter data.builtin.dockerfile.DS001.fail_latest
 TRACE  | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]
 TRACE  | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)
 TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | | Eval from = data.lib.docker.from[_]
 TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
 TRACE  | | | | Enter data.lib.docker.from
 TRACE  | | | | | Eval instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "from"
 TRACE  | | | | | Exit data.lib.docker.from
 TRACE  | | | | Redo data.lib.docker.from
 TRACE  | | | | | Redo instruction.Cmd = "from"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "from"
 TRACE  | | | | | Fail instruction.Cmd = "from"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "from"
 TRACE  | | | | | Fail instruction.Cmd = "from"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | Eval name = from.Value[0]
 TRACE  | | | | Eval not startswith(name, "$")
 TRACE  | | | | Enter startswith(name, "$")
 TRACE  | | | | | Eval startswith(name, "$")
 TRACE  | | | | | Fail startswith(name, "$")
 TRACE  | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
 TRACE  | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)
 TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | | Eval split(name, ":", __local504__)
 TRACE  | | | | | Eval [img, tag] = __local504__
 TRACE  | | | | | Exit data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | Eval [img, tag] = __local505__
 TRACE  | | | | Eval output = {"cmd": from, "img": img, "tag": tag}
 TRACE  | | | | Exit data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | Redo data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | | Redo output = {"cmd": from, "img": img, "tag": tag}
 TRACE  | | | | Redo [img, tag] = __local505__
 TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)
 TRACE  | | | | Redo data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | | Redo [img, tag] = __local504__
 TRACE  | | | | | Redo split(name, ":", __local504__)
 TRACE  | | | | Enter data.builtin.dockerfile.DS001.parse_tag
 TRACE  | | | | | Eval tag = "latest"
 TRACE  | | | | | Eval not contains(img, ":")
 TRACE  | | | | | Enter contains(img, ":")
 TRACE  | | | | | | Eval contains(img, ":")
 TRACE  | | | | | | Exit contains(img, ":")
 TRACE  | | | | | Redo contains(img, ":")
 TRACE  | | | | | | Redo contains(img, ":")
 TRACE  | | | | | Fail not contains(img, ":")
 TRACE  | | | | | Redo tag = "latest"
 TRACE  | | | | Redo name = from.Value[0]
 TRACE  | | | | Redo from = data.lib.docker.from[_]
 TRACE  | | | Enter data.builtin.dockerfile.DS001.image_tags
 TRACE  | | | | Eval from = data.lib.docker.from[i]
 TRACE  | | | | Index data.lib.docker.from (matched 1 rule)
 TRACE  | | | | Eval name = from.Value[0]
 TRACE  | | | | Eval cmd_obj = input.stages[j][k]
 TRACE  | | | | Eval possibilities = {"arg", "env"}
 TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Redo possibilities = {"arg", "env"}
 TRACE  | | | | Redo cmd_obj = input.stages[j][k]
 TRACE  | | | | Eval possibilities = {"arg", "env"}
 TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Redo possibilities = {"arg", "env"}
 TRACE  | | | | Redo cmd_obj = input.stages[j][k]
 TRACE  | | | | Eval possibilities = {"arg", "env"}
 TRACE  | | | | Eval cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Fail cmd_obj.Cmd = possibilities[l]
 TRACE  | | | | Redo possibilities = {"arg", "env"}
 TRACE  | | | | Redo cmd_obj = input.stages[j][k]
 TRACE  | | | | Redo name = from.Value[0]
 TRACE  | | | | Redo from = data.lib.docker.from[i]
 TRACE  | | | Eval __local752__ = output.img
 TRACE  | | | Eval neq(__local752__, "scratch")
 TRACE  | | | Eval __local753__ = output.img
 TRACE  | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)
 TRACE  | | | | Enter data.builtin.dockerfile.DS001.is_alias
 TRACE  | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]
 TRACE  | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)
 TRACE  | | | | | Enter data.builtin.dockerfile.DS001.get_aliases
 TRACE  | | | | | | Eval from_cmd = data.lib.docker.from[_]
 TRACE  | | | | | | Index data.lib.docker.from (matched 1 rule)
 TRACE  | | | | | | Eval __local749__ = from_cmd.Value
 TRACE  | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
 TRACE  | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)
 TRACE  | | | | | | Enter data.builtin.dockerfile.DS001.get_alias
 TRACE  | | | | | | | Eval __local748__ = values[i]
 TRACE  | | | | | | | Eval lower(__local748__, __local501__)
 TRACE  | | | | | | | Eval "as" = __local501__
 TRACE  | | | | | | | Fail "as" = __local501__
 TRACE  | | | | | | | Redo lower(__local748__, __local501__)
 TRACE  | | | | | | | Redo __local748__ = values[i]
 TRACE  | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)
 TRACE  | | | | | | Redo __local749__ = from_cmd.Value
 TRACE  | | | | | | Redo from_cmd = data.lib.docker.from[_]
 TRACE  | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]
 TRACE  | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)
 TRACE  | | | Eval output.tag = "latest"
 TRACE  | | | Exit data.builtin.dockerfile.DS001.fail_latest
 TRACE  | | Redo data.builtin.dockerfile.DS001.fail_latest
 TRACE  | | | Redo output.tag = "latest"
 TRACE  | | | Redo __local753__ = output.img
 TRACE  | | | Redo neq(__local752__, "scratch")
 TRACE  | | | Redo __local752__ = output.img
 TRACE  | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]
 TRACE  | | Eval __local754__ = output.img
 TRACE  | | Eval sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
 TRACE  | | Eval msg = __local509__
 TRACE  | | Eval __local755__ = output.cmd
 TRACE  | | Eval data.lib.docker.result(msg, __local755__, __local510__)
 TRACE  | | Index data.lib.docker.result (matched 1 rule)
 TRACE  | | Enter data.lib.docker.result
 TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Exit data.lib.docker.result
 TRACE  | | Eval res = __local510__
 TRACE  | | Exit data.builtin.dockerfile.DS001.deny
 TRACE  | Redo data.builtin.dockerfile.DS001.deny
 TRACE  | | Redo res = __local510__
 TRACE  | | Redo data.lib.docker.result(msg, __local755__, __local510__)
 TRACE  | | Redo data.lib.docker.result
 TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | Redo __local755__ = output.cmd
 TRACE  | | Redo msg = __local509__
 TRACE  | | Redo sprintf("Specify a tag in the 'FROM' statement for image '%s'", [__local754__], __local509__)
 TRACE  | | Redo __local754__ = output.img
 TRACE  | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]
 TRACE  | Exit data.builtin.dockerfile.DS001.deny = _
 TRACE  Redo data.builtin.dockerfile.DS001.deny = _
 TRACE  | Redo data.builtin.dockerfile.DS001.deny = _
 TRACE
 ID: DS002
 File: Dockerfile
 Namespace: builtin.dockerfile.DS002
 Query: data.builtin.dockerfile.DS002.deny
 Message: Last USER command in Dockerfile should not be 'root'
 TRACE  Enter data.builtin.dockerfile.DS002.deny = _
 TRACE  | Eval data.builtin.dockerfile.DS002.deny = _
 TRACE  | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)
 TRACE  | Enter data.builtin.dockerfile.DS002.deny
 TRACE  | | Eval data.builtin.dockerfile.DS002.fail_user_count
 TRACE  | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)
 TRACE  | | Enter data.builtin.dockerfile.DS002.fail_user_count
 TRACE  | | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user
 TRACE  | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)
 TRACE  | | | Enter data.builtin.dockerfile.DS002.get_user
 TRACE  | | | | Eval user = data.lib.docker.user[_]
 TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
 TRACE  | | | | Enter data.lib.docker.user
 TRACE  | | | | | Eval instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "user"
 TRACE  | | | | | Fail instruction.Cmd = "user"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "user"
 TRACE  | | | | | Exit data.lib.docker.user
 TRACE  | | | | Redo data.lib.docker.user
 TRACE  | | | | | Redo instruction.Cmd = "user"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | | Eval instruction.Cmd = "user"
 TRACE  | | | | | Fail instruction.Cmd = "user"
 TRACE  | | | | | Redo instruction = input.stages[_][_]
 TRACE  | | | | Eval username = user.Value[_]
 TRACE  | | | | Exit data.builtin.dockerfile.DS002.get_user
 TRACE  | | | Redo data.builtin.dockerfile.DS002.get_user
 TRACE  | | | | Redo username = user.Value[_]
 TRACE  | | | | Redo user = data.lib.docker.user[_]
 TRACE  | | | Eval count(__local771__, __local536__)
 TRACE  | | | Eval lt(__local536__, 1)
 TRACE  | | | Fail lt(__local536__, 1)
 TRACE  | | | Redo count(__local771__, __local536__)
 TRACE  | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user
 TRACE  | | Fail data.builtin.dockerfile.DS002.fail_user_count
 TRACE  | Enter data.builtin.dockerfile.DS002.deny
 TRACE  | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
 TRACE  | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)
 TRACE  | | Enter data.builtin.dockerfile.DS002.fail_last_user_root
 TRACE  | | | Eval stage_users = data.lib.docker.stage_user[_]
 TRACE  | | | Index data.lib.docker.stage_user (matched 1 rule)
 TRACE  | | | Enter data.lib.docker.stage_user
 TRACE  | | | | Eval stage = input.stages[stage_name]
 TRACE  | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
 TRACE  | | | | Enter cmd = stage[_]; cmd.Cmd = "user"
 TRACE  | | | | | Eval cmd = stage[_]
 TRACE  | | | | | Eval cmd.Cmd = "user"
 TRACE  | | | | | Fail cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd = stage[_]
 TRACE  | | | | | Eval cmd.Cmd = "user"
 TRACE  | | | | | Exit cmd = stage[_]; cmd.Cmd = "user"
 TRACE  | | | | Redo cmd = stage[_]; cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd = stage[_]
 TRACE  | | | | | Eval cmd.Cmd = "user"
 TRACE  | | | | | Fail cmd.Cmd = "user"
 TRACE  | | | | | Redo cmd = stage[_]
 TRACE  | | | | Exit data.lib.docker.stage_user
 TRACE  | | | Redo data.lib.docker.stage_user
 TRACE  | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = "user"]
 TRACE  | | | | Redo stage = input.stages[stage_name]
 TRACE  | | | Eval count(stage_users, __local537__)
 TRACE  | | | Eval len = __local537__
 TRACE  | | | Eval minus(len, 1, __local538__)
 TRACE  | | | Eval last = stage_users[__local538__]
 TRACE  | | | Eval user = last.Value[0]
 TRACE  | | | Eval user = "root"
 TRACE  | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root
 TRACE  | | Redo data.builtin.dockerfile.DS002.fail_last_user_root
 TRACE  | | | Redo user = "root"
 TRACE  | | | Redo user = last.Value[0]
 TRACE  | | | Redo last = stage_users[__local538__]
 TRACE  | | | Redo minus(len, 1, __local538__)
 TRACE  | | | Redo len = __local537__
 TRACE  | | | Redo count(stage_users, __local537__)
 TRACE  | | | Redo stage_users = data.lib.docker.stage_user[_]
 TRACE  | | Eval msg = "Last USER command in Dockerfile should not be 'root'"
 TRACE  | | Eval data.lib.docker.result(msg, cmd, __local540__)
 TRACE  | | Index data.lib.docker.result (matched 1 rule)
 TRACE  | | Enter data.lib.docker.result
 TRACE  | | | Eval object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | | Eval object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Eval object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Eval result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Exit data.lib.docker.result
 TRACE  | | Eval res = __local540__
 TRACE  | | Exit data.builtin.dockerfile.DS002.deny
 TRACE  | Redo data.builtin.dockerfile.DS002.deny
 TRACE  | | Redo res = __local540__
 TRACE  | | Redo data.lib.docker.result(msg, cmd, __local540__)
 TRACE  | | Redo data.lib.docker.result
 TRACE  | | | Redo result = {"endline": __local470__, "filepath": __local471__, "msg": msg, "startline": __local472__}
 TRACE  | | | Redo object.get(cmd, "StartLine", 0, __local472__)
 TRACE  | | | Redo object.get(cmd, "Path", "", __local471__)
 TRACE  | | | Redo object.get(cmd, "EndLine", 0, __local470__)
 TRACE  | | Redo msg = "Last USER command in Dockerfile should not be 'root'"
 TRACE  | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]
 TRACE  | Exit data.builtin.dockerfile.DS002.deny = _
 TRACE  Redo data.builtin.dockerfile.DS002.deny = _
 TRACE  | Redo data.builtin.dockerfile.DS002.deny = _
 TRACE
 ```
--- a/docs/docs/misconfiguration/custom/examples.md
+++ b/docs/docs/misconfiguration/custom/examples.md
@@ -0,0 +1,296 @@
 # Examples
 ## Custom Policy
 ### Kubernetes
 See [here][k8s].
 The custom policy is defined in `user.kubernetes.ID001` package.
 You need to pass the package prefix you want to evaluate through `--namespaces` option.
 In this case, the package prefix should be `user`, `user.kubernetes`, or `user.kubernetes.ID001`.
 ### Dockerfile
 See [here][dockerfile].
 The input will be a dictionary of stages.
 #### Single Stage
 ??? example
    Dockerfile
    ```dockerfile
    FROM foo
    COPY . /
    RUN echo hello
    ```
    Rego Input
    ```json
    {
        "stages": {
            "foo": [
                {
                    "Cmd": "from",
                    "EndLine": 1,
                    "Flags": [],
                    "JSON": false,
                    "Original": "FROM foo",
                    "Stage": 0,
                    "StartLine": 1,
                    "SubCmd": "",
                    "Value": [
                        "foo"
                    ]
                },
                {
                    "Cmd": "copy",
                    "EndLine": 2,
                    "Flags": [],
                    "JSON": false,
                    "Original": "COPY . /",
                    "Stage": 0,
                    "StartLine": 2,
                    "SubCmd": "",
                    "Value": [
                        ".",
                        "/"
                    ]
                },
                {
                    "Cmd": "run",
                    "EndLine": 3,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN echo hello",
                    "Stage": 0,
                    "StartLine": 3,
                    "SubCmd": "",
                    "Value": [
                        "echo hello"
                    ]
                }
            ]
        }
    }
    ```
 #### Multi Stage
 ??? example
    Dockerfile
    ```dockerfile
    FROM golang:1.16 AS builder
    WORKDIR /go/src/github.com/alexellis/href-counter/
    RUN go get -d -v golang.org/x/net/html
    COPY app.go .
    RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
    FROM alpine:latest
    RUN apk --no-cache add ca-certificates \
    && apk add --no-cache bash
    WORKDIR /root/
    COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
    CMD ["./app"]
    ```
    Rego Input
    ```json
    {
        "stages": {
            "alpine:latest": [
                {
                    "Cmd": "from",
                    "EndLine": 7,
                    "Flags": [],
                    "JSON": false,
                    "Original": "FROM alpine:latest",
                    "Stage": 1,
                    "StartLine": 7,
                    "SubCmd": "",
                    "Value": [
                        "alpine:latest"
                    ]
                },
                {
                    "Cmd": "run",
                    "EndLine": 9,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash",
                    "Stage": 1,
                    "StartLine": 8,
                    "SubCmd": "",
                    "Value": [
                        "apk --no-cache add ca-certificates     \u0026\u0026 apk add --no-cache bash"
                    ]
                },
                {
                    "Cmd": "workdir",
                    "EndLine": 10,
                    "Flags": [],
                    "JSON": false,
                    "Original": "WORKDIR /root/",
                    "Stage": 1,
                    "StartLine": 10,
                    "SubCmd": "",
                    "Value": [
                        "/root/"
                    ]
                },
                {
                    "Cmd": "copy",
                    "EndLine": 11,
                    "Flags": [
                        "--from=builder"
                    ],
                    "JSON": false,
                    "Original": "COPY --from=builder /go/src/github.com/alexellis/href-counter/app .",
                    "Stage": 1,
                    "StartLine": 11,
                    "SubCmd": "",
                    "Value": [
                        "/go/src/github.com/alexellis/href-counter/app",
                        "."
                    ]
                },
                {
                    "Cmd": "cmd",
                    "EndLine": 12,
                    "Flags": [],
                    "JSON": true,
                    "Original": "CMD [\"./app\"]",
                    "Stage": 1,
                    "StartLine": 12,
                    "SubCmd": "",
                    "Value": [
                        "./app"
                    ]
                }
            ],
            "golang:1.16 AS builder": [
                {
                    "Cmd": "from",
                    "EndLine": 1,
                    "Flags": [],
                    "JSON": false,
                    "Original": "FROM golang:1.16 AS builder",
                    "Stage": 0,
                    "StartLine": 1,
                    "SubCmd": "",
                    "Value": [
                        "golang:1.16",
                        "AS",
                        "builder"
                    ]
                },
                {
                    "Cmd": "workdir",
                    "EndLine": 2,
                    "Flags": [],
                    "JSON": false,
                    "Original": "WORKDIR /go/src/github.com/alexellis/href-counter/",
                    "Stage": 0,
                    "StartLine": 2,
                    "SubCmd": "",
                    "Value": [
                        "/go/src/github.com/alexellis/href-counter/"
                    ]
                    },
                {
                    "Cmd": "run",
                    "EndLine": 3,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN go get -d -v golang.org/x/net/html",
                    "Stage": 0,
                    "StartLine": 3,
                    "SubCmd": "",
                    "Value": [
                        "go get -d -v golang.org/x/net/html"
                    ]
                },
                {
                    "Cmd": "copy",
                    "EndLine": 4,
                    "Flags": [],
                    "JSON": false,
                    "Original": "COPY app.go .",
                    "Stage": 0,
                    "StartLine": 4,
                    "SubCmd": "",
                    "Value": [
                        "app.go",
                        "."
                    ]
                },
                {
                    "Cmd": "run",
                    "EndLine": 5,
                    "Flags": [],
                    "JSON": false,
                    "Original": "RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .",
                    "Stage": 0,
                    "StartLine": 5,
                    "SubCmd": "",
                    "Value": [
                        "CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app ."
                    ]
                }
            ]
        }
    }
    ```
 ### Docker Compose
 See [here][compose].
 Docker Compose uses YAML format for configurations. You can apply your Rego policies to `docker-compose.yml`.
 ### HCL
 See [here][hcl].
 Trivy parses HCL files and converts into structured data.
 !!! warning
    Terraform HCL files are not supported yet.
 ### Terraform Plan
 See [here][tfplan].
 Use the command [terraform show][terraform-show] to convert the Terraform plan into JSON so that OPA can read the plan.
 ```bash
 $ terraform init
 $ terraform plan --out tfplan.binary
 $ terraform show -json tfplan.binary > tfplan.json
 ```
 For more details, see also [OPA document][opa-terraform].
 ### Serverless Framework
 See [here][serverless].
 Server Framework uses YAML format for configurations. You can apply your Rego policies to `serverless.yaml`.
 ## Custom Data
 See [here][data].
 ## Combined Input
 See [here][combine].
 ## Go Testing
 See [here][go-testing].
 [k8s]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/kubernetes/
 [dockerfile]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/dockerfile/
 [compose]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/docker-compose/
 [hcl]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/hcl/
 [serverless]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/serverless/
 [tfplan]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/terraform-plan/
 [terraform-show]: https://www.terraform.io/docs/cli/commands/show.html
 [opa-terraform]: https://www.openpolicyagent.org/docs/latest/terraform/
 [custom]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy
 [data]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-data
 [combine]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/combine
 [go-testing]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/go-testing
--- a/docs/docs/misconfiguration/custom/index.md
+++ b/docs/docs/misconfiguration/custom/index.md
@@ -0,0 +1,209 @@
 # Custom Policies
 ## Overview
 You can write custom policies in [Rego][rego].
 Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
 ``` bash
 trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
 ```
 As for `--namespaces` option, the detail is described as below.
 ### File formats
 If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
 | File format   | File pattern                                              |
 |---------------|-----------------------------------------------------------|
 | JSON          | `*.json`                                                  |
 | YAML          | `*.yaml` and `*.yml`                                      |
 | Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
 | Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
 | Terraform     | `*.tf` and `*.tf.json`                                    |
 ### Configuration languages
 In the above general file formats, Trivy automatically identifies the following types of configuration files:
 - CloudFormation (JSON/YAML)
 - Kubernetes (JSON/YAML)
 - Helm (YAML)
 - Terraform Plan (JSON)
 This is useful for filtering inputs, as described below.
 ## Rego format
 A single package must contain only one policy.
 !!!example
    ``` rego
    # METADATA
    # title: Deployment not allowed
    # description: Deployments are not allowed because of some reasons.
    # schemas:
    #   - input: schema.input
    # custom:
    #   id: ID001
    #   severity: LOW
    #   input:
    #     selector: 
    #     - type: kubernetes
    package user.kubernetes.ID001
    deny[res] {
        input.kind == "Deployment"
        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
        res := result.new(msg, input.kind)
    }
    ```
 In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
 If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
 ### Policy structure
 `# METADATA` (optional)
 :   - SHOULD be defined for clarity since these values will be displayed in the scan results
    - `custom.input` SHOULD be set to indicate the input type the policy should be applied to. See [list of available types](https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
 `package` (required)
 :   - MUST follow the Rego's [specification][package]
    - MUST be unique per policy
    - SHOULD include policy id for uniqueness
    - MAY include the group name such as `kubernetes` for clarity
        - Group name has no effect on policy evaluation
 `deny` (required)
 :   - SHOULD be `deny` or start with `deny_`
        - Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
    - SHOULD return ONE OF:
        - The result of a call to `result.new(msg, cause)`. The `msg` is a `string` describing the issue occurrence, and the `cause` is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. 
        - A `string` denoting the detected issue
            - Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended if `result.new()` is not utilised.
            - e.g. `{"msg": "deny message", "details": "something"}`
 ### Package
 A package name must be unique per policy.
 !!!example
    ``` rego
    package user.kubernetes.ID001
    ```
 By default, only `builtin.*` packages will be evaluated.
 If you define custom packages, you have to specify the package prefix via `--namespaces` option. 
 ``` bash
 trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
 ```
 In this case, `user.*` will be evaluated.
 Any package prefixes such as `main` and `user` are allowed.
 ### Metadata
 Metadata helps enrich Trivy's scan results with useful information.
 The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
 Trivy supports extra fields in the `custom` section as described below.
 !!!example
    ``` rego
    # METADATA
    # title: Deployment not allowed
    # description: Deployments are not allowed because of some reasons.
    # custom:
    #   id: ID001
    #   severity: LOW
    #   input:
    #     selector:
    #     - type: kubernetes
    ```
 All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
 schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
 correct and do not reference incorrect properties/values.
 | Field name                 | Allowed values                           |        Default value         |     In table     |     In JSON      |
 |----------------------------|------------------------------------------|:----------------------------:|:----------------:|:----------------:|
 | title                      | Any characters                           |             N/A              | :material-check: | :material-check: |
 | description                | Any characters                           |                              | :material-close: | :material-check: |
 | schemas.input              | `schema.input`                           | (applied to all input types) | :material-close: | :material-close: |
 | custom.id                  | Any characters                           |             N/A              | :material-check: | :material-check: |
 | custom.severity            | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`      |           UNKNOWN            | :material-check: | :material-check: |
 | custom.recommended_actions | Any characters                           |                              | :material-close: | :material-check: | 
 | custom.input.selector.type | Any item(s) in [this list][source-types] |                              | :material-close: | :material-check: | 
 | url                        | Any characters                           |                              | :material-close: | :material-check: |
 Some fields are displayed in scan results.
 ``` bash
 k.yaml (kubernetes)
 ───────────────────
 Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 LOW: Found deployment 'my-deployment' but deployments are not allowed
 ════════════════════════════════════════════════════════════════════════
 Deployments are not allowed because of some reasons.
 ────────────────────────────────────────────────────────────────────────
 k.yaml:1-2
 ────────────────────────────────────────────────────────────────────────
   1 ┌ apiVersion: v1
   2 └ kind: Deployment
 ────────────────────────────────────────────────────────────────────────
 ```
 ### Input
 You can specify input format via the `custom.input` annotation.
 !!!example
    ``` rego
    # METADATA
    # custom:
    #   input:
    #     combine: false
    #     selector:
    #     - type: kubernetes
    ```
 `combine` (boolean)
 : The details are [here](combine.md).
 `selector` (array)
 :   This option filters the input by file format or configuration language. 
    In the above example, Trivy passes only Kubernetes files to this policy.
    Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
    Possible values for input types are:
    - `dockerfile` (Dockerfile)
    - `kubernetes` (Kubernetes YAML/JSON)
    - `rbac` (Kubernetes RBAC YAML/JSON)
    - `cloud` (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
    - `yaml` (Generic YAML)
    - `json` (Generic JSON)
    - `toml` (Generic TOML)
    When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
    When a configuration language is identified, it will overwrite `type`.
    !!! example
        `pod.yaml` including Kubernetes Pod will be handled as `kubernetes`, not `yaml`.
        `type` is overwritten by `kubernetes` from `yaml`.
    `type` accepts `kubernetes`, `dockerfile`, `cloudformation`, `terraform`, `terraformplan`, `json`, or `yaml`.
 ### Schemas
 You can explore the format of input documents by browsing the schema for the relevant input type:
 - [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
 - [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
 - [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
 - [RBAC](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/rbac.json)
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
 [source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
--- a/docs/docs/misconfiguration/custom/testing.md
+++ b/docs/docs/misconfiguration/custom/testing.md
@@ -0,0 +1,90 @@
 # Testing
 It is highly recommended to write tests for your custom policies.
 ## Rego testing
 To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. 
 By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
 For more details, see [Policy Testing][opa-testing].
 !!! example
    ```
    package user.dockerfile.ID002
    test_add_denied {
        r := deny with input as {"stages": {"alpine:3.13": [
            {"Cmd": "add", "Value": ["/target/resources.tar.gz", "resources.jar"]},
            {"Cmd": "add", "Value": ["/target/app.jar", "app.jar"]},
        ]}}
        count(r) == 1
        r[_] == "Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'"
    }
    ```
 To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
 You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
 This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
 In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
 !!! tip
    We recommend writing OPA and Go tests both since they have different roles, like unit tests and integration tests.
 The following example stores allowed and denied configuration files in a directory.
 `Successes` contains the result of successes, and `Failures` contains the result of failures.
 ``` go
 {
 	name:  "disallowed ports",
 	input: "configs/",
 	fields: fields{
 		policyPaths: []string{"policy"},
 		dataPaths:   []string{"data"},
 		namespaces:  []string{"user"},
 	},
 	want: []types.Misconfiguration{
 		{
 			FileType: types.Dockerfile,
 			FilePath: "Dockerfile.allowed",
 			Successes: types.MisconfResults{
 				{
 					Namespace: "user.dockerfile.ID002",
 					PolicyMetadata: types.PolicyMetadata{
 						ID:          "ID002",
 						Type:        "Docker Custom Check",
 						Title:       "Disallowed ports exposed",
 						Severity:    "HIGH",
 					},
 				},
 			},
 		},
 		{
 			FileType: types.Dockerfile,
 			FilePath: "Dockerfile.denied",
 			Failures: types.MisconfResults{
 				{
 					Namespace: "user.dockerfile.ID002",
 					Message:   "Port 23 should not be exposed",
 					PolicyMetadata: types.PolicyMetadata{
 						ID:          "ID002",
 						Type:        "Docker Custom Check",
 						Title:       "Disallowed ports exposed",
 						Severity:    "HIGH",
 					},
 				},
 			},
 		},
 	},
 },
 ```
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
 [defsec]: https://github.com/aquasecurity/defsec
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal
--- a/docs/docs/misconfiguration/options/filter.md
+++ b/docs/docs/misconfiguration/options/filter.md
@@ -0,0 +1,60 @@
 # Filter Misconfigurations
 ## By Severity
 Use `--severity` option.
 ```bash
 trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
 ```
 <details>
 <summary>Result</summary>
 ```shell
 2022-05-16T13:50:42.718+0100	INFO	Detected config files: 3
 Dockerfile (dockerfile)
 =======================
 Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (HIGH: 1, CRITICAL: 0)
 HIGH: Last USER command in Dockerfile should not be 'root'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
 See https://avd.aquasec.com/misconfig/ds002
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml (kubernetes)
 ============================
 Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
 Failures: 0 (HIGH: 0, CRITICAL: 0)
 main.tf (terraform)
 ===================
 Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (HIGH: 0, CRITICAL: 1)
 CRITICAL: Classic resources should not be used.
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
 resources in a VPC instead.
 See https://avd.aquasec.com/misconfig/avd-aws-0081
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-4
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_security_group" "sg" {
   3 │
   4 └ }
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ```
 </details>
--- a/docs/docs/misconfiguration/options/others.md
+++ b/docs/docs/misconfiguration/options/others.md
@@ -0,0 +1,4 @@
 # Others
 !!! hint
    See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
--- a/docs/docs/misconfiguration/options/policy.md
+++ b/docs/docs/misconfiguration/options/policy.md
@@ -0,0 +1,35 @@
 # Policy
 ## Pass custom policies
 You can pass directories including your custom policies through `--policy` option.
 This can be repeated for specifying multiple directories.
 ```bash
 cd examplex/misconf/
 trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
 ```
 For more details, see [Custom Policies](../custom/index.md).
 !!! tip
    You also need to specify `--namespaces` option.
 ## Pass custom data
 You can pass directories including your custom data through `--data` option.
 This can be repeated for specifying multiple directories.
 ```bash
 cd examples/misconf/custom-data
 trivy conf --policy ./policy --data ./data --namespaces user ./configs
 ```
 For more details, see [Custom Data](../custom/data.md).
 ## Pass namespaces
 By default, Trivy evaluates policies defined in `builtin.*`.
 If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
 This can be repeated for specifying multiple packages.
 ``` bash
 trivy conf --policy ./policy --namespaces main --namespaces user ./configs
 ```
--- a/docs/docs/misconfiguration/options/report.md
+++ b/docs/docs/misconfiguration/options/report.md
@@ -0,0 +1,6 @@
 # Report Formats
 See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
 !!! caution
    Misconfiguration scanning doesn't support default templates such as XML for now.
--- a/docs/docs/misconfiguration/options/values.md
+++ b/docs/docs/misconfiguration/options/values.md
@@ -0,0 +1,48 @@
 # Value Overrides
 Value files can be passed for supported scannable config files.
 ## Terraform value overrides
 You can pass `tf-vars` files to Trivy to override default values found in the Terraform HCL code.
 ```bash
 trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
 ```
 ## Helm value overrides
 There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
 ### Setting inline value overrides
 Overrides can be set inline on the command line
 ```bash
 trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
 ```
 ### Setting value file overrides
 Overrides can be in a file that has the key=value set. 
 ```yaml
 # Example override file (overrides.yaml)
 securityContext:
  runAsUser: 0
 ```
 ```bash
 trivy conf --helm-values overrides.yaml ./charts/mySql
 ``` 
 ### Setting value as explicit string
 the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
 ```bash
 trivy config --helm-set-string name=false ./infrastructure/tf
 ```
 ### Setting specific values from files
 Specific override values can come from specific files
 ```bash
 trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
 ```
--- a/docs/docs/misconfiguration/policy/builtin.md
+++ b/docs/docs/misconfiguration/policy/builtin.md
@@ -0,0 +1,28 @@
 # Built-in Policies
 ## Policy Sources
 Built-in policies are mainly written in [Rego][rego] and Go.
 Those policies are managed under [defsec repository][defsec].
 | Config type               | Source               |
 |---------------------------|----------------------|
 | Kubernetes                | [defsec][kubernetes] |
 | Dockerfile, Containerfile | [defsec][docker]     |
 | Terraform                 | [defsec][defsec]     |
 | CloudFormation            | [defsec][defsec]     |
 | Azure ARM Template        | [defsec][defsec]     |
 | Helm Chart                | [defsec][kubernetes] |      
 | RBAC                      | [defsec][rbac]       |      
 For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
 Helm Chart scanning will resolve the chart to Kubernetes manifests then run the [kubernetes][kubernetes] checks.
 Ansible scanning is coming soon.
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [defsec]: https://github.com/aquasecurity/defsec
 [kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes
 [kubernetes]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/rbac
 [docker]: https://github.com/aquasecurity/defsec/tree/master/internal/rules/docker
--- a/docs/docs/misconfiguration/policy/exceptions.md
+++ b/docs/docs/misconfiguration/policy/exceptions.md
@@ -0,0 +1,98 @@
 # Exceptions
 Exceptions let you specify cases where you allow policy violations.
 Trivy supports two types of exceptions.
 !!! info
    Exceptions can be applied to built-in policies as well as custom policies.
 ## Namespace-based exceptions
 There are some cases where you need to disable built-in policies partially or fully.
 Namespace-based exceptions lets you rough choose which individual packages to exempt.
 To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
 The `exception` rule must be defined under `namespace.exceptions`.
 `data.namespaces` includes all package names.
 !!! example
    ``` rego
    package namespace.exceptions
    import data.namespaces
    exception[ns] {
        ns := data.namespaces[_]
        startswith(ns, "builtin.kubernetes")
    }
    ```
 This example exempts all built-in policies for Kubernetes.
 For more details, see [an example][ns-example].
 ## Rule-based exceptions
 There are some cases where you need more flexibility and granularity in defining which cases to exempt.
 Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
 To use rule-based exceptions, create a Rego rule with the name `exception` that returns the rule name suffixes to exempt, prefixed by `deny_` (for example, returning `foo` will exempt `deny_foo`). 
 The rule can make any other assertion, for example, on the input or data documents. 
 This is useful to specify the exemption for a specific case.
 Note that if you specify the empty string, the exception will match all rules named `deny`.
 ```
 exception[rules] {
    # Logic
    rules = ["foo","bar"]
 }
 ```
 The above would provide an exception from `deny_foo` and `deny_bar`.
 !!! example
    ```
    package user.kubernetes.ID100
    __rego_metadata := {
        "id": "ID100",
        "title": "Deployment not allowed",
        "severity": "HIGH",
        "type": "Kubernetes Custom Check",
    }
    deny_deployment[msg] {
        input.kind == "Deployment"
    	msg = sprintf("Found deployment '%s' but deployments are not allowed", [name])
    }
    exception[rules] {
        input.kind == "Deployment"
        input.metadata.name == "allow-deployment"
        rules := ["deployment"]
    }
    ```
 If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
 !!! example
    ``` rego
    package builtin.kubernetes.KSV012
    exception[rules] {
        input.metadata.name == "can-run-as-root"
        rules := [""]
    }
    ```
 This exception is applied to [KSV012][ksv012] in defsec.
 You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
 For more details, see [an example][rule-example].
 [ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
 [rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
 [ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
 [defsec]: https://github.com/aquasecurity/defsec/
--- a/docs/docs/misconfiguration/scanning.md
+++ b/docs/docs/misconfiguration/scanning.md
@@ -0,0 +1,321 @@
 # Misconfiguration Scanning
 Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes, Terraform and CloudFormation.
 Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, etc, like [Conftest][conftest].
 ![misconf](../../imgs/misconf.png)
 ## Quick start
 Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
 ```
 !!! example
    ```
    $ ls build/
    Dockerfile
    $ trivy config ./build
    2022-05-16T13:29:29.952+0100	INFO	Detected config files: 1
    Dockerfile (dockerfile)
    =======================
    Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
    Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
    MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
    ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
    See https://avd.aquasec.com/misconfig/ds001
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Dockerfile:1
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    1 [ FROM alpine:latest
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ```
 You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--security-checks config`.
 ```bash
 $ trivy image --security-checks config IMAGE_NAME
 ```
 ```bash
 $ trivy fs --security-checks config /path/to/dir
 ```
 !!! note
    Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
 Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
 You can specify `--security-checks vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
 !!! example
    ``` bash
    $ ls myapp/
    Dockerfile Pipfile.lock
    $ trivy fs --security-checks vuln,config,secret --severity HIGH,CRITICAL myapp/
    2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
    2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
    2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
    Pipfile.lock (pipenv)
    =====================
    Total: 1 (HIGH: 1, CRITICAL: 0)
    ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
    │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
    ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
    │ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via │
    │          │                │          │                   │               │ malicious header                                          │
    │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                │
    └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
    Dockerfile (dockerfile)
    =======================
    Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
    Failures: 1 (HIGH: 1, CRITICAL: 0)
    HIGH: Last USER command in Dockerfile should not be 'root'
    ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    See https://avd.aquasec.com/misconfig/ds002
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Dockerfile:3
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    3 [ USER root
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ```
 In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
 ## Type detection
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.
 For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
 $ trivy conf --severity HIGH,CRITICAL ./iac
 ```
 <details>
 <summary>Result</summary>
 ```
 2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8
 Dockerfile (dockerfile)
 Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
 See https://avd.aquasec.com/misconfig/ds002
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml (kubernetes)
 Tests: 20 (SUCCESSES: 15, FAILURES: 5, EXCEPTIONS: 0)
 Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
 MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
 See https://avd.aquasec.com/misconfig/ksv001
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:16-19
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  16 ┌       - name: hello-kubernetes
  17 │         image: hello-kubernetes:1.5
  18 │         ports:
  19 └         - containerPort: 8080
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 HIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Mounting docker.sock from the host can give the container full root access to the host.
 See https://avd.aquasec.com/misconfig/ksv006
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └     spec:
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to true
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
 See https://avd.aquasec.com/misconfig/ksv012
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:16-19
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  16 ┌       - name: hello-kubernetes
  17 │         image: hello-kubernetes:1.5
  18 │         ports:
  19 └         - containerPort: 8080
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Deployment 'hello-kubernetes' should not set 'spec.template.volumes.hostPath'
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 HostPath volumes must be forbidden.
 See https://avd.aquasec.com/misconfig/ksv023
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └     spec:
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed values
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
 See https://avd.aquasec.com/misconfig/ksv026
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └     spec:
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
 Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
 Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to false
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
 See https://avd.aquasec.com/misconfig/ksv001
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  56 ┌         - name: mysql
  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
  58 │           imagePullPolicy: "IfNotPresent"
  59 │           securityContext:
  60 │             runAsUser: 1001
  61 │           env:
  62 │             - name: BITNAMI_DEBUG
  63 │               value: "false"
  64 └             - name: MYSQL_ROOT_PASSWORD
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to true
 ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
 See https://avd.aquasec.com/misconfig/ksv012
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  56 ┌         - name: mysql
  57 │           image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
  58 │           imagePullPolicy: "IfNotPresent"
  59 │           securityContext:
  60 │             runAsUser: 1001
  61 │           env:
  62 │             - name: BITNAMI_DEBUG
  63 │               value: "false"
  64 └             - name: MYSQL_ROOT_PASSWORD
  ..   
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ```
 </details>
 You can see the config type next to each file name.
 !!! example
 ``` bash
 Dockerfile (dockerfile)
 =======================
 Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
 Failures: 1 (HIGH: 1, CRITICAL: 0)
 ...
 deployment.yaml (kubernetes)
 ============================
 Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
 Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
 ...
 main.tf (terraform)
 ===================
 Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
 Failures: 9 (HIGH: 6, CRITICAL: 1)
 ...
 bucket.yaml (cloudformation)
 ============================
 Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
 Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
 ...
 mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
 ==========================================================
 Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
 Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 ```
 ## Examples
 See [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/misconf/mixed)
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [conftest]: https://github.com/open-policy-agent/conftest/
--- a/docs/docs/references/cli/client.md
+++ b/docs/docs/references/cli/client.md
@@ -0,0 +1,70 @@
 # Client
 ```bash
 Usage:
  trivy client [flags] IMAGE_NAME
 Aliases:
  client, c
 Scan Flags
      --offline-scan             do not issue API requests to identify dependencies
      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
      --skip-dirs strings        specify the directories where the traversal is skipped
      --skip-files strings       specify the file paths to skip traversal
 Report Flags
      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
      --exit-code int          specify exit code when any security issues are found
  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
      --ignorefile string      specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
  -o, --output string          output file name
      --report string          specify a report format for the output. (all,summary) (default "all")
  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  -t, --template string        output template
 Cache Flags
      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --clear-cache            clear image caches without scanning
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
 DB Flags
      --db-repository string   OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
      --download-db-only       download/update vulnerability database but don't run a scan
      --no-progress            suppress progress bar
      --reset                  remove all caches and database
      --skip-db-update         skip updating vulnerability database
 Vulnerability Flags
      --ignore-unfixed     display only fixed vulnerabilities
      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
 Misconfiguration Flags
      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
      --config-policy strings       specify paths to the Rego policy files directory, applying config files
      --file-patterns strings       specify config file patterns, available with '--security-checks config'
      --include-non-failures        include successes and exceptions, available with '--security-checks config'
      --policy-namespaces strings   Rego namespaces
      --trace                       enable more verbose trace output for custom queries
 Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --remote string            server address (default "http://localhost:4954")
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
 Global Flags:
      --cache-dir string          cache directory (default "/Users/teppei/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
 ```
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`This directory contains media assets, such as the Trivy logo.`
							`Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>`