feat(repo): support local repositories (#4890)

* feat(repo): support local repositories

* fix tests

* test: fix client/server tests

* docs: update

* test: add fs tests

* test: do not update golden files if overridden

* docs: remove a comment about fs deprecation

.github/CODEOWNERS

@@ -1,24 +1,15 @@
 # Global
 *   @knqyf263
 
-# Docs
-/docs/** @knqyf263 @AnaisUrlichs @itaysk
-/mkdocs.yml @knqyf263 @AnaisUrlichs @itaysk
-/README.md @knqyf263 @AnaisUrlichs @itaysk
+# Misconfiguration scanning
+docs/docs/scanner/misconfiguration  @knqyf263 @simar7
+docs/docs/target/aws.md             @knqyf263 @simar7
+pkg/fanal/analyzer/config           @knqyf263 @simar7
+pkg/cloud                           @knqyf263 @simar7
 
 # Helm chart
 helm/trivy/ @chen-keinan
 
-# Misconfiguration scanning
-examples/misconf/           @knqyf263
-docs/docs/misconfiguration  @knqyf263
-docs/docs/cloud             @knqyf263
-pkg/fanal/analyzer/config   @knqyf263
-pkg/fanal/handler/misconf   @knqyf263
-pkg/cloud                   @knqyf263
-pkg/flag/aws_flags.go       @knqyf263
-pkg/flag/misconf_flags.go   @knqyf263
-
 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
 docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -114,7 +114,7 @@ body:
       label: Checklist
       description: Have you tried the following?
       options:
-        - label: Run `trivy --reset`
+        - label: Run `trivy image --reset`
         - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
   - type: markdown
     attributes:

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.18.0
+FROM alpine:3.18.2
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.19
+FROM --platform=linux/amd64 golang:1.19
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

contrib/install.sh

@@ -75,6 +75,7 @@ get_binaries() {
     linux/ppc64le) BINARIES="trivy" ;;
     linux/arm64) BINARIES="trivy" ;;
     linux/armv7) BINARIES="trivy" ;;
+    linux/s390x) BINARIES="trivy" ;;
     openbsd/386) BINARIES="trivy" ;;
     openbsd/amd64) BINARIES="trivy" ;;
     openbsd/arm64) BINARIES="trivy" ;;
@@ -115,7 +116,8 @@ adjust_os() {
     amd64) OS=64bit ;;
     arm) OS=ARM ;;
     arm64) OS=ARM64 ;;
-    ppc64le) OS=PPC64LE ;;
+    ppc64le) OS=Linux ;;
+    s390x) OS=Linux ;;
     darwin) OS=macOS ;;
     dragonfly) OS=DragonFlyBSD ;;
     freebsd) OS=FreeBSD ;;
@@ -133,7 +135,8 @@ adjust_arch() {
     arm) ARCH=ARM ;;
     armv7) ARCH=ARM ;;
     arm64) ARCH=ARM64 ;;
-    ppc64le) OS=PPC64LE ;;
+    ppc64le) ARCH=PPC64LE ;;
+    s390x) ARCH=s390x ;;
     darwin) ARCH=macOS ;;
     dragonfly) ARCH=DragonFlyBSD ;;
     freebsd) ARCH=FreeBSD ;;
@@ -222,6 +225,7 @@ uname_arch() {
     armv5*) arch="armv5" ;;
     armv6*) arch="armv6" ;;
     armv7*) arch="armv7" ;;
+    s390*) arch="s390x" ;;
   esac
   echo ${arch}
 }

docs/docs/configuration/filtering.md

@@ -2,7 +2,7 @@
 Trivy provides various methods for filtering the results.
 
 
-## Hide Unfixed Vulnerabilities
+## By Status
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -11,53 +11,70 @@ Trivy provides various methods for filtering the results.
 |      Secret      |           |
 |     License      |           |
 
-By default, `Trivy` also detects unpatched/unfixed vulnerabilities.
-This means you can't fix these vulnerabilities even if you update all packages.
-If you would like to ignore them, use the `--ignore-unfixed` option.
+Trivy supports the following vulnerability statuses:
+
+- `unknown`
+- `not_affected`: this package is not affected by this vulnerability on this platform
+- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
+- `fixed`: this vulnerability is fixed on this platform
+- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
+- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
+- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
+- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
+
+Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
+These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
+
+Some statuses are supported in limited distributions.
+
+|     OS     | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
+|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
+|   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
+|    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
+| Other OSes |   ✓   |    ✓     |                     |              |              |             |
+
+
+To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.
+
 
 ```bash
-$ trivy image --ignore-unfixed ruby:2.4.0
+$ trivy image --ignore-status affected,fixed ruby:2.4.0
 ```
 
 <details>
 <summary>Result</summary>
 
 ```
-2019-05-16T12:49:52.656+0900    INFO    Updating vulnerability database...
 2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
 
 ruby:2.4.0 (debian 8.7)
 =======================
-Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)
+Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)
 
-+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-|           LIBRARY            | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
-+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-| apt                          | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
-|                              |                  |          |                            |                                  | 302 redirect field in HTTP                          |
-|                              |                  |          |                            |                                  | transport method of...                              |
-+                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-1252    | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
-|                              |                  |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
-|                              |                  |          |                            |                                  | Debian unstable before...                           |
-+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-| bash                         | CVE-2019-9924    | HIGH     | 4.3-11                     | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
-|                              |                  |          |                            |                                  | restricted bash shells                              |
-+                              +------------------+          +                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-7543    |          |                            | 4.3-11+deb8u1                    | bash: Specially crafted                             |
-|                              |                  |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
-|                              |                  |          |                            |                                  | command substitution                                |
-+                              +------------------+----------+                            +                                  +-----------------------------------------------------+
-|                              | CVE-2016-0634    | MEDIUM   |                            |                                  | bash: Arbitrary code execution                      |
-|                              |                  |          |                            |                                  | via malicious hostname                              |
-+                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-9401    | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
-+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
+┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│           Library           │  Vulnerability   │ Severity │    Status    │     Installed Version      │ Fixed Version │                            Title                             │
+├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ binutils                    │ CVE-2014-9939    │ CRITICAL │ will_not_fix │ 2.25-5                     │               │ binutils: buffer overflow in ihex.c                          │
+│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2014-9939                    │
+│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
+│                             │ CVE-2017-6969    │          │              │                            │               │ binutils: Heap-based buffer over-read in readelf when        │
+│                             │                  │          │              │                            │               │ processing corrupt RL78 binaries                             │
+│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2017-6969                    │
+│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
 ...
 ```
 
 </details>
 
+!!! tip
+    To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
+    It is a shorthand of `-ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
+    It displays "fixed" vulnerabilities only.
+
+```bash
+$ trivy image --ignore-unfixed ruby:2.4.0
+```
+
 ## By Severity
 
 |     Scanner      | Supported |

docs/docs/references/configuration/cli/trivy_aws.md

@@ -65,38 +65,40 @@ trivy aws [flags]
 ### Options
 
 ```
-      --account string              The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
-      --arn string                  The AWS ARN to show results for. Useful to filter results once a scan is cached.
-      --compliance string           compliance report to generate (aws-cis-1.2, aws-cis-1.4)
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --endpoint string             AWS Endpoint override
-      --exit-code int               specify exit code when any security issues are found
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings         specify paths to override the Helm values.yaml files
-  -h, --help                        help for aws
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
-      --max-cache-age duration      The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
-  -o, --output string               output file name
-      --policy-namespaces strings   Rego namespaces
-      --region string               AWS Region to scan
-      --report string               specify a report format for the output. (all,summary) (default "all")
-      --reset-policy-bundle         remove policy bundle
-      --service strings             Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-policy-update          skip fetching rego policy updates
-      --skip-service strings        Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
-  -t, --template string             output template
-      --tf-vars strings             specify paths to override the Terraform tfvars files
-      --trace                       enable more verbose trace output for custom queries
-      --update-cache                Update the cache for the applicable cloud provider instead of using cached results.
+      --account string                    The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
+      --arn string                        The AWS ARN to show results for. Useful to filter results once a scan is cached.
+      --compliance string                 compliance report to generate (aws-cis-1.2,aws-cis-1.4)
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --endpoint string                   AWS Endpoint override
+      --exit-code int                     specify exit code when any security issues are found
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for aws
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+  -o, --output string                     output file name
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-namespaces strings         Rego namespaces
+      --region string                     AWS Region to scan
+      --report string                     specify a report format for the output (all,summary) (default "all")
+      --reset-policy-bundle               remove policy bundle
+      --service strings                   Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-policy-update                skip fetching rego policy updates
+      --skip-service strings              Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --trace                             enable more verbose trace output for custom queries
+      --update-cache                      Update the cache for the applicable cloud provider instead of using cached results.
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_config.md

@@ -9,43 +9,45 @@ trivy config [flags] DIR
 ### Options
 
 ```
-      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --clear-cache                 clear image caches without scanning
-      --compliance string           compliance report to generate
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --enable-modules strings      [EXPERIMENTAL] module names to enable
-      --exit-code int               specify exit code when any security issues are found
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings         specify paths to override the Helm values.yaml files
-  -h, --help                        help for config
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --k8s-version string          specify k8s version to validate outdated api by it (example: 1.21.0)
-      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-  -o, --output string               output file name
-      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-namespaces strings   Rego namespaces
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string       registry token
-      --report string               specify a compliance report format for the output. (all,summary) (default "all")
-      --reset-policy-bundle         remove policy bundle
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-dirs strings           specify the directories where the traversal is skipped
-      --skip-files strings          specify the file paths to skip traversal
-      --skip-policy-update          skip fetching rego policy updates
-  -t, --template string             output template
-      --tf-vars strings             specify paths to override the Terraform tfvars files
-      --trace                       enable more verbose trace output for custom queries
-      --username strings            username. Comma-separated usernames allowed.
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --compliance string                 compliance report to generate
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --enable-modules strings            [EXPERIMENTAL] module names to enable
+      --exit-code int                     specify exit code when any security issues are found
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for config
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
+      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+  -o, --output string                     output file name
+      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-namespaces strings         Rego namespaces
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string             registry token
+      --report string                     specify a compliance report format for the output (all,summary) (default "all")
+      --reset-policy-bundle               remove policy bundle
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-policy-update                skip fetching rego policy updates
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --trace                             enable more verbose trace output for custom queries
+      --username strings                  username. Comma-separated usernames allowed.
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_convert.md

@@ -22,14 +22,14 @@ trivy convert [flags] RESULT_JSON
       --dependency-tree        [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --exit-code int          specify exit code when any security issues are found
       --exit-on-eol int        exit with the specified code when the OS reaches end of service/life
-  -f, --format string          format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+  -f, --format string          format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
   -h, --help                   help for convert
       --ignore-policy string   specify the Rego file path to evaluate each vulnerability
       --ignorefile string      specify .trivyignore file (default ".trivyignore")
       --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
   -o, --output string          output file name
-      --report string          specify a report format for the output. (all,summary) (default "all")
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --report string          specify a report format for the output (all,summary) (default "all")
+  -s, --severity strings       severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
   -t, --template string        output template
 ```
 

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -19,69 +19,72 @@ trivy filesystem [flags] PATH
 ### Options
 
 ```
-      --cache-backend string             cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration               cache TTL when using redis as cache backend
-      --clear-cache                      clear image caches without scanning
-      --compliance string                compliance report to generate
-      --config-data strings              specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings            specify paths to the Rego policy files directory, applying config files
-      --custom-headers strings           custom headers in client mode
-      --db-repository string             OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --dependency-tree                  [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --download-db-only                 download/update vulnerability database but don't run a scan
-      --download-java-db-only            download/update Java index database but don't run a scan
-      --enable-modules strings           [EXPERIMENTAL] module names to enable
-      --exit-code int                    specify exit code when any security issues are found
-      --file-patterns strings            specify config file patterns
-  -f, --format string                    format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings                 specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings            specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings          specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings              specify paths to override the Helm values.yaml files
-  -h, --help                             help for filesystem
-      --ignore-policy string             specify the Rego file path to evaluate each vulnerability
-      --ignore-unfixed                   display only fixed vulnerabilities
-      --ignored-licenses strings         specify a list of license to ignore
-      --ignorefile string                specify .trivyignore file (default ".trivyignore")
-      --include-dev-deps                 include development dependencies in the report (supported: npm)
-      --include-non-failures             include successes and exceptions, available with '--scanners config'
-      --java-db-repository string        OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --license-confidence-level float   specify license classifier's confidence level (default 0.9)
-      --license-full                     eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                    enabling the option will output all packages regardless of vulnerability
-      --module-dir string                specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-      --no-progress                      suppress progress bar
-      --offline-scan                     do not issue API requests to identify dependencies
-  -o, --output string                    output file name
-      --password strings                 password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-namespaces strings        Rego namespaces
-      --redis-ca string                  redis ca file location, if using redis as cache backend
-      --redis-cert string                redis certificate file location, if using redis as cache backend
-      --redis-key string                 redis key file location, if using redis as cache backend
-      --redis-tls                        enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string            registry token
-      --rekor-url string                 [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --report string                    specify a compliance report format for the output. (all,summary) (default "all")
-      --reset                            remove all caches and database
-      --reset-policy-bundle              remove policy bundle
-      --sbom-sources strings             [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                 comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
-      --secret-config string             specify a path to config file for secret scanning (default "trivy-secret.yaml")
-      --server string                    server address in client mode
-  -s, --severity string                  severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-db-update                   skip updating vulnerability database
-      --skip-dirs strings                specify the directories where the traversal is skipped
-      --skip-files strings               specify the file paths to skip traversal
-      --skip-java-db-update              skip updating Java index database
-      --skip-policy-update               skip fetching rego policy updates
-      --slow                             scan over time with lower CPU and memory utilization
-  -t, --template string                  output template
-      --tf-vars strings                  specify paths to override the Terraform tfvars files
-      --token string                     for authentication in client/server mode
-      --token-header string              specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                            enable more verbose trace output for custom queries
-      --username strings                 username. Comma-separated usernames allowed.
-      --vuln-type strings                comma-separated list of vulnerability types (os,library) (default [os,library])
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --compliance string                 compliance report to generate
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --custom-headers strings            custom headers in client mode
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only                  download/update vulnerability database but don't run a scan
+      --download-java-db-only             download/update Java index database but don't run a scan
+      --enable-modules strings            [EXPERIMENTAL] module names to enable
+      --exit-code int                     specify exit code when any security issues are found
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for filesystem
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed                    display only fixed vulnerabilities
+      --ignored-licenses strings          specify a list of license to ignore
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
+      --license-full                      eagerly look for licenses in source code headers and license files
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                       suppress progress bar
+      --offline-scan                      do not issue API requests to identify dependencies
+  -o, --output string                     output file name
+      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-namespaces strings         Rego namespaces
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string             registry token
+      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --report string                     specify a compliance report format for the output (all,summary) (default "all")
+      --reset                             remove all caches and database
+      --reset-policy-bundle               remove policy bundle
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string                     server address in client mode
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-db-update                    skip updating vulnerability database
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-java-db-update               skip updating Java index database
+      --skip-policy-update                skip fetching rego policy updates
+      --slow                              scan over time with lower CPU and memory utilization
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --token string                      for authentication in client/server mode
+      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                             enable more verbose trace output for custom queries
+      --username strings                  username. Comma-separated usernames allowed.
+      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_image.md

@@ -34,75 +34,78 @@ trivy image [flags] IMAGE_NAME
 ### Options
 
 ```
-      --cache-backend string             cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration               cache TTL when using redis as cache backend
-      --clear-cache                      clear image caches without scanning
-      --compliance string                compliance report to generate (docker-cis)
-      --config-data strings              specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings            specify paths to the Rego policy files directory, applying config files
-      --custom-headers strings           custom headers in client mode
-      --db-repository string             OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --dependency-tree                  [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --docker-host string               unix domain socket path to use for docker scanning
-      --download-db-only                 download/update vulnerability database but don't run a scan
-      --download-java-db-only            download/update Java index database but don't run a scan
-      --enable-modules strings           [EXPERIMENTAL] module names to enable
-      --exit-code int                    specify exit code when any security issues are found
-      --exit-on-eol int                  exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings            specify config file patterns
-  -f, --format string                    format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings                 specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings            specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings          specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings              specify paths to override the Helm values.yaml files
-  -h, --help                             help for image
-      --ignore-policy string             specify the Rego file path to evaluate each vulnerability
-      --ignore-unfixed                   display only fixed vulnerabilities
-      --ignored-licenses strings         specify a list of license to ignore
-      --ignorefile string                specify .trivyignore file (default ".trivyignore")
-      --image-config-scanners string     comma-separated list of what security issues to detect on container image configurations (config,secret)
-      --image-src strings                image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
-      --include-non-failures             include successes and exceptions, available with '--scanners config'
-      --input string                     input file path instead of image name
-      --java-db-repository string        OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --license-confidence-level float   specify license classifier's confidence level (default 0.9)
-      --license-full                     eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                    enabling the option will output all packages regardless of vulnerability
-      --module-dir string                specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-      --no-progress                      suppress progress bar
-      --offline-scan                     do not issue API requests to identify dependencies
-  -o, --output string                    output file name
-      --password strings                 password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --platform string                  set platform in the form os/arch if image is multi-platform capable
-      --policy-namespaces strings        Rego namespaces
-      --redis-ca string                  redis ca file location, if using redis as cache backend
-      --redis-cert string                redis certificate file location, if using redis as cache backend
-      --redis-key string                 redis key file location, if using redis as cache backend
-      --redis-tls                        enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string            registry token
-      --rekor-url string                 [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --removed-pkgs                     detect vulnerabilities of removed packages (only for Alpine)
-      --report string                    specify a format for the compliance report. (default "summary")
-      --reset                            remove all caches and database
-      --reset-policy-bundle              remove policy bundle
-      --sbom-sources strings             [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                 comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
-      --secret-config string             specify a path to config file for secret scanning (default "trivy-secret.yaml")
-      --server string                    server address in client mode
-  -s, --severity string                  severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-db-update                   skip updating vulnerability database
-      --skip-dirs strings                specify the directories where the traversal is skipped
-      --skip-files strings               specify the file paths to skip traversal
-      --skip-java-db-update              skip updating Java index database
-      --skip-policy-update               skip fetching rego policy updates
-      --slow                             scan over time with lower CPU and memory utilization
-  -t, --template string                  output template
-      --tf-vars strings                  specify paths to override the Terraform tfvars files
-      --token string                     for authentication in client/server mode
-      --token-header string              specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                            enable more verbose trace output for custom queries
-      --username strings                 username. Comma-separated usernames allowed.
-      --vuln-type strings                comma-separated list of vulnerability types (os,library) (default [os,library])
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --compliance string                 compliance report to generate (docker-cis)
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --custom-headers strings            custom headers in client mode
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --docker-host string                unix domain socket path to use for docker scanning
+      --download-db-only                  download/update vulnerability database but don't run a scan
+      --download-java-db-only             download/update Java index database but don't run a scan
+      --enable-modules strings            [EXPERIMENTAL] module names to enable
+      --exit-code int                     specify exit code when any security issues are found
+      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for image
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed                    display only fixed vulnerabilities
+      --ignored-licenses strings          specify a list of license to ignore
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --image-config-scanners strings     comma-separated list of what security issues to detect on container image configurations (config,secret)
+      --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --input string                      input file path instead of image name
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
+      --license-full                      eagerly look for licenses in source code headers and license files
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                       suppress progress bar
+      --offline-scan                      do not issue API requests to identify dependencies
+  -o, --output string                     output file name
+      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --platform string                   set platform in the form os/arch if image is multi-platform capable
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-namespaces strings         Rego namespaces
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string             registry token
+      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
+      --report string                     specify a format for the compliance report. (all,summary) (default "summary")
+      --reset                             remove all caches and database
+      --reset-policy-bundle               remove policy bundle
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string                     server address in client mode
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-db-update                    skip updating vulnerability database
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-java-db-update               skip updating Java index database
+      --skip-policy-update                skip fetching rego policy updates
+      --slow                              scan over time with lower CPU and memory utilization
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --token string                      for authentication in client/server mode
+      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                             enable more verbose trace output for custom queries
+      --username strings                  username. Comma-separated usernames allowed.
+      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -31,10 +31,10 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --clear-cache                       clear image caches without scanning
-      --compliance string                 compliance report to generate (k8s-nsa,k8s-cis, k8s-pss-baseline, k8s-pss-restricted)
-      --components strings                specify which components to scan (default [workload,infra])
+      --compliance string                 compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
+      --components strings                specify which components to scan (workload,infra) (default [workload,infra])
       --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify paths to the Rego policy files directory, applying config files
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
       --context string                    specify a context to scan
       --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -43,13 +43,14 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --exclude-nodes strings             indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
-  -f, --format string                     format (table, json, cyclonedx) (default "table")
+  -f, --format string                     format (table,json,cyclonedx) (default "table")
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-values strings               specify paths to override the Helm values.yaml files
   -h, --help                              help for kubernetes
       --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed                    display only fixed vulnerabilities
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
@@ -65,6 +66,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
   -o, --output string                     output file name
       --parallel int                      number (between 1-20) of goroutines enabled for parallel scanning (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -72,13 +74,13 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --report string                     specify a report format for the output. (all,summary) (default "all")
+      --report string                     specify a report format for the output (all,summary) (default "all")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners string                   comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
-  -s, --severity string                   severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories where the traversal is skipped
       --skip-files strings                specify the file paths to skip traversal
@@ -86,6 +88,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --skip-policy-update                skip fetching rego policy updates
       --slow                              scan over time with lower CPU and memory utilization
   -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
       --trace                             enable more verbose trace output for custom queries

docs/docs/references/configuration/cli/trivy_repository.md

@@ -16,69 +16,73 @@ trivy repository [flags] REPO_URL
 ### Options
 
 ```
-      --branch string                    pass the branch name to be scanned
-      --cache-backend string             cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration               cache TTL when using redis as cache backend
-      --clear-cache                      clear image caches without scanning
-      --commit string                    pass the commit hash to be scanned
-      --config-data strings              specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings            specify paths to the Rego policy files directory, applying config files
-      --custom-headers strings           custom headers in client mode
-      --db-repository string             OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --dependency-tree                  [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --download-db-only                 download/update vulnerability database but don't run a scan
-      --download-java-db-only            download/update Java index database but don't run a scan
-      --enable-modules strings           [EXPERIMENTAL] module names to enable
-      --exit-code int                    specify exit code when any security issues are found
-      --file-patterns strings            specify config file patterns
-  -f, --format string                    format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings                 specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings            specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings          specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings              specify paths to override the Helm values.yaml files
-  -h, --help                             help for repository
-      --ignore-policy string             specify the Rego file path to evaluate each vulnerability
-      --ignore-unfixed                   display only fixed vulnerabilities
-      --ignored-licenses strings         specify a list of license to ignore
-      --ignorefile string                specify .trivyignore file (default ".trivyignore")
-      --include-non-failures             include successes and exceptions, available with '--scanners config'
-      --java-db-repository string        OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --license-confidence-level float   specify license classifier's confidence level (default 0.9)
-      --license-full                     eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                    enabling the option will output all packages regardless of vulnerability
-      --module-dir string                specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-      --no-progress                      suppress progress bar
-      --offline-scan                     do not issue API requests to identify dependencies
-  -o, --output string                    output file name
-      --password strings                 password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-namespaces strings        Rego namespaces
-      --redis-ca string                  redis ca file location, if using redis as cache backend
-      --redis-cert string                redis certificate file location, if using redis as cache backend
-      --redis-key string                 redis key file location, if using redis as cache backend
-      --redis-tls                        enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string            registry token
-      --rekor-url string                 [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                            remove all caches and database
-      --reset-policy-bundle              remove policy bundle
-      --sbom-sources strings             [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                 comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
-      --secret-config string             specify a path to config file for secret scanning (default "trivy-secret.yaml")
-      --server string                    server address in client mode
-  -s, --severity string                  severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-db-update                   skip updating vulnerability database
-      --skip-dirs strings                specify the directories where the traversal is skipped
-      --skip-files strings               specify the file paths to skip traversal
-      --skip-java-db-update              skip updating Java index database
-      --skip-policy-update               skip fetching rego policy updates
-      --slow                             scan over time with lower CPU and memory utilization
-      --tag string                       pass the tag name to be scanned
-  -t, --template string                  output template
-      --tf-vars strings                  specify paths to override the Terraform tfvars files
-      --token string                     for authentication in client/server mode
-      --token-header string              specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                            enable more verbose trace output for custom queries
-      --username strings                 username. Comma-separated usernames allowed.
-      --vuln-type strings                comma-separated list of vulnerability types (os,library) (default [os,library])
+      --branch string                     pass the branch name to be scanned
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --commit string                     pass the commit hash to be scanned
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --custom-headers strings            custom headers in client mode
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only                  download/update vulnerability database but don't run a scan
+      --download-java-db-only             download/update Java index database but don't run a scan
+      --enable-modules strings            [EXPERIMENTAL] module names to enable
+      --exit-code int                     specify exit code when any security issues are found
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for repository
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed                    display only fixed vulnerabilities
+      --ignored-licenses strings          specify a list of license to ignore
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
+      --license-full                      eagerly look for licenses in source code headers and license files
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                       suppress progress bar
+      --offline-scan                      do not issue API requests to identify dependencies
+  -o, --output string                     output file name
+      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-namespaces strings         Rego namespaces
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string             registry token
+      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                             remove all caches and database
+      --reset-policy-bundle               remove policy bundle
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string                     server address in client mode
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-db-update                    skip updating vulnerability database
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-java-db-update               skip updating Java index database
+      --skip-policy-update                skip fetching rego policy updates
+      --slow                              scan over time with lower CPU and memory utilization
+      --tag string                        pass the tag name to be scanned
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --token string                      for authentication in client/server mode
+      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                             enable more verbose trace output for custom queries
+      --username strings                  username. Comma-separated usernames allowed.
+      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -22,67 +22,70 @@ trivy rootfs [flags] ROOTDIR
 ### Options
 
 ```
-      --cache-backend string             cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration               cache TTL when using redis as cache backend
-      --clear-cache                      clear image caches without scanning
-      --config-data strings              specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings            specify paths to the Rego policy files directory, applying config files
-      --custom-headers strings           custom headers in client mode
-      --db-repository string             OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --dependency-tree                  [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --download-db-only                 download/update vulnerability database but don't run a scan
-      --download-java-db-only            download/update Java index database but don't run a scan
-      --enable-modules strings           [EXPERIMENTAL] module names to enable
-      --exit-code int                    specify exit code when any security issues are found
-      --exit-on-eol int                  exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings            specify config file patterns
-  -f, --format string                    format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings                 specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings            specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings          specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings              specify paths to override the Helm values.yaml files
-  -h, --help                             help for rootfs
-      --ignore-policy string             specify the Rego file path to evaluate each vulnerability
-      --ignore-unfixed                   display only fixed vulnerabilities
-      --ignored-licenses strings         specify a list of license to ignore
-      --ignorefile string                specify .trivyignore file (default ".trivyignore")
-      --include-non-failures             include successes and exceptions, available with '--scanners config'
-      --java-db-repository string        OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --license-confidence-level float   specify license classifier's confidence level (default 0.9)
-      --license-full                     eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                    enabling the option will output all packages regardless of vulnerability
-      --module-dir string                specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-      --no-progress                      suppress progress bar
-      --offline-scan                     do not issue API requests to identify dependencies
-  -o, --output string                    output file name
-      --password strings                 password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-namespaces strings        Rego namespaces
-      --redis-ca string                  redis ca file location, if using redis as cache backend
-      --redis-cert string                redis certificate file location, if using redis as cache backend
-      --redis-key string                 redis key file location, if using redis as cache backend
-      --redis-tls                        enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string            registry token
-      --rekor-url string                 [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                            remove all caches and database
-      --reset-policy-bundle              remove policy bundle
-      --sbom-sources strings             [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                 comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
-      --secret-config string             specify a path to config file for secret scanning (default "trivy-secret.yaml")
-      --server string                    server address in client mode
-  -s, --severity string                  severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-db-update                   skip updating vulnerability database
-      --skip-dirs strings                specify the directories where the traversal is skipped
-      --skip-files strings               specify the file paths to skip traversal
-      --skip-java-db-update              skip updating Java index database
-      --skip-policy-update               skip fetching rego policy updates
-      --slow                             scan over time with lower CPU and memory utilization
-  -t, --template string                  output template
-      --tf-vars strings                  specify paths to override the Terraform tfvars files
-      --token string                     for authentication in client/server mode
-      --token-header string              specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                            enable more verbose trace output for custom queries
-      --username strings                 username. Comma-separated usernames allowed.
-      --vuln-type strings                comma-separated list of vulnerability types (os,library) (default [os,library])
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --custom-headers strings            custom headers in client mode
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only                  download/update vulnerability database but don't run a scan
+      --download-java-db-only             download/update Java index database but don't run a scan
+      --enable-modules strings            [EXPERIMENTAL] module names to enable
+      --exit-code int                     specify exit code when any security issues are found
+      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for rootfs
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed                    display only fixed vulnerabilities
+      --ignored-licenses strings          specify a list of license to ignore
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
+      --license-full                      eagerly look for licenses in source code headers and license files
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                       suppress progress bar
+      --offline-scan                      do not issue API requests to identify dependencies
+  -o, --output string                     output file name
+      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-namespaces strings         Rego namespaces
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string             registry token
+      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                             remove all caches and database
+      --reset-policy-bundle               remove policy bundle
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string                     server address in client mode
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-db-update                    skip updating vulnerability database
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-java-db-update               skip updating Java index database
+      --skip-policy-update                skip fetching rego policy updates
+      --slow                              scan over time with lower CPU and memory utilization
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --token string                      for authentication in client/server mode
+      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --trace                             enable more verbose trace output for custom queries
+      --username strings                  username. Comma-separated usernames allowed.
+      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -31,9 +31,10 @@ trivy sbom [flags] SBOM_PATH
       --exit-code int               specify exit code when any security issues are found
       --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
       --file-patterns strings       specify config file patterns
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+  -f, --format string               format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
   -h, --help                        help for sbom
       --ignore-policy string        specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed              display only fixed vulnerabilities
       --ignorefile string           specify .trivyignore file (default ".trivyignore")
       --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
@@ -49,7 +50,7 @@ trivy sbom [flags] SBOM_PATH
       --reset                       remove all caches and database
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --server string               server address in client mode
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --skip-db-update              skip updating vulnerability database
       --skip-dirs strings           specify the directories where the traversal is skipped
       --skip-files strings          specify the file paths to skip traversal

docs/docs/references/configuration/cli/trivy_vm.md

@@ -20,58 +20,61 @@ trivy vm [flags] VM_IMAGE
 ### Options
 
 ```
-      --aws-region string           AWS region to scan
-      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --clear-cache                 clear image caches without scanning
-      --compliance string           compliance report to generate
-      --custom-headers strings      custom headers in client mode
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --download-db-only            download/update vulnerability database but don't run a scan
-      --download-java-db-only       download/update Java index database but don't run a scan
-      --enable-modules strings      [EXPERIMENTAL] module names to enable
-      --exit-code int               specify exit code when any security issues are found
-      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings         specify paths to override the Helm values.yaml files
-  -h, --help                        help for vm
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignore-unfixed              display only fixed vulnerabilities
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
-      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-      --no-progress                 suppress progress bar
-      --offline-scan                do not issue API requests to identify dependencies
-  -o, --output string               output file name
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                       remove all caches and database
-      --reset-policy-bundle         remove policy bundle
-      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings            comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
-      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
-      --server string               server address in client mode
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-db-update              skip updating vulnerability database
-      --skip-dirs strings           specify the directories where the traversal is skipped
-      --skip-files strings          specify the file paths to skip traversal
-      --skip-java-db-update         skip updating Java index database
-      --slow                        scan over time with lower CPU and memory utilization
-  -t, --template string             output template
-      --tf-vars strings             specify paths to override the Terraform tfvars files
-      --token string                for authentication in client/server mode
-      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
-      --vuln-type strings           comma-separated list of vulnerability types (os,library) (default [os,library])
+      --aws-region string                 AWS region to scan
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --compliance string                 compliance report to generate
+      --custom-headers strings            custom headers in client mode
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only                  download/update vulnerability database but don't run a scan
+      --download-java-db-only             download/update Java index database but don't run a scan
+      --enable-modules strings            [EXPERIMENTAL] module names to enable
+      --exit-code int                     specify exit code when any security issues are found
+      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for vm
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed                    display only fixed vulnerabilities
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-progress                       suppress progress bar
+      --offline-scan                      do not issue API requests to identify dependencies
+  -o, --output string                     output file name
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                             remove all caches and database
+      --reset-policy-bundle               remove policy bundle
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
+      --server string                     server address in client mode
+  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-db-update                    skip updating vulnerability database
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-java-db-update               skip updating Java index database
+      --slow                              scan over time with lower CPU and memory utilization
+  -t, --template string                   output template
+      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --token string                      for authentication in client/server mode
+      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/config-file.md

@@ -243,6 +243,7 @@ rego
   policy:
     - policy/repository
     - policy/custom
+    - policy/some-policy.rego
 
   # Same as '--config-data'
   # Default is empty
@@ -291,6 +292,11 @@ misconfiguration:
     vars:
       - dev-terraform.tfvars
       - common-terraform.tfvars
+  
+  # Same as '--tf-exclude-downloaded-modules'
+  # Default is false
+  terraform:
+    exclude-downloaded-modules: false
 ```
 
 ## Kubernetes Options

docs/docs/scanner/license.md

@@ -143,7 +143,7 @@ Trivy has number of configuration flags for use with license scanning;
 Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
 
 ```shell
-$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity HIGH grafana/grafana:latest
 2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
 
 OS Packages (license)

docs/docs/scanner/misconfiguration/custom/data.md

@@ -3,7 +3,7 @@
 Custom policies may require additional data in order to determine an answer.
 
 For example, an allowed list of resources that can be created. 
-Instead of hardcoding this information inside of your policy, Trivy allows passing paths to data files with the `--data` flag.
+Instead of hardcoding this information inside your policy, Trivy allows passing paths to data files with the `--data` flag.
 
 Given the following yaml file:
 

docs/docs/scanner/misconfiguration/custom/index.md

@@ -2,15 +2,12 @@
 
 ## Overview
 You can write custom policies in [Rego][rego].
-Once you finish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
+Once you finish writing custom policies, you can pass the policy files or the directory where those policies are stored with `--policy` option.
 
 ``` bash
-trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir
 ```
 
-!!! Tip
-    Note: The `--policy` path always needs to refer to a directory. You cannot pass a specific policy file.
-
 As for `--namespaces` option, the detail is described as below.
 
 ### File formats

docs/docs/scanner/misconfiguration/custom/schema.md

@@ -83,8 +83,7 @@ The policies can be placed in a structure as follows
         └── barschema.json
     ```
 
-To use such a policy with Trivy, use the `--config-policy` flag that points to the directory where the schemas and policies
-are contained.
+To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and policies are contained.
 
 ```bash
 $ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>

docs/docs/scanner/misconfiguration/index.md

@@ -316,19 +316,18 @@ This section describes misconfiguration-specific configuration.
 Other common options are documented [here](../../configuration/index.md).
 
 ### Pass custom policies
-You can pass directories including your custom policies through `--policy` option.
-This can be repeated for specifying multiple directories.
+You can pass policy files or directories including your custom policies through `--policy` option.
+This can be repeated for specifying multiple files or directories.
 
 ```bash
 cd examplex/misconf/
-trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
+trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed
 ```
 
 For more details, see [Custom Policies](./custom/index.md).
 
 !!! tip
-    You also need to specify `--namespaces` option.
-    Furthermore, the `--policy` path always needs to refer to a directory. You cannot pass a specific policy file.
+You also need to specify `--namespaces` option.
 
 ### Pass custom data
 You can pass directories including your custom data through `--data` option.
@@ -357,6 +356,12 @@ You can pass `tf-vars` files to Trivy to override default values found in the Te
 trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
 ```
 
+### Exclude downloaded Terraform modules
+You can remove results for downloaded modules in `.terraform` folder.
+```bash
+trivy conf --tf-exclude-downloaded-modules ./configs
+```
+
 ### Helm value overrides
 There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
 

docs/docs/scanner/vulnerability/language/index.md

@@ -65,7 +65,6 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 | Java     | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
 |          | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
 | Go       | [GitHub Advisory Database (Go)][go-ghsa]            |       ✅        |     -     |
-|          | [The Go Vulnerability Database][go]                 |       ✅        |     -     |
 | Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
@@ -88,7 +87,6 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg
 [gitlab]: https://gitlab.com/gitlab-org/advisories-community
-[go]: https://github.com/golang/vulndb
 
 [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io

docs/docs/scanner/vulnerability/language/nodejs.md

@@ -35,6 +35,8 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
 To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`.
 
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree] of dependencies with vulnerabilities.
 

docs/docs/target/aws.md

@@ -103,5 +103,7 @@ Regardless of whether the cache is used or not, rules will be evaluated again wi
 
 You can write custom policies for Trivy to evaluate against your AWS account.
 These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/).
-See the [Custom Policies](../scanner/misconfiguration/custom/index.md) page for more information.
+See the [Custom Policies](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom policies.
 
+Custom policies in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud policies.
+See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom policies.

docs/docs/target/git-repository.md

@@ -1,236 +0,0 @@
-# Git Repository
-
-Scan your remote git repositories for
-
-- Vulnerabilities
-- Misconfigurations
-- Secrets
-- Licenses
- 
-By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
-
-```bash
-$ trivy repo [YOUR_REPO_URL]
-```
-
-## Scanners
-### Vulnerabilities
-It is enabled by default.
-Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
-See [here](../scanner/vulnerability/index.md) for the detail.
-
-```
-$ trivy repo https://github.com/knqyf263/trivy-ci-test
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2021-03-09T15:04:19.003+0200    INFO    Detecting cargo vulnerabilities...
-2021-03-09T15:04:19.005+0200    INFO    Detecting pipenv vulnerabilities...
-
-Cargo.lock
-==========
-Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
-
-+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
-| LIBRARY  | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION |        FIXED VERSION         |                    TITLE                    |
-+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
-| ammonia  | RUSTSEC-2019-0001 | UNKNOWN  | 1.9.0             | >= 2.1.0                     | Uncontrolled recursion leads                |
-|          |                   |          |                   |                              | to abort in HTML serialization              |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0001 |
-+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
-| openssl  | RUSTSEC-2016-0001 |          | 0.8.3             | >= 0.9.0                     | SSL/TLS MitM vulnerability                  |
-|          |                   |          |                   |                              | due to insecure defaults                    |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2016-0001 |
-+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
-| smallvec | RUSTSEC-2018-0018 |          | 0.6.9             | >= 0.6.13                    | smallvec creates uninitialized              |
-|          |                   |          |                   |                              | value of any type                           |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2018-0018 |
-+          +-------------------+          +                   +------------------------------+---------------------------------------------+
-|          | RUSTSEC-2019-0009 |          |                   | >= 0.6.10                    | Double-free and use-after-free              |
-|          |                   |          |                   |                              | in SmallVec::grow()                         |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0009 |
-+          +-------------------+          +                   +                              +---------------------------------------------+
-|          | RUSTSEC-2019-0012 |          |                   |                              | Memory corruption in SmallVec::grow()       |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0012 |
-+          +-------------------+          +                   +------------------------------+---------------------------------------------+
-|          | RUSTSEC-2021-0003 |          |                   | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many    |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2021-0003 |
-+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
-| tempdir  | RUSTSEC-2018-0017 |          | 0.3.7             |                              | `tempdir` crate has been                    |
-|          |                   |          |                   |                              | deprecated; use `tempfile` instead          |
-|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2018-0017 |
-+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
-
-Pipfile.lock
-============
-Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
-
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |                 TITLE                 |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| django              | CVE-2019-19844   | CRITICAL | 2.0.9             | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address         |
-|                     |                  |          |                   |                        | allows account takeover               |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-19844 |
-+                     +------------------+          +                   +------------------------+---------------------------------------+
-|                     | CVE-2020-7471    |          |                   | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection       |
-|                     |                  |          |                   |                        | via StringAgg(delimiter)              |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-7471  |
-+                     +------------------+----------+                   +------------------------+---------------------------------------+
-|                     | CVE-2019-6975    | HIGH     |                   | 2.1.6, 2.0.11, 1.11.19 | python-django: memory exhaustion in   |
-|                     |                  |          |                   |                        | django.utils.numberformat.format()    |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-6975  |
-+                     +------------------+          +                   +------------------------+---------------------------------------+
-|                     | CVE-2020-9402    |          |                   | 3.0.4, 2.2.11, 1.11.29 | django: potential SQL injection       |
-|                     |                  |          |                   |                        | via "tolerance" parameter in          |
-|                     |                  |          |                   |                        | GIS functions and aggregates...       |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-9402  |
-+                     +------------------+----------+                   +------------------------+---------------------------------------+
-|                     | CVE-2019-3498    | MEDIUM   |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content spoofing       |
-|                     |                  |          |                   |                        | via URL path in default 404 page      |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-3498  |
-+                     +------------------+          +                   +------------------------+---------------------------------------+
-|                     | CVE-2020-13254   |          |                   | 3.0.7, 2.2.13          | django: potential data leakage        |
-|                     |                  |          |                   |                        | via malformed memcached keys          |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-13254 |
-+                     +------------------+          +                   +                        +---------------------------------------+
-|                     | CVE-2020-13596   |          |                   |                        | django: possible XSS via              |
-|                     |                  |          |                   |                        | admin ForeignKeyRawIdWidget           |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-13596 |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| django-cors-headers | pyup.io-37132    | UNKNOWN  | 2.5.2             | 3.0.0                  | In django-cors-headers                |
-|                     |                  |          |                   |                        | version 3.0.0,                        |
-|                     |                  |          |                   |                        | ``CORS_ORIGIN_WHITELIST``             |
-|                     |                  |          |                   |                        | requires URI schemes, and             |
-|                     |                  |          |                   |                        | optionally ports. This...             |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| djangorestframework | CVE-2020-25626   | MEDIUM   | 3.9.2             | 3.11.2                 | django-rest-framework: XSS            |
-|                     |                  |          |                   |                        | Vulnerability in API viewer           |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-25626 |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| httplib2            | CVE-2021-21240   | HIGH     | 0.12.1            | 0.19.0                 | python-httplib2: Regular              |
-|                     |                  |          |                   |                        | expression denial of                  |
-|                     |                  |          |                   |                        | service via malicious header          |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2021-21240 |
-+                     +------------------+----------+                   +------------------------+---------------------------------------+
-|                     | CVE-2020-11078   | MEDIUM   |                   | 0.18.0                 | python-httplib2: CRLF injection       |
-|                     |                  |          |                   |                        | via an attacker controlled            |
-|                     |                  |          |                   |                        | unescaped part of uri for...          |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-11078 |
-+                     +------------------+----------+                   +                        +---------------------------------------+
-|                     | pyup.io-38303    | UNKNOWN  |                   |                        | Httplib2 0.18.0 is an                 |
-|                     |                  |          |                   |                        | important security update to          |
-|                     |                  |          |                   |                        | patch a CWE-93 CRLF...                |
-+---------------------+------------------+          +-------------------+------------------------+---------------------------------------+
-| jinja2              | pyup.io-39525    |          | 2.10.1            | 2.11.3                 | This affects the package              |
-|                     |                  |          |                   |                        | jinja2 from 0.0.0 and before          |
-|                     |                  |          |                   |                        | 2.11.3. The ReDOS...                  |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| py                  | CVE-2020-29651   | HIGH     | 1.8.0             |                        | python-py: ReDoS in the py.path.svnwc |
-|                     |                  |          |                   |                        | component via malicious input         |
-|                     |                  |          |                   |                        | to blame functionality...             |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-29651 |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| pyyaml              | CVE-2019-20477   | CRITICAL |               5.1 |                        | PyYAML: command execution             |
-|                     |                  |          |                   |                        | through python/object/apply           |
-|                     |                  |          |                   |                        | constructor in FullLoader             |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-20477 |
-+                     +------------------+          +                   +------------------------+---------------------------------------+
-|                     | CVE-2020-14343   |          |                   |                    5.4 | PyYAML: incomplete                    |
-|                     |                  |          |                   |                        | fix for CVE-2020-1747                 |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-14343 |
-+                     +------------------+          +                   +------------------------+---------------------------------------+
-|                     | CVE-2020-1747    |          |                   | 5.3.1                  | PyYAML: arbitrary command             |
-|                     |                  |          |                   |                        | execution through python/object/new   |
-|                     |                  |          |                   |                        | when FullLoader is used               |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-1747  |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-| urllib3             | CVE-2019-11324   | HIGH     | 1.24.1            | 1.24.2                 | python-urllib3: Certification         |
-|                     |                  |          |                   |                        | mishandle when error should be thrown |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-11324 |
-+                     +------------------+----------+                   +------------------------+---------------------------------------+
-|                     | CVE-2019-11236   | MEDIUM   |                   |                        | python-urllib3: CRLF injection        |
-|                     |                  |          |                   |                        | due to not encoding the               |
-|                     |                  |          |                   |                        | '\r\n' sequence leading to...         |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-11236 |
-+                     +------------------+          +                   +------------------------+---------------------------------------+
-|                     | CVE-2020-26137   |          |                   | 1.25.9                 | python-urllib3: CRLF injection        |
-|                     |                  |          |                   |                        | via HTTP request method               |
-|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-26137 |
-+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
-```
-
-</details>
-
-### Misconfigurations
-It is disabled by default and can be enabled with `--scanners config`.
-See [here](../scanner/misconfiguration/index.md) for the detail.
-
-```shell
-$ trivy repo --scanners config [YOUR_REPO_URL]
-```
-
-### Secrets
-It is enabled by default.
-See [here](../scanner/secret.md) for the detail.
-
-```shell
-$ trivy repo [YOUR_REPO_URL]
-```
-
-### Licenses
-It is disabled by default.
-See [here](../scanner/license.md) for the detail.
-
-```shell
-$ trivy repo --scanners license [YOUR_REPO_URL]
-```
-
-## SBOM generation
-Trivy can generate SBOM for git repositories.
-See [here](../supply-chain/sbom.md) for the detail.
-
-## References
-### Scanning a Branch
-
-Pass a `--branch` argument with a valid branch name on the remote repository provided:
-
-```
-$ trivy repo --branch <branch-name> <repo-name>
-```
-
-### Scanning upto a Commit
-
-Pass a `--commit` argument with a valid commit hash on the remote repository provided:
-
-```
-$ trivy repo --commit <commit-hash> <repo-name>
-```
-
-### Scanning a Tag
-
-Pass a `--tag` argument with a valid tag on the remote repository provided:
-
-```
-$ trivy repo --tag <tag-name> <repo-name>
-```
-
-### Scanning Private Repositories
-In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
-
-The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
-
-You can find how to generate your GitHub Token in the following [GitHub documentation.](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
-
-For example:
-
-```
-$ export GITHUB_TOKEN="your_private_github_token"
-$ trivy repo <your private GitHub repo URL>
-$
-$ # or
-$ export GITLAB_TOKEN="your_private_gitlab_token"
-$ trivy repo <your private GitLab repo URL>
-```

docs/docs/target/repository.md

@@ -0,0 +1,155 @@
+# Code Repository
+
+Scan your local or remote code repositories for
+
+- Vulnerabilities
+- Misconfigurations
+- Secrets
+- Licenses
+
+By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
+
+```bash
+$ trivy repo (REPO_PATH | REPO_URL)
+```
+
+For example, you can scan a local repository as below.
+
+```bash
+$ trivy repo ./
+```
+
+It's also possible to scan a single file.
+
+```
+$ trivy repo ./trivy-ci-test/Pipfile.lock
+```
+
+To scan remote code repositories, you need to specify the URL.
+
+```bash
+$ trivy repo https://github.com/aquasecurity/trivy-ci-test
+```
+
+## Rationale
+`trivy repo` is  designed to scan code repositories, and it is intended to be used for scanning local/remote repositories in your machine or in your CI environment.
+Therefore, unlike container/VM image scanning, it targets lock files such as package-lock.json and does not target artifacts like JAR files, binary files, etc.
+See [here](../scanner/vulnerability/language/index.md) for the detail.
+
+## Scanners
+### Vulnerabilities
+It is enabled by default.
+Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
+See [here](../scanner/vulnerability/index.md) for the detail.
+
+```
+$ trivy repo ~/src/github.com/aquasecurity/trivy-ci-test
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
+2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
+2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
+
+Pipfile.lock
+============
+Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
+|                     |                  |          |                   |                        | SQL injection via                  |
+|                     |                  |          |                   |                        | StringAgg(delimiter)               |
++                     +------------------+----------+                   +------------------------+------------------------------------+
+|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
+|                     |                  |          |                   |                        | allows account takeover            |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
+|                     |                  |          |                   |                        | spoofing via URL path in           |
+|                     |                  |          |                   |                        | default 404 page                   |
++                     +------------------+          +                   +------------------------+------------------------------------+
+|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
+|                     |                  |          |                   |                        | memory exhaustion in               |
+|                     |                  |          |                   |                        | django.utils.numberformat.format() |
++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
+...
+```
+
+</details>
+
+### Misconfigurations
+It is disabled by default and can be enabled with `--scanners config`.
+See [here](../scanner/misconfiguration/index.md) for the detail.
+
+```shell
+$ trivy repo --scanners config [YOUR_REPO_URL]
+```
+
+### Secrets
+It is enabled by default.
+See [here](../scanner/secret.md) for the detail.
+
+```shell
+$ trivy repo [YOUR_REPO_URL]
+```
+
+### Licenses
+It is disabled by default.
+See [here](../scanner/license.md) for the detail.
+
+```shell
+$ trivy repo --scanners license [YOUR_REPO_URL]
+```
+
+## SBOM generation
+Trivy can generate SBOM for code repositories.
+See [here](../supply-chain/sbom.md) for the detail.
+
+## References
+The following flags and environmental variables are available for remote git repositories.
+
+### Scanning a Branch
+
+Pass a `--branch` argument with a valid branch name on the remote repository provided:
+
+```
+$ trivy repo --branch <branch-name> <repo-name>
+```
+
+### Scanning upto a Commit
+
+Pass a `--commit` argument with a valid commit hash on the remote repository provided:
+
+```
+$ trivy repo --commit <commit-hash> <repo-name>
+```
+
+### Scanning a Tag
+
+Pass a `--tag` argument with a valid tag on the remote repository provided:
+
+```
+$ trivy repo --tag <tag-name> <repo-name>
+```
+
+### Scanning Private Repositories
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+You can find how to generate your GitHub Token in the following [GitHub documentation.](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+
+# or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```

docs/getting-started/coverage.md

@@ -55,4 +55,4 @@ Trivy reads IaC & configuration languages for the purpose of misconfiguration de
 - Azure ARM Template
 - Helm Chart
 
-For more information about checks [see here](../docs/misconfiguration/policy/builtin.md).
+For more information about checks [see here](../docs/scanner/misconfiguration/policy/builtin.md).

docs/getting-started/faq.md

@@ -21,3 +21,5 @@ See [here](../docs/configuration/reporting.md#converting).
 ### How to run Trivy under air-gapped environment?
 See [here](../docs/advanced/air-gap.md).
 
+### Why `trivy fs` and `trivy repo` does not scan JAR files for vulnerabilities?
+See [here](../docs/target/repository.md#rationale).

docs/tutorials/integrations/gitlab-ci.md

@@ -74,8 +74,8 @@ container_scanning:
     name: docker.io/aquasec/trivy:latest
     entrypoint: [""]
   variables:
-    # No need to clone the repo, we exclusively work on artifacts.  See
-    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
+    # No need to clone the repo, we exclusively work on artifacts. See
+    # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#git-strategy
     GIT_STRATEGY: none
     TRIVY_USERNAME: "$CI_REGISTRY_USER"
     TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"

docs/tutorials/kubernetes/cluster-scanning.md

@@ -10,19 +10,18 @@ Pro tip: The output of the commands will be even more interesting if you have so
 
 Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.  
 
-The Trivy K8s command is part of the Trivy CLI: 
-
+The `trivy k8s` command is part of the Trivy CLI. 
 
 With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan: 
 
 ```
-trivy k8s --report=summary 
+trivy k8s --report=summary cluster
 ```
 
 To get detailed information for all your resources, just replace ‘summary’ with ‘all’: 
 
 ```
-trivy k8s --report=all 
+trivy k8s --report=all cluster
 ```
 
 However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details. 
@@ -30,19 +29,19 @@ However, we recommend displaying all information only in case you scan a specifi
 Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result: 
 
 ```
-trivy k8s -n kube-system --report=summary 
+trivy k8s -n kube-system --report=summary cluster
 ```
 
 Again, if you’d like to receive additional details, use the ‘--report=all’ flag: 
 
 ```
-trivy k8s -n kube-system --report=all 
+trivy k8s -n kube-system --report=all cluster
 ```
 
 Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities: 
 
 ```
-trivy k8s --severity=CRITICAL --report=summary 
+trivy k8s --severity=CRITICAL --report=summary cluster
 ```
 
 Note that you can use any of the Trivy flags on the Trivy K8s command. 
@@ -50,7 +49,7 @@ Note that you can use any of the Trivy flags on the Trivy K8s command.
 With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment: 
 
 ```
-trivy k8s –n app --report=summary deployments/react-application
+trivy k8s --namespace  app --report=summary deployments/react-application
 ```
 
 ## Trivy Operator 

go.mod

@@ -11,10 +11,10 @@ require (
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.30.3
+	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.90.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230626110909-e7ea5097483b
+	github.com/aquasecurity/defsec v0.91.0
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230731081423-69e49e750d15
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -23,11 +23,11 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c
+	github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230628140707-dae3bdb6ee81
+	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9
 	github.com/aws/aws-sdk-go v1.44.245
-	github.com/aws/aws-sdk-go-v2 v1.18.1
+	github.com/aws/aws-sdk-go-v2 v1.19.0
 	github.com/aws/aws-sdk-go-v2/config v1.18.25
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.19.0
@@ -35,7 +35,7 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.2
 	github.com/containerd/containerd v1.7.0
-	github.com/docker/docker v23.0.5+incompatible
+	github.com/docker/docker v23.0.7-0.20230714215826-f00e7af96042+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.14.1
 	github.com/go-git/go-git/v5 v5.7.0
@@ -68,13 +68,13 @@ require (
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/buildkit v0.11.5
+	github.com/moby/buildkit v0.11.6
 	github.com/open-policy-agent/opa v0.45.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc3
+	github.com/opencontainers/image-spec v1.1.0-rc4
 	github.com/openvex/go-vex v0.2.0
 	github.com/owenrumney/go-sarif/v2 v2.2.0
-	github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170
+	github.com/package-url/packageurl-go v0.1.1
 	github.com/samber/lo v1.38.1
 	github.com/saracen/walker v0.1.3
 	github.com/secure-systems-lab/go-securesystemslib v0.6.0
@@ -87,24 +87,24 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.15.0
 	github.com/stretchr/testify v1.8.4
-	github.com/testcontainers/testcontainers-go v0.20.1
-	github.com/tetratelabs/wazero v1.2.0
+	github.com/testcontainers/testcontainers-go v0.21.0
+	github.com/tetratelabs/wazero v1.2.1
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xlab/treeprint v1.1.0
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/zap v1.24.0
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
-	golang.org/x/mod v0.11.0
-	golang.org/x/sync v0.2.0
-	golang.org/x/term v0.9.0
-	golang.org/x/text v0.10.0
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
+	golang.org/x/mod v0.12.0
+	golang.org/x/sync v0.3.0
+	golang.org/x/term v0.10.0
+	golang.org/x/text v0.11.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/protobuf v1.30.0
+	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.27.2
+	k8s.io/api v0.27.3
 	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
-	modernc.org/sqlite v1.20.3
+	modernc.org/sqlite v1.23.1
 )
 
 require (
@@ -146,14 +146,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.24 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.30.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.27.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.26.2 // indirect
@@ -163,14 +163,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 // indirect
-	github.com/aws/aws-sdk-go-v2/service/efs v1.20.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/eks v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.27.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticache v1.26.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.19.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/emr v1.24.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/iam v1.19.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.23 // indirect
@@ -178,7 +178,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.21.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.23.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/mq v1.15.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/neptune v1.20.7 // indirect
@@ -302,7 +302,7 @@ require (
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
-	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
@@ -326,7 +326,7 @@ require (
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.3.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -356,12 +356,12 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/crypto v0.10.0 // indirect
-	golang.org/x/net v0.11.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/net v0.12.0 // indirect
 	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sys v0.9.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.8.0 // indirect
+	golang.org/x/tools v0.10.0 // indirect
 	google.golang.org/api v0.121.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
@@ -373,18 +373,18 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	helm.sh/helm/v3 v3.12.1 // indirect
 	k8s.io/apiextensions-apiserver v0.27.2 // indirect
-	k8s.io/apimachinery v0.27.2 // indirect
+	k8s.io/apimachinery v0.27.3 // indirect
 	k8s.io/apiserver v0.27.2 // indirect
-	k8s.io/cli-runtime v0.27.2 // indirect
-	k8s.io/client-go v0.27.2 // indirect
-	k8s.io/component-base v0.27.2 // indirect
+	k8s.io/cli-runtime v0.27.3 // indirect
+	k8s.io/client-go v0.27.3 // indirect
+	k8s.io/component-base v0.27.3 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/kubectl v0.27.2 // indirect
+	k8s.io/kubectl v0.27.3 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.40.0 // indirect
 	modernc.org/ccgo/v3 v3.16.13 // indirect
-	modernc.org/libc v1.22.2 // indirect
+	modernc.org/libc v1.22.5 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect
 	modernc.org/opt v0.1.3 // indirect

go.sum

@@ -308,8 +308,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
-github.com/alicebob/miniredis/v2 v2.30.3 h1:hrqDB4cHFSHQf4gO3xu6YKQg8PqJpNjLYsQAFYHstqw=
-github.com/alicebob/miniredis/v2 v2.30.3/go.mod h1:b25qWj4fCEsBeAAR2mlb0ufImGC6uH3VlUfb/HS5zKg=
+github.com/alicebob/miniredis/v2 v2.30.4 h1:8S4/o1/KoUArAGbGwPxcwf0krlzceva2XVOSchFS7Eo=
+github.com/alicebob/miniredis/v2 v2.30.4/go.mod h1:b25qWj4fCEsBeAAR2mlb0ufImGC6uH3VlUfb/HS5zKg=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@@ -321,10 +321,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.90.1 h1:6c8bdv6tFnutDlY6V7uRrgZ3DqMmanPOy2VKVfmBYYM=
-github.com/aquasecurity/defsec v0.90.1/go.mod h1:ehFnrY3h2yJkd6EeHjPs2Y95431bHaFrMMurANDJumY=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230626110909-e7ea5097483b h1:9Ju7hWzTS8H9K/z1CqkJdZi+yxw1pZQZE11gVICtmTE=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230626110909-e7ea5097483b/go.mod h1:VjG2wX19QDny5yKN+he0v9wuZjF0k+00173mh0FJCVU=
+github.com/aquasecurity/defsec v0.91.0 h1:JGTiKL2UgnANZ4RoQQKokzpZ2vFv2LlXGoNjIypz9RQ=
+github.com/aquasecurity/defsec v0.91.0/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230731081423-69e49e750d15 h1:kHCZ2eQkRMm08Kkg6U12s0cqthclWDGEwohM2mb4hhk=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230731081423-69e49e750d15/go.mod h1:Cl6aYro+Ddzh1MB451j/C6rvwKdn/Ifa7z98sFirJ9I=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
@@ -343,12 +343,12 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c h1:mFMfHmb5GC6xrnUGk2mJcKNt5vBaFSzJx1MMW47uzB0=
-github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c/go.mod h1:s7x7CTxYeiFf6gPOakSsg4mCD93au4dbYplG4h0FGrs=
+github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb h1:uz2+9G7E0/mjf5Q0MB/BwbpdObU34CKGUdnypTYWTfs=
+github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb/go.mod h1:st35g9O0ecDGBqnRHNFFz8imlDD3GWTCwo1WyJixI2c=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
-github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230628140707-dae3bdb6ee81 h1:5/tKpCr861auON/CMHSXnRzNixx1FTWAeHSwV0PtA0U=
-github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230628140707-dae3bdb6ee81/go.mod h1:GCm7uq++jz7Ij8cA9mAorpKJ9/qSBCl7v6EKYA8DxJ8=
+github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9 h1:PA91rctNeAZY0hb2tPK68lAEpau3ItSto4FnqFXPF4g=
+github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230708090141-f44c2292c9a9/go.mod h1:R7LNrrjSc4PEs0suUd+pXSqSUMMU/eY5byWHfKSZyjQ=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -371,8 +371,9 @@ github.com/aws/aws-sdk-go-v2 v1.17.5/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3eP
 github.com/aws/aws-sdk-go-v2 v1.17.7/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.17.8/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo=
 github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2 v1.19.0 h1:klAT+y3pGFBU/qVf1uzwttpBbiuozJYWzNLHioyDJ+k=
+github.com/aws/aws-sdk-go-v2 v1.19.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 h1:tcFliCWne+zOuUfKNRn8JdFBuWPDuISDH08wD2ULkhk=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8/go.mod h1:JTnlBSot91steJeti4ryyu/tLd4Sk84O5W22L7O2EQU=
 github.com/aws/aws-sdk-go-v2/config v1.18.25 h1:JuYyZcnMPBiFqn87L2cRppo+rNwgah6YwD3VuyvaW6Q=
@@ -387,16 +388,18 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29/go.mod h1:Dip3sIGv48
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31/go.mod h1:QT0BqUvX1Bh2ABdTGnjqEjvjzrCfIniM9Sc8zn9Yndo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32/go.mod h1:RudqOgadTWdcS3t/erPQo24pcVEoYyqj/kKW5Vya21I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 h1:A5UqQEmPaCFpedKouS4v+dHCTUo2sKqhoKO9U5kxyWo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 h1:hMUCiE3Zi5AHrRNGf5j985u0WyqI6r2NULhUfo0N/No=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35/go.mod h1:ipR5PvpSPqIqL5Mi82BxLnfMkHVbmco8kUwO2xrCi0M=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23/go.mod h1:mr6c4cHC+S/MMkrjtSlG4QA36kOznDep+0fga5L/fGQ=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25/go.mod h1:zBHOPwhBc3FlQjQJE/D3IfPWiWaQmT06Vq9aNukDo0k=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26/go.mod h1:vq86l7956VgFr0/FWQ2BWnK07QC3WYsepKzy33qqY5U=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 h1:srIVS45eQuewqz6fKKu6ZGXaq6FuFg5NzgQBAM6g8Y4=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 h1:yOpYx+FTBdpk/g+sBU6Cb1H0U/TLEcYYp66mYqsPpcc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29/go.mod h1:M/eUABlDbw2uVrdAn+UsI6M727qp2fxkp8K0ejcBDUY=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 h1:gGLG7yKaXG02/jBlg210R7VgQIotiQntNhsCFejawx8=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 h1:ZSIPAkAsCCjYrhqfw2+lNzWDzxzHXEckFkTePL5RSWQ=
@@ -407,8 +410,8 @@ github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24 h1:eWwaF3m67oAJGBhfzVC9
 github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.24/go.mod h1:3olVANhEv+CFhEvC/TTkqh+1kg+r0px3CbH5eRKx7J4=
 github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11 h1:1L2042GftNVyI3TtWclGodfN5zBQjBNXsTQxDNaPXs8=
 github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.13.11/go.mod h1:Cs+mG0DXkVYPWsWIE8Ga78C/HeN5zFBbPHdOnJPwZ4M=
-github.com/aws/aws-sdk-go-v2/service/athena v1.18.10 h1:s8cE1HX3Pi53iMg+A+d7gGvmjA+Z4nH6u0BbbuFwXXE=
-github.com/aws/aws-sdk-go-v2/service/athena v1.18.10/go.mod h1:LiVr7tVQ2lrlv82VQhyuulN8uysLHsEeptFjA5PY1Pc=
+github.com/aws/aws-sdk-go-v2/service/athena v1.30.4 h1:x6pNnhCWXrkGX43gkJkcdCtlYSFx3tzqJKnm2QBqz6k=
+github.com/aws/aws-sdk-go-v2/service/athena v1.30.4/go.mod h1:XyrQmcmWx6BNhu1K5la/Zub8gX29MqiIMQ9silULHjk=
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5 h1:nLAPA7/DSmDWYP/MGtRNP6bHjiL8Fmyg8qeDxW90nm0=
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.20.5/go.mod h1:HYQXu2AKM7RLCn3APoQ5EvL2N/RlI4LSNN8pIGbdaDQ=
 github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.27.1 h1:Qw1G/M7eanpm6s/URkG1UuRLKEnRnpUvkUb7NMVvWb8=
@@ -429,12 +432,12 @@ github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0 h1:WblDV33AG9dhv0zFEPEmGtD5UECS
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0/go.mod h1:L3ZT0N/vBsw77mOAawXmRnREpEjcHd2v5Hzf7AkIH8M=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 h1:uiF/RI+Up8H2xdgT2GWa20YzxiKEalHieqNjm6HC3Xk=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18/go.mod h1:DQtDYmexqR+z+B6HBCvY7zK/tuXKv6Zy/IwOXOK3eow=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 h1:EHJAYkUnlFJ/KwuFMvUs/bPbb0DaqAI+gTfXxffTPZ0=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26/go.mod h1:NpR78BP2STxvF/R1GXLDM4gAEfjz68W/h0nC5b6Jk3s=
-github.com/aws/aws-sdk-go-v2/service/efs v1.20.1 h1:fJFdGkf0Xj04IBnps3YlL6mGPSjzfgAZ7ZX+mbsrPDc=
-github.com/aws/aws-sdk-go-v2/service/efs v1.20.1/go.mod h1:7szMjYu35IWLaJEG23z6x/KOFckAF4/oQdNuDni99Pk=
-github.com/aws/aws-sdk-go-v2/service/eks v1.22.1 h1:f07Bk+xMm0Q8PCzvrBg8Bd6m67CTvZSxQWB0H7ZEJOU=
-github.com/aws/aws-sdk-go-v2/service/eks v1.22.1/go.mod h1:YoafRRQM4SnTFwb49e4LCAel6n99q2DMxkeAfbgvq8s=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 h1:PxWgrtfQvct60NjxSrFsSWG/Yg1HATRKP4IeUPiLlrE=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1/go.mod h1:eZBCsRjzc+ZX8x3h0beHOu+uxRWRwnEHzzvDgKy9v0E=
+github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 h1:+rQHxWkGK5GyanoetOyOG/U0sgXjlt3vw+jufY7wp4k=
+github.com/aws/aws-sdk-go-v2/service/efs v1.20.3/go.mod h1:UpiMmYILiWWe5wfcz6dJded9/K1XVmcOD3LB1ZCLVdw=
+github.com/aws/aws-sdk-go-v2/service/eks v1.27.14 h1:47HQVuJXgwvuoc4AT3rVdm77H0qGFbFnsuE4PRT+xX0=
+github.com/aws/aws-sdk-go-v2/service/eks v1.27.14/go.mod h1:QxuWcm9rlLkW3aEV8tiDzqZewnNSNUZfnqJvo1Nv9A0=
 github.com/aws/aws-sdk-go-v2/service/elasticache v1.26.8 h1:QBi/EzjmsZAm2qWCftCDHQ5DW1iDd4IwLDvXA6ikj8E=
 github.com/aws/aws-sdk-go-v2/service/elasticache v1.26.8/go.mod h1:HPSFSw7eCcEJFRaNZxnlMxOOctdrSNttq5JR/Q9yusU=
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.19.11 h1:IN2XMTLmhIEL5e3o+tY9JsLFSAxmjgM8gI7W2+CPrpw=
@@ -443,8 +446,8 @@ github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0 h1:XE/MewOiHgW
 github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.19.0/go.mod h1:2GKcrxIvmAf07PsxbJ7tccJDXzVj0oHT/MuBQ9835X8=
 github.com/aws/aws-sdk-go-v2/service/emr v1.24.4 h1:C6I3p2ENt01I5iO5oEXyfzSk1VIEKADXSMgNdiW1Tw8=
 github.com/aws/aws-sdk-go-v2/service/emr v1.24.4/go.mod h1:hvWrBVsomnNf7Y0Onrl+wGAkcOAH81Ybcy8FSQrvARM=
-github.com/aws/aws-sdk-go-v2/service/iam v1.19.12 h1:JH1H7POlsZt41X9JYIBLZoXW0Qv+WOuC48xsafsls2Q=
-github.com/aws/aws-sdk-go-v2/service/iam v1.19.12/go.mod h1:kAnokExGCYs7zfvZEZdFHvQ/x4ZKIci0Raps6mZI1Ag=
+github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 h1:VTCWgsrromZqnlRgfziqqWWcW7LFkQLwJVYgf/5zgWA=
+github.com/aws/aws-sdk-go-v2/service/iam v1.21.1/go.mod h1:LBsjrFczXiQLASO6FtDGTeHuZh6oHuIH6VKaOozFghg=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9/go.mod h1:a9j48l6yL5XINLHLcOKInjdvknN+vWqPBxqeIDw7ktw=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 h1:dpiPHgmFstgkLG07KaYAewvuptq5kvo52xn7tVSrtrQ=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10/go.mod h1:9cBNUHI2aW4ho0A5T87O294iPDuuUOSIEDjnd1Lq/z0=
@@ -463,8 +466,8 @@ github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4 h1:EmEk3gRJzSEK8DUnkvTGDn/RQc
 github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4/go.mod h1:+O9qi0UC83Lk0KAnC/ixNcw4piXfUtPzXpYn/KC2Mhg=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 h1:qVaBkJxFxm6o/9DPNnJU6L9O3V7ycEKhCvRm2BFBQTU=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19/go.mod h1:9rLNg+J9SEe7rhge/YzKU3QTovlLqOmqH8akb0IB1ko=
-github.com/aws/aws-sdk-go-v2/service/kms v1.21.1 h1:Q03Jqh1enA8keCiGZpLetpk58Ll9iGejE5bOErxyGAU=
-github.com/aws/aws-sdk-go-v2/service/kms v1.21.1/go.mod h1:EEfb4gfSphdVpRo5sGf2W3KvJbelYUno5VaXR5MJ3z4=
+github.com/aws/aws-sdk-go-v2/service/kms v1.23.0 h1:NXYeZBNg35rDBhcus60DFkIP7q6RNSkarLx+37ERX1g=
+github.com/aws/aws-sdk-go-v2/service/kms v1.23.0/go.mod h1:aNfh11Smy55o65PB3MyKbkM8BFyFUcZmj1k+4g8eNfg=
 github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 h1:N7RkXX2SJbN+TCp295J3LdMR0KRFd2Bhi5nIO+svLQY=
 github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6/go.mod h1:oTJIIluTaJCRT6xP1AZpuU3JwRHBC0Q5O4Hg+SUxFHw=
 github.com/aws/aws-sdk-go-v2/service/mq v1.15.0 h1:Z1q5y9q4feZb/h2H4D+MHqGflTEeyZH6MarBG6o00ng=
@@ -725,8 +728,8 @@ github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m3
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v23.0.0-rc.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k=
-github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.7-0.20230714215826-f00e7af96042+incompatible h1:j7cPAKd+yLS4f16Jqri/wXRK+7TtFQCt89WPqECWnIM=
+github.com/docker/docker v23.0.7-0.20230714215826-f00e7af96042+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
@@ -1303,8 +1306,8 @@ github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
 github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
@@ -1343,8 +1346,8 @@ github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQ
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.11.5 h1:S6YrFJ0bfBT2w9e8kOxqsDV8Bw+HtfqdB6eHL17BXRI=
-github.com/moby/buildkit v0.11.5/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo=
+github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
+github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
@@ -1362,8 +1365,8 @@ github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI
 github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
 github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
-github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=
-github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -1418,8 +1421,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
-github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
+github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
@@ -1450,8 +1453,8 @@ github.com/owenrumney/go-sarif/v2 v2.2.0 h1:1DmZaijK0HBZCR1fgcDSGa7VzYkU9NDmbZ7q
 github.com/owenrumney/go-sarif/v2 v2.2.0/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/owenrumney/squealer v1.1.1 h1:e+fg29IxdNARSc4s7CbYnqVSepm9eOqErLNNNR5XbAs=
 github.com/owenrumney/squealer v1.1.1/go.mod h1:Q5ekVoyFSG2FlnCVIBGsyk/FSMA/ATv8PtwKIVX7t/o=
-github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170 h1:DiLBVp4DAcZlBVBEtJpNWZpZVq0AEeCY7Hqk8URVs4o=
-github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
+github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
+github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
@@ -1522,8 +1525,8 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578 h1:VstopitMQi3hZP0fzvnsLmzXZdQGc4bEcgu24cp+d4M=
-github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
@@ -1648,10 +1651,10 @@ github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
 github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
-github.com/testcontainers/testcontainers-go v0.20.1 h1:mK15UPJ8c5P+NsQKmkqzs/jMdJt6JMs5vlw2y4j92c0=
-github.com/testcontainers/testcontainers-go v0.20.1/go.mod h1:zb+NOlCQBkZ7RQp4QI+YMIHyO2CQ/qsXzNF5eLJ24SY=
-github.com/tetratelabs/wazero v1.2.0 h1:I/8LMf4YkCZ3r2XaL9whhA0VMyAvF6QE+O7rco0DCeQ=
-github.com/tetratelabs/wazero v1.2.0/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ=
+github.com/testcontainers/testcontainers-go v0.21.0 h1:syePAxdeTzfkap+RrJaQZpJQ/s/fsUgn11xIvHrOE9U=
+github.com/testcontainers/testcontainers-go v0.21.0/go.mod h1:c1ez3WVRHq7T/Aj+X3TIipFBwkBaNT5iNCY8+1b83Ng=
+github.com/tetratelabs/wazero v1.2.1 h1:J4X2hrGzJvt+wqltuvcSjHQ7ujQxA9gb6PeMs4qlUWs=
+github.com/tetratelabs/wazero v1.2.1/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -1799,8 +1802,8 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
 golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1811,8 +1814,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1840,8 +1843,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1913,8 +1916,8 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1959,8 +1962,8 @@ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2093,8 +2096,8 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -2102,8 +2105,8 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2118,8 +2121,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2197,8 +2200,8 @@ golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyj
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
-golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
+golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2435,8 +2438,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2504,32 +2507,32 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
 k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
 k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
+k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y=
+k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg=
 k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
 k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
 k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM=
+k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
 k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
 k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
 k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
 k8s.io/apiserver v0.27.2 h1:p+tjwrcQEZDrEorCZV2/qE8osGTINPuS5ZNqWAvKm5E=
 k8s.io/apiserver v0.27.2/go.mod h1:EsOf39d75rMivgvvwjJ3OW/u9n1/BmUMK5otEOJrb1Y=
-k8s.io/cli-runtime v0.27.2 h1:9HI8gfReNujKXt16tGOAnb8b4NZ5E+e0mQQHKhFGwYw=
-k8s.io/cli-runtime v0.27.2/go.mod h1:9UecpyPDTkhiYY4d9htzRqN+rKomJgyb4wi0OfrmCjw=
+k8s.io/cli-runtime v0.27.3 h1:h592I+2eJfXj/4jVYM+tu9Rv8FEc/dyCoD80UJlMW2Y=
+k8s.io/cli-runtime v0.27.3/go.mod h1:LzXud3vFFuDFXn2LIrWnscPgUiEj7gQQcYZE2UPn9Kw=
 k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
 k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
 k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0=
-k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE=
-k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ=
+k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8=
+k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48=
 k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
 k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
 k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
+k8s.io/component-base v0.27.3 h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k=
+k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY=
 k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM=
 k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
 k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
@@ -2542,8 +2545,8 @@ k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/kubectl v0.27.2 h1:sSBM2j94MHBFRWfHIWtEXWCicViQzZsb177rNsKBhZg=
-k8s.io/kubectl v0.27.2/go.mod h1:GCOODtxPcrjh+EC611MqREkU8RjYBh10ldQCQ6zpFKw=
+k8s.io/kubectl v0.27.3 h1:HyC4o+8rCYheGDWrkcOQHGwDmyLKR5bxXFgpvF82BOw=
+k8s.io/kubectl v0.27.3/go.mod h1:g9OQNCC2zxT+LT3FS09ZYqnDhlvsKAfFq76oyarBcq4=
 k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk=
@@ -2556,22 +2559,22 @@ modernc.org/ccgo/v3 v3.16.13 h1:Mkgdzl46i5F/CNR/Kj80Ri59hC8TKAhZrYSaqvkwzUw=
 modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
 modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk=
 modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM=
-modernc.org/libc v1.22.2 h1:4U7v51GyhlWqQmwCHj28Rdq2Yzwk55ovjFrdPjs8Hb0=
-modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
+modernc.org/libc v1.22.5 h1:91BNch/e5B0uPbJFgqbxXuOnxBQjlS//icfQEGmvyjE=
+modernc.org/libc v1.22.5/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
 modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
 modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
 modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
 modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.20.3 h1:SqGJMMxjj1PHusLxdYxeQSodg7Jxn9WWkaAQjKrntZs=
-modernc.org/sqlite v1.20.3/go.mod h1:zKcGyrICaxNTMEHSr1HQ2GUraP0j+845GYw37+EyT6A=
+modernc.org/sqlite v1.23.1 h1:nrSBg4aRQQwq59JpvGEQ15tNxoO5pX/kUjcRNwSAGQM=
+modernc.org/sqlite v1.23.1/go.mod h1:OrDj17Mggn6MhE+iPbBNf7RGKODDE9NFT0f3EwDzJqk=
 modernc.org/strutil v1.1.3 h1:fNMm+oJklMGYfU9Ylcywl0CO5O6nTfaowNsh2wpPjzY=
 modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
-modernc.org/tcl v1.15.0 h1:oY+JeD11qVVSgVvodMJsu7Edf8tr5E/7tuhF5cNYz34=
+modernc.org/tcl v1.15.2 h1:C4ybAYCGJw968e+Me18oW55kD/FexcHbqH2xak1ROSY=
 modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg=
 modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.7.0 h1:xkDw/KepgEjeizO2sNco+hqYkU12taxQFqPEmgm1GWE=
+modernc.org/z v1.7.3 h1:zDJf6iHjrnB+WRD88stbXokugjyc0/pB91ri1gO6LZY=
 oras.land/oras-go v1.2.3 h1:v8PJl+gEAntI1pJ/LCrDgsuk+1PKVavVEPsYIHFE5uY=
 oras.land/oras-go v1.2.3/go.mod h1:M/uaPdYklze0Vf3AakfarnpoEckvw0ESbRdN8Z1vdJg=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

integration/client_server_test.go

@@ -236,21 +236,21 @@ func TestClientServer(t *testing.T) {
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
-			name: "scan pox.xml with fs command in client/server mode",
+			name: "scan pox.xml with repo command in client/server mode",
 			args: csArgs{
-				Command:          "fs",
+				Command:          "repo",
 				RemoteAddrOption: "--server",
-				Target:           "testdata/fixtures/fs/pom/",
+				Target:           "testdata/fixtures/repo/pom/",
 			},
 			golden: "testdata/pom.json.golden",
 		},
 		{
-			name: "scan sample.pem with fs command in client/server mode",
+			name: "scan sample.pem with repo command in client/server mode",
 			args: csArgs{
-				Command:          "fs",
+				Command:          "repo",
 				RemoteAddrOption: "--server",
-				secretConfig:     "testdata/fixtures/fs/secrets/trivy-secret.yaml",
-				Target:           "testdata/fixtures/fs/secrets/",
+				secretConfig:     "testdata/fixtures/repo/secrets/trivy-secret.yaml",
+				Target:           "testdata/fixtures/repo/secrets/",
 			},
 			golden: "testdata/secrets.json.golden",
 		},
@@ -279,7 +279,7 @@ func TestClientServer(t *testing.T) {
 			err := execute(osArgs)
 			require.NoError(t, err)
 
-			compareReports(t, c.golden, outputFile)
+			compareReports(t, c.golden, outputFile, nil)
 		})
 	}
 }
@@ -328,11 +328,11 @@ func TestClientServerWithFormat(t *testing.T) {
 		{
 			name: "scan secrets with ASFF template",
 			args: csArgs{
-				Command:          "fs",
+				Command:          "repo",
 				RemoteAddrOption: "--server",
 				Format:           "template",
 				TemplatePath:     "@../contrib/asff.tpl",
-				Target:           "testdata/fixtures/fs/secrets/",
+				Target:           "testdata/fixtures/repo/secrets/",
 			},
 			golden: "testdata/secrets.asff.golden",
 		},
@@ -501,7 +501,7 @@ func TestClientServerWithToken(t *testing.T) {
 			}
 
 			require.NoError(t, err, c.name)
-			compareReports(t, c.golden, outputFile)
+			compareReports(t, c.golden, outputFile, nil)
 		})
 	}
 }
@@ -528,7 +528,7 @@ func TestClientServerWithRedis(t *testing.T) {
 		err := execute(osArgs)
 		require.NoError(t, err)
 
-		compareReports(t, golden, outputFile)
+		compareReports(t, golden, outputFile, nil)
 	})
 
 	// Terminate the Redis container

integration/docker_engine_test.go

@@ -26,6 +26,7 @@ func TestDockerEngine(t *testing.T) {
 		imageTag      string
 		invalidImage  bool
 		ignoreUnfixed bool
+		ignoreStatus  []string
 		severity      []string
 		ignoreIDs     []string
 		input         string
@@ -101,6 +102,13 @@ func TestDockerEngine(t *testing.T) {
 			input:         "testdata/fixtures/images/centos-7.tar.gz",
 			golden:        "testdata/centos-7-ignore-unfixed.json.golden",
 		},
+		{
+			name:         "centos 7, with --ignore-status option",
+			imageTag:     "ghcr.io/aquasecurity/trivy-test-images:centos-7",
+			ignoreStatus: []string{"will_not_fix"},
+			input:        "testdata/fixtures/images/centos-7.tar.gz",
+			golden:       "testdata/centos-7-ignore-unfixed.json.golden",
+		},
 		{
 			name:          "centos 7, with --ignore-unfixed option, with medium severity",
 			imageTag:      "ghcr.io/aquasecurity/trivy-test-images:centos-7",
@@ -128,6 +136,13 @@ func TestDockerEngine(t *testing.T) {
 			input:         "testdata/fixtures/images/debian-buster.tar.gz",
 			golden:        "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
+		{
+			name:         "debian buster/10, with --ignore-status option",
+			ignoreStatus: []string{"affected"},
+			imageTag:     "ghcr.io/aquasecurity/trivy-test-images:debian-buster",
+			input:        "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:       "testdata/debian-buster-ignore-unfixed.json.golden",
+		},
 		{
 			name:     "debian stretch/9",
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:debian-stretch",
@@ -240,6 +255,12 @@ func TestDockerEngine(t *testing.T) {
 			if tt.ignoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
 			}
+
+			if len(tt.ignoreStatus) != 0 {
+				osArgs = append(osArgs,
+					[]string{"--ignore-status", strings.Join(tt.ignoreStatus, ",")}...,
+				)
+			}
 			if len(tt.severity) != 0 {
 				osArgs = append(osArgs,
 					[]string{"--severity", strings.Join(tt.severity, ",")}...,
@@ -264,7 +285,7 @@ func TestDockerEngine(t *testing.T) {
 			assert.NoError(t, err, tt.name)
 
 			// check for vulnerability output info
-			compareReports(t, tt.golden, output)
+			compareReports(t, tt.golden, output, nil)
 
 			// cleanup
 			_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{

integration/integration_test.go

@@ -199,9 +199,12 @@ func execute(osArgs []string) error {
 	return app.Execute()
 }
 
-func compareReports(t *testing.T, wantFile, gotFile string) {
+func compareReports(t *testing.T, wantFile, gotFile string, override func(*types.Report)) {
 	want := readReport(t, wantFile)
 	got := readReport(t, gotFile)
+	if override != nil {
+		override(&want)
+	}
 	assert.Equal(t, want, got)
 }
 

integration/module_test.go

@@ -1,4 +1,5 @@
 //go:build module_integration
+
 package integration
 
 import (
@@ -70,7 +71,7 @@ func TestModule(t *testing.T) {
 			}()
 
 			// Compare want and got
-			compareReports(t, tt.golden, outputFile)
+			compareReports(t, tt.golden, outputFile, nil)
 		})
 	}
 }

integration/repo_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package integration
 
@@ -12,13 +11,14 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
-func TestFilesystem(t *testing.T) {
+// TestRepository tests `trivy repo` with the local code repositories
+func TestRepository(t *testing.T) {
 	type args struct {
 		scanner        types.Scanner
-		severity       []string
 		ignoreIDs      []string
 		policyPaths    []string
 		namespaces     []string
@@ -35,15 +35,16 @@ func TestFilesystem(t *testing.T) {
 		includeDevDeps bool
 	}
 	tests := []struct {
-		name   string
-		args   args
-		golden string
+		name     string
+		args     args
+		golden   string
+		override func(*types.Report)
 	}{
 		{
 			name: "gomod",
 			args: args{
 				scanner: types.VulnerabilityScanner,
-				input:   "testdata/fixtures/fs/gomod",
+				input:   "testdata/fixtures/repo/gomod",
 			},
 			golden: "testdata/gomod.json.golden",
 		},
@@ -51,8 +52,8 @@ func TestFilesystem(t *testing.T) {
 			name: "gomod with skip files",
 			args: args{
 				scanner:   types.VulnerabilityScanner,
-				input:     "testdata/fixtures/fs/gomod",
-				skipFiles: []string{"testdata/fixtures/fs/gomod/submod2/go.mod"},
+				input:     "testdata/fixtures/repo/gomod",
+				skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
 			},
 			golden: "testdata/gomod-skip.json.golden",
 		},
@@ -60,8 +61,8 @@ func TestFilesystem(t *testing.T) {
 			name: "gomod with skip dirs",
 			args: args{
 				scanner:  types.VulnerabilityScanner,
-				input:    "testdata/fixtures/fs/gomod",
-				skipDirs: []string{"testdata/fixtures/fs/gomod/submod2"},
+				input:    "testdata/fixtures/repo/gomod",
+				skipDirs: []string{"testdata/fixtures/repo/gomod/submod2"},
 			},
 			golden: "testdata/gomod-skip.json.golden",
 		},
@@ -69,7 +70,7 @@ func TestFilesystem(t *testing.T) {
 			name: "npm",
 			args: args{
 				scanner:     types.VulnerabilityScanner,
-				input:       "testdata/fixtures/fs/npm",
+				input:       "testdata/fixtures/repo/npm",
 				listAllPkgs: true,
 			},
 			golden: "testdata/npm.json.golden",
@@ -78,7 +79,7 @@ func TestFilesystem(t *testing.T) {
 			name: "npm with dev deps",
 			args: args{
 				scanner:        types.VulnerabilityScanner,
-				input:          "testdata/fixtures/fs/npm",
+				input:          "testdata/fixtures/repo/npm",
 				listAllPkgs:    true,
 				includeDevDeps: true,
 			},
@@ -88,7 +89,7 @@ func TestFilesystem(t *testing.T) {
 			name: "yarn",
 			args: args{
 				scanner:     types.VulnerabilityScanner,
-				input:       "testdata/fixtures/fs/yarn",
+				input:       "testdata/fixtures/repo/yarn",
 				listAllPkgs: true,
 			},
 			golden: "testdata/yarn.json.golden",
@@ -97,7 +98,7 @@ func TestFilesystem(t *testing.T) {
 			name: "pnpm",
 			args: args{
 				scanner: types.VulnerabilityScanner,
-				input:   "testdata/fixtures/fs/pnpm",
+				input:   "testdata/fixtures/repo/pnpm",
 			},
 			golden: "testdata/pnpm.json.golden",
 		},
@@ -106,7 +107,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/pip",
+				input:       "testdata/fixtures/repo/pip",
 			},
 			golden: "testdata/pip.json.golden",
 		},
@@ -115,7 +116,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/pipenv",
+				input:       "testdata/fixtures/repo/pipenv",
 			},
 			golden: "testdata/pipenv.json.golden",
 		},
@@ -124,7 +125,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/poetry",
+				input:       "testdata/fixtures/repo/poetry",
 			},
 			golden: "testdata/poetry.json.golden",
 		},
@@ -132,7 +133,7 @@ func TestFilesystem(t *testing.T) {
 			name: "pom",
 			args: args{
 				scanner: types.VulnerabilityScanner,
-				input:   "testdata/fixtures/fs/pom",
+				input:   "testdata/fixtures/repo/pom",
 			},
 			golden: "testdata/pom.json.golden",
 		},
@@ -140,7 +141,7 @@ func TestFilesystem(t *testing.T) {
 			name: "gradle",
 			args: args{
 				scanner: types.VulnerabilityScanner,
-				input:   "testdata/fixtures/fs/gradle",
+				input:   "testdata/fixtures/repo/gradle",
 			},
 			golden: "testdata/gradle.json.golden",
 		},
@@ -149,7 +150,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/conan",
+				input:       "testdata/fixtures/repo/conan",
 			},
 			golden: "testdata/conan.json.golden",
 		},
@@ -158,7 +159,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/nuget",
+				input:       "testdata/fixtures/repo/nuget",
 			},
 			golden: "testdata/nuget.json.golden",
 		},
@@ -167,7 +168,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/dotnet",
+				input:       "testdata/fixtures/repo/dotnet",
 			},
 			golden: "testdata/dotnet.json.golden",
 		},
@@ -176,7 +177,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/cocoapods",
+				input:       "testdata/fixtures/repo/cocoapods",
 			},
 			golden: "testdata/cocoapods.json.golden",
 		},
@@ -185,7 +186,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/pubspec",
+				input:       "testdata/fixtures/repo/pubspec",
 			},
 			golden: "testdata/pubspec.lock.json.golden",
 		},
@@ -194,7 +195,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/mixlock",
+				input:       "testdata/fixtures/repo/mixlock",
 			},
 			golden: "testdata/mix.lock.json.golden",
 		},
@@ -203,7 +204,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				scanner:     types.VulnerabilityScanner,
 				listAllPkgs: true,
-				input:       "testdata/fixtures/fs/composer",
+				input:       "testdata/fixtures/repo/composer",
 			},
 			golden: "testdata/composer.lock.json.golden",
 		},
@@ -211,7 +212,7 @@ func TestFilesystem(t *testing.T) {
 			name: "dockerfile",
 			args: args{
 				scanner:    types.MisconfigScanner,
-				input:      "testdata/fixtures/fs/dockerfile",
+				input:      "testdata/fixtures/repo/dockerfile",
 				namespaces: []string{"testing"},
 			},
 			golden: "testdata/dockerfile.json.golden",
@@ -220,7 +221,7 @@ func TestFilesystem(t *testing.T) {
 			name: "dockerfile with custom file pattern",
 			args: args{
 				scanner:      types.MisconfigScanner,
-				input:        "testdata/fixtures/fs/dockerfile_file_pattern",
+				input:        "testdata/fixtures/repo/dockerfile_file_pattern",
 				namespaces:   []string{"testing"},
 				filePatterns: []string{"dockerfile:Customfile"},
 			},
@@ -230,8 +231,8 @@ func TestFilesystem(t *testing.T) {
 			name: "dockerfile with rule exception",
 			args: args{
 				scanner:     types.MisconfigScanner,
-				policyPaths: []string{"testdata/fixtures/fs/rule-exception/policy"},
-				input:       "testdata/fixtures/fs/rule-exception",
+				policyPaths: []string{"testdata/fixtures/repo/rule-exception/policy"},
+				input:       "testdata/fixtures/repo/rule-exception",
 			},
 			golden: "testdata/dockerfile-rule-exception.json.golden",
 		},
@@ -239,8 +240,8 @@ func TestFilesystem(t *testing.T) {
 			name: "dockerfile with namespace exception",
 			args: args{
 				scanner:     types.MisconfigScanner,
-				policyPaths: []string{"testdata/fixtures/fs/namespace-exception/policy"},
-				input:       "testdata/fixtures/fs/namespace-exception",
+				policyPaths: []string{"testdata/fixtures/repo/namespace-exception/policy"},
+				input:       "testdata/fixtures/repo/namespace-exception",
 			},
 			golden: "testdata/dockerfile-namespace-exception.json.golden",
 		},
@@ -248,9 +249,9 @@ func TestFilesystem(t *testing.T) {
 			name: "dockerfile with custom policies",
 			args: args{
 				scanner:     types.MisconfigScanner,
-				policyPaths: []string{"testdata/fixtures/fs/custom-policy/policy"},
+				policyPaths: []string{"testdata/fixtures/repo/custom-policy/policy"},
 				namespaces:  []string{"user"},
-				input:       "testdata/fixtures/fs/custom-policy",
+				input:       "testdata/fixtures/repo/custom-policy",
 			},
 			golden: "testdata/dockerfile-custom-policies.json.golden",
 		},
@@ -258,7 +259,7 @@ func TestFilesystem(t *testing.T) {
 			name: "tarball helm chart scanning with builtin policies",
 			args: args{
 				scanner: types.MisconfigScanner,
-				input:   "testdata/fixtures/fs/helm",
+				input:   "testdata/fixtures/repo/helm",
 			},
 			golden: "testdata/helm.json.golden",
 		},
@@ -266,7 +267,7 @@ func TestFilesystem(t *testing.T) {
 			name: "helm chart directory scanning with builtin policies",
 			args: args{
 				scanner: types.MisconfigScanner,
-				input:   "testdata/fixtures/fs/helm_testchart",
+				input:   "testdata/fixtures/repo/helm_testchart",
 			},
 			golden: "testdata/helm_testchart.json.golden",
 		},
@@ -274,7 +275,7 @@ func TestFilesystem(t *testing.T) {
 			name: "helm chart directory scanning with value overrides using set",
 			args: args{
 				scanner: types.MisconfigScanner,
-				input:   "testdata/fixtures/fs/helm_testchart",
+				input:   "testdata/fixtures/repo/helm_testchart",
 				helmSet: []string{"securityContext.runAsUser=0"},
 			},
 			golden: "testdata/helm_testchart.overridden.json.golden",
@@ -283,8 +284,8 @@ func TestFilesystem(t *testing.T) {
 			name: "helm chart directory scanning with value overrides using value file",
 			args: args{
 				scanner:        types.MisconfigScanner,
-				input:          "testdata/fixtures/fs/helm_testchart",
-				helmValuesFile: []string{"testdata/fixtures/fs/helm_values/values.yaml"},
+				input:          "testdata/fixtures/repo/helm_testchart",
+				helmValuesFile: []string{"testdata/fixtures/repo/helm_values/values.yaml"},
 			},
 			golden: "testdata/helm_testchart.overridden.json.golden",
 		},
@@ -292,7 +293,7 @@ func TestFilesystem(t *testing.T) {
 			name: "helm chart directory scanning with builtin policies and non string Chart name",
 			args: args{
 				scanner: types.MisconfigScanner,
-				input:   "testdata/fixtures/fs/helm_badname",
+				input:   "testdata/fixtures/repo/helm_badname",
 			},
 			golden: "testdata/helm_badname.json.golden",
 		},
@@ -300,8 +301,8 @@ func TestFilesystem(t *testing.T) {
 			name: "secrets",
 			args: args{
 				scanner:      "vuln,secret",
-				input:        "testdata/fixtures/fs/secrets",
-				secretConfig: "testdata/fixtures/fs/secrets/trivy-secret.yaml",
+				input:        "testdata/fixtures/repo/secrets",
+				secretConfig: "testdata/fixtures/repo/secrets/trivy-secret.yaml",
 			},
 			golden: "testdata/secrets.json.golden",
 		},
@@ -310,7 +311,7 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				command: "rootfs",
 				format:  "cyclonedx",
-				input:   "testdata/fixtures/fs/conda",
+				input:   "testdata/fixtures/repo/conda",
 			},
 			golden: "testdata/conda-cyclonedx.json.golden",
 		},
@@ -319,10 +320,37 @@ func TestFilesystem(t *testing.T) {
 			args: args{
 				command: "rootfs",
 				format:  "spdx-json",
-				input:   "testdata/fixtures/fs/conda",
+				input:   "testdata/fixtures/repo/conda",
 			},
 			golden: "testdata/conda-spdx.json.golden",
 		},
+		{
+			name: "gomod with fs subcommand",
+			args: args{
+				command:   "fs",
+				scanner:   types.VulnerabilityScanner,
+				input:     "testdata/fixtures/repo/gomod",
+				skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
+			},
+			golden: "testdata/gomod-skip.json.golden",
+			override: func(report *types.Report) {
+				report.ArtifactType = ftypes.ArtifactFilesystem
+			},
+		},
+		{
+			name: "dockerfile with fs subcommand",
+			args: args{
+				command:     "fs",
+				scanner:     types.MisconfigScanner,
+				policyPaths: []string{"testdata/fixtures/repo/custom-policy/policy"},
+				namespaces:  []string{"user"},
+				input:       "testdata/fixtures/repo/custom-policy",
+			},
+			golden: "testdata/dockerfile-custom-policies.json.golden",
+			override: func(report *types.Report) {
+				report.ArtifactType = ftypes.ArtifactFilesystem
+			},
+		},
 	}
 
 	// Set up testing DB
@@ -334,7 +362,7 @@ func TestFilesystem(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 
-			command := "fs"
+			command := "repo"
 			if tt.args.command != "" {
 				command = tt.args.command
 			}
@@ -372,10 +400,6 @@ func TestFilesystem(t *testing.T) {
 				}
 			}
 
-			if len(tt.args.severity) != 0 {
-				osArgs = append(osArgs, "--severity", strings.Join(tt.args.severity, ","))
-			}
-
 			if len(tt.args.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
 				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.args.ignoreIDs, "\n")), 0444)
@@ -415,7 +439,7 @@ func TestFilesystem(t *testing.T) {
 
 			// Setup the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
-			if *update {
+			if *update && tt.override == nil {
 				outputFile = tt.golden
 			}
 
@@ -434,7 +458,7 @@ func TestFilesystem(t *testing.T) {
 			osArgs = append(osArgs, "--output", outputFile)
 			osArgs = append(osArgs, tt.args.input)
 
-			// Run "trivy fs"
+			// Run "trivy repo"
 			err := execute(osArgs)
 			require.NoError(t, err)
 
@@ -445,7 +469,7 @@ func TestFilesystem(t *testing.T) {
 			case "spdx-json":
 				compareSpdxJson(t, tt.golden, outputFile)
 			case "json":
-				compareReports(t, tt.golden, outputFile)
+				compareReports(t, tt.golden, outputFile, tt.override)
 			default:
 				require.Fail(t, "invalid format", "format: %s", format)
 			}

integration/standalone_tar_test.go

@@ -418,7 +418,7 @@ func TestTar(t *testing.T) {
 			require.NoError(t, err)
 
 			// Compare want and got
-			compareReports(t, tt.golden, outputFile)
+			compareReports(t, tt.golden, outputFile, nil)
 		})
 	}
 }
@@ -513,7 +513,7 @@ func TestTarWithEnv(t *testing.T) {
 			require.NoError(t, err)
 
 			// Compare want and got
-			compareReports(t, tt.golden, outputFile)
+			compareReports(t, tt.golden, outputFile, nil)
 		})
 	}
 }
@@ -588,7 +588,7 @@ cache:
 			require.NoError(t, err)
 
 			// Compare want and got
-			compareReports(t, tt.golden, outputFile)
+			compareReports(t, tt.golden, outputFile, nil)
 		})
 	}
 }

integration/testdata/almalinux-8.json.golden

@@ -57,6 +57,7 @@
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.1.1k-4.el8",
           "FixedVersion": "1:1.1.1k-5.el8_5",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:a1f18d9dc5496c63197eb9a4f1d4bf5cc88c6a34f64f0fe11ea233070392ce48",
             "DiffID": "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"

integration/testdata/alpine-310-registry.json.golden

@@ -65,6 +65,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
@@ -125,6 +126,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
@@ -195,6 +197,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
@@ -255,6 +258,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"

integration/testdata/alpine-310.json.golden

@@ -59,6 +59,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
@@ -119,6 +120,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
@@ -189,6 +191,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
@@ -249,6 +252,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"

integration/testdata/alpine-39-high-critical.json.golden

@@ -59,6 +59,7 @@
           "PkgName": "musl",
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -97,6 +98,7 @@
           "PkgName": "musl-utils",
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"

integration/testdata/alpine-39-ignore-cveids.json.golden

@@ -59,6 +59,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -129,6 +130,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"

integration/testdata/alpine-39.json.golden

@@ -59,6 +59,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -119,6 +120,7 @@
           "PkgName": "libcrypto1.1",
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -189,6 +191,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -249,6 +252,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -319,6 +323,7 @@
           "PkgName": "musl",
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
@@ -357,6 +362,7 @@
           "PkgName": "musl-utils",
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10",
             "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"

integration/testdata/alpine-distroless.json.golden

@@ -54,6 +54,7 @@
           "PkgName": "git",
           "InstalledVersion": "2.35.1-r2",
           "FixedVersion": "2.35.2-r0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:6c6f69aa25501b090c54c62a9c17e978064c2f1328f67a7ef88c81ce5f2d7983",
             "DiffID": "sha256:89da7cc836da4b53ab1ceb572576458c005e7e444b8bb79abda196668a2f0c92"

integration/testdata/amazon-1.json.golden

@@ -58,6 +58,7 @@
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-11.91.amzn1",
           "FixedVersion": "7.61.1-12.93.amzn1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:105ff6bf468b1422ad7c47ea9d63eae82f875c93310cb8d34551951e754ef43b",
             "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"

integration/testdata/amazon-2.json.golden

@@ -58,6 +58,7 @@
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-9.amzn2.0.1",
           "FixedVersion": "7.61.1-12.amzn2.0.1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:72d97abdfae3b3c933ff41e39779cc72853d7bd9dc1e4800c5294d6715257799",
             "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6"
@@ -116,6 +117,7 @@
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-9.amzn2.0.1",
           "FixedVersion": "7.61.1-11.amzn2.0.2",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:72d97abdfae3b3c933ff41e39779cc72853d7bd9dc1e4800c5294d6715257799",
             "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6"

integration/testdata/amazonlinux2-gp2-x86-vm.json.golden

@@ -30,6 +30,7 @@
           "PkgName": "bind-export-libs",
           "InstalledVersion": "32:9.11.4-26.P2.amzn2.5.2",
           "FixedVersion": "99:9.11.4-26.P2.amzn2.13",
+          "Status": "fixed",
           "Layer": {},
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38177",

integration/testdata/busybox-with-lockfile.json.golden

@@ -58,6 +58,7 @@
           "PkgName": "ammonia",
           "InstalledVersion": "1.9.0",
           "FixedVersion": "\u003e= 2.1.0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:fd2e3bc9bccc9c677572a542d020998389de94f127ca2c252ae627fc7c241cee",
             "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
@@ -96,6 +97,7 @@
           "PkgName": "ammonia",
           "InstalledVersion": "1.9.0",
           "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:fd2e3bc9bccc9c677572a542d020998389de94f127ca2c252ae627fc7c241cee",
             "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"

integration/testdata/centos-6.json.golden

@@ -79,6 +79,7 @@
           "PkgID": "glibc@2.12-1.212.el6.x86_64",
           "PkgName": "glibc",
           "InstalledVersion": "2.12-1.212.el6",
+          "Status": "end_of_life",
           "Layer": {
             "Digest": "sha256:ff50d722b38227ec8f2bbf0cdbce428b66745077c173d8117d91376128fa532e",
             "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
@@ -124,6 +125,7 @@
           "PkgName": "openssl",
           "InstalledVersion": "1.0.1e-57.el6",
           "FixedVersion": "1.0.1e-58.el6_10",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:ff50d722b38227ec8f2bbf0cdbce428b66745077c173d8117d91376128fa532e",
             "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -73,6 +73,7 @@
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
             "DiffID": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
@@ -154,6 +155,7 @@
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
             "DiffID": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"

integration/testdata/centos-7-medium.json.golden

@@ -73,6 +73,7 @@
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
             "DiffID": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"

integration/testdata/centos-7.json.golden

@@ -69,6 +69,7 @@
           "PkgID": "bash@4.2.46-31.el7.x86_64",
           "PkgName": "bash",
           "InstalledVersion": "4.2.46-31.el7",
+          "Status": "will_not_fix",
           "Layer": {
             "Digest": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
             "DiffID": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
@@ -118,6 +119,7 @@
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
             "DiffID": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
@@ -199,6 +201,7 @@
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
             "DiffID": "sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"

integration/testdata/cocoapods.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/cocoapods",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/cocoapods",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",

integration/testdata/composer.lock.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/composer",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/composer",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",
@@ -62,6 +62,7 @@
           "PkgName": "guzzlehttp/psr7",
           "InstalledVersion": "1.8.3",
           "FixedVersion": "1.8.4",
+          "Status": "fixed",
           "Layer": {},
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775",

integration/testdata/conan.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/conan",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/conan",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",
@@ -87,6 +87,7 @@
           "PkgName": "pcre",
           "InstalledVersion": "8.43",
           "FixedVersion": "8.45",
+          "Status": "fixed",
           "Layer": {},
           "Severity": "UNKNOWN"
         }

integration/testdata/conda-cyclonedx.json.golden

@@ -15,7 +15,7 @@
     "component": {
       "bom-ref": "cd0ebb00-5c53-4b82-a3f7-271add663c51",
       "type": "application",
-      "name": "testdata/fixtures/fs/conda",
+      "name": "testdata/fixtures/repo/conda",
       "properties": [
         {
           "name": "aquasecurity:trivy:SchemaVersion",

integration/testdata/conda-spdx.json.golden

@@ -2,8 +2,8 @@
   "spdxVersion": "SPDX-2.3",
   "dataLicense": "CC0-1.0",
   "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "testdata/fixtures/fs/conda",
-  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/fs/conda-2738b2fe-b40c-4ecb-b8ae-5b3cc4cbc004",
+  "name": "testdata/fixtures/repo/conda",
+  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-08df146c-0996-4718-8648-b2a45769ab79",
   "creationInfo": {
     "licenseListVersion": "",
     "creators": [
@@ -58,8 +58,8 @@
       "primaryPackagePurpose": "LIBRARY"
     },
     {
-      "name": "testdata/fixtures/fs/conda",
-      "SPDXID": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
+      "name": "testdata/fixtures/repo/conda",
+      "SPDXID": "SPDXRef-Filesystem-2e2426fd0f2580ef",
       "downloadLocation": "NONE",
       "copyrightText": "",
       "attributionTexts": [
@@ -95,11 +95,11 @@
   "relationships": [
     {
       "spdxElementId": "SPDXRef-DOCUMENT",
-      "relatedSpdxElement": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
+      "relatedSpdxElement": "SPDXRef-Filesystem-2e2426fd0f2580ef",
       "relationshipType": "DESCRIBES"
     },
     {
-      "spdxElementId": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
+      "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
       "relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
       "relationshipType": "CONTAINS"
     },

integration/testdata/debian-buster-ignore-unfixed.json.golden

@@ -61,6 +61,7 @@
           "PkgName": "libidn2-0",
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:4a56a430b2bac33260d6449e162017e2b23076c6411a17b46db67f5b84dde2bd",
             "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"

integration/testdata/debian-buster.json.golden

@@ -57,6 +57,7 @@
           "PkgID": "bash@5.0-4",
           "PkgName": "bash",
           "InstalledVersion": "5.0-4",
+          "Status": "affected",
           "Layer": {
             "Digest": "sha256:4a56a430b2bac33260d6449e162017e2b23076c6411a17b46db67f5b84dde2bd",
             "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
@@ -111,6 +112,7 @@
           "PkgName": "libidn2-0",
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:4a56a430b2bac33260d6449e162017e2b23076c6411a17b46db67f5b84dde2bd",
             "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"

integration/testdata/debian-stretch.json.golden

@@ -58,6 +58,7 @@
           "PkgID": "bash@4.4-5",
           "PkgName": "bash",
           "InstalledVersion": "4.4-5",
+          "Status": "end_of_life",
           "Layer": {
             "Digest": "sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e",
             "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
@@ -112,6 +113,7 @@
           "PkgName": "e2fslibs",
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e",
             "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
@@ -172,6 +174,7 @@
           "PkgName": "e2fsprogs",
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e",
             "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
@@ -232,6 +235,7 @@
           "PkgName": "libcomerr2",
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e",
             "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
@@ -292,6 +296,7 @@
           "PkgName": "libss2",
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e",
             "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"

integration/testdata/distroless-base.json.golden

@@ -56,6 +56,7 @@
           "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.0k-1~deb9u1",
+          "Status": "affected",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
@@ -129,6 +130,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
@@ -206,6 +208,7 @@
           "PkgID": "openssl@1.1.0k-1~deb9u1",
           "PkgName": "openssl",
           "InstalledVersion": "1.1.0k-1~deb9u1",
+          "Status": "affected",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
@@ -279,6 +282,7 @@
           "PkgName": "openssl",
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"

integration/testdata/distroless-python27.json.golden

@@ -73,6 +73,7 @@
           "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.0k-1~deb9u1",
+          "Status": "affected",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
@@ -146,6 +147,7 @@
           "PkgName": "libssl1.1",
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
@@ -223,6 +225,7 @@
           "PkgID": "openssl@1.1.0k-1~deb9u1",
           "PkgName": "openssl",
           "InstalledVersion": "1.1.0k-1~deb9u1",
+          "Status": "affected",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
@@ -296,6 +299,7 @@
           "PkgName": "openssl",
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e005d777a298a3529b1c8cf890883359e050cc966089ce84fea4d17b111907db",
             "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"

integration/testdata/dockerfile-custom-policies.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/custom-policy",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/custom-policy",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",

integration/testdata/dockerfile-namespace-exception.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/namespace-exception",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/namespace-exception",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",

integration/testdata/dockerfile-rule-exception.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/rule-exception",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/rule-exception",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",

integration/testdata/dockerfile.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/dockerfile",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/dockerfile",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",

integration/testdata/dockerfile_file_pattern.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/dockerfile_file_pattern",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",

integration/testdata/dotnet.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/fs/dotnet",
-  "ArtifactType": "filesystem",
+  "ArtifactName": "testdata/fixtures/repo/dotnet",
+  "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
       "architecture": "",
@@ -38,6 +38,7 @@
           "PkgName": "Newtonsoft.Json",
           "InstalledVersion": "9.0.1",
           "FixedVersion": "13.0.1",
+          "Status": "fixed",
           "Layer": {},
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr",

integration/testdata/fixtures/db/data-source.yaml

@@ -40,6 +40,11 @@
         ID: "ghsa"
         Name: "GitHub Security Advisory Erlang"
         URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aerlang"
+    - key: "go::GitHub Security Advisory Go"
+      value:
+        ID: "ghsa"
+        Name: "GitHub Security Advisory Go"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
     - key: Oracle Linux 8
       value:
         ID: "oracle-oval"
@@ -89,16 +94,6 @@
         ID: "debian"
         Name: "Debian Security Tracker"
         URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
-    - key: go::GitLab Advisory Database Community
-      value:
-        ID: "glad"
-        Name: "GitLab Advisory Database Community"
-        URL:  "https://gitlab.com/gitlab-org/advisories-community"
-    - key: go::The Go Vulnerability Database
-      value:
-        ID: "go-vulndb"
-        Name: "The Go Vulnerability Database"
-        URL:  "https://github.com/golang/vulndb"
     - key: maven::GitLab Advisory Database Community
       value:
         ID: "glad"

integration/testdata/fixtures/db/debian.yaml

@@ -5,6 +5,7 @@
         - key: CVE-2019-18276
           value:
             Severity: 1.0
+            Status: 7 # changed for test
     - bucket: openssl
       pairs:
         - key: CVE-2019-1551

integration/testdata/fixtures/db/go.yaml

@@ -1,4 +1,4 @@
-- bucket: go::The Go Vulnerability Database
+- bucket: go::GitHub Security Advisory Go
   pairs:
     - bucket: golang.org/x/text
       pairs:
@@ -8,8 +8,6 @@
               - "0.3.7"
             VulnerableVersions:
               - ">= 0, < 0.3.7"
-- bucket: go::GitLab Advisory Database Community
-  pairs:
     - bucket: github.com/docker/distribution
       pairs:
         - key: GMS-2022-20

integration/testdata/fixtures/db/redhat.yaml

@@ -18,6 +18,7 @@
                   - Severity: 1.0
                 Arches:
                   - x86_64
+                Status: 5
     - bucket: openssl
       pairs:
         - key: RHSA-2019:2304
@@ -72,4 +73,5 @@
                   - 857
                   - 858
                 Cves:
-                  - Severity: 2.0
+                  - Severity: 2.0
+                Status: 7

integration/testdata/fixtures/db/rockylinux.yaml

@@ -4,4 +4,10 @@
       pairs:
         - key: CVE-2021-3712
           value:
-            FixedVersion: 1:1.1.1k-5.el8_5
+            FixedVersion: 1:1.1.1k-5.el8_5
+            Entries:
+              - FixedVersion: "1:1.1.1k-5.el8_5"
+                Arches:
+                  - x86_64
+                VendorIds:
+                  - RLSA-2021:4647

integration/testdata/fixtures/repo/gomod/submod/go.sum

@@ -1,4 +1,5 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -7,4 +8,4 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=