chore: downgrade trivy-checks and trivy-aws

Signed-off-by: knqyf263 <knqyf263@gmail.com>

.github/CODEOWNERS

@@ -1,15 +1,22 @@
 # Global
 *   @knqyf263
 
+# SBOM/Vulnerability scanning
+pkg/dependency/  @knqyf263 @DmitriyLewen
+pkg/fanal/       @knqyf263 @DmitriyLewen
+pkg/sbom/        @knqyf263 @DmitriyLewen
+pkg/scanner/     @knqyf263 @DmitriyLewen
+
 # Misconfiguration scanning
-docs/docs/scanner/misconfiguration  @knqyf263 @simar7
-docs/docs/target/aws.md             @knqyf263 @simar7
-pkg/fanal/analyzer/config           @knqyf263 @simar7
-pkg/cloud                           @knqyf263 @simar7
+docs/docs/scanner/misconfiguration/  @simar7 @nikpivkin
+docs/docs/target/aws.md              @simar7 @nikpivkin
+pkg/fanal/analyzer/config/           @simar7 @nikpivkin
+pkg/cloud/                           @simar7 @nikpivkin
+pkg/iac/                             @simar7 @nikpivkin
 
 # Helm chart
 helm/trivy/ @chen-keinan
 
 # Kubernetes scanning
-pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
-docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263
+pkg/k8s/                         @chen-keinan
+docs/docs/target/kubernetes.md   @chen-keinan

.github/DISCUSSION_TEMPLATE/adopters.yml

@@ -7,6 +7,12 @@ body:
       label: "[Optional] How do you use Trivy?"
     validations:
       required: false
+  - type: textarea
+    id: info
+    attributes:
+      label: "[Optional] Can you provide us with a quote on your favourite part of Trivy? This may be used on the trivy.dev website, posted on Twitter (@AquaTrivy) or similar marketing material."
+    validations:
+      required: false
   - type: checkboxes
     attributes:
       label: "[Optional] Which targets are you scanning with Trivy?"
@@ -29,3 +35,13 @@ body:
         - label: "IaC issues and misconfigurations"
         - label: "Sensitive information and secrets"
         - label: "Software licenses"
+  - type: markdown
+    attributes:
+      value: |
+        ## Get in touch
+        We are always looking for 
+        * User feedback
+        * Collaboration with other companies and organisations
+        * Or just to have a chat with you about trivy. 
+        If any of this interests you or your marketing team, please reach out at: oss@aquasec.com
+        We would love to hear from you!

.github/workflows/auto-close-issue.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close issue if user does not have write or admin permissions
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             // Get the issue creator's username

.github/workflows/auto-update-labels.yaml

@@ -5,22 +5,24 @@ on:
       - 'misc/triage/labels.yaml'
     branches:
       - main
-
+env:
+  GO_VERSION: '1.22'
 jobs:
   deploy:
     name: Auto-update labels
     runs-on: ubuntu-latest
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          # cf. https://github.com/aquasecurity/trivy/pull/6711
+          go-version: ${{ env.GO_VERSION }}
 
       - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 

.github/workflows/canary.yaml

@@ -25,35 +25,35 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
 
         # Upload artifacts
       - name: Upload artifacts (trivy_Linux-64bit)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_Linux-64bit
           path: dist/trivy_*_Linux-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_Linux-ARM64)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_Linux-ARM64
           path: dist/trivy_*_Linux-ARM64.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-64bit)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_macOS-64bit
           path: dist/trivy_*_macOS-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-ARM64)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_macOS-ARM64
           path: dist/trivy_*_macOS-ARM64.tar.gz

.github/workflows/check-go-versions.yaml

@@ -1,31 +0,0 @@
-name: Check Go versions of dependencies
-on:
-  pull_request:
-    paths:
-      - 'go.mod'
-  workflow_dispatch:
-
-jobs:
-  check-go-versions:
-    name: Check Go versions of dependencies
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.0
-
-      - name: Set up Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: stable
-
-      # This workflow is a workaround before the "old stable" version becomes Go 1.21.
-      # To avoid updating dependencies that require Go 1.21, we use this workflow
-      # Example of wrong update:
-      # https://github.com/aquasecurity/trivy/discussions/5323#discussioncomment-7186321
-      - name: Check that dependencies doesn't require Go 1.21
-        run: |
-          go mod tidy
-          if grep -q "go 1.21" go.mod; then
-            echo "One of new dependencies requires Go '1.21'. Use 'go get go@1.20' to fix this."
-            exit 1
-          fi

.github/workflows/mkdocs-dev.yaml

@@ -12,15 +12,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - name: Install dependencies
         run: |
+          python -m pip install --upgrade pip setuptools wheel
           pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
           pip install -r docs/build/requirements.txt
         env:

.github/workflows/mkdocs-latest.yaml

@@ -14,15 +14,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - name: Install dependencies
         run: |
+          python -m pip install --upgrade pip setuptools wheel
           pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
           pip install -r docs/build/requirements.txt
         env:

.github/workflows/publish-chart.yaml

@@ -22,22 +22,22 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140
+        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -55,7 +55,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           fetch-depth: 0
       - name: Install chart-releaser

.github/workflows/release.yaml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
           sudo apt-get -y install rpm reprepro createrepo-c distro-info
 
       - name: Checkout trivy-repo
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo

.github/workflows/reusable-release.yaml

@@ -14,6 +14,7 @@ on:
 
 env:
   GH_USER: "aqua-bot"
+  GO_VERSION: '1.22'
 
 jobs:
   release:
@@ -27,16 +28,16 @@ jobs:
       contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Maximize build space
-        uses: easimon/maximize-build-space@v8
+        uses: easimon/maximize-build-space@v10
         with:
-          root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
           remove-android: 'true'
           remove-docker-images: 'true'
           remove-dotnet: 'true'
           remove-haskell: 'true'
 
       - name: Cosign install
-        uses: sigstore/cosign-installer@4a861528be5e691840a69536975ada1d4c30349d
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -69,14 +70,15 @@ jobs:
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
         with:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
+          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
 
       - name: Generate SBOM
         uses: CycloneDX/gh-gomod-generate-sbom@v2
@@ -90,8 +92,13 @@ jobs:
         run: |
           echo "$GPG_KEY" > gpg.key
 
+      # Create tmp dir for GoReleaser
+      - name: "create tmp dir"
+        run: |
+          mkdir tmp    
+
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
         with:
           version: v1.20.0
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -99,6 +106,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
           NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
           GPG_FILE: "gpg.key"
+          TMPDIR: "tmp"
 
       - name: "remove gpg key"
         run: |
@@ -109,7 +117,7 @@ jobs:
       # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
       - name: Build and push
         if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/amd64, linux/arm64
           file: ./Dockerfile.canary # path to Dockerfile
@@ -121,7 +129,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.2
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/roadmap.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
           field-values: Backlog
 
       # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
           field-values: Important (long-term)
 
       # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
           field-values: Important (soon)
 
       # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}

.github/workflows/scan.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
 
       - name: Run Trivy vulnerability scanner and create GitHub issues
         uses: knqyf263/trivy-issue-action@v0.0.5

.github/workflows/semantic-pr.yaml

@@ -75,6 +75,7 @@ jobs:
             dart
             swift
             bitnami
+            conda
 
             os
             lang
@@ -100,4 +101,5 @@ jobs:
             helm
             report
             db
+            parser
             deps

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v8
+    - uses: actions/stale@v9
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'

.github/workflows/test-docs.yaml

@@ -10,15 +10,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4.1.0
+      uses: actions/checkout@v4.1.4
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: 3.x
     - name: Install dependencies
       run: |
+        python -m pip install --upgrade pip setuptools wheel
         pip install -r docs/build/requirements.txt
     - name: Configure the git user
       run: |

.github/workflows/test.yaml

@@ -7,6 +7,8 @@ on:
       - 'mkdocs.yml'
       - 'LICENSE'
   merge_group:
+env:
+  GO_VERSION: '1.22'
 jobs:
   test:
     name: Test
@@ -15,13 +17,22 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v4.1.0
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 32768 # The golangci-lint uses a lot of space.
+          remove-android: "true"
+          remove-docker-images: "true"
+          remove-dotnet: "true"
+          remove-haskell: "true"
+        if: matrix.operating-system == 'ubuntu-latest'
+
+      - uses: actions/checkout@v4.1.4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: oldstable
-
+          go-version: ${{ env.GO_VERSION }}
       - name: go mod tidy
         run: |
           go mod tidy
@@ -33,10 +44,10 @@ jobs:
 
       - name: Lint
         id: lint
-        uses: golangci/golangci-lint-action@v3.7.0
+        uses: golangci/golangci-lint-action@v4.0.0
         with:
-          version: v1.54
-          args: --deadline=30m --out-format=line-number
+          version: v1.57
+          args: --timeout=30m --out-format=line-number
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
         if: matrix.operating-system == 'ubuntu-latest'
 
@@ -47,7 +58,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
           aqua_opts: ""
@@ -69,15 +80,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -88,16 +99,25 @@ jobs:
     name: K8s Integration Test
     runs-on: ubuntu-latest
     steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          remove-android: "true"
+          remove-docker-images: "true"
+          remove-dotnet: "true"
+          remove-haskell: "true"
+
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -109,15 +129,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -131,23 +151,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Maximize build space
-        uses: easimon/maximize-build-space@v8
+        uses: easimon/maximize-build-space@v10
         with:
-          root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
           remove-android: 'true'
           remove-docker-images: 'true'
           remove-dotnet: 'true'
           remove-haskell: 'true'
 
       - name: Checkout
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
       - name: Run vm integration tests
@@ -164,9 +184,9 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
     - name: Maximize build space
-      uses: easimon/maximize-build-space@v8
+      uses: easimon/maximize-build-space@v10
       with:
-        root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+        root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
         remove-android: 'true'
         remove-docker-images: 'true'
         remove-dotnet: 'true'
@@ -174,12 +194,12 @@ jobs:
       if: matrix.operating-system == 'ubuntu-latest'
 
     - name: Checkout
-      uses: actions/checkout@v4.1.0
+      uses: actions/checkout@v4.1.4
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
-        go-version-file: go.mod
+        go-version: ${{ env.GO_VERSION }}
 
     - name: Determine GoReleaser ID
       id: goreleaser_id
@@ -194,7 +214,7 @@ jobs:
         fi
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v4
+      uses: goreleaser/goreleaser-action@v5
       with:
         version: v1.20.0
         args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

.golangci.yaml

@@ -19,6 +19,7 @@ linters-settings:
     locale: US
     ignore-words:
       - licence
+      - optimise
   gosec:
     excludes:
       - G101
@@ -87,14 +88,16 @@ linters:
     - gocritic
 
 run:
-  go: '1.20'
-  skip-files:
+  go: '1.22'
+
+issues:
+  exclude-files:
     - ".*_mock.go$"
     - ".*_test.go$"
     - "integration/*"
     - "examples/*"
-
-issues:
+  exclude-dirs:
+    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
   exclude-rules:
     - linters:
         - gosec

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.4
+FROM alpine:3.19.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.18.4
+FROM alpine:3.19.1
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.20
+FROM --platform=linux/amd64 golang:1.22
 
 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
@@ -14,7 +14,7 @@ RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/down
 
 # Install Go tools
 RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
-RUN go install github.com/magefile/mage@v1.14.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
+RUN go install github.com/magefile/mage@v1.15.0
 
 ENV TRIVY_PROTOC_CONTAINER=true

README.md

@@ -78,7 +78,7 @@ https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-a
 </details>
 
 ```bash
-trivy fs --scanners vuln,secret,config myproject/
+trivy fs --scanners vuln,secret,misconfig myproject/
 ```
 
 <details>

aqua.yaml

@@ -5,6 +5,6 @@ registries:
 - type: standard
   ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
 packages:
-- name: tinygo-org/tinygo@v0.29.0
+- name: tinygo-org/tinygo@v0.31.1
 - name: WebAssembly/binaryen@version_112
 - name: magefile/mage@v1.14.0

brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg

@@ -1,56 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
-<g>
-	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
-		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
-	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
-		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
-	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
-	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
-	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
-		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
-		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
-		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
-	<g>
-		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
-			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
-		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
-			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
-		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
-			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
-		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
-			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
-		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
-			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
-			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
-		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
-			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
-			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
-		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
-		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
-		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
-			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
-		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
-			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
-			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
-	</g>
-</g>
-<g>
-	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
-	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
-	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
-		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
-	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
-		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
-		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
-</g>
-</svg>

brand/Trivy-OSS-Logo-Color-Horizontal-RGB.svg

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#031730;}
+	.st1{fill:#08B1D5;}
+	.st2{fill:#1904DA;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<g>
+			<g>
+				<g>
+					<path class="st0" d="M1437.8,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1391.75,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1419.1,216.4,1406.84,204.13,1391.75,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<g>
+					<path class="st0" d="M1746.82,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1700.77,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1728.12,216.4,1715.85,204.13,1700.77,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<path class="st0" d="M1597.76,277.55c-25.4,0-46.07-20.66-46.07-46.07v-43.22h18.71v43.22c0,15.09,12.28,27.36,27.36,27.36
+					s27.36-12.28,27.36-27.36v-43.22h18.71v43.22C1643.83,256.88,1623.16,277.55,1597.76,277.55z"/>
+			</g>
+			<g>
+				<path class="st0" d="M1494.75,185.43c-25.39,0-46.05,20.66-46.05,46.05c0,25.39,20.66,46.05,46.05,46.05l18.7-18.7h-18.7
+					c-15.08,0-27.35-12.27-27.35-27.35c0-15.08,12.27-27.35,27.35-27.35s27.35,12.27,27.35,27.35v90h18.7v-90
+					C1540.8,206.09,1520.14,185.43,1494.75,185.43z"/>
+			</g>
+		</g>
+	</g>
+	<g>
+		<g>
+			<path class="st0" d="M968.09,578.05v45.38c-30.92,0-58.76-11.12-80.72-29.55c-27.59-23.17-45.14-57.93-45.14-96.78V269.82h45.14
+				v103.14h80.72v45.68h-80.72v79.6C887.98,542.42,923.77,578.05,968.09,578.05z"/>
+			<path class="st0" d="M1128.93,372.97v45.08c-42.79,0.09-77.63,34.03-79.2,76.45v128.94h-45.21V372.96h45.21v28.59
+				C1071.24,383.73,1098.84,373.01,1128.93,372.97z"/>
+			<path class="st0" d="M1157.94,347.93v-39.5h45.14v39.5H1157.94z M1157.94,623.44V372.96h45.14v250.48H1157.94z"/>
+			<path class="st0" d="M1479.86,372.96l-125.14,250.48l-125.3-250.48h51.3l73.99,147.93l73.84-147.93H1479.86z"/>
+			<path class="st0" d="M1750.5,372.96c0,0,0,273.85,0,291.97c0,69.91-57.37,125.75-125.32,125.69
+				c-31.84,0.03-61.33-12.05-83.7-32.11l32.45-32.45c13.85,11.74,31.73,18.85,51.25,18.82c43.98,0,79.58-35.97,79.58-79.95v-69.99
+				c-21.82,18.06-49.68,28.52-79.58,28.49c-68.1,0.06-125.44-54.9-125.44-125.35c0-1.49,0-125.13,0-125.13h45.73
+				c0,0,0.02,121.79,0.02,125.13c0,43.8,35.68,80,79.69,79.96c43.98,0,79.58-35.97,79.58-79.96V372.96H1750.5z"/>
+		</g>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M463.95,358.89c0.04,0,0.08,0,0.12,0c6.43,0.01,11.75-4.93,11.75-11.36V134.47l-11.99-6.7l-11.94,6.67
+					v213.1c0,6.43,5.32,11.38,11.75,11.35C463.73,358.89,463.84,358.89,463.95,358.89z"/>
+				<path class="st2" d="M392.02,455.6L194.35,588.27v15.11l11.26,6.17L405.34,475.5c5.13-3.44,6.41-10.31,3.09-15.52
+					c-0.14-0.22-0.28-0.44-0.42-0.67C404.58,453.78,397.42,451.98,392.02,455.6z"/>
+				<path class="st3" d="M522.51,475.6l199.56,133.93l11.23-6.15v-15.14L535.83,455.71c-5.4-3.62-12.56-1.83-16,3.69
+					c-0.13,0.21-0.26,0.42-0.4,0.63C516.09,465.26,517.36,472.15,522.51,475.6z"/>
+				<path class="st0" d="M757.23,277.9V264.2l-12.26-6.85l-0.91-0.48L475.5,106.89l-11.68-6.51l-11.63,6.51L183.58,256.88
+					l-0.91,0.48l-12.25,6.85v13.69l-0.91,0.53l0.91,0.48v13.64v325.01l12.45,6.8l261.62,143.33l3.3,1.82l16.08,8.81l16.04-8.81
+					l3.3-1.82l261.62-143.33l12.4-6.8V292.55v-13.6l0.96-0.53L757.23,277.9z M476.11,744.33V502.51c0-6.59-5.39-11.98-11.98-11.97
+					l-0.18,0l-0.12,0c-6.59-0.01-11.98,5.38-11.98,11.97v241.81L205.61,609.55l-11.26-6.17v-15.11V290.06l196.06,107.42
+					c5.66,3.1,12.84,1.02,15.97-4.63l0.14-0.25c3.16-5.71,1.06-12.96-4.67-16.1L208.33,270.47l243.55-136.03l11.94-6.67l11.99,6.7
+					l243.5,136.01L525.64,376.58c-5.7,3.12-7.48,10.25-4.32,15.92c0.05,0.1,0.11,0.19,0.16,0.29c3.1,5.62,10.02,7.85,15.65,4.77
+					l196.16-107.5v298.19v15.14l-11.23,6.15L476.11,744.33z"/>
+			</g>
+			<circle class="st4" cx="463.95" cy="424.72" r="34.73"/>
+		</g>
+		<path class="st1" d="M649.35,258.97L461.77,153.83c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l187.58,105.15c5.77,3.23,7.82,10.53,4.59,16.29v0C662.41,260.15,655.12,262.2,649.35,258.97z"/>
+		<path class="st1" d="M567.15,267.09l-105.38-59.07c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l105.38,59.07c5.77,3.23,7.82,10.53,4.59,16.29l0,0C580.21,268.26,572.92,270.32,567.15,267.09z"/>
+		<path class="st1" d="M601.67,286.44L601.67,286.44c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l0,0
+			c5.77,3.23,7.82,10.53,4.59,16.29v0C614.73,287.61,607.44,289.67,601.67,286.44z"/>
+		<path class="st1" d="M497.04,283.82l-35-19.62c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l35,19.62
+			c5.77,3.23,7.82,10.53,4.59,16.29l0,0C510.1,284.99,502.8,287.05,497.04,283.82z"/>
+		<path class="st1" d="M549.85,316.05l-20.26-11.36c-5.77-3.23-7.82-10.53-4.59-16.29h0c3.23-5.77,10.53-7.82,16.29-4.59
+			l20.26,11.36c5.77,3.23,7.82,10.53,4.59,16.29v0C562.91,317.23,555.61,319.28,549.85,316.05z"/>
+	</g>
+</g>
+</svg>

brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg

@@ -1,202 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
-<g display="none">
-	<g display="inline">
-		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
-			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
-			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
-		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
-			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
-			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
-		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
-			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
-			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
-			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
-		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
-			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
-			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
-			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
-		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
-		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
-			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
-			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
-			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
-		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
-			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
-			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
-			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
-		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
-			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
-			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
-		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
-			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
-			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
-			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
-			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
-		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
-			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
-			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
-			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
-		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
-			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
-		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
-		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
-		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
-			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
-			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
-			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
-			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
-			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
-			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
-			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
-		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
-			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
-		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
-			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
-			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
-			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
-			S1255.131,432.352,1255.131,428.372z"/>
-		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
-			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
-		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
-			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
-			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
-			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
-		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
-			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
-			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
-		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
-			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
-			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
-			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
-			S1436.024,432.352,1436.024,428.372z"/>
-		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
-			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
-		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
-			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
-			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
-			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
-			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
-			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
-			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
-			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
-		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
-		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
-			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
-			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
-			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
-		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
-			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
-			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
-		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
-			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
-			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
-			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
-		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
-			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
-			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
-			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
-			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
-		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
-			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
-			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
-			"/>
-		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
-		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
-			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
-			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
-			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
-		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
-		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
-			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
-			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
-		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
-			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
-		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
-			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
-			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
-			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
-		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
-			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
-			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
-			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
-			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
-		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
-			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
-			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
-			s-11.276,3.742-13.385,9.059H849.59z"/>
-		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
-			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
-			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
-			s-11.276,3.742-13.385,9.059H899.44z"/>
-	</g>
-</g>
-<g>
-	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
-		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
-	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
-		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
-	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
-	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
-	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
-		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
-		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
-		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
-		"/>
-	<g>
-		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
-			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
-		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
-			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
-		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
-			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
-		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
-			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
-		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
-			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
-			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
-		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
-			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
-			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
-		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
-			V347.086z"/>
-		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
-			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
-		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
-			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
-		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
-			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
-			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
-	</g>
-</g>
-<g>
-	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
-		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
-	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
-		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
-	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
-		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
-	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
-		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
-		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
-</g>
-</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg

@@ -1,84 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
-<g display="none">
-	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
-		118.268,40.115 	"/>
-	<g display="inline">
-		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
-			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
-		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
-			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
-		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
-			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
-		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
-			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
-		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
-			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
-			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
-		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
-			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
-			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
-		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
-		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
-			L14.265,41.864z"/>
-		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
-			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
-		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
-			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
-			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
-	</g>
-</g>
-<g>
-	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
-		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
-	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
-		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
-	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
-	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
-	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
-		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
-		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
-		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
-	<g>
-		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
-			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
-		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
-			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
-		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
-			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
-		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
-			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
-		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
-			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
-			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
-		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
-			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
-			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
-		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
-		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
-		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
-			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
-		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
-			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
-			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
-	</g>
-</g>
-<g>
-	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
-	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
-	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
-		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
-	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
-		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
-		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
-</g>
-</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB.svg

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:#50F0FF;}
+	.st2{fill:#0744DD;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<path class="st0" d="M1421.86,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
+			c25.9,0,46.97,21.07,46.97,46.97V281.92z M1374.89,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
+			C1402.79,219.57,1390.28,207.05,1374.89,207.05z"/>
+		<path class="st0" d="M1737.06,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
+			c25.9,0,46.97,21.07,46.97,46.97V281.92z M1690.09,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
+			C1717.98,219.57,1705.47,207.05,1690.09,207.05z"/>
+		<path class="st0" d="M1585.02,281.94c-25.91,0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0,15.39,12.52,27.91,27.91,27.91
+			c15.39,0,27.91-12.52,27.91-27.91v-44.08h19.09v44.08C1632.01,260.86,1610.92,281.94,1585.02,281.94z"/>
+		<path class="st0" d="M1479.94,187.98c-25.9,0-46.97,21.07-46.97,46.97c0,25.9,21.07,46.97,46.97,46.97l19.07-19.07h-19.07
+			c-15.38,0-27.9-12.52-27.9-27.9c0-15.38,12.52-27.9,27.9-27.9c15.38,0,27.9,12.52,27.9,27.9v91.8h19.07v-91.8
+			C1526.91,209.05,1505.84,187.98,1479.94,187.98z"/>
+	</g>
+	<g>
+		<path class="st0" d="M942.76,588.45v46.29c-31.53,0-59.94-11.34-82.34-30.14c-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04
+			v105.2h82.34v46.59h-82.34v81.19C861.05,552.1,897.55,588.45,942.76,588.45z"/>
+		<path class="st0" d="M1106.82,379.26v45.98c-43.65,0.1-79.18,34.71-80.78,77.98v131.52h-46.12V379.26h46.12v29.16
+			C1047.97,390.24,1076.12,379.3,1106.82,379.26z"/>
+		<path class="st0" d="M1136.4,353.72v-40.29h46.05v40.29H1136.4z M1136.4,634.74V379.26h46.05v255.48H1136.4z"/>
+		<path class="st0" d="M1464.76,379.26l-127.64,255.48l-127.8-255.48h52.33l75.47,150.88l75.31-150.88H1464.76z"/>
+		<path class="st0" d="M1740.81,379.26c0,0,0,279.32,0,297.8c0,71.31-58.52,128.26-127.83,128.2
+			c-32.47,0.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13,11.97,32.36,19.22,52.28,19.2c44.86,0,81.17-36.69,81.17-81.55v-71.39
+			c-22.26,18.42-50.67,29.09-81.17,29.06c-69.46,0.06-127.95-56-127.95-127.85c0-1.51,0-127.64,0-127.64h46.64
+			c0,0,0.02,124.23,0.02,127.64c0,44.67,36.39,81.6,81.28,81.55c44.86,0,81.17-36.69,81.17-81.55V379.26H1740.81z"/>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M428.54,364.9c0.04,0,0.08,0,0.12,0c6.56,0.01,11.98-5.03,11.98-11.58V135.99l-12.23-6.83l-12.18,6.8
+					v217.36c0,6.56,5.43,11.61,11.98,11.58C428.32,364.9,428.43,364.9,428.54,364.9z"/>
+				<path class="st2" d="M355.18,463.55L153.55,598.87v15.41l11.49,6.29l203.73-136.73c5.23-3.51,6.53-10.52,3.15-15.84
+					c-0.14-0.23-0.29-0.45-0.43-0.68C367.99,461.7,360.68,459.86,355.18,463.55z"/>
+				<path class="st3" d="M488.27,483.95l203.55,136.61l11.45-6.28v-15.44L501.86,463.66c-5.51-3.7-12.82-1.87-16.32,3.76
+					c-0.13,0.21-0.27,0.43-0.4,0.64C481.73,473.4,483.02,480.43,488.27,483.95z"/>
+				<path class="st0" d="M727.69,282.29v-13.96l-12.5-6.98l-0.93-0.49L440.33,107.87l-11.92-6.64l-11.87,6.64L142.56,260.86
+					l-0.93,0.49l-12.5,6.98v13.96l-0.93,0.54l0.93,0.49v13.92v331.5l12.69,6.94l266.85,146.2l3.37,1.85l16.41,8.98l16.36-8.98
+					l3.37-1.85l266.85-146.2l12.65-6.94v-331.5v-13.87l0.98-0.54L727.69,282.29z M440.95,758.05V511.4c0-6.72-5.5-12.22-12.22-12.21
+					l-0.19,0l-0.13,0c-6.72-0.01-12.22,5.49-12.22,12.21v246.64L165.04,620.57l-11.49-6.29v-15.41V294.7l199.98,109.56
+					c5.77,3.16,13.1,1.04,16.28-4.72l0.14-0.26c3.22-5.83,1.08-13.22-4.76-16.42L167.81,274.72l248.42-138.75l12.18-6.8l12.23,6.83
+					l248.37,138.73L491.47,382.95c-5.81,3.18-7.63,10.45-4.41,16.24c0.05,0.1,0.11,0.2,0.16,0.29c3.16,5.73,10.22,8.01,15.96,4.86
+					L703.27,294.7v304.15v15.44l-11.45,6.28L440.95,758.05z"/>
+			</g>
+			<circle class="st4" cx="428.54" cy="432.05" r="35.42"/>
+		</g>
+		<path class="st1" d="M617.65,262.99L426.32,155.74c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
+			l191.33,107.25c5.88,3.3,7.98,10.74,4.68,16.62l0,0C630.97,264.19,623.53,266.29,617.65,262.99z"/>
+		<path class="st1" d="M533.81,271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
+			l107.48,60.25c5.88,3.3,7.98,10.74,4.68,16.62v0C547.13,272.47,539.69,274.56,533.81,271.27z"/>
+		<path class="st1" d="M569.02,291L569.02,291c-5.88-3.3-7.98-10.74-4.68-16.62l0,0c3.3-5.88,10.74-7.98,16.62-4.68v0
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C582.34,292.2,574.9,294.3,569.02,291z"/>
+		<path class="st1" d="M462.29,288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l35.7,20.01
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C475.61,289.53,468.17,291.63,462.29,288.33z"/>
+		<path class="st1" d="M516.16,321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l20.67,11.58
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C529.48,322.41,522.04,324.51,516.16,321.21z"/>
+	</g>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg

@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
-<g>
-	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
-		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
-	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
-		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
-	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
-	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
-	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
-		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
-		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
-		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
-		"/>
-	<g>
-		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
-			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
-		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
-			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
-		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
-			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
-		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
-			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
-		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
-			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
-			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
-		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
-			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
-			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
-		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
-			V347.086z"/>
-		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
-			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
-		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
-			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
-		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
-			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
-			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
-	</g>
-</g>
-<g>
-	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
-		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
-	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
-		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
-	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
-		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
-	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
-		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
-		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
-</g>
-</svg>

ci/deploy-deb.sh

@@ -5,14 +5,14 @@ UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-
 
 cd trivy-repo/deb
 
-for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
   reprepro -A arm64 remove $release trivy
 done
 
-for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
   reprepro includedeb $release ../../dist/*Linux-64bit.deb

cmd/trivy/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"os"
 
 	"golang.org/x/xerrors"
@@ -9,13 +10,18 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/plugin"
+	"github.com/aquasecurity/trivy/pkg/types"
 
 	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
 
 func main() {
 	if err := run(); err != nil {
-		log.Fatal(err)
+		var exitError *types.ExitError
+		if errors.As(err, &exitError) {
+			os.Exit(exitError.Code)
+		}
+		log.Fatal("Fatal error", log.Err(err))
 	}
 }
 
@@ -25,7 +31,7 @@ func run() error {
 		if !plugin.IsPredefined(runAsPlugin) {
 			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
 		}
-		if err := plugin.RunWithArgs(context.Background(), runAsPlugin, os.Args[1:]); err != nil {
+		if err := plugin.RunWithURL(context.Background(), runAsPlugin, plugin.RunOptions{Args: os.Args[1:]}); err != nil {
 			return xerrors.Errorf("plugin error: %w", err)
 		}
 		return nil

contrib/asff.tpl

@@ -128,7 +128,7 @@
         {
             "SchemaVersion": "2018-10-08",
             "Id": "{{ $target }}",
-            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
             "GeneratorId": "Trivy",
             "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
             "Types": [ "Sensitive Data Identifications" ],
@@ -145,7 +145,7 @@
                     "Type": "Other",
                     "Id": "{{ $target }}",
                     "Partition": "aws",
-                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
+                    "Region": "{{ env "AWS_REGION" }}",
                     "Details": {
                         "Other": {
                             "Filename": "{{ $target }}"

contrib/example_policy/basic.rego

@@ -56,3 +56,21 @@ ignore {
 	# https://cwe.mitre.org/data/definitions/352.html
 	input.CweIDs[_] == "CWE-352"
 }
+
+# Ignore a license
+ignore {
+    input.PkgName == "alpine-baselayout"
+    input.Name == "GPL-2.0"
+}
+
+# Ignore loose file license
+ignore {
+	input.Name == "AGPL-3.0"
+	input.FilePath == "/usr/share/grafana/LICENSE"
+}
+
+# Ignore secret
+ignore {
+	input.RuleID == "aws-access-key-id"
+	input.Match == "AWS_ACCESS_KEY_ID=\"********************\""
+}

contrib/gitlab.tpl

@@ -1,6 +1,29 @@
 {{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-  "version": "14.0.6",
+  "version": "15.0.7",
+  "scan": {
+    "analyzer": {
+      "id": "trivy",
+      "name": "Trivy",
+      "vendor": {
+        "name": "Aqua Security"
+      },
+      "version": "{{ appVersion }}"
+    },
+    "end_time": "{{ now | date "2006-01-02T15:04:05" }}",
+    "scanner": {
+      "id": "trivy",
+      "name": "Trivy",
+      "url": "https://github.com/aquasecurity/trivy/",
+      "vendor": {
+        "name": "Aqua Security"
+      },
+      "version": "{{ appVersion }}"
+    },
+    "start_time": "{{ now | date "2006-01-02T15:04:05" }}",
+    "status": "success",
+    "type": "container_scanning"
+  },
   "vulnerabilities": [
   {{- $t_first := true }}
   {{- range . }}
@@ -14,11 +37,8 @@
     {{- end }}
     {
       "id": "{{ .VulnerabilityID }}",
-      "category": "container_scanning",
-      "message": {{ .Title | printf "%q" }},
+      "name": {{ .Title | printf "%q" }},
       "description": {{ .Description | printf "%q" }},
-      {{- /* cve is a deprecated key, use id instead */}}
-      "cve": "{{ .VulnerabilityID }}",
       "severity": {{ if eq .Severity "UNKNOWN" -}}
                     "Unknown"
                   {{- else if eq .Severity "LOW" -}}
@@ -37,10 +57,6 @@
                   {{- else -}}
                     "No solution provided"
                   {{- end }},
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
       "location": {
         "dependency": {
           "package": {
@@ -57,8 +73,11 @@
 	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
           "type": "cve",
           "name": "{{ .VulnerabilityID }}",
-          "value": "{{ .VulnerabilityID }}",
+          "value": "{{ .VulnerabilityID }}"
+          {{- /* cf. https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/dist/container-scanning-report-format.json#L157-179 */}}
+          {{- if .PrimaryURL | regexMatch "^(https?|ftp)://.+" -}},
           "url": "{{ .PrimaryURL }}"
+          {{- end }}
         }
       ],
       "links": [
@@ -69,9 +88,13 @@
         {{- else -}}
           ,
         {{- end -}}
+        {{- if . | regexMatch "^(https?|ftp)://.+" -}}
         {
-          "url": "{{ regexFind "[^ ]+" . }}"
+          "url": "{{ . }}"
         }
+        {{- else -}}
+          {{- $l_first = true }}
+        {{- end -}}
         {{- end }}
       ]
     }

contrib/junit.tpl

@@ -14,8 +14,12 @@
         </testcase>
     {{- end }}
     </testsuite>
-{{- $failures := len .Misconfigurations }}
-    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+
+{{- if .MisconfSummary }}
+    <testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{  .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
+{{- else }}
+    <testsuite tests="0" failures="0" name="{{  .Target }}" errors="0" skipped="0" time="">
+{{- end }}
     {{- if not (eq .Type "") }}
         <properties>
             <property name="type" value="{{ .Type }}"></property>
@@ -23,7 +27,9 @@
         {{- end -}}
         {{ range .Misconfigurations }}
         <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+        {{- if (eq .Status "FAIL") }}
             <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        {{- end }}
         </testcase>
     {{- end }}
     </testsuite>

docs/build/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:8.3.9
+FROM squidfunk/mkdocs-material:9.4.6
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.

docs/build/requirements.txt

@@ -20,7 +20,7 @@ Pygments==2.12.0
 pymdown-extensions==9.5
 pyparsing==3.0.8
 python-dateutil==2.8.2
-PyYAML==6.0
+PyYAML==6.0.1
 pyyaml-env-tag==0.1
 six==1.16.0
 termcolor==1.1.0

docs/community/contribute/discussion.md

@@ -24,7 +24,7 @@ There are 4 categories:
     If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
 
 ## False detection
-Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
 Sometime these databases contain mistakes.
 
 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:

docs/community/contribute/pr.md

@@ -178,6 +178,7 @@ others:
 - helm
 - report
 - db
+- parser
 - deps
 
 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.

docs/community/principles.md

@@ -0,0 +1,53 @@
+# Trivy Project Principles
+This document outlines the guiding principles and governance framework for the Trivy project.
+
+## Core Principles
+Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core.
+All new proposals to the project must adhere to the following principles.
+
+### Static Analysis (No Runtime Required)
+Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime.
+This approach enhances security and efficiency by minimizing dependencies.
+
+### External Dependency Free (Single Binary)
+Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes.
+If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
+
+This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions.
+Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
+
+### No Setup Required
+Trivy must be ready to use immediately after installation.
+It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default.
+Such setups should only be necessary for users requiring specific customizations.
+
+Security often isn't a top priority for many organizations and can be easily deferred.
+Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
+
+### Security Focus
+Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images.
+It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
+
+Trivy serves as a tool with opinions on security, used to warn users about potential issues.
+
+### Detecting Unintended States
+Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet.
+The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
+
+## Out of Scope Features
+Aqua Security offers a premium version with several features not available in the open-source Trivy project. 
+While detailed information can be found [here][trivy-aqua], it's beneficial to highlight specific functionalities frequently inquired about:
+
+### Runtime Security
+As mentioned in [the Core Principles](#static-analysis-no-runtime-required), Trivy is a static analysis security scanner, making runtime security outside its scope.
+Runtime security needs are addressed by [Tracee][tracee] or [the commercial version of Aqua Security]().
+
+### Intentional Attacks
+As mentioned in [the Core Principles](#detecting-unintended-states), detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in [the commercial version][aqua].
+
+### User Interface
+Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
+
+[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
+[tracee]: https://github.com/aquasecurity/tracee
+[aqua]: https://www.aquasec.com/

docs/docs/advanced/air-gap.md

@@ -137,6 +137,6 @@ $ trivy conf --skip-policy-update /path/to/conf
 ```
 
 [allowlist]: ../references/troubleshooting.md
-[oras]: https://oras.land/cli/
+[oras]: https://oras.land/docs/installation
 
 [^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)

docs/docs/advanced/modules.md

@@ -328,7 +328,7 @@ Put the built binary to the module directory that is under the home directory by
 
 ```bash
 $ mkdir -p ~/.trivy/modules
-$ cp spring4shell.wasm ~/.trivy/modules
+$ cp wordpress.wasm ~/.trivy/modules
 ```
 
 ## Distribute Your Module

docs/docs/advanced/plugins.md

@@ -182,8 +182,51 @@ $ trivy myplugin
 Hello from Trivy demo plugin!
 ```
 
+## Plugin Types
+Plugins are typically intended to be used as subcommands of Trivy,
+but some plugins can be invoked as part of Trivy's built-in commands.
+Currently, the following type of plugin is experimentally supported:
+
+- Output plugins
+
+### Output Plugins
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports "output plugins" which process Trivy's output, 
+such as by transforming the output format or sending it elsewhere.
+For instance, in the case of image scanning, the output plugin can be called as follows:
+
+```shell
+$ trivy image --format json --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <image_name>
+```
+
+Since scan results are passed to the plugin via standard input, plugins must be capable of handling standard input.
+
+!!! warning
+    To avoid Trivy hanging, you need to read all data from `Stdin` before the plugin exits successfully or stops with an error.
+
+While the example passes JSON to the plugin, other formats like SBOM can also be passed (e.g., `--format cyclonedx`).
+
+If a plugin requires flags or other arguments, they can be passed using `--output-plugin-arg`.
+This is directly forwarded as arguments to the plugin.
+For example, `--output plugin=myplugin --output-plugin-arg "--foo --bar=baz"` translates to `myplugin --foo --bar=baz` in execution.
+
+An example of the output plugin is available [here](https://github.com/aquasecurity/trivy-output-plugin-count).
+It can be used as below:
+
+```shell
+# Install the plugin first
+$ trivy plugin install github.com/aquasecurity/trivy-output-plugin-count
+
+# Call the output plugin in image scanning
+$ trivy image --format json --output plugin=count --output-plugin-arg "--published-after 2023-10-01" debian:12
+```
+
 ## Example
-https://github.com/aquasecurity/trivy-plugin-kubectl
+- https://github.com/aquasecurity/trivy-plugin-kubectl
+- https://github.com/aquasecurity/trivy-output-plugin-count 
 
 [kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
 [helm]: https://helm.sh/docs/topics/plugins/

docs/docs/configuration/cache.md

@@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \
 
 [trivy-db]: ./db.md#vulnerability-database
 [trivy-java-db]: ./db.md#java-index-database
-[misconf-policies]: ../scanner/misconfiguration/policy/builtin.md
+[misconf-policies]: ../scanner/misconfiguration/check/builtin.md
 
 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files

docs/docs/configuration/db.md

@@ -54,18 +54,28 @@ $ trivy image --download-db-only
 $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
 ```
 
+!!!note
+    Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
+
+    `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
+
 ## Java Index Database
 The same options are also available for the Java index DB, which is used for scanning Java applications.
 Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
 
+!!! Note
+    In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
+
 Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
 
 ```
 $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
 ```
 
-!!! Note
-    In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
+!!!note
+    Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
+
+    `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
 
 ## Remove DBs
 The `--reset` flag removes all caches and databases.

docs/docs/configuration/filtering.md

@@ -1,81 +1,34 @@
 # Filtering
 Trivy provides various methods for filtering the results.
 
+```mermaid
+flowchart LR
+  Issues("Detected\nIssues") --> Severity
 
-## By Status
-
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |           |
-|      Secret      |           |
-|     License      |           |
-
-Trivy supports the following vulnerability statuses:
-
-- `unknown`
-- `not_affected`: this package is not affected by this vulnerability on this platform
-- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
-- `fixed`: this vulnerability is fixed on this platform
-- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
-- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
-- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
-- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
-
-Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
-These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
-
-Some statuses are supported in limited distributions.
-
-|     OS     | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
-|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
-|   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
-|    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
-| Other OSes |   ✓   |    ✓     |                     |              |              |             |
-
-
-To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.
-
-
-```bash
-$ trivy image --ignore-status affected,fixed ruby:2.4.0
+  subgraph Filtering
+    subgraph Prioritization
+        direction TB
+        Severity("By Severity") --> Status("By Status")
+    end
+    subgraph Suppression
+        Status --> Ignore("By Finding IDs")
+        Ignore --> Rego("By Rego")
+        Rego --> VEX("By VEX")
+    end
+  end
+  VEX --> Results
 ```
 
-<details>
-<summary>Result</summary>
+Similar to the functionality of filtering results, you can also limit the sub-targets for each scanner.
+For information on these settings, please refer to the scanner-specific documentation ([vulnerability](../scanner/vulnerability.md) , [misconfiguration](../scanner/misconfiguration/index.md), etc.).
 
-```
-2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
+## Prioritization
+You can filter the results by 
 
-ruby:2.4.0 (debian 8.7)
-=======================
-Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)
+- [Severity](#by-severity)
+- [Status](#by-status)
 
-┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│           Library           │  Vulnerability   │ Severity │    Status    │     Installed Version      │ Fixed Version │                            Title                             │
-├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ binutils                    │ CVE-2014-9939    │ CRITICAL │ will_not_fix │ 2.25-5                     │               │ binutils: buffer overflow in ihex.c                          │
-│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2014-9939                    │
-│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
-│                             │ CVE-2017-6969    │          │              │                            │               │ binutils: Heap-based buffer over-read in readelf when        │
-│                             │                  │          │              │                            │               │ processing corrupt RL78 binaries                             │
-│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2017-6969                    │
-│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
-...
-```
-
-</details>
-
-!!! tip
-    To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
-    It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
-    It displays "fixed" vulnerabilities only.
-
-```bash
-$ trivy image --ignore-unfixed ruby:2.4.0
-```
-
-## By Severity
+### By Severity
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -202,11 +155,125 @@ See https://avd.aquasec.com/misconfig/avd-aws-0081
 ```
 </details>
 
-## By Finding IDs
+### By Status
+
+|     Scanner      | Supported |
+|:----------------:|:---------:|
+|  Vulnerability   |     ✓     |
+| Misconfiguration |           |
+|      Secret      |           |
+|     License      |           |
+
+Trivy supports the following vulnerability statuses:
+
+- `unknown`
+- `not_affected`: this package is not affected by this vulnerability on this platform
+- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
+- `fixed`: this vulnerability is fixed on this platform
+- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
+- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
+- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
+- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
+
+Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
+These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
+
+Some statuses are supported in limited distributions.
+
+|     OS     | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
+|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
+|   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
+|    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
+| Other OSes |   ✓   |    ✓     |                     |              |              |             |
+
+
+To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.
+
+
+```bash
+$ trivy image --ignore-status affected,fixed ruby:2.4.0
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
+
+ruby:2.4.0 (debian 8.7)
+=======================
+Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)
+
+┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│           Library           │  Vulnerability   │ Severity │    Status    │     Installed Version      │ Fixed Version │                            Title                             │
+├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ binutils                    │ CVE-2014-9939    │ CRITICAL │ will_not_fix │ 2.25-5                     │               │ binutils: buffer overflow in ihex.c                          │
+│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2014-9939                    │
+│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
+│                             │ CVE-2017-6969    │          │              │                            │               │ binutils: Heap-based buffer over-read in readelf when        │
+│                             │                  │          │              │                            │               │ processing corrupt RL78 binaries                             │
+│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2017-6969                    │
+│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
+...
+```
+
+</details>
+
+!!! tip
+    To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
+    It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
+    It displays "fixed" vulnerabilities only.
+
+```bash
+$ trivy image --ignore-unfixed ruby:2.4.0
+```
+
+## Suppression
+You can filter the results by
+
+- [Finding IDs](#by-finding-ids)
+- [Rego](#by-rego)
+- [Vulnerability Exploitability Exchange (VEX)](#by-vulnerability-exploitability-exchange-vex)
+
+To show the suppressed results, use the `--show-suppressed` flag.
+
+!!! note
+    This flag is currently available only in the table format.
+
+```bash
+$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
+...
+
+Suppressed Vulnerabilities (Total: 9)
+
+┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
+│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
+├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
+│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
+├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
+│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
+├───────────────┤               │          │              │                                             │                   │
+│ libblkid1     │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ libmount1     │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ libsmartcols1 │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ libuuid1      │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ mount         │               │          │              │                                             │                   │
+├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
+│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
+├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
+│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │
+└───────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────────────────────┴───────────────────┘
+```
+
+### By Finding IDs
 
 Trivy supports the [.trivyignore](#trivyignore) and [.trivyignore.yaml](#trivyignoreyaml) ignore files.
 
-### .trivyignore
+#### .trivyignore
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -254,7 +321,7 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
-### .trivyignore.yaml
+#### .trivyignore.yaml
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -271,12 +338,13 @@ For the `.trivyignore.yaml` file, you can set ignored IDs separately for `vulner
 
 Available fields:
 
-| Field      | Required | Type                | Description                                                                                                |
-|------------|:--------:|---------------------|------------------------------------------------------------------------------------------------------------|
-| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                             |
-| paths      |          | string array        | The list of file paths to be ignored. If `paths` is not set, the ignore finding is applied to all files.   |
-| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
-| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                               |
+| Field      | Required | Type                | Description                                                                                                                                                             |
+|------------|:--------:|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                                                                                          |
+| paths[^2]  |          | string array        | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files.                                                                    |
+| purls      |          | string array        | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
+| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid.                                                              |
+| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                                                                                            |
 
 ```bash
 $ cat .trivyignore.yaml
@@ -288,6 +356,8 @@ vulnerabilities:
   - id: CVE-2023-2650
   - id: CVE-2023-3446
   - id: CVE-2023-3817
+    purls:
+      - "pkg:deb/debian/libssl1.1"
   - id: CVE-2023-29491
     expired_at: 2023-09-01
 
@@ -339,8 +409,83 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
+### By Rego
 
-## By Vulnerability Target
+|     Scanner      | Supported |
+|:----------------:|:---------:|
+|  Vulnerability   |     ✓     |
+| Misconfiguration |     ✓     |
+|      Secret      |     ✓     |
+|     License      |     ✓     |
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+[Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) is a policy language that allows you to express decision logic in a concise syntax. 
+Rego is part of the popular [Open Policy Agent (OPA)](https://www.openpolicyagent.org) CNCF project.
+For advanced filtering, Trivy allows you to use Rego language to filter vulnerabilities.
+
+Use the `--ignore-policy` flag which takes a path to a Rego file that defines the filtering policy.
+The Rego package name must be `trivy` and it must include a "rule" named `ignore` which determines if each individual scan result should be excluded (ignore=true) or not (ignore=false).
+The `input` for the evaluation is each [DetectedVulnerability](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/vulnerability.go#L9) and [DetectedMisconfiguration](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/misconfiguration.go#L6).
+
+A practical way to observe the filtering policy input in your case, is to run a scan with the `--format json` option and look at the resulting structure:
+
+```bash
+trivy image -f json centos:7
+
+...
+  "Results": [
+    {
+      "Target": "centos:7 (centos 7.9.2009)",
+      "Class": "os-pkgs",
+      "Type": "centos",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2015-5186",
+          "PkgID": "audit-libs@2.8.5-4.el7.x86_64",
+          "PkgName": "audit-libs",
+          "InstalledVersion": "2.8.5-4.el7",
+          "Layer": {
+            "Digest": "sha256:2d473b07cdd5f0912cd6f1a703352c82b512407db6b05b43f2553732b55df3bc",
+            "DiffID": "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02"
+          },
+          "SeveritySource": "redhat",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-5186",
+          "Title": "log terminal emulator escape sequences handling",
+          "Description": "Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-20"
+          ],
+...
+```
+
+Each individual Vulnerability, Misconfiguration, License and Secret (under `Results.Vulnerabilities`, `Results.Misconfigurations`, 
+`Results.Licenses`, `Results.Secrets`) is evaluated for exclusion or inclusion by the `ignore` rule.
+
+The following is a Rego ignore policy that filters out every vulnerability with a specific CWE ID (as seen in the JSON example above):
+
+```rego
+package trivy
+
+default ignore = false
+
+ignore {
+	input.CweIDs[_] == "CWE-20"
+}
+```
+
+```bash
+trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
+```
+
+For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
+More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
+
+You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
+
+### By Vulnerability Exploitability Exchange (VEX)
 |     Scanner      | Supported |
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
@@ -348,171 +493,8 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 |      Secret      |           |
 |     License      |           |
 
-Use `--vuln-type` option.
+Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
 
-```bash
-$ trivy image --vuln-type os ruby:2.4.0
-```
 
-Available values:
-
-- library
-- os
-
-<details>
-<summary>Result</summary>
-
-```bash
-2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
-2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
-2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
-2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
-2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
-2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...
-
-ruby:2.4.0 (debian 8.7)
-=======================
-Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
-
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
-|         |                  |          |                   |               | via integer overflow             |
-+         +------------------+----------+                   +---------------+----------------------------------+
-|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
-|         |                  |          |                   |               | to heap-based buffer overflow in |
-|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
-|         |                  |          |                   |               | via .gitmodules                  |
-+         +------------------+          +                   +               +----------------------------------+
-|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
-|         |                  |          |                   |               | PATH allows for commands to be   |
-|         |                  |          |                   |               | executed from...                 |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
-|         |                  |          |                   |               | transport read resulting in      |
-|         |                  |          |                   |               | out of bounds write...           |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
-|         |                  |          |                   |               | sqlite: Multiple flaws in        |
-|         |                  |          |                   |               | sqlite which can be triggered    |
-|         |                  |          |                   |               | via...                           |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
-|         |                  |          |                   |               | sparse_dump_region function in   |
-|         |                  |          |                   |               | sparse.c                         |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-```
-
-</details>
-
-## By Open Policy Agent
-
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |     ✓     |
-|      Secret      |           |
-|     License      |           |
-
-!!! warning "EXPERIMENTAL"
-    This feature might change without preserving backwards compatibility.
-
-Trivy supports Open Policy Agent (OPA) to filter vulnerabilities.
-You can specify a Rego file with `--ignore-policy` option.
-
-The Rego package name must be `trivy` and it must include a rule called `ignore` which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the `input` variable. The structure of each vulnerability input is the same as for the Trivy JSON output.  
-There is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. For more info about the helper functions, look at the library [here][helper]
-
-To get started, see the [example policy][policy].
-
-```bash
-$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
-```
-
-<details>
-<summary>Result</summary>
-
-```bash
-centos:7 (centos 7.9.2009)
-==========================
-Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
-
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                  TITLE                  |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-7.el7      |                   | pcre: buffer overflow caused            |
-|              |                  |          |                   |                   | by named forward reference              |
-|              |                  |          |                   |                   | to duplicate group number...            |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2015-8385    |
-+              +------------------+          +                   +-------------------+-----------------------------------------+
-|              | CVE-2016-3191    |          |                   |                   | pcre: workspace overflow for            |
-|              |                  |          |                   |                   | (*ACCEPT) with deeply nested            |
-|              |                  |          |                   |                   | parentheses (8.39/13, 10.22/12)         |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-3191    |
-+              +------------------+          +                   +-------------------+-----------------------------------------+
-|              | CVE-2021-27219   |          |                   | 2.56.1-9.el7_9    | glib: integer overflow in               |
-|              |                  |          |                   |                   | g_bytes_new function on                 |
-|              |                  |          |                   |                   | 64-bit platforms due to an...           |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-27219   |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-317.el7      |                   | glibc: stack guard protection bypass    |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2019-1010022 |
-+--------------+                  +          +                   +-------------------+                                         +
-| glibc-common |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-+--------------+------------------+          +-------------------+-------------------+-----------------------------------------+
-| nss          | CVE-2021-43527   |          | 3.53.1-3.el7_9    | 3.67.0-4.el7_9    | nss: Memory corruption in               |
-|              |                  |          |                   |                   | decodeECorDsaSignature with             |
-|              |                  |          |                   |                   | DSA signatures (and RSA-PSS)            |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-43527   |
-+--------------+                  +          +                   +                   +                                         +
-| nss-sysinit  |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-+--------------+                  +          +                   +                   +                                         +
-| nss-tools    |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-| openssl-libs | CVE-2020-1971    | HIGH     | 1:1.0.2k-19.el7   | 1:1.0.2k-21.el7_9 | openssl: EDIPARTYNAME                   |
-|              |                  |          |                   |                   | NULL pointer de-reference               |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2020-1971    |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-```
-
-</details>
-
-[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go
-[policy]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/contrib/example_policy
-
-## By Inline Comments
-
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |           |
-| Misconfiguration |     ✓     |
-|      Secret      |           |
-|     License      |           |
-
-Some configuration file formats (e.g. Terraform) support inline comments.
-
-In cases where trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned).
-
-The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token.
-
-For example, to filter a Vulnerability ID "AVD-GCP-0051" in a Terraform HCL file:
-
-```terraform
-#trivy:ignore:AVD-GCP-0051
-resource "google_container_cluster" "one_off_test" {
-  name     = var.cluster_name
-  location = var.region
-}
-```
-
-[^1]: license name is used as id for `.trivyignore.yaml` files
+[^1]: license name is used as id for `.trivyignore.yaml` files.
+[^2]: This doesn't work for os package licenses (e.g. apk, dpkg, rpm). For projects which manage dependencies through a dependency file (e.g. go.mod, yarn.lock) `path` should point to that particular file.

docs/docs/configuration/others.md

@@ -6,7 +6,7 @@ You can enable/disable scanners with the `--scanners` flag.
 Supported values:
 
 - vuln
-- config
+- misconfig
 - secret
 - license
  

docs/docs/configuration/reporting.md

@@ -1,6 +1,6 @@
 # Reporting
 
-## Supported Formats
+## Format
 Trivy supports the following formats:
 
 - Table
@@ -41,32 +41,32 @@ In some cases, vulnerable dependencies are not linked directly, and it requires
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
 This flag is only available with the `--format table` flag.
 
-The following packages/languages are currently supported:
+The following OS package managers are currently supported:
 
-- OS packages 
-    - apk
-    - dpkg
-    - rpm
-- Node.js 
-    - npm: package-lock.json
-    - pnpm: pnpm-lock.yaml
-    - yarn: yarn.lock
-- .NET
-    - NuGet: packages.lock.json
-- Python 
-    - Poetry: poetry.lock
-- Ruby
-    - Bundler: Gemfile.lock
-- Rust
-    - Binaries built with [cargo-auditable][cargo-auditable]
-- Go
-    - Modules: go.mod
-- PHP
-    - Composer
-- Java
-    - Maven: pom.xml
+| OS Package Managers |
+|---------------------|
+| apk                 |
+| dpkg                |
+| rpm                 |
 
-This tree is the reverse of the npm list command.
+The following languages are currently supported:
+
+| Language | File                                       |
+|----------|--------------------------------------------|
+| Node.js  | [package-lock.json][nodejs-package-lock]   |
+|          | [pnpm-lock.yaml][pnpm-lock]                |
+|          | [yarn.lock][yarn-lock]                     |
+| .NET     | [packages.lock.json][dotnet-packages-lock] |
+| Python   | [poetry.lock][poetry-lock]                 |
+| Ruby     | [Gemfile.lock][gemfile-lock]               |
+| Rust     | [cargo-auditable binaries][cargo-binaries] |
+| Go       | [go.mod][go-mod]                           |
+| PHP      | [composer.lock][composer-lock]             |
+| Java     | [pom.xml][pom-xml]                         |
+|          | [*gradle.lockfile][gradle-lockfile]        |
+| Dart     | [pubspec.lock][pubspec-lock]               |
+
+This tree is the reverse of the dependency graph.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
 
 In table output, it looks like:
@@ -374,6 +374,33 @@ $ trivy image --format template --template "@/usr/local/share/trivy/templates/ht
 ### SBOM
 See [here](../supply-chain/sbom.md) for details.
 
+## Output
+Trivy supports the following output destinations:
+
+- File
+- Plugin
+
+### File
+By specifying `--output <file_path>`, you can output the results to a file.
+Here is an example:
+
+```
+$ trivy image --format json --output result.json debian:12
+```
+
+### Plugin
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Plugins capable of receiving Trivy's results via standard input, called "output plugin", can be seamlessly invoked using the `--output` flag.
+
+```
+$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <target_name>
+```
+
+This is useful for cases where you want to convert the output into a custom format, or when you want to send the output somewhere.
+For more details, please check [here](../advanced/plugins.md#output-plugins).
+
 ## Converting
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
 
@@ -408,4 +435,17 @@ $ trivy convert --format table --severity CRITICAL result.json
 [github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
 
 [os_packages]: ../scanner/vulnerability.md#os-packages
-[language_packages]: ../scanner/vulnerability.md#language-specific-packages
+[language_packages]: ../scanner/vulnerability.md#language-specific-packages
+
+[nodejs-package-lock]: ../coverage/language/nodejs.md#npm
+[pnpm-lock]: ../coverage/language/nodejs.md#pnpm
+[yarn-lock]: ../coverage/language/nodejs.md#yarn
+[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
+[poetry-lock]: ../coverage/language/python.md#poetry
+[gemfile-lock]: ../coverage/language/ruby.md#bundler
+[go-mod]: ../coverage/language/golang.md#go-modules
+[composer-lock]: ../coverage/language/php.md#composer
+[pom-xml]: ../coverage/language/java.md#pomxml
+[gradle-lockfile]: ../coverage/language/java.md#gradlelock
+[pubspec-lock]: ../coverage/language/dart.md#dart
+[cargo-binaries]: ../coverage/language/rust.md#binaries

docs/docs/configuration/skipping.md

@@ -98,7 +98,7 @@ This will skip the file `foo` that happens to be nested under any parent(s).
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
 |      Secret      |           |
-|     License      |           |
+|     License      |   ✓[^1]   |
 
 When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
 The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
@@ -114,3 +114,6 @@ A file pattern contains the analyzer it is used for, and the pattern itself, joi
 ```
 
 The prefixes are listed [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go)
+
+
+[^1]: Only work with the [license-full](../scanner/license.md) flag)

docs/docs/coverage/iac/cloudformation.md

@@ -2,14 +2,14 @@
 Trivy supports the scanners listed in the table below.
 
 |      Scanner       | Supported |
-| :----------------: | :-------: |
+|:------------------:|:---------:|
 | [Misconfiguration] |     ✓     |
 |      [Secret]      |     ✓     |
 
 It supports the following formats.
 
 | Format | Supported |
-| :----: | :-------: |
+|:------:|:---------:|
 |  JSON  |     ✓     |
 |  YAML  |     ✓     |
 
@@ -17,8 +17,19 @@ It supports the following formats.
 Trivy recursively searches directories and scans all found CloudFormation files.
 It evaluates properties, functions, and other elements within CloudFormation files to detect misconfigurations.
 
+### Value Overrides
+You can provide `cf-params` with path to [CloudFormation Parameters] file to Trivy to scan your CloudFormation code with parameters.
+
+```bash
+trivy conf --cf-params params.json ./infrastructure/cf
+```
+
+You can check a [CloudFormation Parameters Example]
+
 ## Secret
 The secret scan is performed on plain text files, with no special treatment for CloudFormation.
 
 [Misconfiguration]: ../../scanner/misconfiguration/index.md
-[Secret]: ../../scanner/secret.md
+[Secret]: ../../scanner/secret.md
+[CloudFormation Parameters]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html
+[CloudFormation Parameters Example]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/deploy.html#supported-json-syntax

docs/docs/coverage/iac/helm.md

@@ -11,7 +11,7 @@ The following scanners are supported.
 Trivy recursively searches directories and scans all found Helm files.
 
 It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
-See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
+See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies.
 
 ### Value overrides
 There are a number of options for overriding values in Helm charts.

docs/docs/coverage/iac/index.md

@@ -8,14 +8,15 @@ Trivy scans Infrastructure as Code (IaC) files for
 
 ## Supported configurations
 
-| Config type                         | File patterns                 |
-| ----------------------------------- | ----------------------------- |
-| [Kubernetes](kubernetes.md)         | *.yml, *.yaml, *.json         |
-| [Docker](docker.md)                 | Dockerfile, Containerfile     |
-| [Terraform](terraform.md)           | *.tf, *.tf.json, *.tfvars,    |
-| [CloudFormation](cloudformation.md) | *.yml, *.yaml, *.json         |
-| [Azure ARM Template](azure-arm.md)  | *.json                        |
-| [Helm](helm.md)                     | *.yaml, *.tpl, *.tar.gz, etc. |
+| Config type                         | File patterns                                 |
+|-------------------------------------|-----------------------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                      |
+| [Docker](docker.md)                 | Dockerfile, Containerfile                     |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                  |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
+| [Azure ARM Template](azure-arm.md)  | \*.json                                       |
+| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md

docs/docs/coverage/iac/terraform.md

@@ -2,24 +2,29 @@
 Trivy supports the scanners listed in the table below.
 
 |     Scanner      | Supported |
-| :--------------: | :-------: |
+|:----------------:|:---------:|
 | Misconfiguration |     ✓     |
 |      Secret      |     ✓     |
 
 It supports the following formats:
 
-|  Format   | Supported |
-| :-------: | :-------: |
-|   JSON    |     ✓     |
-|    HCL    |     ✓     |
-| Plan JSON |     ✓     |
-
-Trivy can scan the results of `terraform plan`.
-You can scan by passing the file generated as shown below to Trivy:
+|     Format    | Supported |
+|:-------------:|:---------:|
+|     JSON      |     ✓     |
+|      HCL      |     ✓     |
+| Plan Snapshot |     ✓     |
+|   Plan JSON   |     ✓     |
 
+Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
+```bash
+terraform plan --out tfplan
+trivy conf tfplan
 ```
-$ terraform plan --out tfplan.binary
-$ terraform show -json tfplan.binary > tfplan.json
+
+To scan a Terraform Plan representation in JSON format, run the following command:
+```bash
+terraform show -json tfplan > tfplan.json
+trivy conf tfplan.json
 ```
 
 ## Misconfiguration
@@ -35,7 +40,7 @@ trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
 
 ### Exclude Downloaded Terraform Modules
 By default, downloaded modules are also scanned.
-If you don't want to scan modules downloaded into the `.terraform` directory, you can use the `--tf-exclude-downloaded-modules` flag.
+If you don't want to scan them, you can use the `--tf-exclude-downloaded-modules` flag.
 
 ```bash
 trivy conf --tf-exclude-downloaded-modules ./configs

docs/docs/coverage/kubernetes.md

@@ -10,13 +10,15 @@ Whenever Trivy scans either of these Kubernetes resources, the container image i
 When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
 
 Container image is scanned for:
+
 - Vulnerabilities
 - Misconfigurations
 - Exposed secrets
 
 Kubernetes resource definition is scanned for:
+
 - Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
 - Misconfigurations
 - Exposed secrets
 
-To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md)
+To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md).

docs/docs/coverage/language/c.md

@@ -1,23 +1,34 @@
 # C/C++
 
-Trivy supports [Conan][conan] C/C++ Package Manager.
+Trivy supports Conan C/C++ Package Manager ([v1][conanV1] and [v2][conanV2] with limitations).
 
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| Conan           |   ✓   |       ✓       |    -    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Conan           |  ✓   |       ✓       |  ✓[^1]  |
 
 The following table provides an outline of the features Trivy offers.
 
-| Package manager | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-| --------------- | -------------- | :---------------------: | :--------------: | :----------------------------------: | :------: |
-| Conan           | conan.lock[^1] |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Package manager       | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|-----------------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+| Conan (lockfile v1)   | conan.lock[^2] |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Conan (lockfile v2)   | conan.lock[^2] |            ✓ [^3]       |     Excluded     |                  -                   |    ✓     |
 
 ## Conan
 In order to detect dependencies, Trivy searches for `conan.lock`[^1].
 
-[conan]: https://docs.conan.io/1/index.html
+[conanV1]: https://docs.conan.io/1/index.html
+[conanV2]: https://docs.conan.io/2/
+
+### Licenses
+The Conan lock file doesn't contain any license information.
+To obtain licenses we parse the `conanfile.py` files from the [conan cache directory][conan-cache-dir].
+To correctly detection licenses, ensure that the cache directory contains all dependencies used.
+
+[conan-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
-[^1]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^1]: The local cache should contain the dependencies used. See [licenses](#licenses).
+[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns).
+[^3]: For `conan.lock` in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree

docs/docs/coverage/language/dart.md

@@ -13,7 +13,7 @@ The following table provides an outline of the features Trivy offers.
 
 | Package manager         | File         | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
 |-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| [Dart][dart-repository] | pubspec.lock |            ✓            |     Included     |                  -                   |    -     |
+| [Dart][dart-repository] | pubspec.lock |            ✓            |     Included     |                  ✓                   |    -     |
 
 ## Dart
 In order to detect dependencies, Trivy searches for `pubspec.lock`.
@@ -21,6 +21,11 @@ In order to detect dependencies, Trivy searches for `pubspec.lock`.
 Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options to separate root and dev transitive dependencies.
 So Trivy includes all dependencies in report.
 
+To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
+!!! note
+    Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.     
+
 [dart]: https://dart.dev/
 [dart-repository]: https://pub.dev/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[cache-directory]: https://dart.dev/tools/pub/glossary#system-cache

docs/docs/coverage/language/dotnet.md

@@ -15,6 +15,7 @@ The following table provides an outline of the features Trivy offers.
 |:---------------:|--------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
 |    .Net Core    | *.deps.json        |            ✓            |     Excluded     |                  -                   |    ✓     |
 |      NuGet      | packages.config    |            ✓            |     Excluded     |                  -                   |    -     |
+|      NuGet      | *Packages.props    |            -            |     Excluded     |                  -                   |    -     |
 |      NuGet      | packages.lock.json |            ✓            |     Included     |                  ✓                   |    ✓     |
 
 ## *.deps.json
@@ -23,6 +24,9 @@ Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from
 ## packages.config
 Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
 
+## *Packages.props
+Trivy parses `*Packages.props` files. Both legacy `Packages.props` and modern `Directory.Packages.props` are supported.
+
 ### license detection
 `packages.config` files don't have information about the licenses used.
 Trivy uses [*.nuspec][nuspec] files from [global packages folder][global-packages] to detect licenses.

docs/docs/coverage/language/golang.md

@@ -1,5 +1,9 @@
 # Go
 
+## Data Sources
+The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
+Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages.
+
 ## Features
 Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
 
@@ -12,10 +16,10 @@ The following scanners are supported.
 
 The table below provides an outline of the features Trivy offers.
 
-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |
-|----------|:-----------:|:-----------------|:----------------------------------:|
-| Modules  |      ✅      | Include          |               ✅[^2]                |
-| Binaries |      ✅      | Exclude          |                 -                  |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
+|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
+| Modules  |      ✅      | Include          |                ✅[^2]                 |   -    |
+| Binaries |      ✅      | Exclude          |                  -                   | ✅[^4]  |
 
 !!! note
     Trivy scans only dependencies of the Go project.
@@ -68,13 +72,26 @@ If there is a Go binary in your container image, Trivy automatically finds and s
 Also, you can scan your local binaries.
 
 ```
-$ trivy fs ./your_binary
+$ trivy rootfs ./your_binary
 ```
 
 !!! note
     It doesn't work with UPX-compressed binaries.
 
+#### Empty versions
+There are times when Go uses the `(devel)` version for modules/dependencies.
+
+- Only Go binaries installed using the `go install` command contain correct (semver) version for the main module. 
+  In other cases, Go uses the `(devel)` version[^3].
+- Dependencies replaced with local ones use the `(devel)` versions.
+
+In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version
+empty if it cannot do so[^5]. For the second case, the version of such packages is empty.
+
 [^1]: It doesn't require the Internet access.
 [^2]: Need to download modules to local cache beforehand
+[^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
+[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities
+[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

docs/docs/coverage/language/index.md

@@ -34,6 +34,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [.NET](dotnet.md)    | packages.lock.json                                                                         |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | packages.config                                                                            |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | .deps.json                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |
+|                      | *Packages.props[^11]                                                                       |     ✅     |     ✅      |       ✅        |       ✅        |
 | [Java](java.md)      | JAR/WAR/PAR/EAR[^4]                                                                        |     ✅     |     ✅      |       -        |       -        |
 |                      | pom.xml                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | *gradle.lockfile                                                                           |     -     |     -      |       ✅        |       ✅        |
@@ -65,3 +66,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
 [^9]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
 [^10]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^11]: `Directory.Packages.props` and  legacy `Packages.props` file names are supported

docs/docs/coverage/language/java.md

@@ -3,19 +3,19 @@ Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*
 
 Each artifact supports the following scanners:
 
-| Artifact         | SBOM  | Vulnerability | License |
-| ---------------- | :---: | :-----------: | :-----: |
-| JAR/WAR/PAR/EAR  |   ✓   |       ✓       |    -    |
-| pom.xml          |   ✓   |       ✓       |    ✓    |
-| *gradle.lockfile |   ✓   |       ✓       |    -    |
+| Artifact         | SBOM | Vulnerability | License |
+|------------------|:----:|:-------------:|:-------:|
+| JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
+| pom.xml          |  ✓   |       ✓       |    ✓    |
+| *gradle.lockfile |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |
+| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
+| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -42,11 +42,23 @@ Trivy parses your `pom.xml` file and tries to find files with dependencies from
 - relativePath field[^5]
 - local repository directory[^6].
 
-If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the [maven repository](https://repo.maven.apache.org/maven2/).
+### remote repositories
+If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the remote repositories:
+
+- [repositories from pom files][maven-pom-repos]
+- [maven central repository][maven-central]
+
+Trivy reproduces Maven's repository selection and priority:
+
+- for snapshot artifacts:
+    - check only snapshot repositories from pom files (if exists)
+- for other artifacts:
+    - check release repositories from pom files (if exists)
+    - check [maven central][maven-central]
 
 !!! Note
     Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
-    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources_1).
+    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
 
 You can disable connecting to the maven repository with the `--offline-scan` flag.
 The `--offline-scan` flag does not affect the Trivy database.
@@ -55,17 +67,43 @@ The vulnerability database will be downloaded anyway.
 !!! Warning
     Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
 
-## Gradle.lock
-`gradle.lock` files contain all necessary information about used dependencies.
-Trivy simply parses the file, extract dependencies, and finds vulnerabilities for them.
-It doesn't require the internet access.
 
-[^1]: https://github.com/aquasecurity/trivy-java-db
+### maven-invoker-plugin
+Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
+
+Trivy marks dependencies from these files as the development dependencies and skip them by default.
+If you need to show them, use the `--include-dev-deps` flag.
+
+
+## Gradle.lock
+`gradle.lock` files only contain information about used dependencies.
+
+!!!note
+    All necessary files are checked locally. Gradle file scanning doesn't require internet access.
+
+### Dependency-tree
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+Trivy finds child dependencies from `*.pom` files in the cache[^8] directory.
+
+But there is no reliable way to determine direct dependencies (even using other files).
+Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
+
+### Licenses
+Trity also can detect licenses for dependencies.
+
+Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
+
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
 [^4]: e.g. when parent pom.xml file has `../pom.xml` path
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
+[^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
+[^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
+[maven-central]: https://repo.maven.apache.org/maven2/
+[maven-pom-repos]: https://maven.apache.org/settings.html#repositories

docs/docs/coverage/language/nodejs.md

@@ -1,14 +1,15 @@
 # Node.js
 
-Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
+Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].
 
 The following scanners are supported.
 
-| Artifact | SBOM  | Vulnerability | License |
-| -------- | :---: | :-----------: | :-----: |
-| npm      |   ✓   |       ✓       |    ✓    |
-| Yarn     |   ✓   |       ✓       |    ✓    |
-| pnpm     |   ✓   |       ✓       |    -    |
+| Artifact | SBOM | Vulnerability | License |
+|----------|:----:|:-------------:|:-------:|
+| npm      |  ✓   |       ✓       |    ✓    |
+| Yarn     |  ✓   |       ✓       |    ✓    |
+| pnpm     |  ✓   |       ✓       |    -    |
+| Bun      |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -17,11 +18,12 @@ The following table provides an outline of the features Trivy offers.
 |       npm       | package-lock.json |            ✓            | [Excluded](#npm)  |                  ✓                   |    ✓     |
 |      Yarn       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
 |      pnpm       | pnpm-lock.yaml    |            ✓            |     Excluded      |                  ✓                   |    -     |
+|       Bun       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
 
 In addition, Trivy scans installed packages with `package.json`.
 
 | File         | Dependency graph | Position | License |
-| ------------ | :--------------: | :------: | :-----: |
+|--------------|:----------------:|:--------:|:-------:|
 | package.json |        -         |    -     |    ✅    |
 
 These may be enabled or disabled depending on the target.
@@ -42,7 +44,10 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 
 ### Yarn
 Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
-To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`. 
+Trivy also uses `package.json` file to handle [aliases](https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias).
+
+To exclude devDependencies and allow aliases, `package.json` also needs to be present next to `yarn.lock`.
+
 Trivy analyzes `.yarn` (Yarn 2+) or `node_modules` (Yarn Classic) folder next to the yarn.lock file to detect licenses.
 
 By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
@@ -50,6 +55,15 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
 
+!!! note
+    Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
+
+### Bun
+Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
+
+!!! note
+    `bun.lockb` is not supported.
+
 ## Packages
 Trivy parses the manifest files of installed packages in container image scanning and so on.
 
@@ -57,4 +71,7 @@ Trivy parses the manifest files of installed packages in container image scannin
 Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
 It only extracts package names, versions and licenses for those packages.
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
+
+[^1]: [yarn.lock](#bun) must be generated

docs/docs/coverage/language/python.md

@@ -40,6 +40,31 @@ See [here](./index.md) for the detail.
 Trivy parses your files generated by package managers in filesystem/repository scanning.
 
 ### pip
+Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id4) with `==` comparison operator and without `.*`.
+To convert unsupported version specifiers - use the `pip  freeze` command.
+
+```bash
+$ cat requirements.txt 
+boto3~=1.24.60
+click>=8.0
+json-fix==0.5.*
+$ pip install -r requirements.txt
+...
+$ pip freeze > requirements.txt 
+$ cat requirements.txt 
+boto3==1.24.96
+botocore==1.27.96
+click==8.1.7
+jmespath==1.0.1
+json-fix==0.5.2
+python-dateutil==2.8.2
+s3transfer==0.6.2
+setuptools==69.0.2
+six==1.16.0
+urllib3==1.26.18
+wheel==0.42.0
+```
+
 `requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies.
 Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
 

docs/docs/coverage/os/conda.md

@@ -0,0 +1,36 @@
+# Conda
+
+Trivy supports the following scanners for Conda packages.
+
+|    Scanner    | Supported |
+|:-------------:|:---------:|
+|     SBOM      |     ✓     |
+| Vulnerability |     -     |
+|    License    |   ✓[^1]   |
+
+
+## SBOM
+Trivy detects packages that have been installed with `Conda`.
+
+
+### `<package>.json`
+Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
+
+### `environment.yml`[^2]
+Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
+
+!!! note
+    License detection is currently not supported.
+
+`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
+Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
+
+!!! note
+    For dependencies in a non-Conda format, Trivy doesn't include a version of them.
+
+
+[^1]: License detection is only supported for `<package>.json` files
+[^2]: Trivy supports both `yaml` and `yml` extensions.
+
+[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
+[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs

docs/docs/coverage/os/index.md

@@ -9,23 +9,24 @@ Trivy supports operating systems for
 
 ## Supported OS
 
-| OS                                            | Supported Versions                  | Package Managers |
-|-----------------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)                     | 2.2 - 2.7, 3.0 - 3.18, edge         | apk              |
-| [Wolfi Linux](wolfi.md)                       | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)                   | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)           | 6, 7, 8                             | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]                       | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                          | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)                       | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)                     | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [CBL-Mariner](cbl-mariner.md)                 | 1.0, 2.0                            | dnf/yum/rpm      |
-| [Amazon Linux](amazon.md)                     | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)                      | 42, 15                              | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)              | 11, 12, 15                          | zypper/rpm       |
-| [Photon OS](photon.md)                        | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Debian GNU/Linux](debian.md)                 | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                           | All versions supported by Canonical | apt/dpkg         |
+| OS                                   | Supported Versions                  | Package Managers |
+|--------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)            | 2.2 - 2.7, 3.0 - 3.19, edge         | apk              |
+| [Wolfi Linux](wolfi.md)              | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)          | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)  | 6, 7, 8                             | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]              | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                 | 8, 9                                | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)              | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)            | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
+| [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
+| [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
+| [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                  | All versions supported by Canonical | apt/dpkg         |
+| [OSs with installed Conda](conda.md) | -                                   | conda            |
 
 ## Supported container images
 
@@ -42,4 +43,4 @@ Each page gives more details.
 
 [sbom]: ../../supply-chain/sbom.md
 [vuln]: ../../scanner/vulnerability.md
-[license]: ../../scanner/license.md
+[license]: ../../scanner/license.md

docs/docs/index.md

@@ -1,5 +1,5 @@
 # Docs
 
-In this section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
+In this section you can find the complete reference documentation for all the different features and settings that Trivy has to offer.
 
 👈 Please use the side-navigation on the left in order to browse the different topics.

docs/docs/references/configuration/cli/trivy.md

@@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
 * [trivy repository](trivy_repository.md)	 - Scan a repository
 * [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
-* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
+* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image

docs/docs/references/configuration/cli/trivy_aws.md

@@ -7,6 +7,7 @@
 Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
 
 The following services are supported:
+
 - accessanalyzer
 - api-gateway
 - athena
@@ -67,13 +68,18 @@ trivy aws [flags]
 ```
       --account string                    The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
       --arn string                        The AWS ARN to show results for. Useful to filter results once a scan is cached.
+      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --compliance string                 compliance report to generate (aws-cis-1.2,aws-cis-1.4)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --endpoint string                   AWS Endpoint override
       --exit-code int                     specify exit code when any security issues are found
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -81,21 +87,21 @@ trivy aws [flags]
   -h, --help                              help for aws
       --ignore-policy string              specify the Rego file path to evaluate each vulnerability
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
   -o, --output string                     output file name
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --region string                     AWS Region to scan
       --report string                     specify a report format for the output (all,summary) (default "all")
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --service strings                   Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --skip-policy-update                skip fetching rego policy updates
+      --skip-check-update                 skip fetching rego check updates
       --skip-service strings              Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --trace                             enable more verbose trace output for custom queries
       --update-cache                      Update the cache for the applicable cloud provider instead of using cached results.

docs/docs/references/configuration/cli/trivy_config.md

@@ -11,40 +11,46 @@ trivy config [flags] DIR
 ```
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --enable-modules strings            [EXPERIMENTAL] module names to enable
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-values strings               specify paths to override the Helm values.yaml files
   -h, --help                              help for config
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
   -o, --output string                     output file name
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-check-update                 skip fetching rego check updates
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
-      --skip-policy-update                skip fetching rego policy updates
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.

docs/docs/references/configuration/cli/trivy_convert.md

@@ -18,19 +18,21 @@ trivy convert [flags] RESULT_JSON
 ### Options
 
 ```
-      --compliance string      compliance report to generate
-      --dependency-tree        [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --exit-code int          specify exit code when any security issues are found
-      --exit-on-eol int        exit with the specified code when the OS reaches end of service/life
-  -f, --format string          format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-  -h, --help                   help for convert
-      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
-      --ignorefile string      specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
-  -o, --output string          output file name
-      --report string          specify a report format for the output (all,summary) (default "all")
-  -s, --severity strings       severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-  -t, --template string        output template
+      --compliance string          compliance report to generate
+      --dependency-tree            [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --exit-code int              specify exit code when any security issues are found
+      --exit-on-eol int            exit with the specified code when the OS reaches end of service/life
+  -f, --format string              format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -h, --help                       help for convert
+      --ignore-policy string       specify the Rego file path to evaluate each vulnerability
+      --ignorefile string          specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs              enabling the option will output all packages regardless of vulnerability
+  -o, --output string              output file name
+      --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
+      --report string              specify a report format for the output (all,summary) (default "all")
+  -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
+  -t, --template string            output template
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -21,12 +21,15 @@ trivy filesystem [flags] PATH
 ```
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -34,6 +37,8 @@ trivy filesystem [flags] PATH
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -45,18 +50,19 @@ trivy filesystem [flags] PATH
       --ignored-licenses strings          specify a list of license to ignore
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
+      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -65,25 +71,26 @@ trivy filesystem [flags] PATH
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
       --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
-      --slow                              scan over time with lower CPU and memory utilization
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_image.md

@@ -36,12 +36,14 @@ trivy image [flags] IMAGE_NAME
 ```
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate (docker-cis)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --docker-host string                unix domain socket path to use for docker scanning
       --download-db-only                  download/update vulnerability database but don't run a scan
@@ -51,6 +53,8 @@ trivy image [flags] IMAGE_NAME
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -61,22 +65,24 @@ trivy image [flags] IMAGE_NAME
       --ignore-unfixed                    display only fixed vulnerabilities
       --ignored-licenses strings          specify a list of license to ignore
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --image-config-scanners strings     comma-separated list of what security issues to detect on container image configurations (config,secret)
+      --image-config-scanners strings     comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
       --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --input string                      input file path instead of image name
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
+      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
       --platform string                   set platform in the form os/arch if image is multi-platform capable
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
+      --podman-host string                unix podman socket path to use for podman scanning
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -86,25 +92,25 @@ trivy image [flags] IMAGE_NAME
       --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
       --report string                     specify a format for the compliance report. (all,summary) (default "summary")
       --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
-      --slow                              scan over time with lower CPU and memory utilization
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
-      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -2,49 +2,56 @@
 
 [EXPERIMENTAL] Scan kubernetes cluster
 
+### Synopsis
+
+Default context in kube configuration will be used unless specified
+
 ```
-trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: pods, pod/NAME }
+trivy kubernetes [flags] [CONTEXT]
 ```
 
 ### Examples
 
 ```
   # cluster scanning
-  $ trivy k8s --report summary cluster
+  $ trivy k8s --report summary
 
-  # namespace scanning:
-  $ trivy k8s -n kube-system --report summary all
+  # cluster scanning with specific namespace:
+  $ trivy k8s --include-namespaces kube-system --report summary 
 
-  # resources scanning:
-  $ trivy k8s --report=summary deploy
-  $ trivy k8s --namespace=kube-system --report=summary deploy,configmaps
-
-  # resource scanning:
-  $ trivy k8s deployment/orion
+  # cluster with specific context:
+  $ trivy k8s kind-kind --report summary 
+  
+  
 
 ```
 
 ### Options
 
 ```
-  -A, --all-namespaces                    fetch resources from all cluster namespaces
+      --burst int                         specify the maximum burst for throttle (default 10)
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
-      --components strings                specify which components to scan (workload,infra) (default [workload,infra])
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
-      --context string                    specify a context to scan
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
+      --exclude-kinds strings             indicate the kinds exclude from scanning (example: node)
+      --exclude-namespaces strings        indicate the namespaces excluded from scanning (example: kube-system)
       --exclude-nodes strings             indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
       --exclude-owned                     exclude resources that have an owner reference
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,cyclonedx) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -55,20 +62,23 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --ignore-unfixed                    display only fixed vulnerabilities
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --include-kinds strings             indicate the kinds included in scanning (example: node)
+      --include-namespaces strings        indicate the namespaces included in scanning (example: kube-system)
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --kubeconfig string                 specify the kubeconfig file path to use
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-  -n, --namespace string                  specify a namespace to scan
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --no-progress                       suppress progress bar
+      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.2.1")
       --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
-      --parallel int                      number (between 1-20) of goroutines enabled for parallel scanning (default 5)
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
+      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
+      --qps float                         specify the maximum QPS to the master from this client (default 5)
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -77,23 +87,24 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --report string                     specify a report format for the output (all,summary) (default "all")
       --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners string                   comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
+      --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
       --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
-      --slow                              scan over time with lower CPU and memory utilization
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
-      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_repository.md

@@ -21,12 +21,15 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --branch string                     pass the branch name to be scanned
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
       --commit string                     pass the commit hash to be scanned
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -34,6 +37,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -45,18 +50,19 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --ignored-licenses strings          specify a list of license to ignore
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
+      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -64,26 +70,27 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
-      --slow                              scan over time with lower CPU and memory utilization
       --tag string                        pass the tag name to be scanned
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -24,11 +24,14 @@ trivy rootfs [flags] ROOTDIR
 ```
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -37,6 +40,8 @@ trivy rootfs [flags] ROOTDIR
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -47,18 +52,19 @@ trivy rootfs [flags] ROOTDIR
       --ignore-unfixed                    display only fixed vulnerabilities
       --ignored-licenses strings          specify a list of license to ignore
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
+      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
-      --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -66,25 +72,26 @@ trivy rootfs [flags] ROOTDIR
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
-      --slow                              scan over time with lower CPU and memory utilization
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -1,6 +1,6 @@
 ## trivy sbom
 
-Scan SBOM for vulnerabilities
+Scan SBOM for vulnerabilities and licenses
 
 ```
 trivy sbom [flags] SBOM_PATH
@@ -25,7 +25,7 @@ trivy sbom [flags] SBOM_PATH
       --clear-cache                 clear image caches without scanning
       --compliance string           compliance report to generate
       --custom-headers strings      custom headers in client mode
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --download-db-only            download/update vulnerability database but don't run a scan
       --download-java-db-only       download/update Java index database but don't run a scan
       --exit-code int               specify exit code when any security issues are found
@@ -36,12 +36,14 @@ trivy sbom [flags] SBOM_PATH
       --ignore-policy string        specify the Rego file path to evaluate each vulnerability
       --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
       --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
       --no-progress                 suppress progress bar
       --offline-scan                do not issue API requests to identify dependencies
   -o, --output string               output file name
+      --output-plugin-arg string    [EXPERIMENTAL] output plugin arguments
       --redis-ca string             redis ca file location, if using redis as cache backend
       --redis-cert string           redis certificate file location, if using redis as cache backend
       --redis-key string            redis key file location, if using redis as cache backend
@@ -49,13 +51,14 @@ trivy sbom [flags] SBOM_PATH
       --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                       remove all caches and database
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
       --server string               server address in client mode
   -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update              skip updating vulnerability database
       --skip-dirs strings           specify the directories or glob patterns to skip
       --skip-files strings          specify the files or glob patterns to skip
       --skip-java-db-update         skip updating Java index database
-      --slow                        scan over time with lower CPU and memory utilization
   -t, --template string             output template
       --token string                for authentication in client/server mode
       --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")

docs/docs/references/configuration/cli/trivy_server.md

@@ -23,7 +23,7 @@ trivy server [flags]
       --cache-backend string     cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration       cache TTL when using redis as cache backend
       --clear-cache              clear image caches without scanning
-      --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --download-db-only         download/update vulnerability database but don't run a scan
       --enable-modules strings   [EXPERIMENTAL] module names to enable
   -h, --help                     help for server

docs/docs/references/configuration/cli/trivy_vm.md

@@ -23,10 +23,11 @@ trivy vm [flags] VM_IMAGE
       --aws-region string                 AWS region to scan
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
       --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -35,6 +36,8 @@ trivy vm [flags] VM_IMAGE
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -44,36 +47,38 @@ trivy vm [flags] VM_IMAGE
       --ignore-status strings             comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed                    display only fixed vulnerabilities
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --include-non-failures              include successes and exceptions, available with '--scanners config'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
+      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
-      --slow                              scan over time with lower CPU and memory utilization
   -t, --template string                   output template
-      --tf-exclude-downloaded-modules     remove results for downloaded modules in .terraform folder
-      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/config-file.md

@@ -81,6 +81,15 @@ severity:
   - MEDIUM
   - HIGH
   - CRITICAL
+
+scan:
+  # Same as '--compliance'
+  # Default is empty  
+  compliance:
+
+  # Same as '--show-suppressed'
+  # Default is false  
+  show-suppressed: false
 ```
 
 ## Scan Options
@@ -106,14 +115,33 @@ scan:
 
   # Same as '--offline-scan'
   # Default is false
-  offline-scan: false
+  offline: false
 
   # Same as '--scanners'
   # Default depends on subcommand
   scanners:
     - vuln
-    - config
+    - misconfig
     - secret
+    - license
+    - 
+  # Same as '--parallel'
+  # Default is 5
+  parallel: 1
+
+  # Same as '--sbom-sources'
+  # Default is empty
+  sbom-sources: 
+    - oci
+    - rekor
+
+  # Same as '--rekor-url'
+  # Default is 'https://rekor.sigstore.dev'
+  rekor-url: https://rekor.sigstore.dev
+
+  # Same as '--include-dev-deps'
+  # Default is false
+  include-dev-deps: false
 ```
 
 ## Cache Options
@@ -130,6 +158,9 @@ cache:
 
   # Redis options
   redis:
+    # Same as '--redis-tls'
+    # Default is false
+    tls:    
     # Same as '--redis-ca'
     # Default is empty
     ca:
@@ -147,21 +178,25 @@ cache:
 
 ```yaml
 db:
+  # Same as '--no-progress'
+  # Default is false
+  no-progress: false
+  
   # Same as '--skip-db-update'
   # Default is false
   skip-update: false
 
-  # Same as '--no-progress'
-  # Default is false
-  no-progress: false
-
   # Same as '--db-repository'
-  # Default is 'ghcr.io/aquasecurity/trivy-db'
-  repository: ghcr.io/aquasecurity/trivy-db
+  # Default is 'ghcr.io/aquasecurity/trivy-db:2'
+  repository: ghcr.io/aquasecurity/trivy-db:2
+
+  # Same as '--skip-java-db-update'
+  # Default is false
+  java-skip-update: false  
 
   # Same as '--java-db-repository'
-  # Default is 'ghcr.io/aquasecurity/trivy-java-db'
-  java-repository: ghcr.io/aquasecurity/trivy-java-db
+  # Default is 'ghcr.io/aquasecurity/trivy-java-db:1'
+  java-repository: ghcr.io/aquasecurity/trivy-java-db:1
 ```
 
 ## Registry Options
@@ -196,12 +231,29 @@ image:
   
   # Same as '--platform'
   # Default is empty
-  platform: 
+  platform:
+
+  # Same as '--image-src'
+  # Default is 'docker,containerd,podman,remote'
+  source:
+    - podman
+    - docker
+      
+  # Same as '--image-config-scanners'
+  # Default is empty
+  image-config-scanners:
+    - misconfig
+    - secret      
   
   docker:
     # Same as '--docker-host'
     # Default is empty
     host: 
+  
+  podman:
+    # Same as '--podman-host'
+    # Default is empty
+    host: 
 ```
 
 ## Vulnerability Options
@@ -218,6 +270,67 @@ vulnerability:
   # Same as '--ignore-unfixed'
   # Default is false
   ignore-unfixed: false
+
+  # Same as '--ignore-unfixed'
+  # Default is empty
+  ignore-status: 
+    - end_of_life
+```
+
+## License Options
+Available with license scanning
+
+```yaml
+license:
+  # Same as '--license-full'
+  # Default is false
+  full: false
+
+  # Same as '--ignored-licenses'
+  # Default is empty
+  ignored:
+    - MPL-2.0
+    - MIT
+
+  # Same as '--license-confidence-level'
+  # Default is 0.9
+  confidenceLevel: 0.9
+
+  # Set list of forbidden licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171
+  forbidden:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of restricted licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199
+  restricted:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of reciprocal licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238
+  reciprocal:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of notice licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260
+  notice:
+    - AGPL-1.0
+    - AGPL-3.0  
+
+  # Set list of permissive licenses
+  # Default is empty
+  permissive:
+    - AGPL-1.0
+    - AGPL-3.0  
+
+  # Set list of unencumbered licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334
+  unencumbered:
+    - AGPL-1.0
+    - AGPL-3.0    
 ```
 
 ## Secret Options
@@ -233,11 +346,15 @@ secret:
 ## Rego Options
 
 ```yaml
-rego
+rego:
   # Same as '--trace'
   # Default is false
   trace: false
 
+  # Same as '--skip-policy-update'
+  # Default is false
+  skip-policy-update: false
+
   # Same as '--config-policy'
   # Default is empty
   policy:
@@ -266,37 +383,57 @@ misconfiguration:
   # Default is false
   include-non-failures: false
 
+  # Same as '--policy-bundle-repository'
+  # Default is 'ghcr.io/aquasecurity/trivy-checks:0'
+  policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0  
+  
+  # Same as '--miconfig-scanners'
+  # Default is all scanners
+  scanners:
+    - dockerfile
+    - terraform
+
   # helm value override configurations
-  # set individual values
   helm:
+    # set individual values
     set:
       - securityContext.runAsUser=10001
 
-  # set values with file
-  helm:
+    # set values with file
     values:
       - overrides.yaml
 
-  # set specific values from specific files
-  helm:
+    # set specific values from specific files
     set-file:
       - image=dev-overrides.yaml
 
-  # set as string and preserve type
-  helm:
+    # set as string and preserve type
     set-string:
       - name=true
 
+    # Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command.
+    api-versions:
+      - policy/v1/PodDisruptionBudget
+      - apps/v1/Deployment
+
+    # Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
+    kube-version: "v1.21.0"
+
   # terraform tfvars overrrides
   terraform:
     vars:
       - dev-terraform.tfvars
       - common-terraform.tfvars
   
-  # Same as '--tf-exclude-downloaded-modules'
-  # Default is false
-  terraform:
+    # Same as '--tf-exclude-downloaded-modules'
+    # Default is false
     exclude-downloaded-modules: false
+
+    # Same as '--cf-params'
+    # Default is false
+  cloudformation:
+    params:
+      - params.json
 ```
 
 ## Kubernetes Options
@@ -311,6 +448,58 @@ kubernetes:
   # Same as '--namespace'
   # Default is empty
   namespace:
+
+  # Same as '--kubeconfig'
+  # Default is empty
+  kubeconfig: ~/.kube/config2
+
+  # Same as '--components'
+  # Default is 'workload,infra'
+  components: 
+    - workload
+    - infra
+
+  # Same as '--k8s-version'
+  # Default is empty
+  k8s-version: 1.21.0
+
+  # Same as '--tolerations'
+  # Default is empty
+  tolerations:
+    - key1=value1:NoExecute
+    - key2=value2:NoSchedule
+
+  # Same as '--all-namespaces'
+  # Default is false
+  all-namespaces: false
+
+  node-collector:
+    # Same as '--node-collector-namespace'
+    # Default is 'trivy-temp'
+    namespace: ~/.kube/config2
+
+    # Same as '--node-collector-imageref'
+    # Default is 'ghcr.io/aquasecurity/node-collector:0.0.9'
+    imageref: ghcr.io/aquasecurity/node-collector:0.0.9
+
+  exclude:
+    # Same as '--exclude-owned'
+    # Default is false
+    owned: true
+
+    # Same as '--exclude-nodes'
+    # Default is empty
+    nodes:
+      - kubernetes.io/arch:arm64
+      - team:dev
+
+  # Same as '--qps'
+  # Default is 5.0
+  qps: 5.0
+
+  # Same as '--burst'
+  # Default is 10
+  burst: 10
 ```
 
 ## Repository Options
@@ -381,6 +570,35 @@ cloud:
 
     # the aws account to use (this will be determined from your environment when not set)
     account: 123456789012
+
+    # the aws specific services
+    service: 
+      - s3
+      - ec2
+        
+    # the aws specific arn
+    arn: arn:aws:s3:::example-bucket      
+
+    # skip the aws specific services
+    skip-service:
+      - s3
+      - ec2 
+```
+
+## Module Options
+Available for modules
+
+```yaml
+module:
+  # Same as '--module-dir'
+  # Default is '$HOME/.trivy/modules'
+  dir: $HOME/.trivy/modules
+
+  # Same as '--enable-modules'
+  # Default is empty
+  enable-modules: 
+    - trivy-module-spring4shell
+    - trivy-module-wordpress
 ```
 
 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

docs/docs/references/troubleshooting.md

@@ -12,6 +12,61 @@
 
 Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the ---timeout option such as `--timeout 15m`.
 
+### Unable to initialize an image scanner
+
+!!! error
+    ```bash
+    $ trivy image ...
+    ...
+    2024-01-19T08:15:33.288Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:
+	* docker error: unable to inspect the image (ContainerImageName): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
+	* containerd error: containerd socket not found: /run/containerd/containerd.sock
+	* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
+	* remote error: GET https://index.docker.io/v2/ContainerImageName: MANIFEST_UNKNOWN: manifest unknown; unknown tag=0.1
+    ```
+    
+It means Trivy is unable to find the container image in the following places:
+
+* Docker Engine
+* containerd
+* Podman
+* A remote registry
+
+Please see error messages for details of each error.
+
+Common mistakes include the following, depending on where you are pulling images from:
+
+#### Common
+- Typos in the image name
+    - Common mistake :)
+- Forgetting to specify the registry
+    - By default, it is considered to be Docker Hub ( `index.docker.io` ).
+
+#### Docker Engine
+- Incorrect Docker host
+    - If the Docker daemon's socket path is not `/var/run/docker.sock`, you need to specify the `--docker-host` flag or the `DOCKER_HOST` environment variable.
+      The same applies when using TCP; you must specify the correct host address.
+
+#### containerd
+- Incorrect containerd address
+    - If you are using a non-default path, you need to specify the `CONTAINERD_ADDRESS` environment variable.
+      Please refer to [this documentation](../target/container_image.md#containerd).
+- Incorrect namespace
+    - If you are using a non-default namespace, you need to specify the `CONTAINERD_NAMESPACE` environment variable.
+      Please refer to [this documentation](../target/container_image.md#containerd).
+    - 
+#### Podman
+- Podman socket configuration
+    - You need to enable the Podman socket. Please refer to [this documentation](../target/container_image.md#podman).
+
+#### Container Registry
+- Unauthenticated
+    - If you are using a private container registry, you need to authenticate. Please refer to [this documentation](../advanced/private-registries/index.md).
+- Using a proxy
+    - If you are using a proxy within your network, you need to correctly set the `HTTP_PROXY`, `HTTPS_PROXY`, etc., environment variables.
+- Use of a self-signed certificate in the registry
+    - Because certificate verification will fail, you need to either trust that certificate or use the `--insecure` flag (not recommended in production).
+
 ### Certification
 
 !!! error

docs/docs/scanner/license.md

@@ -22,18 +22,16 @@ Check out [the coverage document][coverage] for details.
 To enable extended license scanning, you can use `--license-full`.
 In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
 
-By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifer.
+By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier.
 To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifer. 
 
 !!! note
     The full license scanning is expensive. It takes a while.
 
-Currently, the standard license scanning doesn't support filesystem and repository scanning.
-
-|   License scanning    | Image | Rootfs | Filesystem | Repository |
-| :-------------------: | :---: | :----: | :--------: | :--------: |
-|       Standard        |   ✅   |   ✅    |     -      |     -      |
-| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |
+|   License scanning    | Image | Rootfs | Filesystem | Repository | SBOM |
+|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
+|       Standard        |   ✅   |   ✅    | ✅[^1][^2]  | ✅[^1][^2]  |  ✅   |
+| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |  -   |
 
 License checking classifies the identified licenses and map the classification to severity.
 
@@ -344,6 +342,8 @@ license:
   permissive: []
 ```
 
+[^1]: See the list of supported language files [here](../coverage/language/index.md).
+[^2]: Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check [coverage][coverage] for more information.
 
 [coverage]: ../coverage/index.md
 [google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/scanner/misconfiguration/check/builtin.md

@@ -0,0 +1,21 @@
+# Built-in Checks 
+
+## Check Sources
+Built-in checks are mainly written in [Rego][rego] and Go.
+Those checks are managed under [trivy-checks repository][trivy-checks].
+See [here](../../../coverage/iac/index.md) for the list of supported config types.
+
+For suggestions or issues regarding policy content, please open an issue under the [trivy-checks][trivy-checks] repository.
+
+## Check Distribution
+Trivy checks are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those checks are then loaded into Trivy OPA engine and used for detecting misconfigurations.
+If Trivy is unable to pull down newer checks, it will use the embedded set of checks as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
+
+## Update Interval
+Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[trivy-checks]: https://github.com/aquasecurity/trivy-checks
+[ghcr]: https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks

docs/docs/scanner/misconfiguration/check/exceptions.md

@@ -28,8 +28,6 @@ The `exception` rule must be defined under `namespace.exceptions`.
 
 This example exempts all built-in policies for Kubernetes.
 
-For more details, see [an example][ns-example].
-
 ## Rule-based exceptions
 There are some cases where you need more flexibility and granularity in defining which cases to exempt.
 Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
@@ -87,12 +85,8 @@ If you want to apply rule-based exceptions to built-in policies, you have to def
     }
     ```
 
-This exception is applied to [KSV012][ksv012] in defsec.
-You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
+This exception is applied to [KSV012][ksv012] in trivy-checks.
+You can get the package names in the [trivy-checks repository][trivy-checks] or the JSON output from Trivy.
 
-For more details, see [an example][rule-example].
-
-[ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
-[rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
-[ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
-[defsec]: https://github.com/aquasecurity/defsec/
+[ksv012]: https://github.com/aquasecurity/trivy-checks/blob/f36a5b732c4b1293a720c40baab0a7c106ea455e/checks/kubernetes/pss/restricted/3_runs_as_root.rego 
+[trivy-checks]: https://github.com/aquasecurity/trivy-checks/

docs/docs/scanner/misconfiguration/custom/index.md

@@ -14,7 +14,7 @@ As for `--namespaces` option, the detail is described as below.
 If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
 
 | File format   | File pattern                                              |
-| ------------- | --------------------------------------------------------- |
+|---------------|-----------------------------------------------------------|
 | JSON          | `*.json`                                                  |
 | YAML          | `*.yaml` and `*.yml`                                      |
 | Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
@@ -27,7 +27,7 @@ In the above general file formats, Trivy automatically identifies the following
 - CloudFormation (JSON/YAML)
 - Kubernetes (JSON/YAML)
 - Helm (YAML)
-- Terraform Plan (JSON)
+- Terraform Plan (JSON/Snapshot)
 
 This is useful for filtering inputs, as described below.
 
@@ -101,9 +101,8 @@ In this case, `user.*` will be evaluated.
 Any package prefixes such as `main` and `user` are allowed.
 
 ### Metadata
-Metadata helps enrich Trivy's scan results with useful information.
 
-The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+The check must contain a [Rego Metadata](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata) section. Trivy uses standard rego metadata to define the new policy and general information about it.
 
 Trivy supports extra fields in the `custom` section as described below.
 
@@ -125,7 +124,7 @@ schema that will be used is based on the input document type. It is recommended
 correct and do not reference incorrect properties/values.
 
 | Field name                 | Allowed values                                                    |        Default value         |     In table     |     In JSON      |
-| -------------------------- | ----------------------------------------------------------------- | :--------------------------: | :--------------: | :--------------: |
+|----------------------------|-------------------------------------------------------------------|:----------------------------:|:----------------:|:----------------:|
 | title                      | Any characters                                                    |             N/A              | :material-check: | :material-check: |
 | description                | Any characters                                                    |                              | :material-close: | :material-check: |
 | schemas.input              | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | :material-close: | :material-close: |
@@ -201,4 +200,4 @@ See [here](schema.md) for the detail.
 
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
-[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)
+[source-types]: https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go

docs/docs/scanner/misconfiguration/custom/schema.md

@@ -4,8 +4,7 @@
 Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
 enables Trivy to show more detailed error messages when an invalid input is encountered.
 
-In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json).
-Without input schemas, a policy would be as follows:
+In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json). Without input schemas, a policy would be as follows:
 
 !!! example
     ```
@@ -36,7 +35,7 @@ schema as such
     ```
 
 Here `input: schema["dockerfile"]` points to a schema that expects a valid `Dockerfile` as input. An example of this
-can be found [here](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+can be found [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json).
 
 Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.
 
@@ -50,9 +49,9 @@ Now if this policy is evaluated against, a more descriptive error will be availa
 
 Currently, out of the box the following schemas are supported natively:
 
-1. [Docker](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
-2. [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
-3. [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
+2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
+3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
 
 
 ## Custom Policies with Custom Schemas
@@ -89,4 +88,4 @@ To use such a policy with Trivy, use the `--config-policy` flag that points to t
 $ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>
 ```
 
-For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/schemas/#schema-annotations) that describes it in more detail.
+For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.

docs/docs/scanner/misconfiguration/custom/testing.md

@@ -22,7 +22,7 @@ For more details, see [Policy Testing][opa-testing].
     }
     ```
 
-To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
+To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks].
 
 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
@@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
 
 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
-[defsec]: https://github.com/aquasecurity/defsec
+[defsec]: https://github.com/aquasecurity/trivy-checks/tree/main
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal

docs/docs/scanner/misconfiguration/index.md

@@ -6,7 +6,7 @@ In addition to built-in policies, you can write your own custom policies, as you
 
 Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
 
-``` bash
+```bash
 $ trivy config [YOUR_IaC_DIRECTORY]
 ```
 
@@ -35,28 +35,28 @@ $ trivy config [YOUR_IaC_DIRECTORY]
     ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ```
 
-You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
+You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners misconfig`.
 
 ```bash
-$ trivy image --scanners config IMAGE_NAME
+$ trivy image --scanners misconfig IMAGE_NAME
 ```
 
 ```bash
-$ trivy fs --scanners config /path/to/dir
+$ trivy fs --scanners misconfig /path/to/dir
 ```
 
 !!! note
     Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
 
 Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
-You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
+You can specify `--scanners vuln,misconfig,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
 
 
 !!! example
     ``` bash
     $ ls myapp/
     Dockerfile Pipfile.lock
-    $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
+    $ trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL myapp/
     2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
     2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
     2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1
@@ -315,7 +315,18 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 This section describes misconfiguration-specific configuration.
 Other common options are documented [here](../../configuration/index.md).
 
-### Pass custom policies
+### Enabling a subset of misconfiguration scanners
+It's possible to only enable certain misconfiguration scanners if you prefer.
+You can do so by passing the `--misconfig-scanners` option.
+This flag takes a comma-separated list of configuration scanner types.
+
+```bash
+trivy config --misconfig-scanners=terraform,dockerfile .
+```
+
+Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
+
+### Passing custom policies
 You can pass policy files or directories including your custom policies through `--policy` option.
 This can be repeated for specifying multiple files or directories.
 
@@ -329,7 +340,7 @@ For more details, see [Custom Policies](./custom/index.md).
 !!! tip
 You also need to specify `--namespaces` option.
 
-### Pass custom data
+### Passing custom data
 You can pass directories including your custom data through `--data` option.
 This can be repeated for specifying multiple directories.
 
@@ -340,7 +351,7 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs
 
 For more details, see [Custom Data](./custom/data.md).
 
-### Pass namespaces
+### Passing namespaces
 By default, Trivy evaluates policies defined in `builtin.*`.
 If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
 This can be repeated for specifying multiple packages.
@@ -349,4 +360,202 @@ This can be repeated for specifying multiple packages.
 trivy conf --policy ./policy --namespaces main --namespaces user ./configs
 ```
 
-[custom]: custom/index.md
+### Private terraform registries
+Trivy can download terraform code from private registries.
+To pass credentials you must use the `TF_TOKEN_` environment variables.
+You cannot use a `.terraformrc` or `terraform.rc` file, these are not supported by trivy yet.
+
+From the terraform [docs](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials):
+
+> Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores.
+> For example, the value of a variable named `TF_TOKEN_app_terraform_io` will be used as a bearer authorization token when the CLI makes service requests to the hostname `app.terraform.io`.
+>
+> You must convert domain names containing non-ASCII characters to their punycode equivalent with an ACE prefix.
+> For example, token credentials for `例えば.com` must be set in a variable called `TF_TOKEN_xn--r8j3dr99h_com`.
+>
+> Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores.
+> For example, you can set a token for the domain name café.fr as TF_TOKEN_xn--caf-dma_fr or TF_TOKEN_xn____caf__dma_fr.
+
+If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
+
+
+### Skipping resources by inline comments
+
+Trivy supports ignoring misconfigured resources by inline comments for Terraform and CloudFormation configuration files only.
+
+In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
+
+The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from the metadata is not case-sensitive, so you can specify, for example, `AVD-AWS-0089` or `avd-aws-0089`.
+
+For example, to ignore a misconfiguration ID `AVD-GCP-0051` in a Terraform HCL file:
+
+```terraform
+#trivy:ignore:AVD-GCP-0051
+resource "google_container_cluster" "example" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
+You can add multiple ignores on the same comment line:
+```terraform
+#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
+resource "google_container_cluster" "example" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
+You can also specify a long ID, which is formed as follows: `<provider>-<service>-<short-code>`.
+
+As an example, consider the following check metadata:
+
+```yaml
+# custom:
+  # id: AVD-AWS-0089
+  # avd_id: AVD-AWS-0089
+  # provider: aws
+  # service: s3
+  # severity: LOW
+  # short_code: enable-logging
+```
+
+Long ID would look like the following: `aws-s3-enable-logging`.
+
+Example for CloudFromation:
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+#trivy:ignore:*
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: test-bucket
+```
+
+#### Expiration Date
+
+You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
+```tf
+#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10
+resource "aws_s3_bucket" "example" {
+  bucket = "test"
+}
+```
+
+The `aws-s3-enable-logging` check will be ignored until `2024-03-10` until the ignore rule expires.
+
+#### Ignoring by attributes
+
+You can ignore a resource by its attribute value. This is useful when using the `for-each` meta-argument. For example:
+
+```tf
+locals {
+  ports = ["3306", "5432"]
+}
+
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
+resource "aws_security_group_rule" "example" {
+  for_each                 = toset(local.ports)
+  type                     = "ingress"
+  from_port                = each.key
+  to_port                  = each.key
+  protocol                 = "TCP"
+  cidr_blocks              = ["0.0.0.0/0"]
+  security_group_id        = aws_security_group.example.id
+  source_security_group_id = aws_security_group.example.id
+}
+```
+
+The `aws-ec2-no-public-ingress-sgr` check will be ignored only for the `aws_security_group_rule` resource with port number `5432`. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
+
+If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
+
+```tf
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
+```
+
+You can also ignore a resource on multiple attributes:
+```tf
+locals {
+  rules = {
+    first = {
+      port = 1000
+      type = "ingress"
+    },
+    second = {
+      port = 1000
+      type = "egress"
+    }
+  }
+}
+
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]
+resource "aws_security_group_rule" "example" {
+  for_each = { for k, v in local.rules : k => v }
+
+  type                     = each.value.type
+  from_port                = each.value.port
+  to_port                  = each.value.port
+  protocol                 = "TCP"
+  cidr_blocks              = ["0.0.0.0/0"]
+  security_group_id        = aws_security_group.example.id
+  source_security_group_id = aws_security_group.example.id
+}
+```
+
+Checks can also be ignored by nested attributes, but certain restrictions apply:
+
+- You cannot access an individual block using indexes, for example when working with dynamic blocks.
+- Special variables like [each](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#the-each-object) and [count](https://developer.hashicorp.com/terraform/language/meta-arguments/count#the-count-object) cannot be accessed.
+
+```tf
+#trivy:ignore:*[logging_config.prefix=myprefix]
+resource "aws_cloudfront_distribution" "example" {
+  logging_config {
+    include_cookies = false
+    bucket          = "mylogs.s3.amazonaws.com"
+    prefix          = "myprefix"
+  }
+}
+```
+
+#### Ignoring module issues
+
+Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
+
+```tf
+#trivy:ignore:aws-s3-enable-logging
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = "my-s3-bucket"
+}
+```
+
+An example of ignoring checks for a specific bucket in a module:
+```tf
+locals {
+  bucket = ["test1", "test2"]
+}
+
+#trivy:ignore:*[bucket=test1]
+module "s3_bucket" {
+  for_each = toset(local.bucket)
+  source   = "terraform-aws-modules/s3-bucket/aws"
+  bucket   = each.value
+}
+```
+
+#### Support for Wildcards
+
+You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
+
+```tf
+# trivy:ignore:aws-s3-*:ws:dev-*
+```
+
+This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
+
+[custom]: custom/index.md

docs/docs/scanner/misconfiguration/policy/builtin.md

@@ -1,24 +0,0 @@
-# Built-in Policies
-
-## Policy Sources
-Built-in policies are mainly written in [Rego][rego] and Go.
-Those policies are managed under [defsec repository][defsec].
-See [here](../../../coverage/iac/index.md) for the list of supported config types.
-
-For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
-
-## Policy Distribution
-defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
-Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
-If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
-
-## Update Interval
-Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
-
-[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
-
-[kubernetes-policies]: https://github.com/aquasecurity/defsec/tree/master/rules/kubernetes/policies
-[docker-policies]: https://github.com/aquasecurity/defsec/tree/master/rules/docker/policies
-[defsec]: https://github.com/aquasecurity/defsec
-[ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec

docs/docs/scanner/vulnerability.md

@@ -5,7 +5,7 @@ The following packages are supported.
 
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
-- [Kubernetes components (control plane, node and addons)](#kubernetes-components-control-plane-node-and-addons)
+- [Kubernetes components (control plane, node and addons)](#kubernetes)
 
 Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
 
@@ -89,9 +89,9 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 |          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    |       ✅        |     -     |
 | Node.js  | [Ecosystem Security Working Group][nodejs]          |       ✅        |     -     |
 |          | [GitHub Advisory Database (npm)][nodejs-ghsa]       |       ✅        |     -     |
-| Java     | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
-|          | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
+| Java     | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
 | Go       | [GitHub Advisory Database (Go)][go-ghsa]            |       ✅        |     -     |
+|          | [Go Vulnerability Database][go-vulndb]              |       ✅        |     -     |
 | Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
@@ -153,6 +153,76 @@ The default is `ghcr.io/aquasecurity/trivy-java-db`.
 If authentication is required, you need to run `docker login YOUR_REGISTRY`.
 Currently, specifying a username and password is not supported.
 
+## Configuration
+This section describes vulnerability-specific configuration.
+Other common options are documented [here](../configuration/index.md).
+
+### Enabling a subset of package types
+It's possible to only enable certain package types if you prefer.
+You can do so by passing the `--vuln-type` option.
+This flag takes a comma-separated list of package types.
+
+Available values:
+
+- os
+    - Scan OS packages managed by the OS package manager (e.g. `dpkg`, `yum`, `apk`).
+- library
+    - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).
+
+```bash
+$ trivy image --vuln-type os ruby:2.4.0
+```
+
+
+<details>
+<summary>Result</summary>
+
+```bash
+2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
+2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
+2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
+2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
+2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
+2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...
+
+ruby:2.4.0 (debian 8.7)
+=======================
+Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
+
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
+|         |                  |          |                   |               | via integer overflow             |
++         +------------------+----------+                   +---------------+----------------------------------+
+|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
+|         |                  |          |                   |               | to heap-based buffer overflow in |
+|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
+|         |                  |          |                   |               | via .gitmodules                  |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
+|         |                  |          |                   |               | PATH allows for commands to be   |
+|         |                  |          |                   |               | executed from...                 |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
+|         |                  |          |                   |               | transport read resulting in      |
+|         |                  |          |                   |               | out of bounds write...           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
+|         |                  |          |                   |               | sqlite: Multiple flaws in        |
+|         |                  |          |                   |               | sqlite which can be triggered    |
+|         |                  |          |                   |               | via...                           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
+|         |                  |          |                   |               | sparse_dump_region function in   |
+|         |                  |          |                   |               | sparse.c                         |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+```
+
+</details>
+
 [^1]: https://github.com/GoogleContainerTools/distroless
 
 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
@@ -186,6 +256,7 @@ Currently, specifying a username and password is not supported.
 [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
 [swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift
 
+[go-vulndb]: https://pkg.go.dev/vuln/
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg

docs/docs/supply-chain/attestation/vuln.md

@@ -30,6 +30,7 @@ $ trivy image --format cosign-vuln --output vuln.json alpine:3.10
     },
     "result": {
       "SchemaVersion": 2,
+      "CreatedAt": 1629894030,
       "ArtifactName": "alpine:3.10",
       "ArtifactType": "container_image",
       "Metadata": {
@@ -178,13 +179,14 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
 
 ```
 $ trivy image --format cosign-vuln -o vuln.json <IMAGE>
-$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+$ cosign attest --type vuln --predicate vuln.json <IMAGE>
 ```
+This will provide a certificate in the output section.
 
-You can verify attestations.
+You can verify attestations:
 
 ```
-$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+$ cosign verify-attestation --certificate=path-to-the-certificate --type vuln --certificate-identity Email-used-to-sign  --certificate-oidc-issuer='the-issuer-used' <IMAGE>
 ```
 
 [vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md

docs/docs/supply-chain/sbom.md

@@ -217,13 +217,16 @@ $ cat result.json | jq .
   "version": 1,
   "metadata": {
     "timestamp": "2022-02-22T15:11:40.270597Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
     "component": {
       "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
       "type": "container",