chore: downgrade trivy-checks and trivy-aws

Signed-off-by: knqyf263 <knqyf263@gmail.com>
build: use main package instead of main.go (#6766 )
2025-12-18 02:09:32 -08:00 · 2024-05-24 15:30:40 +04:00 · 2024-05-24 13:26:06 +04:00 · 2024-05-24 13:25:56 +04:00 · 2024-05-24 13:24:37 +04:00 · 2024-05-24 13:23:56 +04:00
668 changed files with 23865 additions and 12789 deletions
--- a/.github/workflows/auto-update-labels.yaml
+++ b/.github/workflows/auto-update-labels.yaml
@@ -5,22 +5,24 @@ on:
      - 'misc/triage/labels.yaml'
    branches:
      - main
-
+env:
+  GO_VERSION: '1.22'
 jobs:
  deploy:
    name: Auto-update labels
    runs-on: ubuntu-latest
    steps:
      - name: Checkout main
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
+          # cf. https://github.com/aquasecurity/trivy/pull/6711
+          go-version: ${{ env.GO_VERSION }}

      - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
        with:
          aqua_version: v1.25.0

--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -25,7 +25,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          fetch-depth: 0
          persist-credentials: true
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          fetch-depth: 0
          persist-credentials: true
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -22,11 +22,11 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: v3.5.0
      - name: Set up python
@@ -55,7 +55,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          fetch-depth: 0
      - name: Install chart-releaser
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,12 +19,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
          sudo apt-get -y install rpm reprepro createrepo-c distro-info

      - name: Checkout trivy-repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          repository: ${{ github.repository_owner }}/trivy-repo
          path: trivy-repo
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -14,6 +14,7 @@ on:

 env:
  GH_USER: "aqua-bot"
+  GO_VERSION: '1.22'

 jobs:
  release:
@@ -36,7 +37,7 @@ jobs:
          remove-haskell: 'true'

      - name: Cosign install
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@@ -69,14 +70,15 @@ jobs:
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}

      - name: Checkout code
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
+          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.

      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@v2
@@ -90,6 +92,11 @@ jobs:
        run: |
          echo "$GPG_KEY" > gpg.key

+      # Create tmp dir for GoReleaser
+      - name: "create tmp dir"
+        run: |
+          mkdir tmp    
+
      - name: GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
@@ -99,6 +106,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_FILE: "gpg.key"
+          TMPDIR: "tmp"

      - name: "remove gpg key"
        run: |
@@ -121,7 +129,7 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
--- a/.github/workflows/roadmap.yaml
+++ b/.github/workflows/roadmap.yaml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
          field-values: Backlog

      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
          field-values: Important (long-term)

      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
          field-values: Important (soon)

      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.0 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4

      - name: Run Trivy vulnerability scanner and create GitHub issues
        uses: knqyf263/trivy-issue-action@v0.0.5
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -75,6 +75,7 @@ jobs:
            dart
            swift
            bitnami
+            conda

            os
            lang
--- a/.github/workflows/test-docs.yaml
+++ b/.github/workflows/test-docs.yaml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@v4.1.4
      with:
        fetch-depth: 0
        persist-credentials: true
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -7,6 +7,8 @@ on:
      - 'mkdocs.yml'
      - 'LICENSE'
  merge_group:
+env:
+  GO_VERSION: '1.22'
 jobs:
  test:
    name: Test
@@ -25,13 +27,12 @@ jobs:
          remove-haskell: "true"
        if: matrix.operating-system == 'ubuntu-latest'

-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@v4.1.4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
-
+          go-version: ${{ env.GO_VERSION }}
      - name: go mod tidy
        run: |
          go mod tidy
@@ -45,8 +46,8 @@ jobs:
        id: lint
        uses: golangci/golangci-lint-action@v4.0.0
        with:
-          version: v1.54
-          args: --deadline=30m --out-format=line-number
+          version: v1.57
+          args: --timeout=30m --out-format=line-number
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
        if: matrix.operating-system == 'ubuntu-latest'

@@ -57,7 +58,7 @@ jobs:
        if: ${{ failure() && steps.lint.conclusion == 'failure' }}

      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
        with:
          aqua_version: v1.25.0
          aqua_opts: ""
@@ -79,15 +80,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}

      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
        with:
          aqua_version: v1.25.0

@@ -108,15 +109,15 @@ jobs:
          remove-haskell: "true"

      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}

      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
        with:
          aqua_version: v1.25.0

@@ -128,15 +129,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}

      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
        with:
          aqua_version: v1.25.0

@@ -159,14 +160,14 @@ jobs:
          remove-haskell: 'true'

      - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
+          go-version: ${{ env.GO_VERSION }}
      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
        with:
          aqua_version: v1.25.0
      - name: Run vm integration tests
@@ -193,12 +194,12 @@ jobs:
      if: matrix.operating-system == 'ubuntu-latest'

    - name: Checkout
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@v4.1.4

    - name: Set up Go
      uses: actions/setup-go@v5
      with:
-        go-version-file: go.mod
+        go-version: ${{ env.GO_VERSION }}

    - name: Determine GoReleaser ID
      id: goreleaser_id
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -88,14 +88,16 @@ linters:
    - gocritic

 run:
-  go: '1.21'
-  skip-files:
+  go: '1.22'
+
+issues:
+  exclude-files:
    - ".*_mock.go$"
    - ".*_test.go$"
    - "integration/*"
    - "examples/*"
-
-issues:
+  exclude-dirs:
+    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
  exclude-rules:
    - linters:
        - gosec
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.21
+FROM --platform=linux/amd64 golang:1.22

 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
@@ -14,7 +14,7 @@ RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/down

 # Install Go tools
 RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
-RUN go install github.com/magefile/mage@v1.14.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
+RUN go install github.com/magefile/mage@v1.15.0

 ENV TRIVY_PROTOC_CONTAINER=true
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -5,6 +5,6 @@ registries:
 - type: standard
  ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
 packages:
- name: tinygo-org/tinygo@v0.29.0
+- name: tinygo-org/tinygo@v0.31.1
 - name: WebAssembly/binaryen@version_112
 - name: magefile/mage@v1.14.0
--- a/ci/deploy-deb.sh
+++ b/ci/deploy-deb.sh
@@ -5,14 +5,14 @@ UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-

 cd trivy-repo/deb

-for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Removing deb package of $release"
  reprepro -A i386 remove $release trivy
  reprepro -A amd64 remove $release trivy
  reprepro -A arm64 remove $release trivy
 done

-for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Adding deb package to $release"
  reprepro includedeb $release ../../dist/*Linux-32bit.deb
  reprepro includedeb $release ../../dist/*Linux-64bit.deb
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"errors"
 	"os"

 	"golang.org/x/xerrors"
@@ -9,13 +10,18 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/plugin"
+	"github.com/aquasecurity/trivy/pkg/types"

 	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )

 func main() {
 	if err := run(); err != nil {
-		log.Fatal(err)
+		var exitError *types.ExitError
+		if errors.As(err, &exitError) {
+			os.Exit(exitError.Code)
+		}
+		log.Fatal("Fatal error", log.Err(err))
 	}
 }

--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -137,6 +137,6 @@ $ trivy conf --skip-policy-update /path/to/conf
 ```

 [allowlist]: ../references/troubleshooting.md
-[oras]: https://oras.land/cli/
+[oras]: https://oras.land/docs/installation

 [^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)
--- a/docs/docs/configuration/cache.md
+++ b/docs/docs/configuration/cache.md
@@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \

 [trivy-db]: ./db.md#vulnerability-database
 [trivy-java-db]: ./db.md#java-index-database
-[misconf-policies]: ../scanner/misconfiguration/policy/builtin.md
+[misconf-policies]: ../scanner/misconfiguration/check/builtin.md

 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files
--- a/docs/docs/configuration/filtering.md
+++ b/docs/docs/configuration/filtering.md
@@ -237,6 +237,9 @@ You can filter the results by

 To show the suppressed results, use the `--show-suppressed` flag.

+!!! note
+    This flag is currently available only in the table format.
+
 ```bash
 $ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
 ...
--- a/docs/docs/coverage/iac/helm.md
+++ b/docs/docs/coverage/iac/helm.md
@@ -11,7 +11,7 @@ The following scanners are supported.
 Trivy recursively searches directories and scans all found Helm files.

 It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
-See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
+See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies.

 ### Value overrides
 There are a number of options for overriding values in Helm charts.
--- a/docs/docs/coverage/language/c.md
+++ b/docs/docs/coverage/language/c.md
@@ -1,23 +1,34 @@
 # C/C++

-Trivy supports [Conan][conan] C/C++ Package Manager.
+Trivy supports Conan C/C++ Package Manager ([v1][conanV1] and [v2][conanV2] with limitations).

 The following scanners are supported.

-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| Conan           |   ✓   |       ✓       |    -    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Conan           |  ✓   |       ✓       |  ✓[^1]  |

 The following table provides an outline of the features Trivy offers.

-| Package manager | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-| --------------- | -------------- | :---------------------: | :--------------: | :----------------------------------: | :------: |
-| Conan           | conan.lock[^1] |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Package manager       | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|-----------------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+| Conan (lockfile v1)   | conan.lock[^2] |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Conan (lockfile v2)   | conan.lock[^2] |            ✓ [^3]       |     Excluded     |                  -                   |    ✓     |

 ## Conan
 In order to detect dependencies, Trivy searches for `conan.lock`[^1].

-[conan]: https://docs.conan.io/1/index.html
+[conanV1]: https://docs.conan.io/1/index.html
+[conanV2]: https://docs.conan.io/2/
+
+### Licenses
+The Conan lock file doesn't contain any license information.
+To obtain licenses we parse the `conanfile.py` files from the [conan cache directory][conan-cache-dir].
+To correctly detection licenses, ensure that the cache directory contains all dependencies used.
+
+[conan-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

-[^1]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^1]: The local cache should contain the dependencies used. See [licenses](#licenses).
+[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns).
+[^3]: For `conan.lock` in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree
--- a/docs/docs/coverage/language/golang.md
+++ b/docs/docs/coverage/language/golang.md
@@ -1,5 +1,9 @@
 # Go

+## Data Sources
+The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
+Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages.
+
 ## Features
 Trivy supports two types of Go scanning, Go Modules and binaries built by Go.

@@ -12,10 +16,10 @@ The following scanners are supported.

 The table below provides an outline of the features Trivy offers.

-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |
-|----------|:-----------:|:-----------------|:----------------------------------:|
-| Modules  |      ✅      | Include          |               ✅[^2]                |
-| Binaries |      ✅      | Exclude          |                 -                  |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
+|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
+| Modules  |      ✅      | Include          |                ✅[^2]                 |   -    |
+| Binaries |      ✅      | Exclude          |                  -                   | ✅[^4]  |

 !!! note
    Trivy scans only dependencies of the Go project.
@@ -74,7 +78,20 @@ $ trivy rootfs ./your_binary
 !!! note
    It doesn't work with UPX-compressed binaries.

+#### Empty versions
+There are times when Go uses the `(devel)` version for modules/dependencies.
+
+- Only Go binaries installed using the `go install` command contain correct (semver) version for the main module. 
+  In other cases, Go uses the `(devel)` version[^3].
+- Dependencies replaced with local ones use the `(devel)` versions.
+
+In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version
+empty if it cannot do so[^5]. For the second case, the version of such packages is empty.
+
 [^1]: It doesn't require the Internet access.
 [^2]: Need to download modules to local cache beforehand
+[^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
+[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities
+[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604

-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -42,7 +42,19 @@ Trivy parses your `pom.xml` file and tries to find files with dependencies from
 - relativePath field[^5]
 - local repository directory[^6].

-If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the [maven repository](https://repo.maven.apache.org/maven2/).
+### remote repositories
+If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the remote repositories:
+
+- [repositories from pom files][maven-pom-repos]
+- [maven central repository][maven-central]
+
+Trivy reproduces Maven's repository selection and priority:
+
+- for snapshot artifacts:
+    - check only snapshot repositories from pom files (if exists)
+- for other artifacts:
+    - check release repositories from pom files (if exists)
+    - check [maven central][maven-central]

 !!! Note
    Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
@@ -92,4 +104,6 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
 [^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).

 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
+[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
+[maven-central]: https://repo.maven.apache.org/maven2/
+[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
--- a/docs/docs/coverage/language/nodejs.md
+++ b/docs/docs/coverage/language/nodejs.md
@@ -55,6 +55,9 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.

+!!! note
+    Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
+
 ### Bun
 Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.

@@ -69,5 +72,6 @@ Trivy searches for `package.json` files under `node_modules` and identifies inst
 It only extracts package names, versions and licenses for those packages.

 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md

 [^1]: [yarn.lock](#bun) must be generated
--- a/docs/docs/coverage/os/conda.md
+++ b/docs/docs/coverage/os/conda.md
@@ -0,0 +1,36 @@
+# Conda
+
+Trivy supports the following scanners for Conda packages.
+
+|    Scanner    | Supported |
+|:-------------:|:---------:|
+|     SBOM      |     ✓     |
+| Vulnerability |     -     |
+|    License    |   ✓[^1]   |
+
+
+## SBOM
+Trivy detects packages that have been installed with `Conda`.
+
+
+### `<package>.json`
+Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
+
+### `environment.yml`[^2]
+Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
+
+!!! note
+    License detection is currently not supported.
+
+`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
+Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
+
+!!! note
+    For dependencies in a non-Conda format, Trivy doesn't include a version of them.
+
+
+[^1]: License detection is only supported for `<package>.json` files
+[^2]: Trivy supports both `yaml` and `yml` extensions.
+
+[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
+[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -9,23 +9,24 @@ Trivy supports operating systems for

 ## Supported OS

-| OS                                            | Supported Versions                  | Package Managers |
-|-----------------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)                     | 2.2 - 2.7, 3.0 - 3.19, edge         | apk              |
-| [Wolfi Linux](wolfi.md)                       | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)                   | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)           | 6, 7, 8                             | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]                       | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                          | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)                       | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)                     | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [CBL-Mariner](cbl-mariner.md)                 | 1.0, 2.0                            | dnf/yum/rpm      |
-| [Amazon Linux](amazon.md)                     | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)                      | 42, 15                              | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)              | 11, 12, 15                          | zypper/rpm       |
-| [Photon OS](photon.md)                        | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Debian GNU/Linux](debian.md)                 | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                           | All versions supported by Canonical | apt/dpkg         |
+| OS                                   | Supported Versions                  | Package Managers |
+|--------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)            | 2.2 - 2.7, 3.0 - 3.19, edge         | apk              |
+| [Wolfi Linux](wolfi.md)              | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)          | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)  | 6, 7, 8                             | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]              | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                 | 8, 9                                | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)              | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)            | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
+| [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
+| [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
+| [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                  | All versions supported by Canonical | apt/dpkg         |
+| [OSs with installed Conda](conda.md) | -                                   | conda            |

 ## Supported container images

--- a/docs/docs/references/configuration/cli/trivy_aws.md
+++ b/docs/docs/references/configuration/cli/trivy_aws.md
@@ -69,13 +69,17 @@ trivy aws [flags]
      --account string                    The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
      --arn string                        The AWS ARN to show results for. Useful to filter results once a scan is cached.
      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --compliance string                 compliance report to generate (aws-cis-1.2,aws-cis-1.4)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --endpoint string                   AWS Endpoint override
      --exit-code int                     specify exit code when any security issues are found
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -85,18 +89,16 @@ trivy aws [flags]
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --region string                     AWS Region to scan
      --report string                     specify a report format for the output (all,summary) (default "all")
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --service strings                   Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --skip-policy-update                skip fetching rego policy updates
+      --skip-check-update                 skip fetching rego check updates
      --skip-service strings              Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -12,14 +12,18 @@ trivy config [flags] DIR
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --enable-modules strings            [EXPERIMENTAL] module names to enable
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -34,19 +38,17 @@ trivy config [flags] DIR
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --report string                     specify a compliance report format for the output (all,summary) (default "all")
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-check-update                 skip fetching rego check updates
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
-      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -22,10 +22,12 @@ trivy filesystem [flags] PATH
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -35,6 +37,8 @@ trivy filesystem [flags] PATH
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -59,8 +63,6 @@ trivy filesystem [flags] PATH
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -69,18 +71,18 @@ trivy filesystem [flags] PATH
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --report string                     specify a compliance report format for the output (all,summary) (default "all")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -36,10 +36,12 @@ trivy image [flags] IMAGE_NAME
 ```
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate (docker-cis)
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -51,6 +53,8 @@ trivy image [flags] IMAGE_NAME
      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -79,8 +83,6 @@ trivy image [flags] IMAGE_NAME
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --platform string                   set platform in the form os/arch if image is multi-platform capable
      --podman-host string                unix podman socket path to use for podman scanning
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -90,18 +92,18 @@ trivy image [flags] IMAGE_NAME
      --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
      --report string                     specify a format for the compliance report. (all,summary) (default "summary")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -2,50 +2,56 @@

 [EXPERIMENTAL] Scan kubernetes cluster

+### Synopsis
+
+Default context in kube configuration will be used unless specified
+
 ```
-trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: pods, pod/NAME }
+trivy kubernetes [flags] [CONTEXT]
 ```

 ### Examples

 ```
  # cluster scanning
-  $ trivy k8s --report summary cluster
+  $ trivy k8s --report summary

-  # namespace scanning:
-  $ trivy k8s -n kube-system --report summary all
+  # cluster scanning with specific namespace:
+  $ trivy k8s --include-namespaces kube-system --report summary 

-  # resources scanning:
-  $ trivy k8s --report=summary deploy
-  $ trivy k8s --namespace=kube-system --report=summary deploy,configmaps
-
-  # resource scanning:
-  $ trivy k8s deployment/orion
+  # cluster with specific context:
+  $ trivy k8s kind-kind --report summary 
+  
+  

 ```

 ### Options

 ```
-  -A, --all-namespaces                    fetch resources from all cluster namespaces
      --burst int                         specify the maximum burst for throttle (default 10)
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
-      --components strings                specify which components to scan (workload,infra) (default [workload,infra])
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
-      --context string                    specify a context to scan
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
+      --exclude-kinds strings             indicate the kinds exclude from scanning (example: node)
+      --exclude-namespaces strings        indicate the namespaces excluded from scanning (example: kube-system)
      --exclude-nodes strings             indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
      --exclude-owned                     exclude resources that have an owner reference
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,cyclonedx) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -56,23 +62,22 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
+      --include-kinds strings             indicate the kinds included in scanning (example: node)
+      --include-namespaces strings        indicate the namespaces included in scanning (example: kube-system)
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
      --kubeconfig string                 specify the kubeconfig file path to use
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-  -n, --namespace string                  specify a namespace to scan
      --no-progress                       suppress progress bar
-      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.0.9")
+      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.2.1")
      --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
      --offline-scan                      do not issue API requests to identify dependencies
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --qps float                         specify the maximum QPS to the master from this client (default 5)
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -82,17 +87,18 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --report string                     specify a report format for the output (all,summary) (default "all")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
+      --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
      --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -22,10 +22,12 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --commit string                     pass the commit hash to be scanned
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -35,6 +37,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -59,8 +63,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -68,18 +70,18 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
      --tag string                        pass the tag name to be scanned
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -25,9 +25,11 @@ trivy rootfs [flags] ROOTDIR
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
+      --check-namespaces strings          Rego namespaces
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
-      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
+      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
      --custom-headers strings            custom headers in client mode
      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -38,6 +40,8 @@ trivy rootfs [flags] ROOTDIR
      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -61,8 +65,6 @@ trivy rootfs [flags] ROOTDIR
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
-      --policy-namespaces strings         Rego namespaces
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -70,18 +72,18 @@ trivy rootfs [flags] ROOTDIR
      --registry-token string             registry token
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
      --server string                     server address in client mode
  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-check-update                 skip fetching rego check updates
      --skip-db-update                    skip updating vulnerability database
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
-      --skip-policy-update                skip fetching rego policy updates
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -23,6 +23,7 @@ trivy vm [flags] VM_IMAGE
      --aws-region string                 AWS region to scan
      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
      --clear-cache                       clear image caches without scanning
      --compliance string                 compliance report to generate
      --custom-headers strings            custom headers in client mode
@@ -35,6 +36,8 @@ trivy vm [flags] VM_IMAGE
      --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
      --file-patterns strings             specify config file patterns
  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -54,14 +57,13 @@ trivy vm [flags] VM_IMAGE
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --reset                             remove all caches and database
-      --reset-policy-bundle               remove policy bundle
+      --reset-checks-bundle               remove checks bundle
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -81,6 +81,15 @@ severity:
  - MEDIUM
  - HIGH
  - CRITICAL
+
+scan:
+  # Same as '--compliance'
+  # Default is empty  
+  compliance:
+
+  # Same as '--show-suppressed'
+  # Default is false  
+  show-suppressed: false
 ```

 ## Scan Options
@@ -106,7 +115,7 @@ scan:

  # Same as '--offline-scan'
  # Default is false
-  offline-scan: false
+  offline: false

  # Same as '--scanners'
  # Default depends on subcommand
@@ -115,6 +124,24 @@ scan:
    - misconfig
    - secret
    - license
+    - 
+  # Same as '--parallel'
+  # Default is 5
+  parallel: 1
+
+  # Same as '--sbom-sources'
+  # Default is empty
+  sbom-sources: 
+    - oci
+    - rekor
+
+  # Same as '--rekor-url'
+  # Default is 'https://rekor.sigstore.dev'
+  rekor-url: https://rekor.sigstore.dev
+
+  # Same as '--include-dev-deps'
+  # Default is false
+  include-dev-deps: false
 ```

 ## Cache Options
@@ -131,6 +158,9 @@ cache:

  # Redis options
  redis:
+    # Same as '--redis-tls'
+    # Default is false
+    tls:    
    # Same as '--redis-ca'
    # Default is empty
    ca:
@@ -148,21 +178,25 @@ cache:

 ```yaml
 db:
+  # Same as '--no-progress'
+  # Default is false
+  no-progress: false
+  
  # Same as '--skip-db-update'
  # Default is false
  skip-update: false

-  # Same as '--no-progress'
-  # Default is false
-  no-progress: false
-
  # Same as '--db-repository'
-  # Default is 'ghcr.io/aquasecurity/trivy-db'
-  repository: ghcr.io/aquasecurity/trivy-db
+  # Default is 'ghcr.io/aquasecurity/trivy-db:2'
+  repository: ghcr.io/aquasecurity/trivy-db:2
+
+  # Same as '--skip-java-db-update'
+  # Default is false
+  java-skip-update: false  

  # Same as '--java-db-repository'
-  # Default is 'ghcr.io/aquasecurity/trivy-java-db'
-  java-repository: ghcr.io/aquasecurity/trivy-java-db
+  # Default is 'ghcr.io/aquasecurity/trivy-java-db:1'
+  java-repository: ghcr.io/aquasecurity/trivy-java-db:1
 ```

 ## Registry Options
@@ -197,7 +231,19 @@ image:
  
  # Same as '--platform'
  # Default is empty
-  platform: 
+  platform:
+
+  # Same as '--image-src'
+  # Default is 'docker,containerd,podman,remote'
+  source:
+    - podman
+    - docker
+      
+  # Same as '--image-config-scanners'
+  # Default is empty
+  image-config-scanners:
+    - misconfig
+    - secret      
  
  docker:
    # Same as '--docker-host'
@@ -224,6 +270,67 @@ vulnerability:
  # Same as '--ignore-unfixed'
  # Default is false
  ignore-unfixed: false
+
+  # Same as '--ignore-unfixed'
+  # Default is empty
+  ignore-status: 
+    - end_of_life
+```
+
+## License Options
+Available with license scanning
+
+```yaml
+license:
+  # Same as '--license-full'
+  # Default is false
+  full: false
+
+  # Same as '--ignored-licenses'
+  # Default is empty
+  ignored:
+    - MPL-2.0
+    - MIT
+
+  # Same as '--license-confidence-level'
+  # Default is 0.9
+  confidenceLevel: 0.9
+
+  # Set list of forbidden licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171
+  forbidden:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of restricted licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199
+  restricted:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of reciprocal licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238
+  reciprocal:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of notice licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260
+  notice:
+    - AGPL-1.0
+    - AGPL-3.0  
+
+  # Set list of permissive licenses
+  # Default is empty
+  permissive:
+    - AGPL-1.0
+    - AGPL-3.0  
+
+  # Set list of unencumbered licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334
+  unencumbered:
+    - AGPL-1.0
+    - AGPL-3.0    
 ```

 ## Secret Options
@@ -239,11 +346,15 @@ secret:
 ## Rego Options

 ```yaml
-rego
+rego:
  # Same as '--trace'
  # Default is false
  trace: false

+  # Same as '--skip-policy-update'
+  # Default is false
+  skip-policy-update: false
+
  # Same as '--config-policy'
  # Default is empty
  policy:
@@ -271,6 +382,10 @@ misconfiguration:
  # Same as '--include-non-failures'
  # Default is false
  include-non-failures: false
+
+  # Same as '--policy-bundle-repository'
+  # Default is 'ghcr.io/aquasecurity/trivy-checks:0'
+  policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0  
  
  # Same as '--miconfig-scanners'
  # Default is all scanners
@@ -279,36 +394,46 @@ misconfiguration:
    - terraform

  # helm value override configurations
-  # set individual values
  helm:
+    # set individual values
    set:
      - securityContext.runAsUser=10001

-  # set values with file
-  helm:
+    # set values with file
    values:
      - overrides.yaml

-  # set specific values from specific files
-  helm:
+    # set specific values from specific files
    set-file:
      - image=dev-overrides.yaml

-  # set as string and preserve type
-  helm:
+    # set as string and preserve type
    set-string:
      - name=true

+    # Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command.
+    api-versions:
+      - policy/v1/PodDisruptionBudget
+      - apps/v1/Deployment
+
+    # Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
+    kube-version: "v1.21.0"
+
  # terraform tfvars overrrides
  terraform:
    vars:
      - dev-terraform.tfvars
      - common-terraform.tfvars
  
-  # Same as '--tf-exclude-downloaded-modules'
-  # Default is false
-  terraform:
+    # Same as '--tf-exclude-downloaded-modules'
+    # Default is false
    exclude-downloaded-modules: false
+
+    # Same as '--cf-params'
+    # Default is false
+  cloudformation:
+    params:
+      - params.json
 ```

 ## Kubernetes Options
@@ -323,6 +448,58 @@ kubernetes:
  # Same as '--namespace'
  # Default is empty
  namespace:
+
+  # Same as '--kubeconfig'
+  # Default is empty
+  kubeconfig: ~/.kube/config2
+
+  # Same as '--components'
+  # Default is 'workload,infra'
+  components: 
+    - workload
+    - infra
+
+  # Same as '--k8s-version'
+  # Default is empty
+  k8s-version: 1.21.0
+
+  # Same as '--tolerations'
+  # Default is empty
+  tolerations:
+    - key1=value1:NoExecute
+    - key2=value2:NoSchedule
+
+  # Same as '--all-namespaces'
+  # Default is false
+  all-namespaces: false
+
+  node-collector:
+    # Same as '--node-collector-namespace'
+    # Default is 'trivy-temp'
+    namespace: ~/.kube/config2
+
+    # Same as '--node-collector-imageref'
+    # Default is 'ghcr.io/aquasecurity/node-collector:0.0.9'
+    imageref: ghcr.io/aquasecurity/node-collector:0.0.9
+
+  exclude:
+    # Same as '--exclude-owned'
+    # Default is false
+    owned: true
+
+    # Same as '--exclude-nodes'
+    # Default is empty
+    nodes:
+      - kubernetes.io/arch:arm64
+      - team:dev
+
+  # Same as '--qps'
+  # Default is 5.0
+  qps: 5.0
+
+  # Same as '--burst'
+  # Default is 10
+  burst: 10
 ```

 ## Repository Options
@@ -393,6 +570,35 @@ cloud:

    # the aws account to use (this will be determined from your environment when not set)
    account: 123456789012
+
+    # the aws specific services
+    service: 
+      - s3
+      - ec2
+        
+    # the aws specific arn
+    arn: arn:aws:s3:::example-bucket      
+
+    # skip the aws specific services
+    skip-service:
+      - s3
+      - ec2 
+```
+
+## Module Options
+Available for modules
+
+```yaml
+module:
+  # Same as '--module-dir'
+  # Default is '$HOME/.trivy/modules'
+  dir: $HOME/.trivy/modules
+
+  # Same as '--enable-modules'
+  # Default is empty
+  enable-modules: 
+    - trivy-module-spring4shell
+    - trivy-module-wordpress
 ```

 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
--- a/docs/docs/scanner/misconfiguration/check/builtin.md
+++ b/docs/docs/scanner/misconfiguration/check/builtin.md
@@ -0,0 +1,21 @@
+# Built-in Checks 
+
+## Check Sources
+Built-in checks are mainly written in [Rego][rego] and Go.
+Those checks are managed under [trivy-checks repository][trivy-checks].
+See [here](../../../coverage/iac/index.md) for the list of supported config types.
+
+For suggestions or issues regarding policy content, please open an issue under the [trivy-checks][trivy-checks] repository.
+
+## Check Distribution
+Trivy checks are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those checks are then loaded into Trivy OPA engine and used for detecting misconfigurations.
+If Trivy is unable to pull down newer checks, it will use the embedded set of checks as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
+
+## Update Interval
+Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
+
+[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
+[trivy-checks]: https://github.com/aquasecurity/trivy-checks
+[ghcr]: https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
--- a/docs/docs/scanner/misconfiguration/policy/exceptions.md
+++ b/docs/docs/scanner/misconfiguration/policy/exceptions.md
@@ -28,8 +28,6 @@ The `exception` rule must be defined under `namespace.exceptions`.

 This example exempts all built-in policies for Kubernetes.

-For more details, see [an example][ns-example].
-
 ## Rule-based exceptions
 There are some cases where you need more flexibility and granularity in defining which cases to exempt.
 Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
@@ -87,12 +85,8 @@ If you want to apply rule-based exceptions to built-in policies, you have to def
    }
    ```

-This exception is applied to [KSV012][ksv012] in trivy-policies.
-You can get the package names in the [trivy-policies repository][trivy-policies] or the JSON output from Trivy.
+This exception is applied to [KSV012][ksv012] in trivy-checks.
+You can get the package names in the [trivy-checks repository][trivy-checks] or the JSON output from Trivy.

-For more details, see [an example][rule-example].
-
-[ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
-[rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
-[ksv012]: https://github.com/aquasecurity/trivy-policies/blob/main/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego 
-[trivy-policies]: https://github.com/aquasecurity/trivy-policies/
+[ksv012]: https://github.com/aquasecurity/trivy-checks/blob/f36a5b732c4b1293a720c40baab0a7c106ea455e/checks/kubernetes/pss/restricted/3_runs_as_root.rego 
+[trivy-checks]: https://github.com/aquasecurity/trivy-checks/
--- a/docs/docs/scanner/misconfiguration/custom/index.md
+++ b/docs/docs/scanner/misconfiguration/custom/index.md
@@ -101,9 +101,8 @@ In this case, `user.*` will be evaluated.
 Any package prefixes such as `main` and `user` are allowed.

 ### Metadata
-Metadata helps enrich Trivy's scan results with useful information.

-The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
+The check must contain a [Rego Metadata](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata) section. Trivy uses standard rego metadata to define the new policy and general information about it.

 Trivy supports extra fields in the `custom` section as described below.

--- a/docs/docs/scanner/misconfiguration/custom/schema.md
+++ b/docs/docs/scanner/misconfiguration/custom/schema.md
@@ -4,8 +4,7 @@
 Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
 enables Trivy to show more detailed error messages when an invalid input is encountered.

-In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/dockerfile.json)
-Without input schemas, a policy would be as follows:
+In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json). Without input schemas, a policy would be as follows:

 !!! example
    ```
@@ -36,7 +35,7 @@ schema as such
    ```

 Here `input: schema["dockerfile"]` points to a schema that expects a valid `Dockerfile` as input. An example of this
-can be found [here](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
+can be found [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json).

 Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.

@@ -50,9 +49,9 @@ Now if this policy is evaluated against, a more descriptive error will be availa

 Currently, out of the box the following schemas are supported natively:

-1. [Docker](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/dockerfile.json)
-2. [Kubernetes](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/kubernetes.json)
-3. [Cloud](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/cloud.json)
+1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
+2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
+3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)


 ## Custom Policies with Custom Schemas
@@ -89,4 +88,4 @@ To use such a policy with Trivy, use the `--config-policy` flag that points to t
 $ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>
 ```

-For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/schemas/#schema-annotations) that describes it in more detail.
+For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
--- a/docs/docs/scanner/misconfiguration/custom/testing.md
+++ b/docs/docs/scanner/misconfiguration/custom/testing.md
@@ -22,7 +22,7 @@ For more details, see [Policy Testing][opa-testing].
    }
    ```

-To write tests for custom policies, you can refer to existing tests under [trivy-policies][trivy-policies].
+To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks].

 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
@@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.

 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
-[defsec]: https://github.com/aquasecurity/trivy-policies/tree/main
+[defsec]: https://github.com/aquasecurity/trivy-checks/tree/main
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal
--- a/docs/docs/scanner/misconfiguration/index.md
+++ b/docs/docs/scanner/misconfiguration/index.md
@@ -381,7 +381,7 @@ If multiple variables evaluate to the same hostname, Trivy will choose the envir

 ### Skipping resources by inline comments

-Trivy supports ignoring misconfigured resources by inline comments for Terraform configuration files only.
+Trivy supports ignoring misconfigured resources by inline comments for Terraform and CloudFormation configuration files only.

 In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).

@@ -422,6 +422,17 @@ As an example, consider the following check metadata:

 Long ID would look like the following: `aws-s3-enable-logging`.

+Example for CloudFromation:
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+#trivy:ignore:*
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: test-bucket
+```
+
 #### Expiration Date

 You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
@@ -494,8 +505,21 @@ resource "aws_security_group_rule" "example" {
 }
 ```

-!!! note
-    Currently nested attributes are not supported. For example you will not be able to reference the `each.key` attribute.
+Checks can also be ignored by nested attributes, but certain restrictions apply:
+
+- You cannot access an individual block using indexes, for example when working with dynamic blocks.
+- Special variables like [each](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#the-each-object) and [count](https://developer.hashicorp.com/terraform/language/meta-arguments/count#the-count-object) cannot be accessed.
+
+```tf
+#trivy:ignore:*[logging_config.prefix=myprefix]
+resource "aws_cloudfront_distribution" "example" {
+  logging_config {
+    include_cookies = false
+    bucket          = "mylogs.s3.amazonaws.com"
+    prefix          = "myprefix"
+  }
+}
+```

 #### Ignoring module issues

@@ -523,4 +547,15 @@ module "s3_bucket" {
  bucket   = each.value
 }
 ```
-[custom]: custom/index.md
+
+#### Support for Wildcards
+
+You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
+
+```tf
+# trivy:ignore:aws-s3-*:ws:dev-*
+```
+
+This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
+
+[custom]: custom/index.md
--- a/docs/docs/scanner/misconfiguration/policy/builtin.md
+++ b/docs/docs/scanner/misconfiguration/policy/builtin.md
@@ -1,24 +0,0 @@
-# Built-in Policies
-
-## Policy Sources
-Built-in policies are mainly written in [Rego][rego] and Go.
-Those policies are managed under [trivy-policies repository][trivy-policies].
-See [here](../../../coverage/iac/index.md) for the list of supported config types.
-
-For suggestions or issues regarding policy content, please open an issue under the [trivy-policies][trivy-policies] repository.
-
-## Policy Distribution
-Trivy policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
-Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
-If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
-
-## Update Interval
-Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
-
-[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
-
-[kubernetes-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/kubernetes/policies
-[docker-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/docker/policies
-[trivy-policies]: https://github.com/aquasecurity/trivy-policies
-[ghcr]: https://github.com/aquasecurity/trivy-policies/pkgs/container/trivy-policies
--- a/docs/docs/scanner/vulnerability.md
+++ b/docs/docs/scanner/vulnerability.md
@@ -91,6 +91,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 |          | [GitHub Advisory Database (npm)][nodejs-ghsa]       |       ✅        |     -     |
 | Java     | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
 | Go       | [GitHub Advisory Database (Go)][go-ghsa]            |       ✅        |     -     |
+|          | [Go Vulnerability Database][go-vulndb]              |       ✅        |     -     |
 | Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
@@ -255,6 +256,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
 [swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift

+[go-vulndb]: https://pkg.go.dev/vuln/
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -107,10 +107,10 @@ The image config is converted into Dockerfile and Trivy handles it as Dockerfile
 See [here](../scanner/misconfiguration/index.md) for the detail of Dockerfile scanning.

 It is disabled by default.
-You can enable it with `--image-config-scanners config`.
+You can enable it with `--image-config-scanners misconfig`.

 ```
-$ trivy image --image-config-scanners config [YOUR_IMAGE_NAME]
+$ trivy image --image-config-scanners misconfig [YOUR_IMAGE_NAME]
 ```

 <details>
@@ -506,4 +506,4 @@ You can configure Podman daemon socket with `--podman-host`.

 ```shell
 $ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE
-```
+```
--- a/docs/docs/target/kubernetes.md
+++ b/docs/docs/target/kubernetes.md
@@ -9,7 +9,7 @@ Trivy can also be installed *inside* your cluster as a Kubernetes Operator, and
 When scanning a Kubernetes cluster, Trivy differentiates between the following:

 1. Cluster infrastructure (e.g api-server, kubelet, addons)
-1. Cluster configuration (e.g Roles, ClusterRoles). 
+1. Cluster configuration (e.g Roles, ClusterRoles).
 1. Application workloads (e.g nginx, postgresql).

 When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
@@ -28,60 +28,79 @@ Kubernetes resource definition is scanned for:

 ## Kubernetes target configurations

-Trivy follows the behavior of the `kubectl` tool as much as possible.
-
-### Scope
-
-The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:
-1. A Kubernetes Kind. e.g `pod`, `deployment`, etc. 
-2. A Kubernetes Resource. e.g `pods/mypod`, etc.
-3. `all`. Scan common workload kinds, as listed [here](https://github.com/aquasecurity/trivy-kubernetes/blob/bf8cc2a00d9772e0aa271f06d375b936152b54b1/pkg/k8s/k8s.go#L296:L314)
-4. `cluster` scan the entire cluster including all namespaced resources and cluster level resources.
-
-Examples:
-
-```
-trivy k8s all
-trivy k8s pods
-trivy k8s deploy myapp
-trivy k8s pod/mypod
-trivy k8s pods,deploy
-trivy k8s cluster
+```sh
+trivy k8s [flags] [CONTEXT] -  if the target name [CONTEXT] is not specified, the default will be used.
 ```

-Note that the scope argument must appear last in the command line, after any other flag.
+for example:

-### Cluster
+```sh
+trivy k8s --report summary
+```

 By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.  
 You can also specify a `kubeconfig` using the `--kubeconfig` flag:

-```
+```sh
 trivy k8s --kubeconfig ~/.kube/config2
 ```

-### Namespace
+By default, all cluster resource images will be downloaded and scanned.

-By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:
+### Skip-images

+You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
+
+- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.
+
+Example:
+
+```sh
+trivy k8s --report summary --skip-images
 ```
-trivy k8s --kubeconfig ~/.kube/config2 --namespace default
-```
-### Node

-You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
+### Include/Exclude Kinds

+You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:
+
+***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.
+
+- `--include-kinds` will include the listed kinds in cluster scanning.
+- `--exclude-kinds` will exclude the listed kinds from cluster scanning.
+
+By default, all kinds will be included in cluster scanning.
+
+Example:
+
+```sh
+trivy k8s --report summary --exclude-kinds node,pod
 ```
-trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
+
+### Include/Exclude Namespaces
+
+You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:
+
+***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.
+
+- `--include-namespaces` will include the listed namespaces in cluster scanning.
+- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.
+
+By default, all namespaces will be included in cluster scanning.
+
+Example:
+
+```sh
+trivy k8s --report summary --exclude-namespace dev-system,staging-system
 ```

 ## Control Plane and Node Components Vulnerability Scanning

-Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds
+Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds.

+To read more about KBOM, see the [documentation for Kubernetes scanning](./sbom.md#kbom).

-```
-trivy k8s cluster --scanners vuln  --report all
+```sh
+trivy k8s --scanners vuln  --report all

 NodeComponents/kind-control-plane (kubernetes)

@@ -101,13 +120,43 @@ Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
 └────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
 ```

+## Node-Collector

-### Components types
+Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.

-You can control what kinds of components are discovered using the `--components` flag:
- `--components infra` will discover only cluster infrastructure components.
- `--components workloads` will discover only application workloads.
- If the flag is omitted: infra, workloads, and RBAC are discovered.
+### Disable Node Collector
+
+You can control whether the node scan-job (`node-collector`) will run in the cluster. To disable it, add the `--disable-node-collector` flag  
+
+- `--disable-node-collector` This flag will exclude findings related to Node (infra assessment) misconfigurations
+
+By default, the node scan-job (`node-collector`) will run in the cluster.
+
+Example:
+
+```sh
+trivy k8s --report summary --disable-node-collector
+```
+
+### Taints and Tolerations
+
+The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+
+- `--tolerations  key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
+
+Example:
+
+```sh
+trivy k8s --report summary --tolerations  key1=value1:NoExecute,key2=value2:NoSchedule
+```
+
+### Exclude Nodes by Label
+
+You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
+
+```sh
+trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
+```

 ## Reporting and filtering

@@ -117,8 +166,8 @@ You can always choose the report granularity using the `--report summary`/`--rep

 Scan a full cluster and generate a simple summary report:

-```
-$ trivy k8s --report=summary cluster
+```sh
+trivy k8s --report=summary
 ```

 ![k8s Summary Report](../../imgs/trivy-k8s.png)
@@ -126,15 +175,15 @@ $ trivy k8s --report=summary cluster
 Filter by severity:

 ```
-trivy k8s --severity=CRITICAL --report=all cluster
+trivy k8s --severity=CRITICAL --report=all
 ```

 Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):

 ```
-trivy k8s --scanners=secret --report=summary cluster
+trivy k8s --scanners=secret --report=summary
 # or
-trivy k8s --scanners=misconfig --report=summary cluster
+trivy k8s --scanners=misconfig --report=summary
 ```

 The supported output formats are `table`, which is the default, and `json`.
@@ -300,6 +349,7 @@ trivy k8s --format json -o results.json cluster
 </details>

 ## Compliance
+
 This section describes Kubernetes specific compliance reports.
 For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).

@@ -318,7 +368,7 @@ Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:

 ```

-$ trivy k8s cluster --compliance=k8s-pss-baseline --report summary
+trivy k8s --compliance=k8s-pss-baseline --report summary

 ```

@@ -326,7 +376,7 @@ Get the detailed report for checks:

 ```

-$ trivy k8s cluster --compliance=k8s-cis --report all
+trivy k8s --compliance=k8s-cis --report all

 ```

@@ -334,7 +384,7 @@ Get summary report in JSON format:

 ```

-$ trivy k8s cluster --compliance=k8s-cis --report summary --format json
+trivy k8s --compliance=k8s-cis --report summary --format json

 ```

@@ -342,7 +392,7 @@ Get detailed report in JSON format:

 ```

-$ trivy k8s cluster --compliance=k8s-cis --report all --format json
+trivy k8s --compliance=k8s-cis --report all --format json

 ```

@@ -355,7 +405,7 @@ Trivy can generate KBOM in CycloneDX format:

 ```sh

-$ trivy k8s cluster --format cyclonedx --output mykbom.cdx.json
+trivy k8s --format cyclonedx --output mykbom.cdx.json

 ```

@@ -363,7 +413,7 @@ Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:

 ```sh

-$ trivy sbom mykbom.cdx.json
+trivy sbom mykbom.cdx.json

 ```

--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -10,11 +10,10 @@ In this section you will find an aggregation of the different ways to install Tr
    Add repository setting to `/etc/yum.repos.d`.

    ``` bash
-    RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
    cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
    [trivy]
    name=Trivy repository
-    baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
+    baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\$basearch/
    gpgcheck=1
    enabled=1
    gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
@@ -35,9 +34,9 @@ In this section you will find an aggregation of the different ways to install Tr
    Add repository setting to `/etc/apt/sources.list.d`.

    ``` bash
-    sudo apt-get install wget apt-transport-https gnupg lsb-release
+    sudo apt-get install wget apt-transport-https gnupg
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
-    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install trivy
    ```
@@ -86,31 +85,29 @@ References:
 Nix package manager for Linux and MacOS.

 === "Command line"
-
-`nix-env --install -A nixpkgs.trivy`
+    `nix-env --install -A nixpkgs.trivy`

 === "Configuration"
-
-```nix
-  # your other config ...
-  environment.systemPackages = with pkgs; [
-    # your other packages ...
-    trivy
-  ];
-```
+    ```nix
+    # your other config ...
+    environment.systemPackages = with pkgs; [
+      # your other packages ...
+      trivy
+    ];
+    ```

 === "Home Manager"
-
-```nix
-  # your other config ...
-  home.packages = with pkgs; [
-    # your other packages ...
-    trivy
-  ];
-```
+    ```nix
+    # your other config ...
+    home.packages = with pkgs; [
+      # your other packages ...
+      trivy
+    ];
+    ```

 References: 
-  <https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix>
+
+-  https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix

 ### FreeBSD (Official)

@@ -120,6 +117,48 @@ References:
 pkg install trivy
 ```

+### asdf/mise (Community)
+
+[asdf](https://github.com/asdf-vm/asdf) and [mise](https://github.com/jdx/mise) are quite similar tools you can use to install trivy.
+See their respective documentation for more information of how to install them and use them:
+
+- [asdf](https://asdf-vm.com/guide/getting-started.html)
+- [mise](https://mise.jdx.dev/getting-started.html)
+
+The plugin used by both tools is developped [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
+
+
+=== "asdf"
+    A basic global installation is shown below, for specific version or/and local version to a directory see "asdf" documentation.
+
+    ```shell
+    # Install plugin
+    asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
+
+    # Install latest version
+    asdf install trivy latest
+
+    # Set a version globally (on your ~/.tool-versions file)
+    asdf global trivy latest
+
+    # Now trivy commands are available
+    trivy --version
+    ```
+
+=== "mise"
+    A basic global installation is shown below, for specific version or/and local version to a directory see "mise" documentation.
+
+    ``` shell
+    # Install plugin and install latest version
+    mise install trivy@latest
+
+    # Set a version globally (on your ~/.tool-versions file)
+    mise use -g trivy@latest
+
+    # Now trivy commands are available
+    trivy --version
+    ```
+
 ## Install from GitHub Release (Official)

 ### Download Binary
--- a/docs/imgs/trivy-k8s.png
+++ b/docs/imgs/trivy-k8s.png
--- a/docs/tutorials/integrations/gitlab-ci.md
+++ b/docs/tutorials/integrations/gitlab-ci.md
@@ -49,7 +49,7 @@ trivy:
  cache:
    paths:
      - .trivycache/
-  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
+  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab Ultimate)
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
--- a/docs/tutorials/kubernetes/cluster-scanning.md
+++ b/docs/tutorials/kubernetes/cluster-scanning.md
@@ -1,58 +1,51 @@
 # Kubernetes Scanning Tutorial

-## Prerequisites 
+## Prerequisites

 To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster.  
- 
-Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster. 
+Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.

 ## Cluster Scanning

 Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.  

-The `trivy k8s` command is part of the Trivy CLI. 
+The `trivy k8s` command is part of the Trivy CLI.

-With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan: 
+With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:

-```
-trivy k8s --report=summary cluster
+```sh
+trivy k8s --report=summary
 ```

 To get detailed information for all your resources, just replace ‘summary’ with ‘all’: 

-```
-trivy k8s --report=all cluster
+```sh
+trivy k8s --report=all
 ```

 However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details. 

 Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result: 

-```
-trivy k8s -n kube-system --report=summary cluster
+```sh
+trivy k8s --include-namespaces kube-system --report summary
 ```

 Again, if you’d like to receive additional details, use the ‘--report=all’ flag: 

-```
-trivy k8s -n kube-system --report=all cluster
+```sh
+trivy k8s --include-namespaces kube-system --report all
 ```

 Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities: 

-```
-trivy k8s --severity=CRITICAL --report=summary cluster
+```sh
+trivy k8s --severity=CRITICAL --report=summary
 ```

 Note that you can use any of the Trivy flags on the Trivy K8s command. 

-With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment: 
-
-```
-trivy k8s --namespace  app --report=summary deployments/react-application
-```
-
-## Trivy Operator 
+## Trivy Operator

 The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.  

@@ -66,15 +59,9 @@ This has several benefits:

 - The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. 

- 
 There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)

 Please follow the Trivy Operator documentation for further information on:

 - [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)
-
-
-
- 
-
+- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)
--- a/docs/tutorials/misconfiguration/custom-checks.md
+++ b/docs/tutorials/misconfiguration/custom-checks.md
@@ -8,8 +8,8 @@ When you are writing a check, it's important to understand the input to the chec

 Since Rego is primarily tailored to query JSON objects, all incoming configuration files needs to be first converted to structured objects, which is available to the Rego code as the input variable. This is nothing that users have to do manually in Trivy. Instead, Rego makes it possible to pass in custom Schemas that detail how files are converted. Once Rego has access to a custom Schema, it will know in which format to access configuration files such as a Dockerfile. 

-[Here you can find the schemas](https://github.com/aquasecurity/defsec/tree/master/pkg/rego/schemas) that define how different configuration files are converted to JSON by Trivy.
-This tutorial will make use of the [dockerfile.json schema](https://github.com/aquasecurity/defsec/tree/master/pkg/rego/schemas). The schema will need to be parsed into your custom check. 
+[Here you can find the schemas](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas) that define how different configuration files are converted to JSON by Trivy.
+This tutorial will make use of the [dockerfile.json schema](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json). The schema will need to be parsed into your custom check. 

 Users can also use the [Schema Explorer](https://aquasecurity.github.io/trivy-schemas/) to view the structure of the data provided to Rego.

@@ -108,4 +108,4 @@ Please replace:

 * [Rego provides a long list of courses](https://academy.styra.com/collections) that can be useful in writing more complex checks
 * [The Rego documentation provides detailed information on the different types, iterations etc.](https://www.openpolicyagent.org/docs/latest/)
-* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-policies/tree/main/checks) for Trivy for inspiration on how to write custom checks.
+* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks) for Trivy for inspiration on how to write custom checks.
--- a/go.mod
+++ b/go.mod
@@ -1,17 +1,22 @@
 module github.com/aquasecurity/trivy

-go 1.21
+go 1.22.0
+
+toolchain go1.22.2

 require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
 	github.com/BurntSushi/toml v1.3.2
 	github.com/CycloneDX/cyclonedx-go v0.8.0
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.31.1
+	github.com/alecthomas/chroma v0.10.0
+	github.com/alicebob/miniredis/v2 v2.32.1
+	github.com/antchfx/htmlquery v1.3.1
+	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -19,54 +24,60 @@ require (
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
 	github.com/aquasecurity/loading v0.0.5
 	github.com/aquasecurity/table v1.8.0
-	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
+	github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-aws v0.8.0
+	github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e
 	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
-	github.com/aquasecurity/trivy-kubernetes v0.6.3
-	github.com/aquasecurity/trivy-policies v0.10.0
-	github.com/aws/aws-sdk-go-v2 v1.25.2
-	github.com/aws/aws-sdk-go-v2/config v1.27.4
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.4
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.15
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.149.1
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.6
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.51.1
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
+	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240516051533-4c5a4aad13b7
+	github.com/aws/aws-sdk-go-v2 v1.27.0
+	github.com/aws/aws-sdk-go-v2/config v1.27.15
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.15
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.20
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.161.3
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.28.2
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.54.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.9
+	github.com/aws/smithy-go v1.20.2
 	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.1.4
-	github.com/containerd/containerd v1.7.13
+	github.com/cheggaaa/pb/v3 v3.1.5
+	github.com/containerd/containerd v1.7.17
 	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
-	github.com/docker/docker v25.0.5+incompatible
+	github.com/docker/docker v26.1.3+incompatible
 	github.com/docker/go-connections v0.5.0
-	github.com/fatih/color v1.16.0
-	github.com/go-git/go-git/v5 v5.11.0
-	github.com/go-openapi/runtime v0.27.1
-	github.com/go-openapi/strfmt v0.22.0
+	github.com/fatih/color v1.17.0
+	github.com/go-git/go-git/v5 v5.12.0
+	github.com/go-openapi/runtime v0.28.0
+	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang/protobuf v1.5.3
-	github.com/google/go-containerregistry v0.19.0
+	github.com/google/go-containerregistry v0.19.1
 	github.com/google/licenseclassifier/v2 v2.0.0
 	github.com/google/uuid v1.6.0
-	github.com/google/wire v0.5.0
-	github.com/hashicorp/go-getter v1.7.3
+	github.com/google/wire v0.6.0
+	github.com/hashicorp/go-getter v1.7.4
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.7.5
-	github.com/hashicorp/golang-lru/v2 v2.0.6
+	github.com/hashicorp/go-retryablehttp v0.7.6
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/go-version v1.6.0
+	github.com/hashicorp/golang-lru/v2 v2.0.7
+	github.com/hashicorp/hc-install v0.7.0
+	github.com/hashicorp/hcl/v2 v2.20.1
+	github.com/hashicorp/terraform-exec v0.21.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
-	github.com/knqyf263/go-rpmdb v0.0.0-20231008124120-ac49267ab4e1
+	github.com/knqyf263/go-rpmdb v0.1.1
 	github.com/knqyf263/nested v0.0.1
 	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/iamgo v0.0.9
 	github.com/liamg/jfather v0.0.7
+	github.com/liamg/memoryfs v1.6.0
 	github.com/magefile/mage v1.15.0
-	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
 	github.com/masahiro331/go-ebs-file v0.0.0-20240112135404-d5fbb1d46323
 	github.com/masahiro331/go-ext4-filesystem v0.0.0-20231208112839-4339555a0cd4
@@ -75,114 +86,100 @@ require (
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
+	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/buildkit v0.12.5
-	github.com/open-policy-agent/opa v0.62.0
+	github.com/moby/buildkit v0.13.2
+	github.com/open-policy-agent/opa v0.64.1
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc6
+	github.com/opencontainers/image-spec v1.1.0
 	github.com/openvex/go-vex v0.2.5
-	github.com/owenrumney/go-sarif/v2 v2.3.0
-	github.com/package-url/packageurl-go v0.1.2
+	github.com/owenrumney/go-sarif/v2 v2.3.1
+	github.com/owenrumney/squealer v1.2.2
+	github.com/package-url/packageurl-go v0.1.3
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
 	github.com/samber/lo v1.39.0
-	github.com/saracen/walker v0.1.3
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0
-	github.com/sigstore/rekor v1.2.2
+	github.com/sigstore/rekor v1.3.6
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
-	github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
+	github.com/spdx/tools-golang v0.5.4 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
 	github.com/spf13/cast v1.6.0
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.18.2
-	github.com/stretchr/testify v1.8.4
-	github.com/testcontainers/testcontainers-go v0.28.0
-	github.com/testcontainers/testcontainers-go/modules/localstack v0.26.0
-	github.com/tetratelabs/wazero v1.7.0
-	github.com/twitchtv/twirp v8.1.2+incompatible
+	github.com/stretchr/testify v1.9.0
+	github.com/testcontainers/testcontainers-go v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/localstack v0.31.0
+	github.com/tetratelabs/wazero v1.7.2
+	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
-	go.etcd.io/bbolt v1.3.8
-	go.uber.org/zap v1.27.0
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
-	golang.org/x/mod v0.15.0
-	golang.org/x/net v0.21.0
-	golang.org/x/sync v0.6.0
-	golang.org/x/term v0.17.0
-	golang.org/x/text v0.14.0
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/protobuf v1.33.0
-	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.29.1
-	k8s.io/utils v0.0.0-20231127182322-b307cd553661
-	modernc.org/sqlite v1.28.0
-)
-
-require (
-	github.com/alecthomas/chroma v0.10.0
-	github.com/antchfx/htmlquery v1.3.0
-	github.com/apparentlymart/go-cidr v1.1.0
-	github.com/aws/smithy-go v1.20.1
-	github.com/hashicorp/go-uuid v1.0.3
-	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/hc-install v0.6.3
-	github.com/hashicorp/hcl/v2 v2.19.1
-	github.com/hashicorp/terraform-exec v0.20.0
-	github.com/liamg/iamgo v0.0.9
-	github.com/liamg/memoryfs v1.6.0
-	github.com/mitchellh/go-homedir v1.1.0
-	github.com/olekukonko/tablewriter v0.0.5
-	github.com/owenrumney/squealer v1.2.2
-	github.com/zclconf/go-cty v1.14.1
+	github.com/zclconf/go-cty v1.14.4
 	github.com/zclconf/go-cty-yaml v1.0.3
-	golang.org/x/crypto v0.19.0
-	helm.sh/helm/v3 v3.14.2
+	go.etcd.io/bbolt v1.3.10
+	golang.org/x/crypto v0.23.0
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
+	golang.org/x/mod v0.17.0
+	golang.org/x/net v0.25.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/term v0.20.0
+	golang.org/x/text v0.15.0
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
+	google.golang.org/protobuf v1.34.1
+	gopkg.in/yaml.v3 v3.0.1
+	helm.sh/helm/v3 v3.15.0
+	k8s.io/api v0.30.1
+	k8s.io/utils v0.0.0-20231127182322-b307cd553661
+	modernc.org/sqlite v1.29.10
+	sigs.k8s.io/yaml v1.4.0
 )

+require github.com/golang/protobuf v1.5.4
+
 require (
-	cloud.google.com/go v0.112.0 // indirect
-	cloud.google.com/go/compute v1.23.3 // indirect
+	cloud.google.com/go v0.112.1 // indirect
+	cloud.google.com/go/compute v1.25.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.5 // indirect
-	cloud.google.com/go/storage v1.36.0 // indirect
+	cloud.google.com/go/iam v1.1.6 // indirect
+	cloud.google.com/go/storage v1.39.1 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/Intevation/gval v1.3.0 // indirect
 	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.11.4 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v1.1.0-alpha.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/antchfx/xpath v1.2.3 // indirect
+	github.com/antchfx/xpath v1.3.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.49.21 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
+	github.com/aws/aws-sdk-go v1.53.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigateway v1.21.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.18.6 // indirect
@@ -203,14 +200,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.25.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/emr v1.36.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/iam v1.28.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.8.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kafka v1.28.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kinesis v1.24.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.27.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.49.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/mq v1.20.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/neptune v1.28.1 // indirect
@@ -219,8 +216,8 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sns v1.26.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.29.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/workspaces v1.38.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
@@ -229,23 +226,25 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/containerd/cgroups v1.1.0 // indirect
-	github.com/containerd/continuity v0.4.2 // indirect
+	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/continuity v0.4.3 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/containerd/ttrpc v1.2.4 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
+	github.com/creack/pty v1.1.21 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/distribution/reference v0.5.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v25.0.1+incompatible // indirect
+	github.com/docker/cli v25.0.3+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -264,32 +263,31 @@ require (
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.21.5 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.1 // indirect
-	github.com/go-openapi/jsonreference v0.20.3 // indirect
-	github.com/go-openapi/loads v0.21.3 // indirect
-	github.com/go-openapi/spec v0.20.12 // indirect
-	github.com/go-openapi/swag v0.22.5 // indirect
-	github.com/go-openapi/validate v0.22.4 // indirect
-	github.com/go-sql-driver/mysql v1.7.1 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.9.5 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20230406165453-00490a63f317 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
@@ -299,7 +297,7 @@ require (
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/terraform-json v0.19.0 // indirect
+	github.com/hashicorp/terraform-json v0.22.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -308,26 +306,28 @@ require (
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.2 // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/user v0.1.0 // indirect
@@ -338,6 +338,7 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
@@ -345,89 +346,88 @@ require (
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_golang v1.19.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.2 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.13 // indirect
+	github.com/tklauser/numcpus v0.7.0 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
-	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yuin/gopher-lua v1.1.0 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
+	github.com/yuin/gopher-lua v1.1.1 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
-	go.opentelemetry.io/otel v1.23.1 // indirect
-	go.opentelemetry.io/otel/metric v1.23.1 // indirect
-	go.opentelemetry.io/otel/sdk v1.23.1 // indirect
-	go.opentelemetry.io/otel/trace v1.23.1 // indirect
-	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
-	google.golang.org/api v0.155.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
+	google.golang.org/api v0.172.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/grpc v1.62.0 // indirect
+	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.29.0 // indirect
-	k8s.io/apimachinery v0.29.1 // indirect
-	k8s.io/apiserver v0.29.0 // indirect
-	k8s.io/cli-runtime v0.29.0 // indirect
-	k8s.io/client-go v0.29.0 // indirect
-	k8s.io/component-base v0.29.0 // indirect
-	k8s.io/klog/v2 v2.120.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/kubectl v0.29.0 // indirect
-	lukechampine.com/uint128 v1.2.0 // indirect
-	modernc.org/cc/v3 v3.40.0 // indirect
-	modernc.org/ccgo/v3 v3.16.13 // indirect
-	modernc.org/libc v1.29.0 // indirect
+	k8s.io/apiextensions-apiserver v0.30.0 // indirect
+	k8s.io/apimachinery v0.30.1 // indirect
+	k8s.io/apiserver v0.30.0 // indirect
+	k8s.io/cli-runtime v0.30.0 // indirect
+	k8s.io/client-go v0.30.0 // indirect
+	k8s.io/component-base v0.30.0 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/kubectl v0.30.0 // indirect
+	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
+	modernc.org/libc v1.49.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.7.2 // indirect
-	modernc.org/opt v0.1.3 // indirect
-	modernc.org/strutil v1.1.3 // indirect
+	modernc.org/memory v1.8.0 // indirect
+	modernc.org/strutil v1.2.0 // indirect
 	modernc.org/token v1.1.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )
-
-// testcontainers-go has a bug with versions v0.25.0 and v0.26.0
-// ref: https://github.com/testcontainers/testcontainers-go/issues/1782
-replace github.com/testcontainers/testcontainers-go => github.com/testcontainers/testcontainers-go v0.23.0
--- a/go.sum
+++ b/go.sum
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -1,7 +1,7 @@
 project_name: trivy
 builds:
  - id: build-linux
-    main: cmd/trivy/main.go
+    main: ./cmd/trivy/
    binary: trivy
    ldflags:
      - -s -w
@@ -21,7 +21,7 @@ builds:
    goarm:
      - 7
  - id: build-bsd
-    main: cmd/trivy/main.go
+    main: ./cmd/trivy/
    binary: trivy
    ldflags:
      - -s -w
@@ -36,7 +36,7 @@ builds:
      - 386
      - amd64
  - id: build-macos
-    main: cmd/trivy/main.go
+    main: ./cmd/trivy/
    binary: trivy
    ldflags:
      - -s -w
@@ -52,7 +52,7 @@ builds:
    goarm:
      - 7
  - id: build-windows
-    main: cmd/trivy/main.go
+    main: ./cmd/trivy/
    binary: trivy
    ldflags:
      - -s -w
--- a/integration/aws_cloud_test.go
+++ b/integration/aws_cloud_test.go
@@ -25,7 +25,7 @@ func TestAwsCommandRun(t *testing.T) {
 		{
 			name: "fail without region",
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 			},
 			envs: map[string]string{
 				"AWS_ACCESS_KEY_ID":     "test",
@@ -39,7 +39,7 @@ func TestAwsCommandRun(t *testing.T) {
 				"AWS_PROFILE": "non-existent-profile",
 			},
 			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
+				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
 				AWSOptions: flag.AWSOptions{
 					Region: "us-east-1",
 				},
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -283,7 +283,9 @@ func TestClientServer(t *testing.T) {
 				osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
 			}

-			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{})
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
+				override: overrideUID,
+			})
 		})
 	}
 }
@@ -397,7 +399,9 @@ func TestClientServerWithFormat(t *testing.T) {
 			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
 			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)

-			runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
+			runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{
+				override: overrideUID,
+			})
 		})
 	}
 }
@@ -475,7 +479,10 @@ func TestClientServerWithToken(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
-			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{wantErr: tt.wantErr})
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
+				override: overrideUID,
+				wantErr:  tt.wantErr,
+			})
 		})
 	}
 }
@@ -501,7 +508,9 @@ func TestClientServerWithRedis(t *testing.T) {
 		osArgs := setupClient(t, testArgs, addr, cacheDir, golden)

 		// Run Trivy client
-		runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{})
+		runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{
+			override: overrideUID,
+		})
 	})

 	// Terminate the Redis container
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -192,9 +192,10 @@ func readSpdxJson(t *testing.T, filePath string) *spdx.Document {
 	return bom
 }

+type OverrideFunc func(t *testing.T, want, got *types.Report)
 type runOptions struct {
 	wantErr  string
-	override func(want, got *types.Report)
+	override OverrideFunc
 	fakeUUID string
 }

@@ -262,11 +263,11 @@ func compareRawFiles(t *testing.T, wantFile, gotFile string) {
 	assert.EqualValues(t, string(want), string(got))
 }

-func compareReports(t *testing.T, wantFile, gotFile string, override func(want, got *types.Report)) {
+func compareReports(t *testing.T, wantFile, gotFile string, override func(t *testing.T, want, got *types.Report)) {
 	want := readReport(t, wantFile)
 	got := readReport(t, gotFile)
 	if override != nil {
-		override(&want, &got)
+		override(t, &want, &got)
 	}
 	assert.Equal(t, want, got)
 }
@@ -307,3 +308,33 @@ func validateReport(t *testing.T, schema string, report any) {
 		assert.True(t, valid, strings.Join(errs, "\n"))
 	}
 }
+
+func overrideFuncs(funcs ...OverrideFunc) OverrideFunc {
+	return func(t *testing.T, want, got *types.Report) {
+		for _, f := range funcs {
+			if f == nil {
+				continue
+			}
+			f(t, want, got)
+		}
+	}
+}
+
+// overrideUID only checks for the presence of the package UID and clears the UID;
+// the UID is calculated from the package metadata, but the UID does not match
+// as it varies slightly depending on the mode of scanning, e.g. the digest of the layer.
+func overrideUID(t *testing.T, want, got *types.Report) {
+	for i, result := range got.Results {
+		for j, vuln := range result.Vulnerabilities {
+			assert.NotEmptyf(t, vuln.PkgIdentifier.UID, "UID is empty: %s", vuln.VulnerabilityID)
+			// Do not compare UID as the package metadata is slightly different between the tests,
+			// causing different UIDs.
+			got.Results[i].Vulnerabilities[j].PkgIdentifier.UID = ""
+		}
+	}
+	for i, result := range want.Results {
+		for j := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].PkgIdentifier.UID = ""
+		}
+	}
+}
--- a/integration/k8s_test.go
+++ b/integration/k8s_test.go
@@ -31,7 +31,7 @@ func TestK8s(t *testing.T) {
 			"--cache-dir",
 			cacheDir,
 			"k8s",
-			"cluster",
+			"kind-kind-test",
 			"--report",
 			"summary",
 			"-q",
@@ -39,10 +39,6 @@ func TestK8s(t *testing.T) {
 			"5m0s",
 			"--format",
 			"json",
-			"--components",
-			"workload",
-			"--context",
-			"kind-kind-test",
 			"--output",
 			outputFile,
 		}
@@ -79,12 +75,10 @@ func TestK8s(t *testing.T) {
 		outputFile := filepath.Join(t.TempDir(), "output.json")
 		osArgs := []string{
 			"k8s",
-			"cluster",
+			"kind-kind-test",
 			"--format",
 			"cyclonedx",
 			"-q",
-			"--context",
-			"kind-kind-test",
 			"--output",
 			outputFile,
 		}
@@ -111,51 +105,5 @@ func TestK8s(t *testing.T) {
 		assert.True(t, lo.SomeBy(*got.Dependencies, func(r cdx.Dependency) bool {
 			return len(*r.Dependencies) > 0
 		}))
-
-	})
-
-	t.Run("specific resource scan", func(t *testing.T) {
-		// Set up the output file
-		outputFile := filepath.Join(t.TempDir(), "output.json")
-
-		osArgs := []string{
-			"k8s",
-			"-n",
-			"default",
-			"deployments/nginx-deployment",
-			"-q",
-			"--timeout",
-			"5m0s",
-			"--format",
-			"json",
-			"--components",
-			"workload",
-			"--context",
-			"kind-kind-test",
-			"--output",
-			outputFile,
-		}
-
-		// Run Trivy
-		err := execute(osArgs)
-		require.NoError(t, err)
-
-		var got report.Report
-		f, err := os.Open(outputFile)
-		require.NoError(t, err)
-		defer f.Close()
-
-		err = json.NewDecoder(f).Decode(&got)
-		require.NoError(t, err)
-
-		// Flatten findings
-		results := lo.FlatMap(got.Resources, func(resource report.Resource, _ int) []types.Result {
-			return resource.Results
-		})
-
-		// Has vulnerabilities
-		assert.True(t, lo.SomeBy(results, func(r types.Result) bool {
-			return len(r.Vulnerabilities) > 0
-		}))
 	})
 }
--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -202,12 +202,12 @@ func TestRegistry(t *testing.T) {
 			// Run Trivy
 			runTest(t, osArgs, tc.golden, "", types.FormatJSON, runOptions{
 				wantErr: tc.wantErr,
-				override: func(_, got *types.Report) {
+				override: overrideFuncs(overrideUID, func(t *testing.T, _, got *types.Report) {
 					got.ArtifactName = tc.imageName
 					for i := range got.Results {
 						got.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", tc.imageName)
 					}
-				},
+				}),
 			})
 		})
 	}
--- a/integration/repo_test.go
+++ b/integration/repo_test.go
@@ -37,7 +37,7 @@ func TestRepository(t *testing.T) {
 		name     string
 		args     args
 		golden   string
-		override func(want, got *types.Report)
+		override func(t *testing.T, want, got *types.Report)
 	}{
 		{
 			name: "gomod",
@@ -341,6 +341,15 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/conda-cyclonedx.json.golden",
 		},
+		{
+			name: "conda environment.yaml generating CycloneDX SBOM",
+			args: args{
+				command: "fs",
+				format:  "cyclonedx",
+				input:   "testdata/fixtures/repo/conda-environment",
+			},
+			golden: "testdata/conda-environment-cyclonedx.json.golden",
+		},
 		{
 			name: "pom.xml generating CycloneDX SBOM (with vulnerabilities)",
 			args: args{
@@ -369,7 +378,7 @@ func TestRepository(t *testing.T) {
 				skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
 			},
 			golden: "testdata/gomod-skip.json.golden",
-			override: func(want, _ *types.Report) {
+			override: func(_ *testing.T, want, _ *types.Report) {
 				want.ArtifactType = ftypes.ArtifactFilesystem
 			},
 		},
@@ -383,7 +392,7 @@ func TestRepository(t *testing.T) {
 				input:       "testdata/fixtures/repo/custom-policy",
 			},
 			golden: "testdata/dockerfile-custom-policies.json.golden",
-			override: func(want, got *types.Report) {
+			override: func(_ *testing.T, want, got *types.Report) {
 				want.ArtifactType = ftypes.ArtifactFilesystem
 			},
 		},
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -6,11 +6,11 @@ import (
 	"path/filepath"
 	"testing"

-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

@@ -25,7 +25,7 @@ func TestSBOM(t *testing.T) {
 		name     string
 		args     args
 		golden   string
-		override types.Report
+		override OverrideFunc
 	}{
 		{
 			name: "centos7 cyclonedx",
@@ -35,31 +35,17 @@ func TestSBOM(t *testing.T) {
 				artifactType: "cyclonedx",
 			},
 			golden: "testdata/centos-7.json.golden",
-			override: types.Report{
-				ArtifactName: "testdata/fixtures/sbom/centos-7-cyclonedx.json",
-				ArtifactType: ftypes.ArtifactType("cyclonedx"),
-				Results: types.Results{
-					{
-						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)",
-						Vulnerabilities: []types.DetectedVulnerability{
-							{
-								PkgIdentifier: ftypes.PkgIdentifier{
-									BOMRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
-								},
-							},
-							{
-								PkgIdentifier: ftypes.PkgIdentifier{
-									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-								},
-							},
-							{
-								PkgIdentifier: ftypes.PkgIdentifier{
-									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-								},
-							},
-						},
-					},
-				},
+			override: func(t *testing.T, want, got *types.Report) {
+				want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.json"
+				want.ArtifactType = ftypes.ArtifactCycloneDX
+
+				require.Len(t, got.Results, 1)
+				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)"
+
+				require.Len(t, got.Results[0].Vulnerabilities, 3)
+				want.Results[0].Vulnerabilities[0].PkgIdentifier.BOMRef = "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"
+				want.Results[0].Vulnerabilities[1].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
+				want.Results[0].Vulnerabilities[2].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
 			},
 		},
 		{
@@ -88,31 +74,17 @@ func TestSBOM(t *testing.T) {
 				artifactType: "cyclonedx",
 			},
 			golden: "testdata/centos-7.json.golden",
-			override: types.Report{
-				ArtifactName: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
-				ArtifactType: ftypes.ArtifactType("cyclonedx"),
-				Results: types.Results{
-					{
-						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)",
-						Vulnerabilities: []types.DetectedVulnerability{
-							{
-								PkgIdentifier: ftypes.PkgIdentifier{
-									BOMRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
-								},
-							},
-							{
-								PkgIdentifier: ftypes.PkgIdentifier{
-									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-								},
-							},
-							{
-								PkgIdentifier: ftypes.PkgIdentifier{
-									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-								},
-							},
-						},
-					},
-				},
+			override: func(t *testing.T, want, got *types.Report) {
+				want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl"
+				want.ArtifactType = ftypes.ArtifactCycloneDX
+
+				require.Len(t, got.Results, 1)
+				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)"
+
+				require.Len(t, got.Results[0].Vulnerabilities, 3)
+				want.Results[0].Vulnerabilities[0].PkgIdentifier.BOMRef = "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"
+				want.Results[0].Vulnerabilities[1].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
+				want.Results[0].Vulnerabilities[2].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
 			},
 		},
 		{
@@ -123,14 +95,12 @@ func TestSBOM(t *testing.T) {
 				artifactType: "spdx",
 			},
 			golden: "testdata/centos-7.json.golden",
-			override: types.Report{
-				ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.txt",
-				ArtifactType: ftypes.ArtifactType("spdx"),
-				Results: types.Results{
-					{
-						Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
-					},
-				},
+			override: func(t *testing.T, want, got *types.Report) {
+				want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.txt"
+				want.ArtifactType = ftypes.ArtifactSPDX
+
+				require.Len(t, got.Results, 1)
+				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)"
 			},
 		},
 		{
@@ -141,14 +111,12 @@ func TestSBOM(t *testing.T) {
 				artifactType: "spdx",
 			},
 			golden: "testdata/centos-7.json.golden",
-			override: types.Report{
-				ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.json",
-				ArtifactType: ftypes.ArtifactType("spdx"),
-				Results: types.Results{
-					{
-						Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
-					},
-				},
+			override: func(t *testing.T, want, got *types.Report) {
+				want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.json"
+				want.ArtifactType = ftypes.ArtifactSPDX
+
+				require.Len(t, got.Results, 1)
+				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)"
 			},
 		},
 		{
@@ -195,20 +163,30 @@ func TestSBOM(t *testing.T) {
 			osArgs = append(osArgs, tt.args.input)

 			// Run "trivy sbom"
-			err := execute(osArgs)
-			assert.NoError(t, err)
-
-			// Compare want and got
-			switch tt.args.format {
-			case "json":
-				compareSBOMReports(t, tt.golden, outputFile, tt.override)
-			default:
-				require.Fail(t, "invalid format", "format: %s", tt.args.format)
-			}
+			runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{
+				override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override),
+			})
 		})
 	}
 }

+func overrideSBOMReport(t *testing.T, want, got *types.Report) {
+	want.Metadata.ImageID = ""
+	want.Metadata.ImageConfig = v1.ConfigFile{}
+	want.Metadata.DiffIDs = nil
+	for i, result := range want.Results {
+		for j := range result.Vulnerabilities {
+			want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
+		}
+	}
+
+	// when running on Windows FS
+	got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))
+	for i, result := range got.Results {
+		got.Results[i].Target = filepath.ToSlash(filepath.Clean(result.Target))
+	}
+}
+
 // TODO(teppei): merge into compareReports
 func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
 	want := readReport(t, wantFile)
--- a/integration/testdata/almalinux-8.json.golden
+++ b/integration/testdata/almalinux-8.json.golden
@@ -57,7 +57,8 @@
          "PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1"
+            "PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1",
+            "UID": "3f965238234faa63"
          },
          "InstalledVersion": "1:1.1.1k-4.el8",
          "FixedVersion": "1:1.1.1k-5.el8_5",
--- a/integration/testdata/alpine-310.json.golden
+++ b/integration/testdata/alpine-310.json.golden
@@ -59,7 +59,8 @@
          "PkgID": "libcrypto1.1@1.1.1c-r0",
          "PkgName": "libcrypto1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
+            "UID": "c6c116a4441ec6de"
          },
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r0",
@@ -131,7 +132,8 @@
          "PkgID": "libcrypto1.1@1.1.1c-r0",
          "PkgName": "libcrypto1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
+            "UID": "c6c116a4441ec6de"
          },
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r2",
@@ -213,7 +215,8 @@
          "PkgID": "libssl1.1@1.1.1c-r0",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
+            "UID": "e132dcfcc51772ef"
          },
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r0",
@@ -285,7 +288,8 @@
          "PkgID": "libssl1.1@1.1.1c-r0",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
+            "UID": "e132dcfcc51772ef"
          },
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r2",
--- a/integration/testdata/alpine-39-high-critical.json.golden
+++ b/integration/testdata/alpine-39-high-critical.json.golden
@@ -59,7 +59,8 @@
          "PkgID": "musl@1.1.20-r4",
          "PkgName": "musl",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
+            "UID": "d6abd271e71d3ce2"
          },
          "InstalledVersion": "1.1.20-r4",
          "FixedVersion": "1.1.20-r5",
@@ -104,7 +105,8 @@
          "PkgID": "musl-utils@1.1.20-r4",
          "PkgName": "musl-utils",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
+            "UID": "8c341199f4077fc8"
          },
          "InstalledVersion": "1.1.20-r4",
          "FixedVersion": "1.1.20-r5",
--- a/integration/testdata/alpine-39-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-39-ignore-cveids.json.golden
@@ -59,7 +59,8 @@
          "PkgID": "libcrypto1.1@1.1.1b-r1",
          "PkgName": "libcrypto1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
+            "UID": "d2c46e721bca75d3"
          },
          "InstalledVersion": "1.1.1b-r1",
          "FixedVersion": "1.1.1d-r2",
@@ -141,7 +142,8 @@
          "PkgID": "libssl1.1@1.1.1b-r1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
+            "UID": "e39a91b0fefcbb1d"
          },
          "InstalledVersion": "1.1.1b-r1",
          "FixedVersion": "1.1.1d-r2",
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -59,7 +59,8 @@
          "PkgID": "libcrypto1.1@1.1.1b-r1",
          "PkgName": "libcrypto1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
+            "UID": "d2c46e721bca75d3"
          },
          "InstalledVersion": "1.1.1b-r1",
          "FixedVersion": "1.1.1d-r0",
@@ -131,7 +132,8 @@
          "PkgID": "libcrypto1.1@1.1.1b-r1",
          "PkgName": "libcrypto1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
+            "UID": "d2c46e721bca75d3"
          },
          "InstalledVersion": "1.1.1b-r1",
          "FixedVersion": "1.1.1d-r2",
@@ -213,7 +215,8 @@
          "PkgID": "libssl1.1@1.1.1b-r1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
+            "UID": "e39a91b0fefcbb1d"
          },
          "InstalledVersion": "1.1.1b-r1",
          "FixedVersion": "1.1.1d-r0",
@@ -285,7 +288,8 @@
          "PkgID": "libssl1.1@1.1.1b-r1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
+            "UID": "e39a91b0fefcbb1d"
          },
          "InstalledVersion": "1.1.1b-r1",
          "FixedVersion": "1.1.1d-r2",
@@ -367,7 +371,8 @@
          "PkgID": "musl@1.1.20-r4",
          "PkgName": "musl",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
+            "UID": "d6abd271e71d3ce2"
          },
          "InstalledVersion": "1.1.20-r4",
          "FixedVersion": "1.1.20-r5",
@@ -412,7 +417,8 @@
          "PkgID": "musl-utils@1.1.20-r4",
          "PkgName": "musl-utils",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
+            "UID": "8c341199f4077fc8"
          },
          "InstalledVersion": "1.1.20-r4",
          "FixedVersion": "1.1.20-r5",
--- a/integration/testdata/alpine-distroless.json.golden
+++ b/integration/testdata/alpine-distroless.json.golden
@@ -54,7 +54,8 @@
          "PkgID": "git@2.35.1-r2",
          "PkgName": "git",
          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16"
+            "PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16",
+            "UID": "d44ac4666246b919"
          },
          "InstalledVersion": "2.35.1-r2",
          "FixedVersion": "2.35.2-r0",
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
@@ -58,7 +58,8 @@
          "PkgID": "curl@7.61.1-11.91.amzn1.x86_64",
          "PkgName": "curl",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03"
+            "PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03",
+            "UID": "9fafb1be522b1e7"
          },
          "InstalledVersion": "7.61.1-11.91.amzn1",
          "FixedVersion": "7.61.1-12.93.amzn1",
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
@@ -58,7 +58,8 @@
          "PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
          "PkgName": "curl",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
+            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
+            "UID": "c5998529d683c5c3"
          },
          "InstalledVersion": "7.61.1-9.amzn2.0.1",
          "FixedVersion": "7.61.1-12.amzn2.0.1",
@@ -129,7 +130,8 @@
          "PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
          "PkgName": "curl",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
+            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
+            "UID": "c5998529d683c5c3"
          },
          "InstalledVersion": "7.61.1-9.amzn2.0.1",
          "FixedVersion": "7.61.1-11.amzn2.0.2",
--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -58,7 +58,8 @@
          "PkgID": "ammonia@1.9.0",
          "PkgName": "ammonia",
          "PkgIdentifier": {
-            "PURL": "pkg:cargo/ammonia@1.9.0"
+            "PURL": "pkg:cargo/ammonia@1.9.0",
+            "UID": "fa518cac41270ffe"
          },
          "InstalledVersion": "1.9.0",
          "FixedVersion": "\u003e= 2.1.0",
@@ -103,7 +104,8 @@
          "PkgID": "ammonia@1.9.0",
          "PkgName": "ammonia",
          "PkgIdentifier": {
-            "PURL": "pkg:cargo/ammonia@1.9.0"
+            "PURL": "pkg:cargo/ammonia@1.9.0",
+            "UID": "fa518cac41270ffe"
          },
          "InstalledVersion": "1.9.0",
          "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
--- a/integration/testdata/centos-6.json.golden
+++ b/integration/testdata/centos-6.json.golden
@@ -80,7 +80,8 @@
          "PkgID": "glibc@2.12-1.212.el6.x86_64",
          "PkgName": "glibc",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10"
+            "PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10",
+            "UID": "24b11591bb7262c4"
          },
          "InstalledVersion": "2.12-1.212.el6",
          "Status": "end_of_life",
@@ -136,7 +137,8 @@
          "PkgID": "openssl@1.0.1e-57.el6.x86_64",
          "PkgName": "openssl",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10"
+            "PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10",
+            "UID": "935959fd0ed81eb9"
          },
          "InstalledVersion": "1.0.1e-57.el6",
          "FixedVersion": "1.0.1e-58.el6_10",
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -73,7 +73,8 @@
          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
+            "UID": "20f09cdcea6545a2"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
@@ -166,7 +167,8 @@
          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
+            "UID": "20f09cdcea6545a2"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
--- a/integration/testdata/centos-7-medium.json.golden
+++ b/integration/testdata/centos-7-medium.json.golden
@@ -73,7 +73,8 @@
          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
+            "UID": "20f09cdcea6545a2"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
@@ -70,7 +70,8 @@
          "PkgID": "bash@4.2.46-31.el7.x86_64",
          "PkgName": "bash",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810"
+            "PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810",
+            "UID": "64aff37eb11b9c25"
          },
          "InstalledVersion": "4.2.46-31.el7",
          "Status": "will_not_fix",
@@ -130,7 +131,8 @@
          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
+            "UID": "20f09cdcea6545a2"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
@@ -223,7 +225,8 @@
          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
+            "UID": "20f09cdcea6545a2"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
--- a/integration/testdata/cocoapods.json.golden
+++ b/integration/testdata/cocoapods.json.golden
@@ -25,7 +25,8 @@
          "ID": "_NIODataStructures@2.41.0",
          "Name": "_NIODataStructures",
          "Identifier": {
-            "PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
+            "PURL": "pkg:cocoapods/_NIODataStructures@2.41.0",
+            "UID": "ddc948d6b5e15241"
          },
          "Version": "2.41.0",
          "Layer": {}
@@ -37,7 +38,8 @@
          "PkgID": "_NIODataStructures@2.41.0",
          "PkgName": "_NIODataStructures",
          "PkgIdentifier": {
-            "PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
+            "PURL": "pkg:cocoapods/_NIODataStructures@2.41.0",
+            "UID": "ddc948d6b5e15241"
          },
          "InstalledVersion": "2.41.0",
          "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
--- a/integration/testdata/composer.lock.json.golden
+++ b/integration/testdata/composer.lock.json.golden
@@ -25,12 +25,14 @@
          "ID": "guzzlehttp/guzzle@7.4.4",
          "Name": "guzzlehttp/guzzle",
          "Identifier": {
-            "PURL": "pkg:composer/guzzlehttp/guzzle@7.4.4"
+            "PURL": "pkg:composer/guzzlehttp/guzzle@7.4.4",
+            "UID": "c26bf8868607a91c"
          },
          "Version": "7.4.4",
          "Licenses": [
            "MIT"
          ],
+          "Relationship": "direct",
          "DependsOn": [
            "guzzlehttp/psr7@1.8.3"
          ],
@@ -46,13 +48,15 @@
          "ID": "guzzlehttp/psr7@1.8.3",
          "Name": "guzzlehttp/psr7",
          "Identifier": {
-            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
+            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
+            "UID": "1730859e3ff83ab9"
          },
          "Version": "1.8.3",
          "Licenses": [
            "MIT"
          ],
          "Indirect": true,
+          "Relationship": "indirect",
          "Layer": {},
          "Locations": [
            {
@@ -68,7 +72,8 @@
          "PkgID": "guzzlehttp/psr7@1.8.3",
          "PkgName": "guzzlehttp/psr7",
          "PkgIdentifier": {
-            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
+            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
+            "UID": "1730859e3ff83ab9"
          },
          "InstalledVersion": "1.8.3",
          "FixedVersion": "1.8.4",
--- a/integration/testdata/conan.json.golden
+++ b/integration/testdata/conan.json.golden
@@ -21,81 +21,15 @@
      "Class": "lang-pkgs",
      "Type": "conan",
      "Packages": [
-        {
-          "ID": "bzip2/1.0.8",
-          "Name": "bzip2",
-          "Identifier": {
-            "PURL": "pkg:conan/bzip2@1.0.8"
-          },
-          "Version": "1.0.8",
-          "Indirect": true,
-          "Layer": {},
-          "Locations": [
-            {
-              "StartLine": 37,
-              "EndLine": 43
-            }
-          ]
-        },
-        {
-          "ID": "expat/2.4.8",
-          "Name": "expat",
-          "Identifier": {
-            "PURL": "pkg:conan/expat@2.4.8"
-          },
-          "Version": "2.4.8",
-          "Indirect": true,
-          "Layer": {},
-          "Locations": [
-            {
-              "StartLine": 51,
-              "EndLine": 57
-            }
-          ]
-        },
-        {
-          "ID": "openssl/1.1.1q",
-          "Name": "openssl",
-          "Identifier": {
-            "PURL": "pkg:conan/openssl@1.1.1q"
-          },
-          "Version": "1.1.1q",
-          "Indirect": true,
-          "Layer": {},
-          "Locations": [
-            {
-              "StartLine": 65,
-              "EndLine": 71
-            }
-          ]
-        },
-        {
-          "ID": "pcre/8.43",
-          "Name": "pcre",
-          "Identifier": {
-            "PURL": "pkg:conan/pcre@8.43"
-          },
-          "Version": "8.43",
-          "Indirect": true,
-          "DependsOn": [
-            "bzip2/1.0.8",
-            "zlib/1.2.12"
-          ],
-          "Layer": {},
-          "Locations": [
-            {
-              "StartLine": 26,
-              "EndLine": 36
-            }
-          ]
-        },
        {
          "ID": "poco/1.9.4",
          "Name": "poco",
          "Identifier": {
-            "PURL": "pkg:conan/poco@1.9.4"
+            "PURL": "pkg:conan/poco@1.9.4",
+            "UID": "312753cebe80c0eb"
          },
          "Version": "1.9.4",
+          "Relationship": "direct",
          "DependsOn": [
            "pcre/8.43",
            "zlib/1.2.12",
@@ -111,14 +45,92 @@
            }
          ]
        },
+        {
+          "ID": "bzip2/1.0.8",
+          "Name": "bzip2",
+          "Identifier": {
+            "PURL": "pkg:conan/bzip2@1.0.8",
+            "UID": "6e2ff993df2d9107"
+          },
+          "Version": "1.0.8",
+          "Indirect": true,
+          "Relationship": "indirect",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 37,
+              "EndLine": 43
+            }
+          ]
+        },
+        {
+          "ID": "expat/2.4.8",
+          "Name": "expat",
+          "Identifier": {
+            "PURL": "pkg:conan/expat@2.4.8",
+            "UID": "71c2d92d60f7f21c"
+          },
+          "Version": "2.4.8",
+          "Indirect": true,
+          "Relationship": "indirect",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 51,
+              "EndLine": 57
+            }
+          ]
+        },
+        {
+          "ID": "openssl/1.1.1q",
+          "Name": "openssl",
+          "Identifier": {
+            "PURL": "pkg:conan/openssl@1.1.1q",
+            "UID": "13c605db6afa69dd"
+          },
+          "Version": "1.1.1q",
+          "Indirect": true,
+          "Relationship": "indirect",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 65,
+              "EndLine": 71
+            }
+          ]
+        },
+        {
+          "ID": "pcre/8.43",
+          "Name": "pcre",
+          "Identifier": {
+            "PURL": "pkg:conan/pcre@8.43",
+            "UID": "4e01c692a67e12e4"
+          },
+          "Version": "8.43",
+          "Indirect": true,
+          "Relationship": "indirect",
+          "DependsOn": [
+            "bzip2/1.0.8",
+            "zlib/1.2.12"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 26,
+              "EndLine": 36
+            }
+          ]
+        },
        {
          "ID": "sqlite3/3.39.2",
          "Name": "sqlite3",
          "Identifier": {
-            "PURL": "pkg:conan/sqlite3@3.39.2"
+            "PURL": "pkg:conan/sqlite3@3.39.2",
+            "UID": "43bc9c58092c7c9e"
          },
          "Version": "3.39.2",
          "Indirect": true,
+          "Relationship": "indirect",
          "Layer": {},
          "Locations": [
            {
@@ -131,10 +143,12 @@
          "ID": "zlib/1.2.12",
          "Name": "zlib",
          "Identifier": {
-            "PURL": "pkg:conan/zlib@1.2.12"
+            "PURL": "pkg:conan/zlib@1.2.12",
+            "UID": "d6faf8d6dfd1985"
          },
          "Version": "1.2.12",
          "Indirect": true,
+          "Relationship": "indirect",
          "Layer": {},
          "Locations": [
            {
@@ -150,7 +164,8 @@
          "PkgID": "pcre/8.43",
          "PkgName": "pcre",
          "PkgIdentifier": {
-            "PURL": "pkg:conan/pcre@8.43"
+            "PURL": "pkg:conan/pcre@8.43",
+            "UID": "4e01c692a67e12e4"
          },
          "InstalledVersion": "8.43",
          "FixedVersion": "8.45",
--- a/integration/testdata/conda-environment-cyclonedx.json.golden
+++ b/integration/testdata/conda-environment-cyclonedx.json.golden
@@ -0,0 +1,80 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000004",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2021-08-25T12:20:30+00:00",
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
+    "component": {
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000001",
+      "type": "application",
+      "name": "testdata/fixtures/repo/conda-environment",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "type": "application",
+      "name": "environment.yaml",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "lang-pkgs"
+        },
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "conda-environment"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:conda/bzip2@1.0.8",
+      "type": "library",
+      "name": "bzip2",
+      "version": "1.0.8",
+      "purl": "pkg:conda/bzip2@1.0.8",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:PkgType",
+          "value": "conda-environment"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "3ff14136-e09f-4df9-80ea-000000000001",
+      "dependsOn": [
+        "3ff14136-e09f-4df9-80ea-000000000002"
+      ]
+    },
+    {
+      "ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "dependsOn": [
+        "pkg:conda/bzip2@1.0.8"
+      ]
+    },
+    {
+      "ref": "pkg:conda/bzip2@1.0.8",
+      "dependsOn": []
+    }
+  ],
+  "vulnerabilities": []
+}
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -61,7 +61,8 @@
          "PkgID": "libidn2-0@2.0.5-1",
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
+            "UID": "473f5eb9e3d4a2f2"
          },
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
@@ -58,7 +58,8 @@
          "PkgID": "bash@5.0-4",
          "PkgName": "bash",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1"
+            "PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1",
+            "UID": "d45ab8ae65ffe67"
          },
          "InstalledVersion": "5.0-4",
          "Status": "affected",
@@ -124,7 +125,8 @@
          "PkgID": "libidn2-0@2.0.5-1",
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
+            "UID": "473f5eb9e3d4a2f2"
          },
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -58,7 +58,8 @@
          "PkgID": "bash@4.4-5",
          "PkgName": "bash",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9",
+            "UID": "6100d09336f565a0"
          },
          "InstalledVersion": "4.4-5",
          "Status": "end_of_life",
@@ -124,7 +125,8 @@
          "PkgID": "e2fslibs@1.43.4-2",
          "PkgName": "e2fslibs",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
+            "UID": "656652ce5818f7b6"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
@@ -197,7 +199,8 @@
          "PkgID": "e2fsprogs@1.43.4-2",
          "PkgName": "e2fsprogs",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
+            "UID": "3d19fd957338dc06"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
@@ -270,7 +273,8 @@
          "PkgID": "libcomerr2@1.43.4-2",
          "PkgName": "libcomerr2",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
+            "UID": "6ba1fac685a0c068"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
@@ -343,7 +347,8 @@
          "PkgID": "libss2@1.43.4-2",
          "PkgName": "libss2",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
+            "UID": "e507c185f61cd2e8"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -56,7 +56,8 @@
          "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "96b92444b87304a5"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -140,7 +141,8 @@
          "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "96b92444b87304a5"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
@@ -230,7 +232,8 @@
          "PkgID": "openssl@1.1.0k-1~deb9u1",
          "PkgName": "openssl",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "ed86402b9a8c2be6"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -314,7 +317,8 @@
          "PkgID": "openssl@1.1.0k-1~deb9u1",
          "PkgName": "openssl",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "ed86402b9a8c2be6"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -73,7 +73,8 @@
          "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "96b92444b87304a5"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -157,7 +158,8 @@
          "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "96b92444b87304a5"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
@@ -247,7 +249,8 @@
          "PkgID": "openssl@1.1.0k-1~deb9u1",
          "PkgName": "openssl",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "ed86402b9a8c2be6"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -331,7 +334,8 @@
          "PkgID": "openssl@1.1.0k-1~deb9u1",
          "PkgName": "openssl",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
+            "UID": "ed86402b9a8c2be6"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
--- a/integration/testdata/dotnet.json.golden
+++ b/integration/testdata/dotnet.json.golden
@@ -24,7 +24,8 @@
        {
          "Name": "Newtonsoft.Json",
          "Identifier": {
-            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
+            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
+            "UID": "19955f480b8a6340"
          },
          "Version": "9.0.1",
          "Layer": {},
@@ -41,7 +42,8 @@
          "VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
          "PkgName": "Newtonsoft.Json",
          "PkgIdentifier": {
-            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
+            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
+            "UID": "19955f480b8a6340"
          },
          "InstalledVersion": "9.0.1",
          "FixedVersion": "13.0.1",
--- a/integration/testdata/fixtures/repo/conda-environment/environment.yaml
+++ b/integration/testdata/fixtures/repo/conda-environment/environment.yaml
@@ -0,0 +1,6 @@
+name: test-env
+channels:
+  - defaults
+dependencies:
+  - bzip2=1.0.8=h998d150_5
+prefix: /opt/conda/envs/test-env
--- a/integration/testdata/fixtures/sbom/minikube-kbom.json
+++ b/integration/testdata/fixtures/sbom/minikube-kbom.json
@@ -48,6 +48,22 @@
        }
      ]
    },
+    {
+      "bom-ref": "b6f66546-5a5c-4fe8-a30f-acb04013c151",
+      "type": "operating-system",
+      "name": "ubuntu",
+      "version": "22.04.2",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        },
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "ubuntu"
+        }
+      ]
+    },
    {
      "bom-ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
      "type": "application",
@@ -325,6 +341,10 @@
      "ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
      "dependsOn": []
    },
+    {
+      "ref": "b6f66546-5a5c-4fe8-a30f-acb04013c151",
+      "dependsOn": []
+    },
    {
      "ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
      "dependsOn": [
@@ -336,6 +356,7 @@
      "ref": "a6350ac3-52f6-4c5f-a3e3-184b9a634bef",
      "dependsOn": [
        "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
+        "b6f66546-5a5c-4fe8-a30f-acb04013c151",
        "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2"
      ]
    },
--- a/integration/testdata/fluentd-gems.json.golden
+++ b/integration/testdata/fluentd-gems.json.golden
@@ -114,7 +114,8 @@
          "PkgID": "libidn2-0@2.0.5-1",
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2"
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2",
+            "UID": "14f80a7091a08e71"
          },
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
@@ -185,7 +186,8 @@
          "PkgName": "activesupport",
          "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
          "PkgIdentifier": {
-            "PURL": "pkg:gem/activesupport@6.0.2.1"
+            "PURL": "pkg:gem/activesupport@6.0.2.1",
+            "UID": "dedd4bd33ed812a3"
          },
          "InstalledVersion": "6.0.2.1",
          "FixedVersion": "6.0.3.1, 5.2.4.3",
--- a/integration/testdata/fluentd-multiple-lockfiles.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -31,6 +31,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
+            "UID": "8ca99d0ea2f4b0a3",
            "BOMRef": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2"
          },
          "InstalledVersion": "5.0-4",
@@ -95,6 +96,7 @@
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
+            "UID": "bd31ad93af9a5d2",
            "BOMRef": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2"
          },
          "InstalledVersion": "2.0.5-1",
@@ -165,6 +167,7 @@
          "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
          "PkgIdentifier": {
            "PURL": "pkg:gem/activesupport@6.0.2.1",
+            "UID": "66a6de64809697cd",
            "BOMRef": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
          },
          "InstalledVersion": "6.0.2.1",
--- a/integration/testdata/gomod-skip.json.golden
+++ b/integration/testdata/gomod-skip.json.golden
@@ -26,7 +26,8 @@
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
+            "UID": "de19cd663ca047a8"
          },
          "InstalledVersion": "2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
@@ -52,7 +53,8 @@
          "PkgID": "github.com/open-policy-agent/opa@v0.35.0",
          "PkgName": "github.com/open-policy-agent/opa",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
+            "PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
+            "UID": "6b685002e082ffc5"
          },
          "InstalledVersion": "0.35.0",
          "FixedVersion": "0.37.0",
@@ -98,7 +100,8 @@
          "PkgID": "golang.org/x/text@v0.3.6",
          "PkgName": "golang.org/x/text",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/golang.org/x/text@0.3.6"
+            "PURL": "pkg:golang/golang.org/x/text@0.3.6",
+            "UID": "825dc613c0f39d45"
          },
          "InstalledVersion": "0.3.6",
          "FixedVersion": "0.3.7",
@@ -130,7 +133,8 @@
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
+            "UID": "94376dc37054a7e8"
          },
          "InstalledVersion": "2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
--- a/integration/testdata/gomod.json.golden
+++ b/integration/testdata/gomod.json.golden
@@ -26,7 +26,8 @@
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
+            "UID": "de19cd663ca047a8"
          },
          "InstalledVersion": "2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
@@ -52,7 +53,8 @@
          "PkgID": "github.com/open-policy-agent/opa@v0.35.0",
          "PkgName": "github.com/open-policy-agent/opa",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
+            "PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
+            "UID": "6b685002e082ffc5"
          },
          "InstalledVersion": "0.35.0",
          "FixedVersion": "0.37.0",
@@ -98,7 +100,8 @@
          "PkgID": "golang.org/x/text@v0.3.6",
          "PkgName": "golang.org/x/text",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/golang.org/x/text@0.3.6"
+            "PURL": "pkg:golang/golang.org/x/text@0.3.6",
+            "UID": "825dc613c0f39d45"
          },
          "InstalledVersion": "0.3.6",
          "FixedVersion": "0.3.7",
@@ -130,7 +133,8 @@
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
+            "UID": "94376dc37054a7e8"
          },
          "InstalledVersion": "2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
@@ -163,7 +167,8 @@
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
-            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
+            "UID": "94306cdcf85fb50a"
          },
          "InstalledVersion": "2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
--- a/integration/testdata/gradle.json.golden
+++ b/integration/testdata/gradle.json.golden
@@ -26,7 +26,8 @@
          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "PkgIdentifier": {
-            "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
+            "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+            "UID": "7014f907b756006b"
          },
          "InstalledVersion": "2.9.1",
          "FixedVersion": "2.9.10.4",
@@ -91,7 +92,8 @@
          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "PkgIdentifier": {
-            "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
+            "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+            "UID": "7014f907b756006b"
          },
          "InstalledVersion": "2.9.1",
          "FixedVersion": "2.9.10.7",
--- a/integration/testdata/mariner-1.0.json.golden
+++ b/integration/testdata/mariner-1.0.json.golden
@@ -42,7 +42,8 @@
          "VulnerabilityID": "CVE-2022-0261",
          "PkgName": "vim",
          "PkgIdentifier": {
-            "PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
+            "PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64",
+            "UID": "3f08cd76fa5ba73d"
          },
          "InstalledVersion": "8.2.4081-1.cm1",
          "Status": "affected",
@@ -78,7 +79,8 @@
          "VulnerabilityID": "CVE-2022-0158",
          "PkgName": "vim",
          "PkgIdentifier": {
-            "PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
+            "PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64",
+            "UID": "3f08cd76fa5ba73d"
          },
          "InstalledVersion": "8.2.4081-1.cm1",
          "FixedVersion": "8.2.4082-1.cm1",
--- a/integration/testdata/minikube-kbom.json.golden
+++ b/integration/testdata/minikube-kbom.json.golden
@@ -36,6 +36,7 @@
          "PkgName": "k8s.io/kubelet",
          "PkgIdentifier": {
            "PURL": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",
+            "UID": "4cb15d0a98eeae67",
            "BOMRef": "pkg:k8s/k8s.io%2Fkubelet@1.27.0"
          },
          "InstalledVersion": "1.27.0",
--- a/integration/testdata/mix.lock.json.golden
+++ b/integration/testdata/mix.lock.json.golden
@@ -25,7 +25,8 @@
          "ID": "castore@0.1.18",
          "Name": "castore",
          "Identifier": {
-            "PURL": "pkg:hex/castore@0.1.18"
+            "PURL": "pkg:hex/castore@0.1.18",
+            "UID": "92fd0f5d45735c7c"
          },
          "Version": "0.1.18",
          "Layer": {},
@@ -40,7 +41,8 @@
          "ID": "jason@1.4.0",
          "Name": "jason",
          "Identifier": {
-            "PURL": "pkg:hex/jason@1.4.0"
+            "PURL": "pkg:hex/jason@1.4.0",
+            "UID": "b9cff6ce54a65dae"
          },
          "Version": "1.4.0",
          "Layer": {},
@@ -55,7 +57,8 @@
          "ID": "phoenix@1.6.13",
          "Name": "phoenix",
          "Identifier": {
-            "PURL": "pkg:hex/phoenix@1.6.13"
+            "PURL": "pkg:hex/phoenix@1.6.13",
+            "UID": "5b0d3fb75bef47e3"
          },
          "Version": "1.6.13",
          "Layer": {},
@@ -70,7 +73,8 @@
          "ID": "phoenix_html@3.2.0",
          "Name": "phoenix_html",
          "Identifier": {
-            "PURL": "pkg:hex/phoenix_html@3.2.0"
+            "PURL": "pkg:hex/phoenix_html@3.2.0",
+            "UID": "8c18e24394b53ab"
          },
          "Version": "3.2.0",
          "Layer": {},
@@ -85,7 +89,8 @@
          "ID": "phoenix_pubsub@2.1.1",
          "Name": "phoenix_pubsub",
          "Identifier": {
-            "PURL": "pkg:hex/phoenix_pubsub@2.1.1"
+            "PURL": "pkg:hex/phoenix_pubsub@2.1.1",
+            "UID": "89226dc20d54eb50"
          },
          "Version": "2.1.1",
          "Layer": {},
@@ -100,7 +105,8 @@
          "ID": "phoenix_template@1.0.0",
          "Name": "phoenix_template",
          "Identifier": {
-            "PURL": "pkg:hex/phoenix_template@1.0.0"
+            "PURL": "pkg:hex/phoenix_template@1.0.0",
+            "UID": "5cd9afe7111a31b7"
          },
          "Version": "1.0.0",
          "Layer": {},
@@ -115,7 +121,8 @@
          "ID": "phoenix_view@2.0.1",
          "Name": "phoenix_view",
          "Identifier": {
-            "PURL": "pkg:hex/phoenix_view@2.0.1"
+            "PURL": "pkg:hex/phoenix_view@2.0.1",
+            "UID": "2f4485f9653589ad"
          },
          "Version": "2.0.1",
          "Layer": {},
@@ -130,7 +137,8 @@
          "ID": "plug@1.14.0",
          "Name": "plug",
          "Identifier": {
-            "PURL": "pkg:hex/plug@1.14.0"
+            "PURL": "pkg:hex/plug@1.14.0",
+            "UID": "2390188ac1142ded"
          },
          "Version": "1.14.0",
          "Layer": {},
@@ -145,7 +153,8 @@
          "ID": "plug_crypto@1.2.3",
          "Name": "plug_crypto",
          "Identifier": {
-            "PURL": "pkg:hex/plug_crypto@1.2.3"
+            "PURL": "pkg:hex/plug_crypto@1.2.3",
+            "UID": "912b06dac071654"
          },
          "Version": "1.2.3",
          "Layer": {},
@@ -160,7 +169,8 @@
          "ID": "telemetry@1.1.0",
          "Name": "telemetry",
          "Identifier": {
-            "PURL": "pkg:hex/telemetry@1.1.0"
+            "PURL": "pkg:hex/telemetry@1.1.0",
+            "UID": "15879b8627da74b9"
          },
          "Version": "1.1.0",
          "Layer": {},
@@ -178,7 +188,8 @@
          "PkgID": "phoenix@1.6.13",
          "PkgName": "phoenix",
          "PkgIdentifier": {
-            "PURL": "pkg:hex/phoenix@1.6.13"
+            "PURL": "pkg:hex/phoenix@1.6.13",
+            "UID": "5b0d3fb75bef47e3"
          },
          "InstalledVersion": "1.6.13",
          "FixedVersion": "1.6.14",
--- a/integration/testdata/npm-with-dev.json.golden
+++ b/integration/testdata/npm-with-dev.json.golden
@@ -25,10 +25,10 @@
          "ID": "asap@2.0.6",
          "Name": "asap",
          "Identifier": {
-            "PURL": "pkg:npm/asap@2.0.6"
+            "PURL": "pkg:npm/asap@2.0.6",
+            "UID": "199d95f873330bd3"
          },
          "Version": "2.0.6",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -41,13 +41,13 @@
          "ID": "jquery@3.3.9",
          "Name": "jquery",
          "Identifier": {
-            "PURL": "pkg:npm/jquery@3.3.9"
+            "PURL": "pkg:npm/jquery@3.3.9",
+            "UID": "e19e84d31f72b60c"
          },
          "Version": "3.3.9",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -60,10 +60,10 @@
          "ID": "js-tokens@4.0.0",
          "Name": "js-tokens",
          "Identifier": {
-            "PURL": "pkg:npm/js-tokens@4.0.0"
+            "PURL": "pkg:npm/js-tokens@4.0.0",
+            "UID": "605df7770562762"
          },
          "Version": "4.0.0",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -76,10 +76,10 @@
          "ID": "loose-envify@1.4.0",
          "Name": "loose-envify",
          "Identifier": {
-            "PURL": "pkg:npm/loose-envify@1.4.0"
+            "PURL": "pkg:npm/loose-envify@1.4.0",
+            "UID": "a40682339e264167"
          },
          "Version": "1.4.0",
-          "Indirect": true,
          "DependsOn": [
            "js-tokens@4.0.0"
          ],
@@ -95,10 +95,10 @@
          "ID": "object-assign@4.1.1",
          "Name": "object-assign",
          "Identifier": {
-            "PURL": "pkg:npm/object-assign@4.1.1"
+            "PURL": "pkg:npm/object-assign@4.1.1",
+            "UID": "ec3b70276c206ac2"
          },
          "Version": "4.1.1",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -111,13 +111,13 @@
          "ID": "promise@8.0.3",
          "Name": "promise",
          "Identifier": {
-            "PURL": "pkg:npm/promise@8.0.3"
+            "PURL": "pkg:npm/promise@8.0.3",
+            "UID": "b60f9aaa4e3cba8f"
          },
          "Version": "8.0.3",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "DependsOn": [
            "asap@2.0.6"
          ],
@@ -133,10 +133,10 @@
          "ID": "prop-types@15.7.2",
          "Name": "prop-types",
          "Identifier": {
-            "PURL": "pkg:npm/prop-types@15.7.2"
+            "PURL": "pkg:npm/prop-types@15.7.2",
+            "UID": "5a0c427e953b2a24"
          },
          "Version": "15.7.2",
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "object-assign@4.1.1",
@@ -154,13 +154,13 @@
          "ID": "react@16.8.6",
          "Name": "react",
          "Identifier": {
-            "PURL": "pkg:npm/react@16.8.6"
+            "PURL": "pkg:npm/react@16.8.6",
+            "UID": "da9140320b70dc57"
          },
          "Version": "16.8.6",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "object-assign@4.1.1",
@@ -179,13 +179,13 @@
          "ID": "react-is@16.8.6",
          "Name": "react-is",
          "Identifier": {
-            "PURL": "pkg:npm/react-is@16.8.6"
+            "PURL": "pkg:npm/react-is@16.8.6",
+            "UID": "f50b67a44460b362"
          },
          "Version": "16.8.6",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -198,13 +198,13 @@
          "ID": "redux@4.0.1",
          "Name": "redux",
          "Identifier": {
-            "PURL": "pkg:npm/redux@4.0.1"
+            "PURL": "pkg:npm/redux@4.0.1",
+            "UID": "fbb7d7c45dbba492"
          },
          "Version": "4.0.1",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "symbol-observable@1.2.0"
@@ -221,10 +221,10 @@
          "ID": "scheduler@0.13.6",
          "Name": "scheduler",
          "Identifier": {
-            "PURL": "pkg:npm/scheduler@0.13.6"
+            "PURL": "pkg:npm/scheduler@0.13.6",
+            "UID": "9738f8ac302a0bb"
          },
          "Version": "0.13.6",
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "object-assign@4.1.1"
@@ -241,10 +241,10 @@
          "ID": "symbol-observable@1.2.0",
          "Name": "symbol-observable",
          "Identifier": {
-            "PURL": "pkg:npm/symbol-observable@1.2.0"
+            "PURL": "pkg:npm/symbol-observable@1.2.0",
+            "UID": "b14a083f8b9e59bc"
          },
          "Version": "1.2.0",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -257,14 +257,14 @@
          "ID": "z-lock@1.0.0",
          "Name": "z-lock",
          "Identifier": {
-            "PURL": "pkg:npm/z-lock@1.0.0"
+            "PURL": "pkg:npm/z-lock@1.0.0",
+            "UID": "f6ba8a4be50ce713"
          },
          "Version": "1.0.0",
          "Dev": true,
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -280,7 +280,8 @@
          "PkgID": "jquery@3.3.9",
          "PkgName": "jquery",
          "PkgIdentifier": {
-            "PURL": "pkg:npm/jquery@3.3.9"
+            "PURL": "pkg:npm/jquery@3.3.9",
+            "UID": "e19e84d31f72b60c"
          },
          "InstalledVersion": "3.3.9",
          "FixedVersion": "3.4.0",
--- a/integration/testdata/npm.json.golden
+++ b/integration/testdata/npm.json.golden
@@ -25,10 +25,10 @@
          "ID": "asap@2.0.6",
          "Name": "asap",
          "Identifier": {
-            "PURL": "pkg:npm/asap@2.0.6"
+            "PURL": "pkg:npm/asap@2.0.6",
+            "UID": "199d95f873330bd3"
          },
          "Version": "2.0.6",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -41,13 +41,13 @@
          "ID": "jquery@3.3.9",
          "Name": "jquery",
          "Identifier": {
-            "PURL": "pkg:npm/jquery@3.3.9"
+            "PURL": "pkg:npm/jquery@3.3.9",
+            "UID": "e19e84d31f72b60c"
          },
          "Version": "3.3.9",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -60,10 +60,10 @@
          "ID": "js-tokens@4.0.0",
          "Name": "js-tokens",
          "Identifier": {
-            "PURL": "pkg:npm/js-tokens@4.0.0"
+            "PURL": "pkg:npm/js-tokens@4.0.0",
+            "UID": "605df7770562762"
          },
          "Version": "4.0.0",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -76,10 +76,10 @@
          "ID": "loose-envify@1.4.0",
          "Name": "loose-envify",
          "Identifier": {
-            "PURL": "pkg:npm/loose-envify@1.4.0"
+            "PURL": "pkg:npm/loose-envify@1.4.0",
+            "UID": "a40682339e264167"
          },
          "Version": "1.4.0",
-          "Indirect": true,
          "DependsOn": [
            "js-tokens@4.0.0"
          ],
@@ -95,10 +95,10 @@
          "ID": "object-assign@4.1.1",
          "Name": "object-assign",
          "Identifier": {
-            "PURL": "pkg:npm/object-assign@4.1.1"
+            "PURL": "pkg:npm/object-assign@4.1.1",
+            "UID": "ec3b70276c206ac2"
          },
          "Version": "4.1.1",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -111,13 +111,13 @@
          "ID": "promise@8.0.3",
          "Name": "promise",
          "Identifier": {
-            "PURL": "pkg:npm/promise@8.0.3"
+            "PURL": "pkg:npm/promise@8.0.3",
+            "UID": "b60f9aaa4e3cba8f"
          },
          "Version": "8.0.3",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "DependsOn": [
            "asap@2.0.6"
          ],
@@ -133,10 +133,10 @@
          "ID": "prop-types@15.7.2",
          "Name": "prop-types",
          "Identifier": {
-            "PURL": "pkg:npm/prop-types@15.7.2"
+            "PURL": "pkg:npm/prop-types@15.7.2",
+            "UID": "5a0c427e953b2a24"
          },
          "Version": "15.7.2",
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "object-assign@4.1.1",
@@ -154,13 +154,13 @@
          "ID": "react@16.8.6",
          "Name": "react",
          "Identifier": {
-            "PURL": "pkg:npm/react@16.8.6"
+            "PURL": "pkg:npm/react@16.8.6",
+            "UID": "da9140320b70dc57"
          },
          "Version": "16.8.6",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "object-assign@4.1.1",
@@ -179,13 +179,13 @@
          "ID": "react-is@16.8.6",
          "Name": "react-is",
          "Identifier": {
-            "PURL": "pkg:npm/react-is@16.8.6"
+            "PURL": "pkg:npm/react-is@16.8.6",
+            "UID": "f50b67a44460b362"
          },
          "Version": "16.8.6",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -198,13 +198,13 @@
          "ID": "redux@4.0.1",
          "Name": "redux",
          "Identifier": {
-            "PURL": "pkg:npm/redux@4.0.1"
+            "PURL": "pkg:npm/redux@4.0.1",
+            "UID": "fbb7d7c45dbba492"
          },
          "Version": "4.0.1",
          "Licenses": [
            "MIT"
          ],
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "symbol-observable@1.2.0"
@@ -221,10 +221,10 @@
          "ID": "scheduler@0.13.6",
          "Name": "scheduler",
          "Identifier": {
-            "PURL": "pkg:npm/scheduler@0.13.6"
+            "PURL": "pkg:npm/scheduler@0.13.6",
+            "UID": "9738f8ac302a0bb"
          },
          "Version": "0.13.6",
-          "Indirect": true,
          "DependsOn": [
            "loose-envify@1.4.0",
            "object-assign@4.1.1"
@@ -241,10 +241,10 @@
          "ID": "symbol-observable@1.2.0",
          "Name": "symbol-observable",
          "Identifier": {
-            "PURL": "pkg:npm/symbol-observable@1.2.0"
+            "PURL": "pkg:npm/symbol-observable@1.2.0",
+            "UID": "b14a083f8b9e59bc"
          },
          "Version": "1.2.0",
-          "Indirect": true,
          "Layer": {},
          "Locations": [
            {
@@ -260,7 +260,8 @@
          "PkgID": "jquery@3.3.9",
          "PkgName": "jquery",
          "PkgIdentifier": {
-            "PURL": "pkg:npm/jquery@3.3.9"
+            "PURL": "pkg:npm/jquery@3.3.9",
+            "UID": "e19e84d31f72b60c"
          },
          "InstalledVersion": "3.3.9",
          "FixedVersion": "3.4.0",
--- a/integration/testdata/nuget.json.golden
+++ b/integration/testdata/nuget.json.golden
@@ -25,9 +25,11 @@
          "ID": "Newtonsoft.Json@12.0.3",
          "Name": "Newtonsoft.Json",
          "Identifier": {
-            "PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
+            "PURL": "pkg:nuget/Newtonsoft.Json@12.0.3",
+            "UID": "d4249b2442e303e9"
          },
          "Version": "12.0.3",
+          "Relationship": "direct",
          "Layer": {},
          "Locations": [
            {
@@ -40,9 +42,11 @@
          "ID": "NuGet.Frameworks@5.7.0",
          "Name": "NuGet.Frameworks",
          "Identifier": {
-            "PURL": "pkg:nuget/NuGet.Frameworks@5.7.0"
+            "PURL": "pkg:nuget/NuGet.Frameworks@5.7.0",
+            "UID": "6fa0c117039de82a"
          },
          "Version": "5.7.0",
+          "Relationship": "direct",
          "DependsOn": [
            "Newtonsoft.Json@12.0.3"
          ],
@@ -61,7 +65,8 @@
          "PkgID": "Newtonsoft.Json@12.0.3",
          "PkgName": "Newtonsoft.Json",
          "PkgIdentifier": {
-            "PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
+            "PURL": "pkg:nuget/Newtonsoft.Json@12.0.3",
+            "UID": "d4249b2442e303e9"
          },
          "InstalledVersion": "12.0.3",
          "FixedVersion": "13.0.1",
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -66,7 +66,8 @@
          "PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
          "PkgName": "libopenssl1_1",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1"
+            "PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+            "UID": "898b73ddd0412f57"
          },
          "InstalledVersion": "1.1.0i-lp151.8.3.1",
          "FixedVersion": "1.1.0i-lp151.8.6.1",
@@ -98,7 +99,8 @@
          "PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
          "PkgName": "openssl-1_1",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1"
+            "PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+            "UID": "58980d005de43f54"
          },
          "InstalledVersion": "1.1.0i-lp151.8.3.1",
          "FixedVersion": "1.1.0i-lp151.8.6.1",
--- a/integration/testdata/oraclelinux-8.json.golden
+++ b/integration/testdata/oraclelinux-8.json.golden
@@ -67,7 +67,8 @@
          "PkgID": "curl@7.61.1-8.el8.x86_64",
          "PkgName": "curl",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0"
+            "PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
+            "UID": "6837a94bd82971ac"
          },
          "InstalledVersion": "7.61.1-8.el8",
          "FixedVersion": "7.61.1-11.el8",
@@ -137,7 +138,8 @@
          "PkgID": "curl@7.61.1-8.el8.x86_64",
          "PkgName": "curl",
          "PkgIdentifier": {
-            "PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0"
+            "PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
+            "UID": "6837a94bd82971ac"
          },
          "InstalledVersion": "7.61.1-8.el8",
          "FixedVersion": "7.61.1-12.el8",
--- a/integration/testdata/packagesprops.json.golden
+++ b/integration/testdata/packagesprops.json.golden
@@ -25,7 +25,8 @@
          "ID": "Newtonsoft.Json@9.0.1",
          "Name": "Newtonsoft.Json",
          "Identifier": {
-            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
+            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
+            "UID": "a391c576ea549d63"
          },
          "Version": "9.0.1",
          "Layer": {}
@@ -37,7 +38,8 @@
          "PkgID": "Newtonsoft.Json@9.0.1",
          "PkgName": "Newtonsoft.Json",
          "PkgIdentifier": {
-            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
+            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
+            "UID": "a391c576ea549d63"
          },
          "InstalledVersion": "9.0.1",
          "FixedVersion": "13.0.1",
--- a/Show More
+++ b/Show More