test(flag): enhance TestCustomFlagGroups to include environment variable support

- Added a test case to verify the behavior of the `TRIVY_FOO` environment variable in the `TestCustomFlagGroups` function.
- Ensured that the flag system correctly retrieves values from both environment variables and custom flags.
- Improved test coverage for the flag handling functionality.

.github/CODEOWNERS

@@ -15,8 +15,8 @@ pkg/cloud/                           @simar7 @nikpivkin
 pkg/iac/                             @simar7 @nikpivkin
 
 # Helm chart
-helm/trivy/ @chen-keinan
+helm/trivy/ @afdesk @simar7
 
 # Kubernetes scanning
-pkg/k8s/                         @chen-keinan
-docs/docs/target/kubernetes.md   @chen-keinan
+pkg/k8s/                         @afdesk @simar7
+docs/docs/target/kubernetes.md   @afdesk @simar7

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -10,7 +10,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Description
@@ -116,8 +116,8 @@ body:
       label: Checklist
       description: Have you tried the following?
       options:
-        - label: Run `trivy image --reset`
-        - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
+        - label: Run `trivy clean --all`
+        - label: Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)
   - type: markdown
     attributes:
       value: |

.github/DISCUSSION_TEMPLATE/documentation.yml

@@ -7,7 +7,7 @@ body:
         Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
         Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Description

.github/DISCUSSION_TEMPLATE/false-detection.yml

@@ -8,7 +8,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: input
     attributes:
       label: IDs
@@ -86,7 +86,7 @@ body:
     attributes:
       label: Checklist
       options:
-        - label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
+        - label: Read [the documentation regarding wrong detection](https://trivy.dev/dev/community/contribute/discussion/#false-detection)
         - label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
     validations:
       required: true

.github/DISCUSSION_TEMPLATE/ideas.yml

@@ -9,7 +9,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Description

.github/DISCUSSION_TEMPLATE/q-a.yml

@@ -9,7 +9,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Question

.github/actions/trivy-triage/Makefile

@@ -0,0 +1,3 @@
+.PHONEY: test
+test: helpers.js helpers.test.js
+	node --test helpers.test.js

.github/actions/trivy-triage/action.yaml

@@ -0,0 +1,29 @@
+name: 'trivy-discussion-triage'
+description: 'automatic triage of Trivy discussions'
+inputs:
+  discussion_num:
+    description: 'Discussion number to triage'
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: Conditionally label discussions based on category and content
+      env:
+        GH_TOKEN: ${{ github.token }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const {detectDiscussionLabels, fetchDiscussion, labelDiscussion } = require('${{ github.action_path }}/helpers.js');
+          const config = require('${{ github.action_path }}/config.json');
+          discussionNum = parseInt(${{ inputs.discussion_num }});
+          let discussion;
+          if (discussionNum > 0) {
+              discussion = (await fetchDiscussion(github, context.repo.owner, context.repo.repo, discussionNum)).repository.discussion;
+          } else {
+              discussion = context.payload.discussion;
+          }
+          const labels = detectDiscussionLabels(discussion, config.discussionLabels);
+          if (labels.length > 0) {
+              console.log(`Adding labels ${labels} to discussion ${discussion.node_id}`);
+              labelDiscussion(github, discussion.node_id, labels);
+          }

.github/actions/trivy-triage/config.json

@@ -0,0 +1,14 @@
+{
+    "discussionLabels": {
+        "Container Image":"LA_kwDOCsUTCM75TTQU",
+        "Filesystem":"LA_kwDOCsUTCM75TTQX",
+        "Git Repository":"LA_kwDOCsUTCM75TTQk",
+        "Virtual Machine Image":"LA_kwDOCsUTCM8AAAABMpz1bw",
+        "Kubernetes":"LA_kwDOCsUTCM75TTQv",
+        "AWS":"LA_kwDOCsUTCM8AAAABMpz1aA",
+        "Vulnerability":"LA_kwDOCsUTCM75TTPa",
+        "Misconfiguration":"LA_kwDOCsUTCM75TTP8",
+        "License":"LA_kwDOCsUTCM77ztRR",
+        "Secret":"LA_kwDOCsUTCM75TTQL"
+    }
+}

.github/actions/trivy-triage/helpers.js

@@ -0,0 +1,70 @@
+module.exports = {
+    detectDiscussionLabels: (discussion, configDiscussionLabels) => {
+        res = [];
+        const discussionId = discussion.id;
+        const category = discussion.category.name;
+        const body = discussion.body;
+        if (category !== "Ideas") {
+            console.log(`skipping discussion with category ${category} and body ${body}`);
+            return [];
+        }
+        const scannerPattern = /### Scanner\n\n(.+)/;
+        const scannerFound = body.match(scannerPattern);
+        if (scannerFound && scannerFound.length > 1) {
+            res.push(configDiscussionLabels[scannerFound[1]]);
+        }
+        const targetPattern = /### Target\n\n(.+)/;
+        const targetFound = body.match(targetPattern);
+        if (targetFound && targetFound.length > 1) {
+            res.push(configDiscussionLabels[targetFound[1]]);
+        }
+        return res;
+    },
+    fetchDiscussion: async (github, owner, repo, discussionNum) => {
+        const query = `query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
+            repository(name: $repo, owner: $owner) {
+                discussion(number: $discussion_num) {
+                    number,
+                    id,
+                    body,
+                    category {
+                        id,
+                        name
+                    },
+                    labels(first: 100) {
+                        edges {
+                            node {
+                                id,
+                                name
+                            }
+                        }
+                    }
+                }
+            }
+        }`;
+        const vars = {
+            owner: owner,
+            repo: repo,
+            discussion_num: discussionNum
+        };
+        return github.graphql(query, vars);
+    },
+    labelDiscussion: async (github, discussionId, labelIds) => {
+        const query = `mutation AddLabels($labelId: ID!, $labelableId:ID!) {
+            addLabelsToLabelable(
+                input: {labelIds: [$labelId], labelableId: $labelableId}
+            ) {
+                clientMutationId
+            }
+        }`;
+        // TODO: add all labels in one call
+        labelIds.forEach((labelId) => {
+            const vars = {
+                labelId: labelId,
+                labelableId: discussionId
+            };
+            github.graphql(query, vars);
+        });
+    }
+};
+

.github/actions/trivy-triage/helpers.test.js

@@ -0,0 +1,87 @@
+const assert = require('node:assert/strict');
+const { describe, it } = require('node:test');
+const {detectDiscussionLabels} = require('./helpers.js');
+
+const configDiscussionLabels = {
+  "Container Image":"ContainerImageLabel",
+  "Filesystem":"FilesystemLabel",
+  "Vulnerability":"VulnerabilityLabel",
+  "Misconfiguration":"MisconfigurationLabel",
+};
+
+describe('trivy-triage', async function() {
+  describe('detectDiscussionLabels', async function() {
+    it('detect scanner label', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('VulnerabilityLabel'));
+    });
+    it('detect target label', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect label when it is first', async function() {
+      const discussion = {
+        body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect label when it is last', async function() {
+      const discussion = {
+        body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect scanner and target labels', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+      assert(labels.includes('VulnerabilityLabel'));
+    });
+    it('not detect other labels', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(!labels.includes('FilesystemLabel'));
+      assert(!labels.includes('MisconfigurationLabel'));
+    });
+    it('process only relevant categories', async function() {
+      const discussion = {
+        body: 'hello world', 
+        category: {
+          name: 'Announcements'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.length === 0);
+    });
+  });
+});

.github/actions/trivy-triage/testutils/discussion-payload-sample.json

@@ -0,0 +1,65 @@
+{
+    "active_lock_reason": null,
+    "answer_chosen_at": null,
+    "answer_chosen_by": null,
+    "answer_html_url": null,
+    "author_association": "OWNER",
+    "body": "### Description\n\nlfdjs lfkdj dflsakjfd ';djk \r\nfadfd \r\nasdlkf \r\na;df \r\ndfsal;kfd ;akjl\n\n### Target\n\nContainer Image\n\n### Scanner\n\nMisconfiguration",
+    "category": {
+      "created_at": "2023-07-02T10:14:46.000+03:00",
+      "description": "Share ideas for new features",
+      "emoji": ":bulb:",
+      "id": 39743708,
+      "is_answerable": false,
+      "name": "Ideas",
+      "node_id": "DIC_kwDOE0GiPM4CXnDc",
+      "repository_id": 323068476,
+      "slug": "ideas",
+      "updated_at": "2023-07-02T10:14:46.000+03:00"
+    },
+    "comments": 0,
+    "created_at": "2023-09-11T08:40:11Z",
+    "html_url": "https://github.com/itaysk/testactions/discussions/9",
+    "id": 5614504,
+    "locked": false,
+    "node_id": "D_kwDOE0GiPM4AVauo",
+    "number": 9,
+    "reactions": {
+      "+1": 0,
+      "-1": 0,
+      "confused": 0,
+      "eyes": 0,
+      "heart": 0,
+      "hooray": 0,
+      "laugh": 0,
+      "rocket": 0,
+      "total_count": 0,
+      "url": "https://api.github.com/repos/itaysk/testactions/discussions/9/reactions"
+    },
+    "repository_url": "https://api.github.com/repos/itaysk/testactions",
+    "state": "open",
+    "state_reason": null,
+    "timeline_url": "https://api.github.com/repos/itaysk/testactions/discussions/9/timeline",
+    "title": "Title title",
+    "updated_at": "2023-09-11T08:40:11Z",
+    "user": {
+      "avatar_url": "https://avatars.githubusercontent.com/u/1161307?v=4",
+      "events_url": "https://api.github.com/users/itaysk/events{/privacy}",
+      "followers_url": "https://api.github.com/users/itaysk/followers",
+      "following_url": "https://api.github.com/users/itaysk/following{/other_user}",
+      "gists_url": "https://api.github.com/users/itaysk/gists{/gist_id}",
+      "gravatar_id": "",
+      "html_url": "https://github.com/itaysk",
+      "id": 1161307,
+      "login": "itaysk",
+      "node_id": "MDQ6VXNlcjExNjEzMDc=",
+      "organizations_url": "https://api.github.com/users/itaysk/orgs",
+      "received_events_url": "https://api.github.com/users/itaysk/received_events",
+      "repos_url": "https://api.github.com/users/itaysk/repos",
+      "site_admin": false,
+      "starred_url": "https://api.github.com/users/itaysk/starred{/owner}{/repo}",
+      "subscriptions_url": "https://api.github.com/users/itaysk/subscriptions",
+      "type": "User",
+      "url": "https://api.github.com/users/itaysk"
+    }
+}

.github/actions/trivy-triage/testutils/fetchDiscussion.sh

@@ -0,0 +1,29 @@
+#! /bin/bash
+# fetch discussion by discussion number
+# requires authenticated gh cli, assumes repo but current git repository
+# args:
+#   $1: discussion number, e.g 123, required
+
+discussion_num="$1"
+gh api graphql -F discussion_num="$discussion_num" -F repo="{repo}" -F owner="{owner}" -f query='
+    query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
+    repository(name: $repo, owner: $owner) {
+        discussion(number: $discussion_num) {
+        number,
+        id,
+        body,
+        category {
+            id,
+            name
+        },
+        labels(first: 100) {
+            edges {
+            node {
+                id,
+                name
+            }
+            }
+        }
+        }
+    }
+    }'

.github/actions/trivy-triage/testutils/fetchLabels.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+# fetch labels and their IDs
+# requires authenticated gh cli, assumes repo but current git repository
+
+gh api graphql -F repo="{repo}" -F owner="{owner}" -f query='
+    query GetLabelIds($owner: String!, $repo: String!) {
+    repository(name: $repo, owner: $owner) {
+        id
+        labels(first: 100) {
+        nodes {
+            id
+            name
+        }
+        }
+    }
+    }'

.github/actions/trivy-triage/testutils/labelDiscussion.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+# add a label to a discussion
+# requires authenticated gh cli, assumes repo but current git repository
+# args:
+#   $1: discussion ID (not number!), e.g DIC_kwDOE0GiPM4CXnDc, required
+#   $2: label ID, e.g. MDU6TGFiZWwzNjIzNjY0MjQ=, required
+discussion_id="$1"
+label_id="$2"
+gh api graphql -F labelableId="$discussion_id" -F labelId="$label_id" -F repo="{repo}" -F owner="{owner}" -f query='
+        mutation AddLabels($labelId: ID!, $labelableId:ID!) {
+            addLabelsToLabelable(
+                input: {labelIds: [$labelId], labelableId: $labelableId}
+            ) {
+                clientMutationId
+            }
+        }'

.github/dependabot.yml

@@ -4,12 +4,38 @@ updates:
     directory: /
     schedule:
       interval: monthly
+    groups:
+      github-actions:
+        patterns:
+          - "*"
   - package-ecosystem: docker
     directory: /
     schedule:
       interval: monthly
+    groups:
+      docker:
+        patterns:
+          - "*"
   - package-ecosystem: gomod
     open-pull-requests-limit: 10
     directory: /
     schedule:
-      interval: monthly
+      interval: weekly
+    ignore:
+      - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
+    groups:
+      aws:
+        patterns:
+          - "github.com/aws/*"
+      docker:
+        patterns:
+          - "github.com/docker/*"
+          - "github.com/moby/*"
+      testcontainers:
+        patterns:
+          - "github.com/testcontainers/*"
+      common:
+        exclude-patterns:
+          - "github.com/aquasecurity/trivy-*"
+        patterns:
+          - "*"

.github/pull_request_template.md

@@ -10,8 +10,8 @@
 Remove this section if you don't have related PRs.
 
 ## Checklist
-- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
-- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
+- [ ] I've read the [guidelines for contributing](https://trivy.dev/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://trivy.dev/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)

.github/workflows/auto-close-issue.yaml

@@ -26,7 +26,7 @@ jobs:
             
             // If the user does not have write or admin permissions, leave a comment and close the issue
             if (permission !== 'write' && permission !== 'admin') {
-              const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
+              const commentBody = "Please see https://trivy.dev/latest/community/contribute/issue/";
               await github.rest.issues.createComment({
                 owner: context.repo.owner,
                 repo: context.repo.repo,

.github/workflows/auto-update-labels.yaml

@@ -5,24 +5,22 @@ on:
       - 'misc/triage/labels.yaml'
     branches:
       - main
-
 jobs:
   deploy:
     name: Auto-update labels
     runs-on: ubuntu-latest
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: false
 
-      - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v2.2.0
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: update labels
         env:

.github/workflows/backport.yaml

@@ -0,0 +1,60 @@
+name: Automatic Backporting
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  check_permission:
+    name: Check comment author permissions
+    runs-on: ubuntu-latest
+    outputs:
+      is_maintainer: ${{ steps.check_permission.outputs.is_maintainer }}
+    steps:
+      - name: Check permission
+        id: check_permission
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+          if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
+           echo "is_maintainer=true" >> $GITHUB_OUTPUT
+          else
+           echo "is_maintainer=false" >> $GITHUB_OUTPUT
+          fi
+  
+
+  backport:
+    name: Backport PR
+    needs: check_permission # run this job after checking permissions
+    if: |
+      needs.check_permission.outputs.is_maintainer == 'true' &&      
+      github.event.issue.pull_request &&
+      github.event.issue.pull_request.merged_at != null &&
+      startsWith(github.event.comment.body, '@aqua-bot backport release/')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract branch name
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        run: |
+          BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Run backport script
+        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/bypass-test.yaml

@@ -8,12 +8,16 @@ on:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
+      - '.release-please-manifest.json'
+      - 'helm/trivy/Chart.yaml'
   pull_request:
     paths:
       - '**.md'
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
+      - '.release-please-manifest.json'
+      - 'helm/trivy/Chart.yaml'
 jobs:
   test:
     name: Test

.github/workflows/cache-test-images.yaml

@@ -0,0 +1,80 @@
+name: Cache test images
+on:
+  schedule:
+    - cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
+  workflow_dispatch:
+
+jobs:
+  test-images:
+    name: Cache test images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        if: github.ref_name == 'main'
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      ## We need to work with test image cache only for main branch
+      - name: Restore and save test images cache
+        if: github.ref_name == 'main'
+        uses: actions/cache@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+
+      - name: Download test images
+        if: github.ref_name == 'main'
+        run: mage test:fixtureContainerImages
+
+  test-vm-images:
+    name: Cache test VM images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        if: github.ref_name == 'main'
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      ## We need to work with test VM image cache only for main branch
+      - name: Restore and save test VM images cache
+        if: github.ref_name == 'main'
+        uses: actions/cache@v4
+        with:
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+
+      - name: Download test VM images
+        if: github.ref_name == 'main'
+        run: mage test:fixtureVMImages

.github/workflows/canary.yaml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/mkdocs-dev.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
           persist-credentials: true
@@ -22,7 +22,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
           pip install -r docs/build/requirements.txt
         env:
           GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}

.github/workflows/mkdocs-latest.yaml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
           persist-credentials: true
@@ -24,7 +24,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
           pip install -r docs/build/requirements.txt
         env:
           GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}

.github/workflows/publish-chart.yaml

@@ -4,6 +4,11 @@ name: Publish Helm chart
 on:
   workflow_dispatch:
   pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - closed
     branches:
       - main
     paths:
@@ -18,26 +23,29 @@ env:
   KIND_VERSION: "v0.14.0"
   KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
+  # `test-chart` job starts if a PR with Helm Chart is created, merged etc.
   test-chart:
-    runs-on: ubuntu-20.04
+    if: github.event_name != 'push'
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
         with:
-          version: v3.5.0
+          version: v3.14.4
       - name: Set up python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.7
+          python-version: '3.x'
+          check-latest: true
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -48,14 +56,45 @@ jobs:
           sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
-  publish-chart:
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-    needs:
-      - test-chart
-    runs-on: ubuntu-20.04
+  # `update-chart-version` job starts if a new tag is pushed
+  update-chart-version:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action  
+
+      - name: Create a PR with Trivy version
+        run: mage helm:updateVersion
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+  # `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
+  publish-chart:
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+    needs:
+      - test-chart
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
       - name: Install chart-releaser

.github/workflows/release-please.yaml

@@ -0,0 +1,111 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/v*'
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: 'Release version without the "v" prefix (e.g., 0.51.0)'
+        type: string
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    if: ${{ !startsWith(github.event.head_commit.message, 'release:') && !github.event.inputs.version }}
+    steps:
+      - name: Release Please
+        id: release
+        uses: googleapis/release-please-action@v4
+        with:
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+          target-branch: ${{ github.ref_name }}
+
+  manual-release-please:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.inputs.version }}
+    steps:
+      - name: Install Release Please CLI
+        run: npm install release-please -g
+
+      - name: Release Please
+        run: |
+          release-please release-pr --repo-url=${{ github.server_url }}/${{ github.repository }} \
+            --token=${{ secrets.ORG_REPO_TOKEN }} \
+            --release-as=${{ github.event.inputs.version }} \
+            --target-branch=${{ github.ref_name }}
+
+  release-tag:
+    runs-on: ubuntu-latest
+    if: ${{ startsWith(github.event.head_commit.message, 'release:') }}
+    steps:
+      # Since skip-github-release is specified, the outputs of googleapis/release-please-action cannot be used.
+      # Therefore, we need to parse the version ourselves.
+      - name: Extract version and PR number from commit message
+        id: extract_info
+        shell: bash
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+        run: |
+          echo "version=$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "pr_number=$( echo "$COMMIT_MESSAGE" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "release_branch=release/v$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+
+      - name: Tag release
+        if: ${{ steps.extract_info.outputs.version }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
+          script: |
+            await github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `refs/tags/v${{ steps.extract_info.outputs.version }}`,
+              sha: context.sha
+            });
+
+      # When v0.50.0 is released, a release branch "release/v0.50" is created.
+      - name: Create release branch for patch versions
+        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
+          script: |
+            const releaseBranch = '${{ steps.extract_info.outputs.release_branch }}';
+            await github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `refs/heads/${releaseBranch}`,
+              sha: context.sha
+            });
+      
+
+      # Add release branch to rulesets to enable merge queue
+      - name: Add release branch to rulesets
+        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        shell: bash
+        run: |
+          RULESET_ID=$(gh api /repos/${{ github.repository }}/rulesets --jq '.[] | select(.name=="release") | .id')
+          gh api /repos/${{ github.repository }}/rulesets/$RULESET_ID | jq '{conditions}' | jq '.conditions.ref_name.include += ["refs/heads/${{ steps.extract_info.outputs.release_branch }}"]' | gh api --method put --input - /repos/${{ github.repository }}/rulesets/$RULESET_ID
+
+      # Since skip-github-release is specified, googleapis/release-please-action doesn't delete the label from PR.
+      # This label prevents the subsequent PRs from being created. Therefore, we need to delete it ourselves.
+      # cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
+      - name: Remove the label from PR
+        if: ${{ steps.extract_info.outputs.pr_number }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const prNumber = parseInt('${{ steps.extract_info.outputs.pr_number }}', 10);
+            github.rest.issues.removeLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              name: 'autorelease: pending'
+            });

.github/workflows/release-pr-check.yaml

@@ -0,0 +1,21 @@
+name: Backport PR Check
+
+on:
+  pull_request:
+    branches:
+      - 'release/v*'
+
+jobs:
+  check-pr-author:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR author
+        id: check_author
+        env:
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        run: |
+          if [ "$PR_AUTHOR" != "aqua-bot" ]; then
+            echo "::error::This branch is intended for automated backporting by bot. Please refer to the documentation:"
+            echo "::error::https://trivy.dev/latest/community/maintainer/backporting/"
+            exit 1
+          fi

.github/workflows/release.yaml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
           sudo apt-get -y install rpm reprepro createrepo-c distro-info
 
       - name: Checkout trivy-repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo

.github/workflows/reusable-release.yaml

@@ -18,7 +18,7 @@ env:
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-m
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     permissions:
@@ -26,17 +26,8 @@ jobs:
       packages: write # For GHCR
       contents: read  # Not required for public repositories, but for clarity
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-          remove-android: 'true'
-          remove-docker-images: 'true'
-          remove-dotnet: 'true'
-          remove-haskell: 'true'
-
       - name: Cosign install
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -69,7 +60,7 @@ jobs:
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
 
@@ -77,6 +68,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
 
       - name: Generate SBOM
         uses: CycloneDX/gh-gomod-generate-sbom@v2
@@ -90,15 +82,21 @@ jobs:
         run: |
           echo "$GPG_KEY" > gpg.key
 
+      # Create tmp dir for GoReleaser
+      - name: "create tmp dir"
+        run: |
+          mkdir tmp    
+
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
-          version: v1.20.0
+          version: v2.1.0
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
           NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
           GPG_FILE: "gpg.key"
+          TMPDIR: "tmp"
 
       - name: "remove gpg key"
         run: |
@@ -109,7 +107,7 @@ jobs:
       # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
       - name: Build and push
         if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64, linux/arm64
           file: ./Dockerfile.canary # path to Dockerfile
@@ -121,7 +119,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/roadmap.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
           field-values: Backlog
 
       # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
           field-values: Important (long-term)
 
       # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
           field-values: Important (soon)
 
       # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v0.4.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}

.github/workflows/scan.yaml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
 
       - name: Run Trivy vulnerability scanner and create GitHub issues
-        uses: knqyf263/trivy-issue-action@v0.0.5
+        uses: knqyf263/trivy-issue-action@v0.0.6
         with:
           assignee: knqyf263
           severity: CRITICAL

.github/workflows/semantic-pr.yaml

@@ -1,22 +1,23 @@
-name: "Lint PR title"
+name: "Validate PR Title"
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
       - synchronize
 
 jobs:
-  main:
+  validate:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Validate PR title
+        shell: bash
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          types: |
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          # Valid types
+          VALID_TYPES: |
             feat
             fix
             docs
@@ -28,14 +29,16 @@ jobs:
             ci
             chore
             revert
-            BREAKING
-
-          scopes: |
+            release
+          # Valid scopes categorized by area
+          VALID_SCOPES: |
+            # Scanners
             vuln
             misconf
             secret
             license
 
+            # Targets
             image
             fs
             repo
@@ -44,7 +47,9 @@ jobs:
             k8s
             aws
             vm
+            plugin
 
+            # OS
             alpine
             wolfi
             chainguard
@@ -61,6 +66,7 @@ jobs:
             distroless
             windows
 
+            # Languages
             ruby
             php
             python
@@ -70,35 +76,88 @@ jobs:
             java
             go
             c
-            c\+\+
+            c++
             elixir
             dart
             swift
             bitnami
+            conda
+            julia
 
+            # Package types
             os
             lang
 
+            # IaC
             kubernetes
             dockerfile
             terraform
             cloudformation
 
+            # Container
             docker
             podman
             containerd
             oci
 
+            # SBOM
+            sbom
+            spdx
+            cyclonedx
+
+            # Misc
             cli
             flag
-
-            cyclonedx
-            spdx
             purl
             vex
-
             helm
             report
             db
             parser
             deps
+        run: |
+          set -euo pipefail
+
+          # Convert env vars to regex alternatives, excluding comments and empty lines
+          TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
+          SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
+          
+          # Basic format check (should match: type(scope): description or type: description)
+          FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
+          if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
+            echo "Error: Invalid PR title format"
+            echo "Expected format: <type>(<scope>): <description> or <type>: <description>"
+            echo "Examples:"
+            echo "  feat(vuln): add new vulnerability detection"
+            echo "  fix: correct parsing logic"
+            echo "  docs(kubernetes): update installation guide"
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Extract type and scope for validation
+          TYPE=$(echo "$PR_TITLE" | sed -E 's/^([a-z]+)(\([a-z0-9+]+\))?!?: .+$/\1/')
+          SCOPE=$(echo "$PR_TITLE" | sed -E 's/^[a-z]+\(([a-z0-9+]+)\)!?: .+$/\1/; t; s/.*//')
+
+          # Validate type
+          if ! echo "$VALID_TYPES" | grep -qx "$TYPE"; then
+            echo "Error: Invalid type '${TYPE}'"
+            echo -e "\nValid types:"
+            echo "$VALID_TYPES" | grep -v '^$' | sed 's/^/- /'
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Validate scope if present
+          if [ -n "$SCOPE" ]; then
+            if ! echo "$VALID_SCOPES" | grep -v '^#' | grep -qx "$SCOPE"; then
+              echo "Error: Invalid scope '${SCOPE}'"
+              echo -e "\nValid scopes:"
+              echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | sed 's/^/- /'
+              echo -e "\nCurrent title: $PR_TITLE"
+              exit 1
+            fi
+          fi
+          
+          echo "PR title validation passed ✅"
+          echo "Current title: $PR_TITLE"

.github/workflows/spdx-cron.yaml

@@ -0,0 +1,41 @@
+name: SPDX licenses cron
+on:
+  schedule:
+    - cron: '0 0 * * 0' # every Sunday at 00:00
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Check if SPDX exceptions
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Check if SPDX exceptions are up-to-date
+        run: |
+          mage spdx:updateLicenseExceptions
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'mage spdx:updateLicenseExceptions' and push it"
+            exit 1
+          fi        
+
+      - name: Microsoft Teams Notification
+        ## Until the PR with the fix for the AdaptivCard version is merged yet
+        ## https://github.com/Skitionek/notify-microsoft-teams/pull/96
+        ## Use the aquasecurity fork
+        uses: aquasecurity/notify-microsoft-teams@master
+        if: failure()
+        with:
+          webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
+          needs: ${{ toJson(needs) }}
+          job: ${{ toJson(job) }}
+          steps: ${{ toJson(steps) }}

.github/workflows/test-docs.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@v4.1.6
       with:
         fetch-depth: 0
         persist-credentials: true

.github/workflows/test.yaml

@@ -6,7 +6,11 @@ on:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
+      - '.release-please-manifest.json' ## don't run tests for release-please PRs
+      - 'helm/trivy/Chart.yaml'
   merge_group:
+  workflow_dispatch:
+
 jobs:
   test:
     name: Test
@@ -15,22 +19,13 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The golangci-lint uses a lot of space.
-          remove-android: "true"
-          remove-docker-images: "true"
-          remove-dotnet: "true"
-          remove-haskell: "true"
-        if: matrix.operating-system == 'ubuntu-latest'
-
-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@v4.1.6
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: false
 
       - name: go mod tidy
         run: |
@@ -43,11 +38,10 @@ jobs:
 
       - name: Lint
         id: lint
-        uses: golangci/golangci-lint-action@v4.0.0
+        uses: golangci/golangci-lint-action@v6.5.0
         with:
-          version: v1.54
-          args: --deadline=30m --out-format=line-number
-          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+          version: v1.64
+          args: --verbose --out-format=line-number
         if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Check if linter failed
@@ -57,10 +51,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
-        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Check if CLI references are up-to-date
         run: |
@@ -79,17 +70,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: false
 
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test images from cache
+        uses: actions/cache/restore@v4
         with:
-          aqua_version: v1.25.0
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
 
       - name: Run integration tests
         run: mage test:integration
@@ -98,27 +102,17 @@ jobs:
     name: K8s Integration Test
     runs-on: ubuntu-latest
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-          remove-android: "true"
-          remove-docker-images: "true"
-          remove-dotnet: "true"
-          remove-haskell: "true"
-
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: false
 
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Run k8s integration tests
         run: mage test:k8s
@@ -128,17 +122,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: false
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test images from cache
+        uses: actions/cache/restore@v4
         with:
-          aqua_version: v1.25.0
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
 
       - name: Run module integration tests
         shell: bash
@@ -149,26 +156,32 @@ jobs:
     name: VM Integration Test
     runs-on: ubuntu-latest
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-          remove-android: 'true'
-          remove-docker-images: 'true'
-          remove-dotnet: 'true'
-          remove-haskell: 'true'
-
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.6
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test VM images from cache
+        uses: actions/cache/restore@v4
         with:
-          aqua_version: v1.25.0
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+
       - name: Run vm integration tests
         run: |
           mage test:vm
@@ -182,23 +195,14 @@ jobs:
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
-    - name: Maximize build space
-      uses: easimon/maximize-build-space@v10
-      with:
-        root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-        remove-android: 'true'
-        remove-docker-images: 'true'
-        remove-dotnet: 'true'
-        remove-haskell: 'true'
-      if: matrix.operating-system == 'ubuntu-latest'
-
     - name: Checkout
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@v4.1.6
 
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
         go-version-file: go.mod
+        cache: false
 
     - name: Determine GoReleaser ID
       id: goreleaser_id
@@ -213,7 +217,7 @@ jobs:
         fi
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v5
+      uses: goreleaser/goreleaser-action@v6
       with:
-        version: v1.20.0
+        version: v2.1.0
         args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

.github/workflows/triage.yaml

@@ -0,0 +1,16 @@
+name: Triage Discussion
+on:
+  discussion:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      discussion_num:
+        required: true
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/trivy-triage
+        with:
+          discussion_num: ${{ github.event.inputs.discussion_num }}

.gitignore

@@ -26,6 +26,7 @@ thumbs.db
 coverage.txt
 integration/testdata/fixtures/images
 integration/testdata/fixtures/vm-images
+internal/gittest/testdata/test-repo
 
 # SBOMs generated during CI
 /bom.json
@@ -39,3 +40,6 @@ dist
 # Signing
 gpg.key
 cmd/trivy/trivy
+
+# RPM
+*.rpm

.golangci.yaml

@@ -1,31 +1,19 @@
 linters-settings:
+  depguard:
+    rules:
+      main:
+        list-mode: lax
+        deny:
+          # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
+          - pkg: "golang.org/x/exp/slices"
+            desc: "Use 'slices' instead"
+          - pkg: "golang.org/x/exp/maps"
+            desc: "Use 'maps' or 'github.com/samber/lo' instead"
+  dupl:
+    threshold: 100
   errcheck:
     check-type-assertions: true
     check-blank: true
-  govet:
-    check-shadowing: false
-  gofmt:
-    simplify: false
-  revive:
-    ignore-generated-header: true
-  gocyclo:
-    min-complexity: 20
-  dupl:
-    threshold: 100
-  goconst:
-    min-len: 3
-    min-occurrences: 3
-  misspell:
-    locale: US
-    ignore-words:
-      - licence
-      - optimise
-  gosec:
-    excludes:
-      - G101
-      - G114
-      - G204
-      - G402
   gci:
     sections:
       - standard
@@ -33,17 +21,9 @@ linters-settings:
       - prefix(github.com/aquasecurity/)
       - blank
       - dot
-  gomodguard:
-    blocked:
-      modules:
-        - github.com/hashicorp/go-version:
-            recommendations:
-              - github.com/aquasecurity/go-version
-            reason: "`aquasecurity/go-version` is designed for our use-cases"
-        - github.com/Masterminds/semver:
-            recommendations:
-              - github.com/aquasecurity/go-version
-            reason: "`aquasecurity/go-version` is designed for our use-cases"
+  goconst:
+    min-len: 3
+    min-occurrences: 3
   gocritic:
     disabled-checks:
       - appendAssign
@@ -66,53 +46,114 @@ linters-settings:
       ruleguard:
         failOn: all
         rules: '${configDir}/misc/lint/rules.go'
-
+  gocyclo:
+    min-complexity: 20
+  gofmt:
+    simplify: false
+    rewrite-rules:
+      - pattern: 'interface{}'
+        replacement: 'any'
+  gomodguard:
+    blocked:
+      modules:
+        - github.com/hashicorp/go-version:
+            recommendations:
+              - github.com/aquasecurity/go-version
+            reason: "`aquasecurity/go-version` is designed for our use-cases"
+        - github.com/Masterminds/semver:
+            recommendations:
+              - github.com/aquasecurity/go-version
+            reason: "`aquasecurity/go-version` is designed for our use-cases"
+  gosec:
+    excludes:
+      - G101
+      - G114
+      - G115
+      - G204
+      - G304
+      - G402
+  govet:
+    disable:
+      - shadow
+  misspell:
+    locale: US
+    ignore-words:
+      - behaviour
+      - licence
+      - optimise
+      - simmilar
+  perfsprint:
+    # Optimizes even if it requires an int or uint type cast.
+    int-conversion: true
+    # Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
+    err-error: true
+    # Optimizes `fmt.Errorf`.
+    errorf: true
+    # Optimizes `fmt.Sprintf` with only one argument.
+    sprintf1: false
+    # Optimizes into strings concatenation.
+    strconcat: false
+  revive:
+    ignore-generated-header: true
+  testifylint:
+    enable-all: true
 linters:
   disable-all: true
   enable:
-    - unused
-    - ineffassign
-    - typecheck
-    - govet
-    - revive
-    - gosec
-    - unconvert
+    - bodyclose
+    - depguard
+    - gci
     - goconst
+    - gocritic
     - gocyclo
     - gofmt
-    - misspell
-    - bodyclose
-    - gci
     - gomodguard
-    - tenv
-    - gocritic
+    - gosec
+    - govet
+    - ineffassign
+    - misspell
+    - perfsprint
+    - revive
+    - usetesting
+    - testifylint
+    - typecheck
+    - unconvert
+    - unused
+    - usestdlibvars
 
 run:
-  go: '1.21'
-  skip-files:
-    - ".*_mock.go$"
-    - ".*_test.go$"
-    - "integration/*"
-    - "examples/*"
+  go: '1.24'
+  timeout: 30m
 
 issues:
+  exclude-files:
+    - "examples/*"
+  exclude-dirs:
+    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
   exclude-rules:
-    - linters:
+    - path: ".*_test.go$"
+      linters:
+        - goconst
         - gosec
-      text: "G304: Potential file inclusion"
+        - unused
+    - path: ".*_test.go$"
+      linters:
+        - govet
+      text: "copylocks:"
+    - path: ".*_test.go$"
+      linters:
+        - gocritic
+      text: "commentFormatting:"
+    - path: ".*_test.go$"
+      linters:
+        - gocritic
+      text: "exitAfterDefer:"
+    - path: ".*_test.go$"
+      linters:
+        - gocritic
+      text: "importShadow:"
     - linters:
-        - gosec
-      text: "Deferring unsafe method"
-    - linters:
-        - errcheck
-      text: "Close` is not checked"
-    - linters:
-        - errcheck
-      text: "os.*` is not checked"
-    - linters:
-        - golint
-      text: "a blank import should be only in a main or test package"
-  exclude:
-    - "should have a package comment, unless it's in another file for this package"
+        - perfsprint
+      text: "fmt.Sprint"
   exclude-use-default: false
   max-same-issues: 0

.release-please-manifest.json

@@ -0,0 +1 @@
+{".":"0.61.0"}

.vex/oci.openvex.json

@@ -0,0 +1,244 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-8e30ed756ae8e4196af93bf43edf68360f396a98c0268787453a3443b26e7d6c",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-10T12:17:44.60495+04:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42363"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42364"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42365"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42366"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-4741"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-5535"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-6119"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    }
+  ]
+}

.vex/trivy.openvex.json

@@ -0,0 +1,604 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "aquasecurity/trivy:613fd55abbc2857b5ca28b07a26f3cd4c8b0ddc4c8a97c57497a2d4c4880d7fc",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-09T11:38:00.115697+04:00",
+  "version": 1,
+  "tooling": "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2575",
+        "name": "GO-2024-2575",
+        "description": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3",
+        "aliases": [
+          "CVE-2024-26147",
+          "GHSA-r53h-jv2g-vpx6"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/helm.sh/helm/v3",
+              "identifiers": {
+                "purl": "pkg:golang/helm.sh/helm/v3"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1765",
+        "name": "GO-2023-1765",
+        "description": "Leaked shared secret and weak blinding in github.com/cloudflare/circl",
+        "aliases": [
+          "CVE-2023-1732",
+          "GHSA-2q89-485c-9j2x"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2512",
+        "name": "GO-2024-2512",
+        "description": "Classic builder cache poisoning in github.com/docker/docker",
+        "aliases": [
+          "CVE-2024-24557",
+          "GHSA-xw73-rw38-6vjc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/docker/docker"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2453",
+        "name": "GO-2024-2453",
+        "description": "Timing side channel in github.com/cloudflare/circl",
+        "aliases": [
+          "GHSA-9763-4f94-gfch"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2048",
+        "name": "GO-2023-2048",
+        "description": "Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin",
+        "aliases": [
+          "GHSA-6xv5-86q9-7xr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cyphar/filepath-securejoin",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cyphar/filepath-securejoin"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2497",
+        "name": "GO-2024-2497",
+        "description": "Privilege escalation in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23653",
+          "GHSA-wr6v-9f75-vh2g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2102",
+        "name": "GO-2023-2102",
+        "description": "HTTP/2 rapid reset can cause excessive work in net/http",
+        "aliases": [
+          "CVE-2023-39325",
+          "GHSA-4374-p667-p6c8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2493",
+        "name": "GO-2024-2493",
+        "description": "Host system file access in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23651",
+          "GHSA-m3r6-h7wv-7xxv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2491",
+        "name": "GO-2024-2491",
+        "description": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
+        "aliases": [
+          "CVE-2024-21626",
+          "GHSA-xr7r-f8xq-vfvv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/opencontainers/runc",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/opencontainers/runc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2494",
+        "name": "GO-2024-2494",
+        "description": "Host system modification in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23652",
+          "GHSA-4v98-7qmw-rqr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2412",
+        "name": "GO-2023-2412",
+        "description": "RAPL accessibility in github.com/containerd/containerd",
+        "aliases": [
+          "GHSA-7ww5-4wqc-m92c"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/containerd/containerd",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/containerd/containerd"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1988",
+        "name": "GO-2023-1988",
+        "description": "Improper rendering of text nodes in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2023-3978",
+          "GHSA-2wrh-6pvc-2jm9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2492",
+        "name": "GO-2024-2492",
+        "description": "Panic in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23650",
+          "GHSA-9p26-698r-w4hx"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2022-0646",
+        "name": "GO-2022-0646",
+        "description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
+        "aliases": [
+          "CVE-2020-8911",
+          "CVE-2020-8912",
+          "GHSA-7f33-f4f5-xwgw",
+          "GHSA-f5pg-7wfw-84q9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/aws/aws-sdk-go",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/aws/aws-sdk-go"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2153",
+        "name": "GO-2023-2153",
+        "description": "Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc",
+        "aliases": [
+          "GHSA-m425-mq94-257g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/google.golang.org/grpc",
+              "identifiers": {
+                "purl": "pkg:golang/google.golang.org/grpc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3105",
+        "name": "GO-2024-3105",
+        "description": "Stack exhaustion in all Parse functions in go/parser",
+        "aliases": [
+          "CVE-2024-34155"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3106",
+        "name": "GO-2024-3106",
+        "description": "Stack exhaustion in Decoder.Decode in encoding/gob",
+        "aliases": [
+          "CVE-2024-34156"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3107",
+        "name": "GO-2024-3107",
+        "description": "Stack exhaustion in Parse in go/build/constraint",
+        "aliases": [
+          "CVE-2024-34158"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3321",
+        "name": "GO-2024-3321",
+        "description": "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto",
+        "aliases": [
+          "CVE-2024-45337",
+          "GHSA-v778-237x-gjrc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/crypto",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/crypto"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3333",
+        "name": "GO-2024-3333",
+        "description": "Non-linear parsing of case-insensitive content in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2024-45338"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    }
+  ]
+}

CHANGELOG.md

@@ -0,0 +1,469 @@
+# Changelog
+
+## [0.61.0](https://github.com/aquasecurity/trivy/compare/v0.60.0...v0.61.0) (2025-03-28)
+
+
+### Features
+
+* **fs:** optimize scanning performance by direct file access for known paths ([#8525](https://github.com/aquasecurity/trivy/issues/8525)) ([8bf6caf](https://github.com/aquasecurity/trivy/commit/8bf6caf98e2b1eff7bd16987f6791122d827747c))
+* **k8s:** add support for controllers ([#8614](https://github.com/aquasecurity/trivy/issues/8614)) ([1bf0117](https://github.com/aquasecurity/trivy/commit/1bf0117f776953bbfe67cf32e4231360010fdf33))
+* **misconf:** adapt aws_default_security_group ([#8538](https://github.com/aquasecurity/trivy/issues/8538)) ([b57eccb](https://github.com/aquasecurity/trivy/commit/b57eccb09c33df4ad0423fb148ddeaa292028401))
+* **misconf:** adapt aws_opensearch_domain ([#8550](https://github.com/aquasecurity/trivy/issues/8550)) ([9913465](https://github.com/aquasecurity/trivy/commit/9913465a535c29b377bd2f2563163ccf7cbcd6a4))
+* **misconf:** adapt AWS::DynamoDB::Table ([#8529](https://github.com/aquasecurity/trivy/issues/8529)) ([8112cdf](https://github.com/aquasecurity/trivy/commit/8112cdf8d638fa2bf57e5687e32f54b704c7e6b7))
+* **misconf:** adapt AWS::EC2::VPC ([#8534](https://github.com/aquasecurity/trivy/issues/8534)) ([0d9865f](https://github.com/aquasecurity/trivy/commit/0d9865f48f46e85595af40140faa5ff6f02b9a02))
+* **misconf:** Add support for aws_ami ([#8499](https://github.com/aquasecurity/trivy/issues/8499)) ([573502e](https://github.com/aquasecurity/trivy/commit/573502e2e83ff18020d5e7dcad498468a548733e))
+* replace TinyGo with standard Go for WebAssembly modules ([#8496](https://github.com/aquasecurity/trivy/issues/8496)) ([529957e](https://github.com/aquasecurity/trivy/commit/529957eac1fc790c57fa3d93524a901ce842a9f5))
+
+
+### Bug Fixes
+
+* **debian:** don't include empty licenses for `dpkgs` ([#8623](https://github.com/aquasecurity/trivy/issues/8623)) ([346f5b3](https://github.com/aquasecurity/trivy/commit/346f5b3553b9247f99f89d859d4f835e955d34e9))
+* **fs:** check postAnalyzers for StaticPaths ([#8543](https://github.com/aquasecurity/trivy/issues/8543)) ([c228307](https://github.com/aquasecurity/trivy/commit/c22830766e8cf1532f20198864757161eed6fda4))
+* **k8s:** show report for `--report all` ([#8613](https://github.com/aquasecurity/trivy/issues/8613)) ([dbb6f28](https://github.com/aquasecurity/trivy/commit/dbb6f288712240ef5dec59952e33b73e3a6d5b06))
+* **misconf:** add ephemeral block type to config schema ([#8513](https://github.com/aquasecurity/trivy/issues/8513)) ([41512f8](https://github.com/aquasecurity/trivy/commit/41512f846e75bae73984138ad7b3d03284a53f19))
+* **misconf:** Check values wholly prior to evalution ([#8604](https://github.com/aquasecurity/trivy/issues/8604)) ([ad58cf4](https://github.com/aquasecurity/trivy/commit/ad58cf4457ebef80ff0bc4c113d4ab4c86a9fe56))
+* **misconf:** do not skip loading documents from subdirectories ([#8526](https://github.com/aquasecurity/trivy/issues/8526)) ([de7eb13](https://github.com/aquasecurity/trivy/commit/de7eb13938f2709983a27ab3f59dbfac3fb74651))
+* **misconf:** do not use cty.NilVal for non-nil values ([#8567](https://github.com/aquasecurity/trivy/issues/8567)) ([400a79c](https://github.com/aquasecurity/trivy/commit/400a79c2c693e462ad2e1cfc21305ef13d2ec224))
+* **misconf:** identify the chart file exactly by name ([#8590](https://github.com/aquasecurity/trivy/issues/8590)) ([ba77dbe](https://github.com/aquasecurity/trivy/commit/ba77dbe5f952d67bbbbc0f43543d5f34135bc280))
+* **misconf:** Improve logging for unsupported checks ([#8634](https://github.com/aquasecurity/trivy/issues/8634)) ([5b7704d](https://github.com/aquasecurity/trivy/commit/5b7704d1d091a12822df060ee7a679135185f2ae))
+* **misconf:** set default values for AWS::EKS::Cluster.ResourcesVpcConfig ([#8548](https://github.com/aquasecurity/trivy/issues/8548)) ([1f05b45](https://github.com/aquasecurity/trivy/commit/1f05b4545d8f1de3ee703de66a7b3df2baaa07a7))
+* **misconf:** skip Azure CreateUiDefinition ([#8503](https://github.com/aquasecurity/trivy/issues/8503)) ([c7814f1](https://github.com/aquasecurity/trivy/commit/c7814f1401b0cc66a557292fe07da24d0ea7b5cc))
+* **spdx:** save text licenses into `otherLicenses` without normalize ([#8502](https://github.com/aquasecurity/trivy/issues/8502)) ([e5072f1](https://github.com/aquasecurity/trivy/commit/e5072f1eef8f3a78f4db48b4ac3f7c48aeec5e92))
+* use `--file-patterns` flag for all post analyzers ([#7365](https://github.com/aquasecurity/trivy/issues/7365)) ([8b88238](https://github.com/aquasecurity/trivy/commit/8b88238f07e389cc32e2478f84aceaf860e421ef))
+
+
+### Performance Improvements
+
+* **misconf:** parse input for Rego once ([#8483](https://github.com/aquasecurity/trivy/issues/8483)) ([0e5e909](https://github.com/aquasecurity/trivy/commit/0e5e9097650f60bc54f47a21ecc937a66e66e225))
+* **misconf:** retrieve check metadata from annotations once ([#8478](https://github.com/aquasecurity/trivy/issues/8478)) ([7b96351](https://github.com/aquasecurity/trivy/commit/7b96351c32d264d136978fe8fd9e113ada69bb2b))
+
+## [0.60.0](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.60.0) (2025-03-05)
+
+
+### Features
+
+* add `--vuln-severity-source` flag ([#8269](https://github.com/aquasecurity/trivy/issues/8269)) ([d464807](https://github.com/aquasecurity/trivy/commit/d4648073211e8451d66e4c0399e9441250b60a76))
+* add report summary table ([#8177](https://github.com/aquasecurity/trivy/issues/8177)) ([dd54f80](https://github.com/aquasecurity/trivy/commit/dd54f80d3fda7821dba13553480e9893ba8b4cb3))
+* **cyclonedx:** Add initial support for loading external VEX files from SBOM references ([#8254](https://github.com/aquasecurity/trivy/issues/8254)) ([4820eb7](https://github.com/aquasecurity/trivy/commit/4820eb70fc926a35d759c373112dbbdca890fd46))
+* **go:** fix parsing main module version for go >= 1.24 ([#8433](https://github.com/aquasecurity/trivy/issues/8433)) ([e58dcfc](https://github.com/aquasecurity/trivy/commit/e58dcfcf9f102c12825d5343ebbcc12a2d6c05c5))
+* **misconf:** render causes for Terraform ([#8360](https://github.com/aquasecurity/trivy/issues/8360)) ([a99498c](https://github.com/aquasecurity/trivy/commit/a99498cdd9b7bdac000140af6654bfe30135242d))
+
+
+### Bug Fixes
+
+* **db:** fix case when 2 trivy-db were copied at the same time ([#8452](https://github.com/aquasecurity/trivy/issues/8452)) ([bb3cca6](https://github.com/aquasecurity/trivy/commit/bb3cca6018551e96fdd357563dc177215ca29bd4))
+* don't use `scope` for `trivy registry login` command ([#8393](https://github.com/aquasecurity/trivy/issues/8393)) ([8715e5d](https://github.com/aquasecurity/trivy/commit/8715e5d14a727667c2e62d6f7a4b5308a0323386))
+* **go:** merge nested flags into string for ldflags for Go binaries ([#8368](https://github.com/aquasecurity/trivy/issues/8368)) ([b675b06](https://github.com/aquasecurity/trivy/commit/b675b06e897aaf374e7b1262d4323060a8a62edb))
+* **image:** disable AVD-DS-0007 for history scanning ([#8366](https://github.com/aquasecurity/trivy/issues/8366)) ([a3cd693](https://github.com/aquasecurity/trivy/commit/a3cd693a5ea88def2f9057df6178b0c0e7a6bdb0))
+* **k8s:** add missed option `PkgRelationships` ([#8442](https://github.com/aquasecurity/trivy/issues/8442)) ([f987e41](https://github.com/aquasecurity/trivy/commit/f987e4157494434f6e4e4566fedfedda92167565))
+* **misconf:** do not log scanners when misconfig scanning is disabled ([#8345](https://github.com/aquasecurity/trivy/issues/8345)) ([5695eb2](https://github.com/aquasecurity/trivy/commit/5695eb22dfed672eafacb64a71da8e9bdfbaab87))
+* **misconf:** ecs include enhanced for container insights ([#8326](https://github.com/aquasecurity/trivy/issues/8326)) ([39789ff](https://github.com/aquasecurity/trivy/commit/39789fff438d11bc6eccd254b3b890beb68c240b))
+* **misconf:** fix incorrect k8s locations due to JSON to YAML conversion ([#8073](https://github.com/aquasecurity/trivy/issues/8073)) ([a994453](https://github.com/aquasecurity/trivy/commit/a994453a7d0f543fe30c4dc8adbc92ad0c21bcbc))
+* **os:** add mapping OS aliases ([#8466](https://github.com/aquasecurity/trivy/issues/8466)) ([6b4cebe](https://github.com/aquasecurity/trivy/commit/6b4cebe9592f3a06bd91aa58ba6d65869afebbee))
+* **python:** add `poetry` v2 support ([#8323](https://github.com/aquasecurity/trivy/issues/8323)) ([10cd98c](https://github.com/aquasecurity/trivy/commit/10cd98cf55263749cb2583063a2e9e9953c7371a))
+* **report:** remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports ([#8344](https://github.com/aquasecurity/trivy/issues/8344)) ([3eb0b03](https://github.com/aquasecurity/trivy/commit/3eb0b03f7c9ee462daccfacb291b2c463d848ff5))
+* **sbom:** add SBOM file's filePath as Application FilePath if we can't detect its path ([#8346](https://github.com/aquasecurity/trivy/issues/8346)) ([ecc01bb](https://github.com/aquasecurity/trivy/commit/ecc01bb3fb876fd0cc503cb38efa23e4fb9484b4))
+* **sbom:** improve logic for binding direct dependency to parent component ([#8489](https://github.com/aquasecurity/trivy/issues/8489)) ([85cca8c](https://github.com/aquasecurity/trivy/commit/85cca8c07affee4ded5c232efb45b05dacf22242))
+* **sbom:** preserve OS packages from multiple SBOMs ([#8325](https://github.com/aquasecurity/trivy/issues/8325)) ([bd5baaf](https://github.com/aquasecurity/trivy/commit/bd5baaf93054d71223e0721c7547a0567dea3b02))
+* **server:** secrets inspectation for the config analyzer in client server mode ([#8418](https://github.com/aquasecurity/trivy/issues/8418)) ([a1c4bd7](https://github.com/aquasecurity/trivy/commit/a1c4bd746f5f901e2a8f09f48f58b973b9103165))
+* **spdx:** init `pkgFilePaths` map for all formats ([#8380](https://github.com/aquasecurity/trivy/issues/8380)) ([72ea4b0](https://github.com/aquasecurity/trivy/commit/72ea4b0632308bd6150aaf2f1549a3f10b60dc23))
+* **terraform:** apply parser options to submodule parsing ([#8377](https://github.com/aquasecurity/trivy/issues/8377)) ([398620b](https://github.com/aquasecurity/trivy/commit/398620b471c25e467018bc23df53a3a1c2aa661c))
+* update all documentation links ([#8045](https://github.com/aquasecurity/trivy/issues/8045)) ([49456ba](https://github.com/aquasecurity/trivy/commit/49456ba8410e0e4cc1756906ccea1fdd60006d2d))
+
+## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)
+
+
+### Features
+
+* add `--distro` flag to manually specify OS distribution for vulnerability scanning ([#8070](https://github.com/aquasecurity/trivy/issues/8070)) ([da17dc7](https://github.com/aquasecurity/trivy/commit/da17dc72782cd68b5d2c4314a67936343462b75e))
+* add a examples field to check metadata ([#8068](https://github.com/aquasecurity/trivy/issues/8068)) ([6d84e0c](https://github.com/aquasecurity/trivy/commit/6d84e0cc0d48ae5c490cad868bb4e5e76392241c))
+* add support for registry mirrors ([#8244](https://github.com/aquasecurity/trivy/issues/8244)) ([4316bcb](https://github.com/aquasecurity/trivy/commit/4316bcbc5b9038eed21214a826981c49696bb27f))
+* **fs:** use git commit hash as cache key for clean repositories ([#8278](https://github.com/aquasecurity/trivy/issues/8278)) ([b5062f3](https://github.com/aquasecurity/trivy/commit/b5062f3ae20044d1452bf293f210a24cd1d419b3))
+* **image:** prevent scanning oversized container images ([#8178](https://github.com/aquasecurity/trivy/issues/8178)) ([509e030](https://github.com/aquasecurity/trivy/commit/509e03030c36d17f9427ab50a4e99fb1846ba65a))
+* **image:** return error early if total size of layers exceeds limit ([#8294](https://github.com/aquasecurity/trivy/issues/8294)) ([73bd20d](https://github.com/aquasecurity/trivy/commit/73bd20d6199a777d1ed7eb560e0184d8f1b4b550))
+* **k8s:** improve artifact selections for specific namespaces ([#8248](https://github.com/aquasecurity/trivy/issues/8248)) ([db9e57a](https://github.com/aquasecurity/trivy/commit/db9e57a34e460ac6934ee21dffaa2322db9fd56b))
+* **misconf:** generate placeholders for random provider resources ([#8051](https://github.com/aquasecurity/trivy/issues/8051)) ([ffe24e1](https://github.com/aquasecurity/trivy/commit/ffe24e18dc3dca816ec9ce5ccf66d5d7b5ea70d6))
+* **misconf:** support for ignoring by inline comments for Dockerfile ([#8115](https://github.com/aquasecurity/trivy/issues/8115)) ([c002327](https://github.com/aquasecurity/trivy/commit/c00232720a89df659c6cd0b56d99304d5ffea1a7))
+* **misconf:** support for ignoring by inline comments for Helm ([#8138](https://github.com/aquasecurity/trivy/issues/8138)) ([a0429f7](https://github.com/aquasecurity/trivy/commit/a0429f773b4f696fc613d91f1600cd0da38fb2c8))
+* **nodejs:** respect peer dependencies for dependency tree ([#7989](https://github.com/aquasecurity/trivy/issues/7989)) ([7389961](https://github.com/aquasecurity/trivy/commit/73899610e8eece670d2e5ddc1478fcc0a2a5760d))
+* **python:** add support for poetry dev dependencies ([#8152](https://github.com/aquasecurity/trivy/issues/8152)) ([774e04d](https://github.com/aquasecurity/trivy/commit/774e04d19dc2067725ac2e18ca871872f74082ab))
+* **python:** add support for uv ([#8080](https://github.com/aquasecurity/trivy/issues/8080)) ([c4a4a5f](https://github.com/aquasecurity/trivy/commit/c4a4a5fa971d73ae924afcf2259631f15e96e520))
+* **python:** add support for uv dev and optional dependencies ([#8134](https://github.com/aquasecurity/trivy/issues/8134)) ([49c54b4](https://github.com/aquasecurity/trivy/commit/49c54b49c6563590dd82007d52e425a7a4e07ac0))
+
+
+### Bug Fixes
+
+* CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass ([#8088](https://github.com/aquasecurity/trivy/issues/8088)) ([d7ac286](https://github.com/aquasecurity/trivy/commit/d7ac286085077c969734225a789e6cc056d5c5f5))
+* CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field ([#8207](https://github.com/aquasecurity/trivy/issues/8207)) ([670fbf2](https://github.com/aquasecurity/trivy/commit/670fbf2d81ea20ea691a86e4ed25a7454baf08e5))
+* de-duplicate same `dpkg` packages with different filePaths from different layers ([#8298](https://github.com/aquasecurity/trivy/issues/8298)) ([846498d](https://github.com/aquasecurity/trivy/commit/846498dd23a80531881f803147077eee19004a50))
+* enable err-error and errorf rules from perfsprint linter ([#7859](https://github.com/aquasecurity/trivy/issues/7859)) ([156a2aa](https://github.com/aquasecurity/trivy/commit/156a2aa4c49386828c0446f8978473c8da7a8754))
+* **flag:** skip hidden flags for `--generate-default-config` command ([#8046](https://github.com/aquasecurity/trivy/issues/8046)) ([5e68bdc](https://github.com/aquasecurity/trivy/commit/5e68bdc9d08f96d22451d7b5dd93e79ca576eeb7))
+* **fs:** fix cache key generation to use UUID ([#8275](https://github.com/aquasecurity/trivy/issues/8275)) ([eafd810](https://github.com/aquasecurity/trivy/commit/eafd810d7cb366215efbd0ab3b72c4651d31c6a6))
+* handle `BLOW_UNKNOWN` error to download DBs ([#8060](https://github.com/aquasecurity/trivy/issues/8060)) ([51f2123](https://github.com/aquasecurity/trivy/commit/51f2123c5ccc4f7a37d1068830b6670b4ccf9ac8))
+* improve conversion of image config to Dockerfile ([#8308](https://github.com/aquasecurity/trivy/issues/8308)) ([2e8e38a](https://github.com/aquasecurity/trivy/commit/2e8e38a8c094f3392893693ab15a605ab0d378f9))
+* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props ([#8050](https://github.com/aquasecurity/trivy/issues/8050)) ([9d9f80d](https://github.com/aquasecurity/trivy/commit/9d9f80d9791f38a0b4c727152166ae4d237a83a9))
+* **license:** always trim leading and trailing spaces for licenses ([#8095](https://github.com/aquasecurity/trivy/issues/8095)) ([f5e4291](https://github.com/aquasecurity/trivy/commit/f5e429179df1637de96962ab9c19e4336056bb5d))
+* **misconf:** allow null values only for tf variables ([#8112](https://github.com/aquasecurity/trivy/issues/8112)) ([23dc3a6](https://github.com/aquasecurity/trivy/commit/23dc3a67535b7458728b2939514a96bd3de3aa81))
+* **misconf:** correctly handle all YAML tags in K8S templates ([#8259](https://github.com/aquasecurity/trivy/issues/8259)) ([f12054e](https://github.com/aquasecurity/trivy/commit/f12054e669f9df93c6322ba2755036dbccacaa83))
+* **misconf:** disable git terminal prompt on tf module load ([#8026](https://github.com/aquasecurity/trivy/issues/8026)) ([bbc5a85](https://github.com/aquasecurity/trivy/commit/bbc5a85444ec86b7bb26d6db27803d199431a8e6))
+* **misconf:** handle heredocs in dockerfile instructions ([#8284](https://github.com/aquasecurity/trivy/issues/8284)) ([0a3887c](https://github.com/aquasecurity/trivy/commit/0a3887ca0350d7dabf5db7e08aaf8152201fdf0d))
+* **misconf:** use log instead of fmt for logging ([#8033](https://github.com/aquasecurity/trivy/issues/8033)) ([07b2d7f](https://github.com/aquasecurity/trivy/commit/07b2d7fbd7f8ef5473c2438c560fffc8bdadf913))
+* **oracle:** add architectures support for advisories ([#4809](https://github.com/aquasecurity/trivy/issues/4809)) ([90f1d8d](https://github.com/aquasecurity/trivy/commit/90f1d8d78aa20b47fafab2c8ecb07247f075ef45))
+* **python:** skip dev group's deps for poetry ([#8106](https://github.com/aquasecurity/trivy/issues/8106)) ([a034d26](https://github.com/aquasecurity/trivy/commit/a034d26443704601c1fe330a5cc1f019f6974524))
+* **redhat:** check `usr/share/buildinfo/` dir to detect content sets ([#8222](https://github.com/aquasecurity/trivy/issues/8222)) ([f352f6b](https://github.com/aquasecurity/trivy/commit/f352f6b66355fe3636c9e4e9f3edd089c551a81c))
+* **redhat:** correct rewriting of recommendations for the same vulnerability ([#8063](https://github.com/aquasecurity/trivy/issues/8063)) ([4202c4b](https://github.com/aquasecurity/trivy/commit/4202c4ba0d8fcff4b89499fe03050ef4efd37330))
+* respect GITHUB_TOKEN to download artifacts from GHCR ([#7580](https://github.com/aquasecurity/trivy/issues/7580)) ([21b68e1](https://github.com/aquasecurity/trivy/commit/21b68e18188f91935ac1055a78ee97a7f35a110d))
+* **sbom:** attach nested packages to Application ([#8144](https://github.com/aquasecurity/trivy/issues/8144)) ([735335f](https://github.com/aquasecurity/trivy/commit/735335f08f84936f3928cbbc3eb71af3a3a4918d))
+* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type ([#8052](https://github.com/aquasecurity/trivy/issues/8052)) ([fd07074](https://github.com/aquasecurity/trivy/commit/fd07074e8033530eee2732193b00e59f27c73096))
+* **sbom:** scan results of SBOMs generated from container images are missing layers ([#7635](https://github.com/aquasecurity/trivy/issues/7635)) ([f9fceb5](https://github.com/aquasecurity/trivy/commit/f9fceb58bf64657dee92302df1ed97e597e474c9))
+* **sbom:** use root package for `unknown` dependencies (if exists) ([#8104](https://github.com/aquasecurity/trivy/issues/8104)) ([7558df7](https://github.com/aquasecurity/trivy/commit/7558df7c227c769235e5441fbdd3f9f7efb1ff84))
+* **spdx:** use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX ([#8077](https://github.com/aquasecurity/trivy/issues/8077)) ([aec8885](https://github.com/aquasecurity/trivy/commit/aec8885bc7f7e3c5a2a68214dca9aff28accd122))
+* **suse:** SUSE - update OSType constants and references for compatility ([#8236](https://github.com/aquasecurity/trivy/issues/8236)) ([ae28398](https://github.com/aquasecurity/trivy/commit/ae283985c926ca828b25b69ad0338008be31e5fe))
+* Updated twitter icon ([#7772](https://github.com/aquasecurity/trivy/issues/7772)) ([2c41ac8](https://github.com/aquasecurity/trivy/commit/2c41ac83a95e9347605d36f483171a60ffce0fa2))
+* wasm module test ([#8099](https://github.com/aquasecurity/trivy/issues/8099)) ([2200f38](https://github.com/aquasecurity/trivy/commit/2200f3846d675c64ab9302af43224d663a67c944))
+
+
+### Performance Improvements
+
+* avoid heap allocation in applier findPackage ([#7883](https://github.com/aquasecurity/trivy/issues/7883)) ([9bd6ed7](https://github.com/aquasecurity/trivy/commit/9bd6ed73e5d49d52856c76124e84c268475c5456))
+
+## [0.58.0](https://github.com/aquasecurity/trivy/compare/v0.57.0...v0.58.0) (2024-12-02)
+
+
+### Features
+
+* add `workspaceRelationship` ([#7889](https://github.com/aquasecurity/trivy/issues/7889)) ([d622ca2](https://github.com/aquasecurity/trivy/commit/d622ca2b1fe40a0eb588478ba9e15d3bd8471a78))
+* add cvss v4 score and vector in scan response ([#7968](https://github.com/aquasecurity/trivy/issues/7968)) ([e0f2054](https://github.com/aquasecurity/trivy/commit/e0f2054f9d12dce87e8a0226350f6317f7167195))
+* **go:** construct dependencies in the parser ([#7973](https://github.com/aquasecurity/trivy/issues/7973)) ([bcdc0bb](https://github.com/aquasecurity/trivy/commit/bcdc0bbf1f63777ff79d3ecadb8d4f916f376b7d))
+* **go:** construct dependencies of `go.mod` main module in the parser ([#7977](https://github.com/aquasecurity/trivy/issues/7977)) ([5448ba2](https://github.com/aquasecurity/trivy/commit/5448ba2a5c1ee36cbcf74ee1c2e83409092c5715))
+* **k8s:** add default commands for unknown platform ([#7863](https://github.com/aquasecurity/trivy/issues/7863)) ([b1c7f55](https://github.com/aquasecurity/trivy/commit/b1c7f5516fc39c6cbb76cbeae5c8677ccc9ce5dd))
+* **misconf:** log causes of HCL file parsing errors ([#7634](https://github.com/aquasecurity/trivy/issues/7634)) ([e9a899a](https://github.com/aquasecurity/trivy/commit/e9a899a3cfe41a622202808a0241b7f40b54d338))
+* **oracle:** add `flavors` support ([#7858](https://github.com/aquasecurity/trivy/issues/7858)) ([b9b383e](https://github.com/aquasecurity/trivy/commit/b9b383eb2714e88357af75900c856db2900b83ec))
+* **secret:** Add built-in secrets rules for Private Packagist ([#7826](https://github.com/aquasecurity/trivy/issues/7826)) ([132d9df](https://github.com/aquasecurity/trivy/commit/132d9dfa19a8835c94f332c6939ab7f64641ee5f))
+* **suse:** Align SUSE/OpenSUSE OS Identifiers ([#7965](https://github.com/aquasecurity/trivy/issues/7965)) ([45d3b40](https://github.com/aquasecurity/trivy/commit/45d3b40044202dec91384847ce2b50a7271f5977))
+* Update registry fallbacks ([#7679](https://github.com/aquasecurity/trivy/issues/7679)) ([5ba9a83](https://github.com/aquasecurity/trivy/commit/5ba9a83a447c4f9e577ae6235c315df71f50b452))
+
+
+### Bug Fixes
+
+* **alpine:** add `UID` for removed packages ([#7887](https://github.com/aquasecurity/trivy/issues/7887)) ([07915da](https://github.com/aquasecurity/trivy/commit/07915da4816d4d9ec8a6c5e4cba17be2a0f4ad65))
+* **aws:** change CPU and Memory type of ContainerDefinition to a string ([#7995](https://github.com/aquasecurity/trivy/issues/7995)) ([aeeba70](https://github.com/aquasecurity/trivy/commit/aeeba70d15c11443d9fe7c26f90fc7d9dcc7f92c))
+* **cli:** Handle empty ignore files more gracefully ([#7962](https://github.com/aquasecurity/trivy/issues/7962)) ([4cfb2a9](https://github.com/aquasecurity/trivy/commit/4cfb2a97b27923182ab45c178544542ec65981d4))
+* **debian:** infinite loop ([#7928](https://github.com/aquasecurity/trivy/issues/7928)) ([d982e6a](https://github.com/aquasecurity/trivy/commit/d982e6ab89967629f71ec09100cdc61e30a27c63))
+* **fs:** add missing defered Cleanup() call to post analyzer fs ([#7882](https://github.com/aquasecurity/trivy/issues/7882)) ([ab32297](https://github.com/aquasecurity/trivy/commit/ab32297e0a8220a427fa330025f8625281e02275))
+* Improve version comparisons when build identifiers are present ([#7873](https://github.com/aquasecurity/trivy/issues/7873)) ([eda4d76](https://github.com/aquasecurity/trivy/commit/eda4d7660d8908705bc08a6edc55d8144d02806a))
+* **k8s:** check all results for vulnerabilities ([#7946](https://github.com/aquasecurity/trivy/issues/7946)) ([797b36f](https://github.com/aquasecurity/trivy/commit/797b36fbad90b8e7f04e16e2cf08d6bdc0255ac7))
+* **misconf:** do not erase variable type for child modules ([#7941](https://github.com/aquasecurity/trivy/issues/7941)) ([de3b7ea](https://github.com/aquasecurity/trivy/commit/de3b7ea24c282bce22ce9cacb49a43d8d90e2bde))
+* **misconf:** handle null properties in CloudFormation templates ([#7813](https://github.com/aquasecurity/trivy/issues/7813)) ([99b2db3](https://github.com/aquasecurity/trivy/commit/99b2db3978562689cef956a71281abb84ff0ce47))
+* **misconf:** load full Terraform module ([#7925](https://github.com/aquasecurity/trivy/issues/7925)) ([fbc42a0](https://github.com/aquasecurity/trivy/commit/fbc42a04ea24e2246f81491434a965846d55ed69))
+* **misconf:** properly resolve local Terraform cache ([#7983](https://github.com/aquasecurity/trivy/issues/7983)) ([fe3a897](https://github.com/aquasecurity/trivy/commit/fe3a8971b6697d896c1ec30b5326a10c20349d14))
+* **misconf:** Update trivy-checks default repo to `mirror.gcr.io` ([#7953](https://github.com/aquasecurity/trivy/issues/7953)) ([9988147](https://github.com/aquasecurity/trivy/commit/9988147b8b0e463464fe494122bfcc66ccdf04e0))
+* **misconf:** wrap AWS EnvVar to iac types ([#7407](https://github.com/aquasecurity/trivy/issues/7407)) ([54130dc](https://github.com/aquasecurity/trivy/commit/54130dcc1d775506d34b83a558952176fc549914))
+* **redhat:** don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files ([#7912](https://github.com/aquasecurity/trivy/issues/7912)) ([38775a5](https://github.com/aquasecurity/trivy/commit/38775a5ed985eefe2b410e72407c454cdad3d075))
+* **report:** handle `git@github.com` schema for misconfigs in `sarif` report ([#7898](https://github.com/aquasecurity/trivy/issues/7898)) ([19aea4b](https://github.com/aquasecurity/trivy/commit/19aea4b01f3ce5a3cd05d5a1091da5b0b3ba4af6))
+* **sbom:** Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details ([#7871](https://github.com/aquasecurity/trivy/issues/7871)) ([461a68a](https://github.com/aquasecurity/trivy/commit/461a68afd60b77dd67e91047b3b4d558fa5bd2ec))
+* **terraform:** set null value as fallback for missing variables ([#7669](https://github.com/aquasecurity/trivy/issues/7669)) ([611558e](https://github.com/aquasecurity/trivy/commit/611558e4ce61818330118684274534f26b1fda99))
+
+## [0.57.0](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.57.0) (2024-10-31)
+
+
+### ⚠ BREAKING CHANGES
+
+* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444))
+
+### Features
+
+* add end of life date for Ubuntu 24.10 ([#7787](https://github.com/aquasecurity/trivy/issues/7787)) ([ad3c09e](https://github.com/aquasecurity/trivy/commit/ad3c09e006e134f3c5b879ffc34ce9895a8c860f))
+* **cli:** add `trivy auth` ([#7664](https://github.com/aquasecurity/trivy/issues/7664)) ([27117f8](https://github.com/aquasecurity/trivy/commit/27117f81d52483c3ceec56fe56ac298e242fbc9a))
+* **cli:** error out when ignore file cannot be found ([#7624](https://github.com/aquasecurity/trivy/issues/7624)) ([cb0b3a9](https://github.com/aquasecurity/trivy/commit/cb0b3a9279b31810ecd686a385e5140e567ce86f))
+* **cli:** rename `trivy auth` to `trivy registry` ([#7727](https://github.com/aquasecurity/trivy/issues/7727)) ([633a7ab](https://github.com/aquasecurity/trivy/commit/633a7abeea4287899392a24f2705f96dfeb7e312))
+* **cyclonedx:** add file checksums to `CycloneDX` reports ([#7507](https://github.com/aquasecurity/trivy/issues/7507)) ([c225883](https://github.com/aquasecurity/trivy/commit/c225883649f58128a99fa2c1cef327d0e57940be))
+* **db:** append errors ([#7843](https://github.com/aquasecurity/trivy/issues/7843)) ([5e78b6c](https://github.com/aquasecurity/trivy/commit/5e78b6c12fb5740c12dedeea3d335d48ec2f752b))
+* **misconf:** export unresolvable field of IaC types to Rego ([#7765](https://github.com/aquasecurity/trivy/issues/7765)) ([9514148](https://github.com/aquasecurity/trivy/commit/9514148767865baddd73a49245385574927f7a74))
+* **misconf:** public network support for Azure Storage Account ([#7601](https://github.com/aquasecurity/trivy/issues/7601)) ([ad91412](https://github.com/aquasecurity/trivy/commit/ad914123c4d203af1e1da6b7e2d3e49d9d3831d8))
+* **misconf:** Show misconfig ID in output ([#7762](https://github.com/aquasecurity/trivy/issues/7762)) ([f75c0d1](https://github.com/aquasecurity/trivy/commit/f75c0d1f0069d4856cb4826d6049f32c5b9409d9))
+* **misconf:** ssl_mode support for GCP SQL DB instance ([#7564](https://github.com/aquasecurity/trivy/issues/7564)) ([2eaa17e](https://github.com/aquasecurity/trivy/commit/2eaa17e0717940b27a79050e2efd9213b71178c9))
+* **parser:** ignore white space in pom.xml files ([#7747](https://github.com/aquasecurity/trivy/issues/7747)) ([a7baa93](https://github.com/aquasecurity/trivy/commit/a7baa93b00b8636aa097e64cdb8eed97dbd68511))
+* **report:** update gitlab template to populate operating_system value ([#7735](https://github.com/aquasecurity/trivy/issues/7735)) ([c0d79fa](https://github.com/aquasecurity/trivy/commit/c0d79fa09e645f3a3dbff878e393b8631fb17b64))
+
+
+### Bug Fixes
+
+* **cli:** `clean --all` deletes only relevant dirs ([#7704](https://github.com/aquasecurity/trivy/issues/7704)) ([672e886](https://github.com/aquasecurity/trivy/commit/672e886aed152ae0f09a16941706746f3053ca94))
+* **cli:** add config name to skip-policy-update alias ([#7820](https://github.com/aquasecurity/trivy/issues/7820)) ([b661d68](https://github.com/aquasecurity/trivy/commit/b661d680ff0372c8e4beea0db13bf69d6a2203a8))
+* **db:** fix javadb downloading error handling ([#7642](https://github.com/aquasecurity/trivy/issues/7642)) ([2c87f0c](https://github.com/aquasecurity/trivy/commit/2c87f0cb794acd77446a273582ba1a45b9f18980))
+* enable usestdlibvars linter ([#7770](https://github.com/aquasecurity/trivy/issues/7770)) ([57e24aa](https://github.com/aquasecurity/trivy/commit/57e24aa85382f749df7f673e241caaf3fcbb45cb))
+* **go:** Do not trim v prefix from versions in Go Mod Analyzer ([#7733](https://github.com/aquasecurity/trivy/issues/7733)) ([e872ec0](https://github.com/aquasecurity/trivy/commit/e872ec006c0745a5a142728af0096c6d6bb9ddf3))
+* **helm:** properly handle multiple archived dependencies ([#7782](https://github.com/aquasecurity/trivy/issues/7782)) ([6fab88d](https://github.com/aquasecurity/trivy/commit/6fab88dd56c257ef2cc63b617c2a5decb1c4cf98))
+* **java:** correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents ([#7541](https://github.com/aquasecurity/trivy/issues/7541)) ([778df82](https://github.com/aquasecurity/trivy/commit/778df828eaad9827cb833c6285058a33aa2b83ca))
+* **k8s:** skip resources without misconfigs ([#7797](https://github.com/aquasecurity/trivy/issues/7797)) ([7882776](https://github.com/aquasecurity/trivy/commit/78827768a612ab305bf9c55409ce76d6774302a5))
+* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444)) ([c434775](https://github.com/aquasecurity/trivy/commit/c4347759234dcb5f372b07f92fb4230ef391d710))
+* **k8s:** support kubernetes v1.31 ([#7810](https://github.com/aquasecurity/trivy/issues/7810)) ([7a4f4d8](https://github.com/aquasecurity/trivy/commit/7a4f4d8b12996687f3095a2042cdf2f5985332c9))
+* **license:** fix license normalization for Universal Permissive License ([#7766](https://github.com/aquasecurity/trivy/issues/7766)) ([f6acdf7](https://github.com/aquasecurity/trivy/commit/f6acdf713991f8ffdbe765178fcb8a9cde433cba))
+* **misconf:** change default ACL of digitalocean_spaces_bucket to private ([#7577](https://github.com/aquasecurity/trivy/issues/7577)) ([9da84f5](https://github.com/aquasecurity/trivy/commit/9da84f54fadbe6ad0d73983952e945ed63b666f3))
+* **misconf:** check if property is not nil before conversion ([#7578](https://github.com/aquasecurity/trivy/issues/7578)) ([c8c14d3](https://github.com/aquasecurity/trivy/commit/c8c14d36245623019f29d258f813d2325f7490f7))
+* **misconf:** fix for Azure Storage Account network acls adaptation ([#7602](https://github.com/aquasecurity/trivy/issues/7602)) ([35fd018](https://github.com/aquasecurity/trivy/commit/35fd018ae7ad86823f114f0ac2f1376726aee444))
+* **misconf:** properly expand dynamic blocks ([#7612](https://github.com/aquasecurity/trivy/issues/7612)) ([8d5dbc9](https://github.com/aquasecurity/trivy/commit/8d5dbc9fec3569b22ed81a03c40eaf732768718b))
+* **redhat:** include arch in PURL qualifiers ([#7654](https://github.com/aquasecurity/trivy/issues/7654)) ([a585e95](https://github.com/aquasecurity/trivy/commit/a585e95f3398631d9ad10505c5ff642fde21aef7))
+* **repo:** `git clone` output to Stderr ([#7561](https://github.com/aquasecurity/trivy/issues/7561)) ([fdf203c](https://github.com/aquasecurity/trivy/commit/fdf203cd209aeb40f454bd12d121a54d6ed7a542))
+* **report:** Fix invalid URI in SARIF report ([#7645](https://github.com/aquasecurity/trivy/issues/7645)) ([015bb88](https://github.com/aquasecurity/trivy/commit/015bb885ac414b91201fa9791eead395d878149c))
+* **sbom:** add options for DBs in private registries ([#7660](https://github.com/aquasecurity/trivy/issues/7660)) ([1f2e91b](https://github.com/aquasecurity/trivy/commit/1f2e91b02b3606dd11963002a8cfac7962f3478f))
+* **sbom:** use `Annotation` instead of `AttributionTexts` for `SPDX` formats ([#7811](https://github.com/aquasecurity/trivy/issues/7811)) ([f2bb9c6](https://github.com/aquasecurity/trivy/commit/f2bb9c6227743dd61f44eb591d4b15192fe110c6))
+
+## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-10-03)
+
+
+### Features
+
+* **java:** add empty versions if `pom.xml` dependency versions can't be detected ([#7520](https://github.com/aquasecurity/trivy/issues/7520)) ([b836232](https://github.com/aquasecurity/trivy/commit/b8362321adb2af220830c5de31c29978423d47da))
+* **license:** improve license normalization ([#7131](https://github.com/aquasecurity/trivy/issues/7131)) ([6472e3c](https://github.com/aquasecurity/trivy/commit/6472e3c9da2a8e7ba41598a45c80df8f18e57d4c))
+* **misconf:** add ability to disable checks by ID ([#7536](https://github.com/aquasecurity/trivy/issues/7536)) ([ef0a27d](https://github.com/aquasecurity/trivy/commit/ef0a27d515ff80762bf1959d44a8bde017ae06ec))
+* **misconf:** Register checks only when needed ([#7435](https://github.com/aquasecurity/trivy/issues/7435)) ([f768d3a](https://github.com/aquasecurity/trivy/commit/f768d3a767a99a86b0372f19d9f49a2de35dbe59))
+* **misconf:** Support `--skip-*` for all included modules  ([#7579](https://github.com/aquasecurity/trivy/issues/7579)) ([c0e8da3](https://github.com/aquasecurity/trivy/commit/c0e8da3828e9d3a0b30d1f6568037db8dc827765))
+* **secret:** enhance secret scanning for python binary files ([#7223](https://github.com/aquasecurity/trivy/issues/7223)) ([60725f8](https://github.com/aquasecurity/trivy/commit/60725f879ba014c5c57583db6afc290b78facae8))
+* support multiple DB repositories for vulnerability and Java DB ([#7605](https://github.com/aquasecurity/trivy/issues/7605)) ([3562529](https://github.com/aquasecurity/trivy/commit/3562529ddfb26d301311ed450c192e17011353df))
+* support RPM archives ([#7628](https://github.com/aquasecurity/trivy/issues/7628)) ([69bf7e0](https://github.com/aquasecurity/trivy/commit/69bf7e00ea5ab483692db830fdded26a31f03183))
+* **suse:** added SUSE Linux Enterprise Micro support ([#7294](https://github.com/aquasecurity/trivy/issues/7294)) ([efdb68d](https://github.com/aquasecurity/trivy/commit/efdb68d3b9ddf9dfaf45ea5855b31c43a4366bab))
+
+
+### Bug Fixes
+
+* allow access to '..' in mapfs ([#7575](https://github.com/aquasecurity/trivy/issues/7575)) ([a8fbe46](https://github.com/aquasecurity/trivy/commit/a8fbe46119adbd89f827a75c75b9e97d392f1842))
+* **db:** check `DownloadedAt` for `trivy-java-db` ([#7592](https://github.com/aquasecurity/trivy/issues/7592)) ([13ef3e7](https://github.com/aquasecurity/trivy/commit/13ef3e7d62ba2bcb3a04d7b44f79b1299674b480))
+* **java:** use `dependencyManagement` from root/child pom's for dependencies from parents ([#7497](https://github.com/aquasecurity/trivy/issues/7497)) ([5442949](https://github.com/aquasecurity/trivy/commit/54429497e7d6a87eac236771d4efb8a5a7faaac5))
+* **license:** stop spliting a long license text ([#7336](https://github.com/aquasecurity/trivy/issues/7336)) ([4926da7](https://github.com/aquasecurity/trivy/commit/4926da79de901fba73819d71845ec0355b68ae0f))
+* **misconf:** Disable deprecated checks by default ([#7632](https://github.com/aquasecurity/trivy/issues/7632)) ([82e2adc](https://github.com/aquasecurity/trivy/commit/82e2adc6f8e68d0cc0021031170c2adb60d213ba))
+* **misconf:** disable DS016 check for image history analyzer ([#7540](https://github.com/aquasecurity/trivy/issues/7540)) ([de40df9](https://github.com/aquasecurity/trivy/commit/de40df9408d6d856a3ad384ec9f086edce3aa382))
+* **misconf:** escape all special sequences ([#7558](https://github.com/aquasecurity/trivy/issues/7558)) ([ea0cf03](https://github.com/aquasecurity/trivy/commit/ea0cf0379aff0348fde87356dab37947800fc1b6))
+* **misconf:** Fix logging typo ([#7473](https://github.com/aquasecurity/trivy/issues/7473)) ([56db43c](https://github.com/aquasecurity/trivy/commit/56db43c24f4f6be92891be85faaf9492cad516ac))
+* **misconf:** Fixed scope for China Cloud ([#7560](https://github.com/aquasecurity/trivy/issues/7560)) ([37d549e](https://github.com/aquasecurity/trivy/commit/37d549e5b86a1c5dce6710fbfd2310aec9abe949))
+* **misconf:** not to warn about missing selectors of libraries ([#7638](https://github.com/aquasecurity/trivy/issues/7638)) ([fcaea74](https://github.com/aquasecurity/trivy/commit/fcaea740808d5784c120e5c5d65f5f94e1d931d4))
+* **oracle:** Update EOL date for Oracle 7 ([#7480](https://github.com/aquasecurity/trivy/issues/7480)) ([dd0a64a](https://github.com/aquasecurity/trivy/commit/dd0a64a1cf0cd76e6f81e3ff55fa6ccb95ce3c3d))
+* **report:** change a receiver of MarshalJSON ([#7483](https://github.com/aquasecurity/trivy/issues/7483)) ([927c6e0](https://github.com/aquasecurity/trivy/commit/927c6e0c9d4d4a3f1be00f0f661c1d18325d9440))
+* **report:** fix error with unmarshal of `ExperimentalModifiedFindings` ([#7463](https://github.com/aquasecurity/trivy/issues/7463)) ([7ff9aff](https://github.com/aquasecurity/trivy/commit/7ff9aff2739b2eee4a98175b98914795e4077060))
+* **sbom:** export bom-ref when converting a package to a component ([#7340](https://github.com/aquasecurity/trivy/issues/7340)) ([5dd94eb](https://github.com/aquasecurity/trivy/commit/5dd94ebc1ffe3f1df511dee6381f92a5daefadf2))
+* **sbom:** parse type `framework` as `library` when unmarshalling `CycloneDX` files ([#7527](https://github.com/aquasecurity/trivy/issues/7527)) ([aeb7039](https://github.com/aquasecurity/trivy/commit/aeb7039d7ce090e243d29f0bf16c9e4e24252a01))
+* **secret:** change grafana token regex to find them without unquoted ([#7627](https://github.com/aquasecurity/trivy/issues/7627)) ([3e1fa21](https://github.com/aquasecurity/trivy/commit/3e1fa2100074e840bacdd65947425b08750b7d9a))
+
+
+### Performance Improvements
+
+* **misconf:** use port ranges instead of enumeration ([#7549](https://github.com/aquasecurity/trivy/issues/7549)) ([1f9fc13](https://github.com/aquasecurity/trivy/commit/1f9fc13da4a1e7c76c978e4f8e119bfd61a0480e))
+
+
+### Reverts
+
+* **java:** stop supporting of `test` scope for `pom.xml` files ([#7488](https://github.com/aquasecurity/trivy/issues/7488)) ([b0222fe](https://github.com/aquasecurity/trivy/commit/b0222feeb586ec59904bb321fda8f3f22496d07b))
+
+## [0.55.0](https://github.com/aquasecurity/trivy/compare/v0.54.0...v0.55.0) (2024-09-03)
+
+
+### ⚠ BREAKING CHANGES
+
+* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266))
+
+### Features
+
+* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266)) ([7024572](https://github.com/aquasecurity/trivy/commit/70245721372720027b7089bd61c693df48add865))
+* **go:** use `toolchain` as `stdlib` version for `go.mod` files ([#7163](https://github.com/aquasecurity/trivy/issues/7163)) ([2d80769](https://github.com/aquasecurity/trivy/commit/2d80769c34b118851640411fff9dac0b3e353e82))
+* **java:** add `test` scope support for `pom.xml` files ([#7414](https://github.com/aquasecurity/trivy/issues/7414)) ([2d97700](https://github.com/aquasecurity/trivy/commit/2d97700d10665142d2f66d7910202bec82116209))
+* **misconf:** Add support for using spec from on-disk bundle ([#7179](https://github.com/aquasecurity/trivy/issues/7179)) ([be86126](https://github.com/aquasecurity/trivy/commit/be861265cafc89787fda09c59b2ef175e3d04204))
+* **misconf:** ignore duplicate checks ([#7317](https://github.com/aquasecurity/trivy/issues/7317)) ([9ef05fc](https://github.com/aquasecurity/trivy/commit/9ef05fc6b171a264516a025b0b0bcbbc8cff10bc))
+* **misconf:** iterator argument support for dynamic blocks ([#7236](https://github.com/aquasecurity/trivy/issues/7236)) ([fe92072](https://github.com/aquasecurity/trivy/commit/fe9207255a4f7f984ec1447f8a9219ae60e560c4))
+* **misconf:** port and protocol support for EC2 networks ([#7146](https://github.com/aquasecurity/trivy/issues/7146)) ([98e136e](https://github.com/aquasecurity/trivy/commit/98e136eb7baa2b66f4233d96875c1490144e1594))
+* **misconf:** scanning support for YAML and JSON ([#7311](https://github.com/aquasecurity/trivy/issues/7311)) ([efdbd8f](https://github.com/aquasecurity/trivy/commit/efdbd8f19ab0ab0c3b48293d43e51c81b7b03b89))
+* **misconf:** support for ignore by nested attributes ([#7205](https://github.com/aquasecurity/trivy/issues/7205)) ([44e4686](https://github.com/aquasecurity/trivy/commit/44e468603d44b077cc4606327fb3e7d7ca435e05))
+* **misconf:** support for policy and bucket grants ([#7284](https://github.com/aquasecurity/trivy/issues/7284)) ([a817fae](https://github.com/aquasecurity/trivy/commit/a817fae85b7272b391b737ec86673a7cab722bae))
+* **misconf:** variable support for Terraform Plan ([#7228](https://github.com/aquasecurity/trivy/issues/7228)) ([db2c955](https://github.com/aquasecurity/trivy/commit/db2c95598da098ca610825089eb4ab63b789b215))
+* **python:** use minimum version for pip packages ([#7348](https://github.com/aquasecurity/trivy/issues/7348)) ([e9b43f8](https://github.com/aquasecurity/trivy/commit/e9b43f81e67789b067352fcb6aa55bc9478bc518))
+* **report:** export modified findings in JSON ([#7383](https://github.com/aquasecurity/trivy/issues/7383)) ([7aea79d](https://github.com/aquasecurity/trivy/commit/7aea79dd93cfb61453766dbbb2e3fc0fbd317852))
+* **sbom:** set User-Agent header on requests to Rekor ([#7396](https://github.com/aquasecurity/trivy/issues/7396)) ([af1d257](https://github.com/aquasecurity/trivy/commit/af1d257730422d238871beb674767f8f83c5d06a))
+* **server:** add internal `--path-prefix` flag for client/server mode ([#7321](https://github.com/aquasecurity/trivy/issues/7321)) ([24a4563](https://github.com/aquasecurity/trivy/commit/24a45636867b893ff54c5ce07197f3b5c6db1d9b))
+* **server:** Make Trivy Server Multiplexer Exported ([#7389](https://github.com/aquasecurity/trivy/issues/7389)) ([4c6e8ca](https://github.com/aquasecurity/trivy/commit/4c6e8ca9cc9591799907cc73075f2d740e303b8f))
+* **vm:** Support direct filesystem ([#7058](https://github.com/aquasecurity/trivy/issues/7058)) ([45b3f34](https://github.com/aquasecurity/trivy/commit/45b3f344042bcd90ca63ab696b69bff0e9ab4e36))
+* **vm:** support the Ext2/Ext3 filesystems ([#6983](https://github.com/aquasecurity/trivy/issues/6983)) ([35c60f0](https://github.com/aquasecurity/trivy/commit/35c60f030fa48de8d8e57958e5ba379814126831))
+* **vuln:** Add `--detection-priority` flag for accuracy tuning ([#7288](https://github.com/aquasecurity/trivy/issues/7288)) ([fd8348d](https://github.com/aquasecurity/trivy/commit/fd8348d610f20c6c33da81cd7b0e7d5504ce26be))
+
+
+### Bug Fixes
+
+* **aws:** handle ECR repositories in different regions ([#6217](https://github.com/aquasecurity/trivy/issues/6217)) ([feaef96](https://github.com/aquasecurity/trivy/commit/feaef9699df5d8ca399770e701a59d7c0ff979a3))
+* **flag:** incorrect behavior for deprected flag `--clear-cache` ([#7281](https://github.com/aquasecurity/trivy/issues/7281)) ([2a0e529](https://github.com/aquasecurity/trivy/commit/2a0e529c36057b572119815af59c28e4790034ca))
+* **helm:** explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element ([#7362](https://github.com/aquasecurity/trivy/issues/7362)) ([da4ebfa](https://github.com/aquasecurity/trivy/commit/da4ebfa1a741f3f8b0b43289b4028afe763f7d43))
+* **java:** Return error when trying to find a remote pom to avoid segfault ([#7275](https://github.com/aquasecurity/trivy/issues/7275)) ([49d5270](https://github.com/aquasecurity/trivy/commit/49d5270163e305f88fedcf50412973736e69dc69))
+* **license:** add license handling to JUnit template ([#7409](https://github.com/aquasecurity/trivy/issues/7409)) ([f80183c](https://github.com/aquasecurity/trivy/commit/f80183c1139b21bb95bc64e216358f4a76001a65))
+* logger initialization before flags parsing ([#7372](https://github.com/aquasecurity/trivy/issues/7372)) ([c929290](https://github.com/aquasecurity/trivy/commit/c929290c3c0e4e91337264d69e75ccb60522bc65))
+* **misconf:** change default TLS values for the Azure storage account ([#7345](https://github.com/aquasecurity/trivy/issues/7345)) ([aadb090](https://github.com/aquasecurity/trivy/commit/aadb09078843250c66087f46db9a2aa48094a118))
+* **misconf:** do not filter Terraform plan JSON by name ([#7406](https://github.com/aquasecurity/trivy/issues/7406)) ([9d7264a](https://github.com/aquasecurity/trivy/commit/9d7264af8e85bcc0dba600b8366d0470d455251c))
+* **misconf:** do not recreate filesystem map ([#7416](https://github.com/aquasecurity/trivy/issues/7416)) ([3a5d091](https://github.com/aquasecurity/trivy/commit/3a5d091759564496992a83fb2015a21c84a22213))
+* **misconf:** do not register Rego libs in checks registry ([#7420](https://github.com/aquasecurity/trivy/issues/7420)) ([a5aa63e](https://github.com/aquasecurity/trivy/commit/a5aa63eff7e229744090f9ad300c1bec3259397e))
+* **misconf:** do not set default value for default_cache_behavior ([#7234](https://github.com/aquasecurity/trivy/issues/7234)) ([f0ed5e4](https://github.com/aquasecurity/trivy/commit/f0ed5e4ced7e60af35c88d5d084aa4b7237f4973))
+* **misconf:** fix infer type for null value ([#7424](https://github.com/aquasecurity/trivy/issues/7424)) ([0cac3ac](https://github.com/aquasecurity/trivy/commit/0cac3ac7075017628a21a7990941df04cbc16dbe))
+* **misconf:** init frameworks before updating them ([#7376](https://github.com/aquasecurity/trivy/issues/7376)) ([b65b32d](https://github.com/aquasecurity/trivy/commit/b65b32ddfa6fc62ac81ad9fa580e1f5a327864f5))
+* **misconf:** load only submodule if it is specified in source ([#7112](https://github.com/aquasecurity/trivy/issues/7112)) ([a4180bd](https://github.com/aquasecurity/trivy/commit/a4180bddd43d86e479edf0afe0c362021d071482))
+* **misconf:** support deprecating for Go checks ([#7377](https://github.com/aquasecurity/trivy/issues/7377)) ([2a6c7ab](https://github.com/aquasecurity/trivy/commit/2a6c7ab3b338ce4a8f99d6ac3508c2531dcbe812))
+* **misconf:** use module to log when metadata retrieval fails ([#7405](https://github.com/aquasecurity/trivy/issues/7405)) ([0799770](https://github.com/aquasecurity/trivy/commit/0799770b8827a8276ad0d6d9ac7e0381c286757c))
+* **misconf:** wrap Azure PortRange in iac types ([#7357](https://github.com/aquasecurity/trivy/issues/7357)) ([c5c62d5](https://github.com/aquasecurity/trivy/commit/c5c62d5ff05420321f9cdbfb93e2591e0866a342))
+* **nodejs:** check all `importers` to detect dev deps from pnpm-lock.yaml file ([#7387](https://github.com/aquasecurity/trivy/issues/7387)) ([fd9ed3a](https://github.com/aquasecurity/trivy/commit/fd9ed3a330bc66e229bcbdc262dc296a3bf01f54))
+* **plugin:** do not call GitHub content API for releases and tags ([#7274](https://github.com/aquasecurity/trivy/issues/7274)) ([b3ee6da](https://github.com/aquasecurity/trivy/commit/b3ee6dac269bd7847674f3ce985a5ff7f8f0ba38))
+* **report:** escape `Message` field in `asff.tpl` template ([#7401](https://github.com/aquasecurity/trivy/issues/7401)) ([dd9733e](https://github.com/aquasecurity/trivy/commit/dd9733e950d3127aa2ac90c45ec7e2b88a2b47ca))
+* safely check if the directory exists ([#7353](https://github.com/aquasecurity/trivy/issues/7353)) ([05a8297](https://github.com/aquasecurity/trivy/commit/05a829715f99cd90b122c64cd2f40157854e467b))
+* **sbom:** use `NOASSERTION` for licenses fields in SPDX formats ([#7403](https://github.com/aquasecurity/trivy/issues/7403)) ([c96dcdd](https://github.com/aquasecurity/trivy/commit/c96dcdd440a14cdd1b01ac473b2c15e4698e387b))
+* **secret:** use `.eyJ` keyword for JWT secret ([#7410](https://github.com/aquasecurity/trivy/issues/7410)) ([bf64003](https://github.com/aquasecurity/trivy/commit/bf64003ac8b209f34b88f228918a96d4f9dac5e0))
+* **secret:** use only line with secret for long secret lines ([#7412](https://github.com/aquasecurity/trivy/issues/7412)) ([391448a](https://github.com/aquasecurity/trivy/commit/391448aba9fcb0a4138225e5ab305e4e6707c603))
+* **terraform:** add aws_region name to presets ([#7184](https://github.com/aquasecurity/trivy/issues/7184)) ([bb2e26a](https://github.com/aquasecurity/trivy/commit/bb2e26a0ab707b718f6a890cbc87e2492298b6e5))
+
+
+### Performance Improvements
+
+* **misconf:** do not convert contents of a YAML file to string ([#7292](https://github.com/aquasecurity/trivy/issues/7292)) ([85dadf5](https://github.com/aquasecurity/trivy/commit/85dadf56265647c000191561db10b08a4948c140))
+* **misconf:** optimize work with context ([#6968](https://github.com/aquasecurity/trivy/issues/6968)) ([2b6d8d9](https://github.com/aquasecurity/trivy/commit/2b6d8d9227fb6ecc9386a14333964c23c0370a52))
+* **misconf:** use json.Valid to check validity of JSON ([#7308](https://github.com/aquasecurity/trivy/issues/7308)) ([c766831](https://github.com/aquasecurity/trivy/commit/c766831069e188226efafeec184e41498685ed85))
+
+## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
+
+
+### Features
+
+* add `log.FilePath()` function for logger ([#7080](https://github.com/aquasecurity/trivy/issues/7080)) ([1f5f348](https://github.com/aquasecurity/trivy/commit/1f5f34895823fae81bf521fc939bee743a50e304))
+* add openSUSE tumbleweed detection and scanning ([#6965](https://github.com/aquasecurity/trivy/issues/6965)) ([17b5dbf](https://github.com/aquasecurity/trivy/commit/17b5dbfa12180414b87859c6c46bfe6cc5ecf7ba))
+* **cli:** rename `--vuln-type` flag to `--pkg-types` flag ([#7104](https://github.com/aquasecurity/trivy/issues/7104)) ([7cbdb0a](https://github.com/aquasecurity/trivy/commit/7cbdb0a0b5dff33e506e1c1f3119951fa241b432))
+* **mariner:** Add support for Azure Linux ([#7186](https://github.com/aquasecurity/trivy/issues/7186)) ([5cbc452](https://github.com/aquasecurity/trivy/commit/5cbc452a09822d1bf300ead88f0d613d4cf0349a))
+* **misconf:** enabled China configuration for ACRs ([#7156](https://github.com/aquasecurity/trivy/issues/7156)) ([d1ec89d](https://github.com/aquasecurity/trivy/commit/d1ec89d1db4b039f0e31076ccd1ca969fb15628e))
+* **nodejs:** add license parser to pnpm analyser ([#7036](https://github.com/aquasecurity/trivy/issues/7036)) ([03ac93d](https://github.com/aquasecurity/trivy/commit/03ac93dc208f1b40896f3fa11fa1d45293176dca))
+* **sbom:** add image labels into `SPDX` and `CycloneDX` reports ([#7257](https://github.com/aquasecurity/trivy/issues/7257)) ([4a2f492](https://github.com/aquasecurity/trivy/commit/4a2f492c6e685ff577fb96a7006cd0c43755baf4))
+* **sbom:** add vulnerability support for SPDX formats ([#7213](https://github.com/aquasecurity/trivy/issues/7213)) ([efb1f69](https://github.com/aquasecurity/trivy/commit/efb1f6938321eec3529ef4fea6608261f6771ae0))
+* share build-in rules ([#7207](https://github.com/aquasecurity/trivy/issues/7207)) ([bff317c](https://github.com/aquasecurity/trivy/commit/bff317c77bf4a5f615a80d9875d129213bd52f6d))
+* **vex:** retrieve VEX attestations from OCI registries ([#7249](https://github.com/aquasecurity/trivy/issues/7249)) ([c2fd2e0](https://github.com/aquasecurity/trivy/commit/c2fd2e0d89567a0ccd996dda8790f3c3305ea6f7))
+* **vex:** VEX Repository support ([#7206](https://github.com/aquasecurity/trivy/issues/7206)) ([88ba460](https://github.com/aquasecurity/trivy/commit/88ba46047c93e6046292523ae701de774dfdc4dc))
+* **vuln:** add `--pkg-relationships` ([#7237](https://github.com/aquasecurity/trivy/issues/7237)) ([5c37361](https://github.com/aquasecurity/trivy/commit/5c37361600d922db27dd594b2a80c010a19b3a6e))
+
+
+### Bug Fixes
+
+* Add dependencyManagement exclusions to the child exclusions ([#6969](https://github.com/aquasecurity/trivy/issues/6969)) ([dc68a66](https://github.com/aquasecurity/trivy/commit/dc68a662a701980d6529f61a65006f1e4728a3e5))
+* add missing platform and type to spec ([#7149](https://github.com/aquasecurity/trivy/issues/7149)) ([c8a7abd](https://github.com/aquasecurity/trivy/commit/c8a7abd3b508975fcf10c254d13d1a2cd42da657))
+* **cli:** error on missing config file ([#7154](https://github.com/aquasecurity/trivy/issues/7154)) ([7fa5e7d](https://github.com/aquasecurity/trivy/commit/7fa5e7d0ab67f20d434b2922725988695e32e6af))
+* close file when failed to open gzip ([#7164](https://github.com/aquasecurity/trivy/issues/7164)) ([2a577a7](https://github.com/aquasecurity/trivy/commit/2a577a7bae37e5731dceaea8740683573b6b70a5))
+* **dotnet:** don't include non-runtime libraries into report for `*.deps.json` files ([#7039](https://github.com/aquasecurity/trivy/issues/7039)) ([5bc662b](https://github.com/aquasecurity/trivy/commit/5bc662be9a8f072599f90abfd3b400c8ab055ed6))
+* **dotnet:** show `nuget package dir not found` log only when checking `nuget` packages ([#7194](https://github.com/aquasecurity/trivy/issues/7194)) ([d76feba](https://github.com/aquasecurity/trivy/commit/d76febaee107c645e864da0f4d74a8f6ae4ad232))
+* ignore nodes when listing permission is not allowed ([#7107](https://github.com/aquasecurity/trivy/issues/7107)) ([25f8143](https://github.com/aquasecurity/trivy/commit/25f8143f120965c636c5ea8386398b211b082398))
+* **java:** avoid panic if deps from `pom` in `it` dir are not found ([#7245](https://github.com/aquasecurity/trivy/issues/7245)) ([4e54a7e](https://github.com/aquasecurity/trivy/commit/4e54a7e84c33c1be80c52c6db78c634bc3911715))
+* **java:** use `go-mvn-version` to remove `Package` duplicates ([#7088](https://github.com/aquasecurity/trivy/issues/7088)) ([a7a304d](https://github.com/aquasecurity/trivy/commit/a7a304d53e1ce230f881c28c4f35885774cf3b9a))
+* **misconf:** do not evaluate TF when a load error occurs ([#7109](https://github.com/aquasecurity/trivy/issues/7109)) ([f27c236](https://github.com/aquasecurity/trivy/commit/f27c236d6e155cb366aeef619b6ea96d20fb93da))
+* **nodejs:** detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` ([#7110](https://github.com/aquasecurity/trivy/issues/7110)) ([54bb8bd](https://github.com/aquasecurity/trivy/commit/54bb8bdfb934d114b5570005853bf4bc0d40c609))
+* **report:** hide empty table when all secrets/license/misconfigs are ignored ([#7171](https://github.com/aquasecurity/trivy/issues/7171)) ([c3036de](https://github.com/aquasecurity/trivy/commit/c3036de6d7719323d306a9666ccc8d928d936f9a))
+* **secret:** skip regular strings contain secret patterns ([#7182](https://github.com/aquasecurity/trivy/issues/7182)) ([174b1e3](https://github.com/aquasecurity/trivy/commit/174b1e3515a6394cf8d523216d6267c1aefb820a))
+* **secret:** trim excessively long lines ([#7192](https://github.com/aquasecurity/trivy/issues/7192)) ([92b13be](https://github.com/aquasecurity/trivy/commit/92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5))
+* **secret:** update length of `hugging-face-access-token` ([#7216](https://github.com/aquasecurity/trivy/issues/7216)) ([8c87194](https://github.com/aquasecurity/trivy/commit/8c87194f0a6b194bc5d340c8a65bd99a3132d973))
+* **server:** pass license categories to options ([#7203](https://github.com/aquasecurity/trivy/issues/7203)) ([9d52018](https://github.com/aquasecurity/trivy/commit/9d5201808da89607ae43570bdf1f335b482a6b79))
+
+
+### Performance Improvements
+
+* **debian:** use `bytes.Index` in `emptyLineSplit` to cut allocation ([#7065](https://github.com/aquasecurity/trivy/issues/7065)) ([acbec05](https://github.com/aquasecurity/trivy/commit/acbec053c985388a26d899e73b4b7f5a6d1fa210))
+
+## [0.53.0](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.53.0) (2024-07-01)
+
+
+### ⚠ BREAKING CHANGES
+
+* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861))
+* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993))
+* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995))
+
+### Features
+
+* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993)) ([8d0ae1f](https://github.com/aquasecurity/trivy/commit/8d0ae1f5de72d92a043dcd6b7c164d30e51b6047))
+* Add local ImageID to SARIF metadata ([#6522](https://github.com/aquasecurity/trivy/issues/6522)) ([f144e91](https://github.com/aquasecurity/trivy/commit/f144e912d34234f00b5a13b7a11a0019fa978b27))
+* add memory cache backend ([#7048](https://github.com/aquasecurity/trivy/issues/7048)) ([55ccd06](https://github.com/aquasecurity/trivy/commit/55ccd06df43f6ff28685f46d215ccb70f55916d2))
+* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995)) ([979e118](https://github.com/aquasecurity/trivy/commit/979e118a9e0ca8943bef9143f492d7eb1fd4d863))
+* **conda:** add licenses support for `environment.yml` files ([#6953](https://github.com/aquasecurity/trivy/issues/6953)) ([654217a](https://github.com/aquasecurity/trivy/commit/654217a65485ca0a07771ea61071977894eb4920))
+* **dart:** use first version of constraint for dependencies using SDK version ([#6239](https://github.com/aquasecurity/trivy/issues/6239)) ([042d6b0](https://github.com/aquasecurity/trivy/commit/042d6b08c283105c258a3dda98983b345a5305c3))
+* **image:** Set User-Agent header for Trivy container registry requests ([#6868](https://github.com/aquasecurity/trivy/issues/6868)) ([9b31697](https://github.com/aquasecurity/trivy/commit/9b31697274c8743d6e5a8f7a1a05daf60cd15910))
+* **java:** add support for `maven-metadata.xml` files for remote snapshot repositories. ([#6950](https://github.com/aquasecurity/trivy/issues/6950)) ([1f8fca1](https://github.com/aquasecurity/trivy/commit/1f8fca1fc77b989bb4e3ba820b297464dbdd825f))
+* **java:** add support for sbt projects using sbt-dependency-lock ([#6882](https://github.com/aquasecurity/trivy/issues/6882)) ([f18d035](https://github.com/aquasecurity/trivy/commit/f18d035ae13b281c96aa4ed69ca32e507d336e66))
+* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861)) ([8d618e4](https://github.com/aquasecurity/trivy/commit/8d618e48a2f1b60c2e4c49cdd9deb8eb45c972b0))
+* **misconf:** add metadata to Cloud schema ([#6831](https://github.com/aquasecurity/trivy/issues/6831)) ([02d5404](https://github.com/aquasecurity/trivy/commit/02d540478d495416b50d7e8b187ff9f5bba41f45))
+* **misconf:** add support for AWS::EC2::SecurityGroupIngress/Egress ([#6755](https://github.com/aquasecurity/trivy/issues/6755)) ([55fa610](https://github.com/aquasecurity/trivy/commit/55fa6109cd0463fd3221aae41ca7b1d8c44ad430))
+* **misconf:** API Gateway V1 support for CloudFormation ([#6874](https://github.com/aquasecurity/trivy/issues/6874)) ([8491469](https://github.com/aquasecurity/trivy/commit/8491469f0b35bd9df706a433669f5b62239d4ef3))
+* **misconf:** support of selectors for all providers for Rego ([#6905](https://github.com/aquasecurity/trivy/issues/6905)) ([bc3741a](https://github.com/aquasecurity/trivy/commit/bc3741ae2c68cdd00fc0aef7e51985568b2eb78a))
+* **php:** add installed.json file support ([#4865](https://github.com/aquasecurity/trivy/issues/4865)) ([edc556b](https://github.com/aquasecurity/trivy/commit/edc556b85e3554c31e19b1ece189effb9ba2be12))
+* **plugin:** add support for nested archives ([#6845](https://github.com/aquasecurity/trivy/issues/6845)) ([622c67b](https://github.com/aquasecurity/trivy/commit/622c67b7647f94d0a0ca3acf711d8f847cdd8d98))
+* **sbom:** migrate to `CycloneDX v1.6` ([#6903](https://github.com/aquasecurity/trivy/issues/6903)) ([09e50ce](https://github.com/aquasecurity/trivy/commit/09e50ce6a82073ba62f1732d5aa0cd2701578693))
+
+
+### Bug Fixes
+
+* **c:** don't skip conan files from `file-patterns` and scan `.conan2` cache dir ([#6949](https://github.com/aquasecurity/trivy/issues/6949)) ([38b35dd](https://github.com/aquasecurity/trivy/commit/38b35dd3c804027e7a6e6a9d3c87b7ac333896c5))
+* **cli:** show info message only when --scanners is available ([#7032](https://github.com/aquasecurity/trivy/issues/7032)) ([e9fc3e3](https://github.com/aquasecurity/trivy/commit/e9fc3e3397564512038ddeca2adce0efcb3f93c5))
+* **cyclonedx:** trim non-URL info for `advisory.url` ([#6952](https://github.com/aquasecurity/trivy/issues/6952)) ([417212e](https://github.com/aquasecurity/trivy/commit/417212e0930aa52a27ebdc1b9370d2943ce0f8fa))
+* **debian:** take installed files from the origin layer ([#6849](https://github.com/aquasecurity/trivy/issues/6849)) ([089b953](https://github.com/aquasecurity/trivy/commit/089b953462260f01c40bdf588b2568ae0ef658bc))
+* **image:** parse `image.inspect.Created` field only for non-empty values ([#6948](https://github.com/aquasecurity/trivy/issues/6948)) ([0af5730](https://github.com/aquasecurity/trivy/commit/0af5730cbe56686417389c2fad643c1bdbb33999))
+* **license:** return license separation using separators  `,`, `or`, etc. ([#6916](https://github.com/aquasecurity/trivy/issues/6916)) ([52f7aa5](https://github.com/aquasecurity/trivy/commit/52f7aa54b520a90a19736703f8ea63cc20fab104))
+* **misconf:** fix caching of modules in subdirectories ([#6814](https://github.com/aquasecurity/trivy/issues/6814)) ([0bcfedb](https://github.com/aquasecurity/trivy/commit/0bcfedbcaa9bbe30ee5ecade5b98e9ce3cc54c9b))
+* **misconf:** fix parsing of engine links and frameworks ([#6937](https://github.com/aquasecurity/trivy/issues/6937)) ([ec68c9a](https://github.com/aquasecurity/trivy/commit/ec68c9ab4580d057720179173d58734402c92af4))
+* **misconf:** handle source prefix to ignore ([#6945](https://github.com/aquasecurity/trivy/issues/6945)) ([c3192f0](https://github.com/aquasecurity/trivy/commit/c3192f061d7e84eaf38df8df7c879dc00b4ca137))
+* **misconf:** parsing numbers without fraction as int ([#6834](https://github.com/aquasecurity/trivy/issues/6834)) ([8141a13](https://github.com/aquasecurity/trivy/commit/8141a137ba50b553a9da877d95c7ccb491d041c6))
+* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken ([#6858](https://github.com/aquasecurity/trivy/issues/6858)) ([cf5aa33](https://github.com/aquasecurity/trivy/commit/cf5aa336e660e4c98481ebf8d15dd4e54c38581e))
+* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([7d083bc](https://github.com/aquasecurity/trivy/commit/7d083bc890eccc3bf32765c6d7e922cab2e2ef94))
+* **plugin:** respect `--insecure` ([#7022](https://github.com/aquasecurity/trivy/issues/7022)) ([3d02a31](https://github.com/aquasecurity/trivy/commit/3d02a31b44924f9e2495aae087f7ca9de3314db4))
+* **purl:** add missed os types ([#6955](https://github.com/aquasecurity/trivy/issues/6955)) ([2d85a00](https://github.com/aquasecurity/trivy/commit/2d85a003b22298d1101f84559f7c6b470f2b3909))
+* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase ([#6852](https://github.com/aquasecurity/trivy/issues/6852)) ([faa9d92](https://github.com/aquasecurity/trivy/commit/faa9d92cfeb8d924deda2dac583b6c97099c08d9))
+* **sbom:** don't overwrite `srcEpoch` when decoding SBOM files ([#6866](https://github.com/aquasecurity/trivy/issues/6866)) ([04af59c](https://github.com/aquasecurity/trivy/commit/04af59c2906bcfc7f7970b4e8f45a90f04313170))
+* **sbom:** fix panic when scanning SBOM file without root component into SBOM format ([#7051](https://github.com/aquasecurity/trivy/issues/7051)) ([3d4ae8b](https://github.com/aquasecurity/trivy/commit/3d4ae8b5be94cd9b00badeece8d86c2258b2cd90))
+* **sbom:** take pkg name from `purl` for maven pkgs ([#7008](https://github.com/aquasecurity/trivy/issues/7008)) ([a76e328](https://github.com/aquasecurity/trivy/commit/a76e3286c413de3dec55394fb41dd627dfee37ae))
+* **sbom:** use `purl` for `bitnami` pkg names ([#6982](https://github.com/aquasecurity/trivy/issues/6982)) ([7eabb92](https://github.com/aquasecurity/trivy/commit/7eabb92ec2e617300433445718be07ac74956454))
+* **sbom:** use package UIDs for uniqueness ([#7042](https://github.com/aquasecurity/trivy/issues/7042)) ([14d71ba](https://github.com/aquasecurity/trivy/commit/14d71ba63c39e51dd4179ba2d6002b46e1816e90))
+* **secret:** `Asymmetric Private Key` shouldn't start with space ([#6867](https://github.com/aquasecurity/trivy/issues/6867)) ([bb26445](https://github.com/aquasecurity/trivy/commit/bb26445e3df198df77930329f532ac5ab7a67af2))
+* **suse:** Add SLES 15.6 and Leap 15.6 ([#6964](https://github.com/aquasecurity/trivy/issues/6964)) ([5ee4e9d](https://github.com/aquasecurity/trivy/commit/5ee4e9d30ea814f60fd5705361cabf2e83a47a78))
+* use embedded when command path not found ([#7037](https://github.com/aquasecurity/trivy/issues/7037)) ([137c916](https://github.com/aquasecurity/trivy/commit/137c9164238ffd989a0c5ed24f23a55bbf341f6e))
+
+## [0.52.0](https://github.com/aquasecurity/trivy/compare/v0.51.1...v0.52.0) (2024-06-03)
+
+
+### Features
+
+* Add Julia language analyzer support ([#5635](https://github.com/aquasecurity/trivy/issues/5635)) ([fecafb1](https://github.com/aquasecurity/trivy/commit/fecafb1fc5bb129c7485342a0775f0dd8bedd28e))
+* add support for plugin index ([#6674](https://github.com/aquasecurity/trivy/issues/6674)) ([26faf8f](https://github.com/aquasecurity/trivy/commit/26faf8f3f04b1c5f9f81c03ffc6b2008732207e2))
+* **misconf:** Add support for deprecating a check ([#6664](https://github.com/aquasecurity/trivy/issues/6664)) ([88702cf](https://github.com/aquasecurity/trivy/commit/88702cfd5918b093defc5b5580f7cbf16f5f2417))
+* **misconf:** add Terraform 'removed' block to schema ([#6640](https://github.com/aquasecurity/trivy/issues/6640)) ([b7a0a13](https://github.com/aquasecurity/trivy/commit/b7a0a131a03ed49c08d3b0d481bc9284934fd6e1))
+* **misconf:** register builtin Rego funcs from trivy-checks ([#6616](https://github.com/aquasecurity/trivy/issues/6616)) ([7c22ee3](https://github.com/aquasecurity/trivy/commit/7c22ee3df5ee51beb90e44428a99541b3d19ab98))
+* **misconf:** resolve tf module from OpenTofu compatible registry ([#6743](https://github.com/aquasecurity/trivy/issues/6743)) ([ac74520](https://github.com/aquasecurity/trivy/commit/ac7452009bf7ca0fa8ee1de8807c792eabad405a))
+* **misconf:** support for VPC resources for inbound/outbound rules ([#6779](https://github.com/aquasecurity/trivy/issues/6779)) ([349caf9](https://github.com/aquasecurity/trivy/commit/349caf96bc3dd81551d488044f1adfdb947f39fb))
+* **misconf:** support symlinks inside of Helm archives ([#6621](https://github.com/aquasecurity/trivy/issues/6621)) ([4eae37c](https://github.com/aquasecurity/trivy/commit/4eae37c52b035b3576361c12f70d3d9517d0a73c))
+* **nodejs:** add v9 pnpm lock file support ([#6617](https://github.com/aquasecurity/trivy/issues/6617)) ([1e08648](https://github.com/aquasecurity/trivy/commit/1e0864842e32a709941d4b4e8f521602bcee684d))
+* **plugin:** specify plugin version ([#6683](https://github.com/aquasecurity/trivy/issues/6683)) ([d6dc567](https://github.com/aquasecurity/trivy/commit/d6dc56732babbc9d7f788c280a768d8648aa093d))
+* **python:** add license support for `requirement.txt` files ([#6782](https://github.com/aquasecurity/trivy/issues/6782)) ([29615be](https://github.com/aquasecurity/trivy/commit/29615be85e8bfeaf5a0cd51829b1898c55fa4274))
+* **python:** add line number support for `requirement.txt` files ([#6729](https://github.com/aquasecurity/trivy/issues/6729)) ([2bc54ad](https://github.com/aquasecurity/trivy/commit/2bc54ad2752aba5de4380cb92c13b09c0abefd73))
+* **report:** Include licenses and secrets filtered by rego to ModifiedFindings ([#6483](https://github.com/aquasecurity/trivy/issues/6483)) ([fa3cf99](https://github.com/aquasecurity/trivy/commit/fa3cf993eace4be793f85907b42365269c597b91))
+* **vex:** improve relationship support in CSAF VEX ([#6735](https://github.com/aquasecurity/trivy/issues/6735)) ([a447f6b](https://github.com/aquasecurity/trivy/commit/a447f6ba94b6f8b14177dc5e4369a788e2020d90))
+* **vex:** support non-root components for products in OpenVEX ([#6728](https://github.com/aquasecurity/trivy/issues/6728)) ([9515695](https://github.com/aquasecurity/trivy/commit/9515695d45e9b5c20890e27e21e3ab45bfd4ce5f))
+
+
+### Bug Fixes
+
+* clean up golangci lint configuration ([#6797](https://github.com/aquasecurity/trivy/issues/6797)) ([62de6f3](https://github.com/aquasecurity/trivy/commit/62de6f3feba6e4c56ad3922441d5b0f150c3d6b7))
+* **cli:** always output fatal errors to stderr ([#6827](https://github.com/aquasecurity/trivy/issues/6827)) ([c2b9132](https://github.com/aquasecurity/trivy/commit/c2b9132a7e933a68df4cc0eb86aab23719ded1b5))
+* close APKINDEX archive file ([#6672](https://github.com/aquasecurity/trivy/issues/6672)) ([5caf437](https://github.com/aquasecurity/trivy/commit/5caf4377f3a7fcb1f6e1a84c67136ae62d100be3))
+* close settings.xml ([#6768](https://github.com/aquasecurity/trivy/issues/6768)) ([9c3e895](https://github.com/aquasecurity/trivy/commit/9c3e895fcb0852c00ac03ed21338768f76b5273b))
+* close testfile ([#6830](https://github.com/aquasecurity/trivy/issues/6830)) ([aa0c413](https://github.com/aquasecurity/trivy/commit/aa0c413814e8915b38d2285c6a8ba5bc3f0705b4))
+* **conda:** add support `pip` deps for `environment.yml` files ([#6675](https://github.com/aquasecurity/trivy/issues/6675)) ([150a773](https://github.com/aquasecurity/trivy/commit/150a77313e980cd63797a89a03afcbc97b285f38))
+* **go:** add only non-empty root modules for `gobinaries` ([#6710](https://github.com/aquasecurity/trivy/issues/6710)) ([c96f2a5](https://github.com/aquasecurity/trivy/commit/c96f2a5b3de820da37e14594dd537c3b0949ae9c))
+* **go:** include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` ([#6705](https://github.com/aquasecurity/trivy/issues/6705)) ([afb4f9d](https://github.com/aquasecurity/trivy/commit/afb4f9dc4730671ba004e1734fa66422c4c86dad))
+* Golang version parsing from binaries w/GOEXPERIMENT ([#6696](https://github.com/aquasecurity/trivy/issues/6696)) ([696f2ae](https://github.com/aquasecurity/trivy/commit/696f2ae0ecdd4f90303f41249924a09ace70dd78))
+* include packages unless it is not needed ([#6765](https://github.com/aquasecurity/trivy/issues/6765)) ([56dbe1f](https://github.com/aquasecurity/trivy/commit/56dbe1f6768fe67fbc1153b74fde0f83eaa1b281))
+* **misconf:** don't shift ignore rule related to code ([#6708](https://github.com/aquasecurity/trivy/issues/6708)) ([39a746c](https://github.com/aquasecurity/trivy/commit/39a746c77837f873e87b81be40676818030f44c5))
+* **misconf:** skip Rego errors with a nil location ([#6638](https://github.com/aquasecurity/trivy/issues/6638)) ([a2c522d](https://github.com/aquasecurity/trivy/commit/a2c522ddb229f049999c4ce74ef75a0e0f9fdc62))
+* **misconf:** skip Rego errors with a nil location ([#6666](https://github.com/aquasecurity/trivy/issues/6666)) ([a126e10](https://github.com/aquasecurity/trivy/commit/a126e1075a44ef0e40c0dc1e214d1c5955f80242))
+* node-collector high and critical cves ([#6707](https://github.com/aquasecurity/trivy/issues/6707)) ([ff32deb](https://github.com/aquasecurity/trivy/commit/ff32deb7bf9163c06963f557228260b3b8c161ed))
+* **plugin:** initialize logger ([#6836](https://github.com/aquasecurity/trivy/issues/6836)) ([728e77a](https://github.com/aquasecurity/trivy/commit/728e77a7261dc3fcda1e61e79be066c789bbba0c))
+* **python:** add package name and version validation for `requirements.txt` files. ([#6804](https://github.com/aquasecurity/trivy/issues/6804)) ([ea3a124](https://github.com/aquasecurity/trivy/commit/ea3a124fc7162c30c7f1a59bdb28db0b3c8bb86d))
+* **report:** hide empty tables if all vulns has been filtered ([#6352](https://github.com/aquasecurity/trivy/issues/6352)) ([3d388d8](https://github.com/aquasecurity/trivy/commit/3d388d8552ef42d4d54176309a38c1879008527b))
+* **sbom:** fix panic for `convert` mode when scanning json file derived from sbom file ([#6808](https://github.com/aquasecurity/trivy/issues/6808)) ([f92ea09](https://github.com/aquasecurity/trivy/commit/f92ea096856c7c262b05bd4d31c62689ebafac82))
+* use of specified context to obtain cluster name ([#6645](https://github.com/aquasecurity/trivy/issues/6645)) ([39ebed4](https://github.com/aquasecurity/trivy/commit/39ebed45f8c218509d264bd3f3ca548fc33d2b3a))
+
+
+### Performance Improvements
+
+* **misconf:** parse rego input once ([#6615](https://github.com/aquasecurity/trivy/issues/6615)) ([67c6b1d](https://github.com/aquasecurity/trivy/commit/67c6b1d473999003d682bdb42657bbf3a4a69a9c))

CONTRIBUTING.md

@@ -1 +1 @@
-See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
+See [Issues](https://trivy.dev/latest/community/contribute/issue/) and [Pull Requests](https://trivy.dev/latest/community/contribute/pr/)

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.19.1
+FROM alpine:3.21.3
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.19.1
+FROM alpine:3.21.3
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.21
+FROM --platform=linux/amd64 golang:1.24
 
 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
@@ -14,7 +14,7 @@ RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/down
 
 # Install Go tools
 RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
-RUN go install github.com/magefile/mage@v1.14.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
+RUN go install github.com/magefile/mage@v1.15.0
 
 ENV TRIVY_PROTOC_CONTAINER=true

README.md

@@ -21,7 +21,6 @@ Targets (what Trivy can scan):
 - Git Repository (remote)
 - Virtual Machine Image
 - Kubernetes
-- AWS
 
 Scanners (what Trivy can find there):
 
@@ -108,7 +107,7 @@ trivy k8s --report summary cluster
 ## Want more? Check out Aqua
 
 If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
-You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
+You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/latest/commercial/compare/).
 In addition check out the <https://aquasec.com> website for more information about our products and services.
 If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
 
@@ -117,7 +116,6 @@ If you'd like to contact Aqua or request a demo, please use this form: <https://
 Trivy is an [Aqua Security][aquasec] open source project.  
 Learn about our open source work and portfolio [here][oss].  
 Contact us about any matter by opening a GitHub Discussion [here][discussions]
-Join our [Slack community][slack] to stay up to date with community efforts.
 
 Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
 
@@ -132,14 +130,13 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
 [homepage]: https://trivy.dev
-[docs]: https://aquasecurity.github.io/trivy
+[docs]: https://trivy.dev/latest/docs/
 [pronunciation]: #how-to-pronounce-the-name-trivy
-[slack]: https://slack.aquasec.com
 [code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
 
-[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
-[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
-[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
+[Installation]:https://trivy.dev/latest/getting-started/installation/
+[Ecosystem]: https://trivy.dev/latest/ecosystem/
+[Scanning Coverage]: https://trivy.dev/latest/docs/coverage/
 
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego

aqua.yaml

@@ -1,10 +0,0 @@
----
-# aqua - Declarative CLI Version Manager
-# https://aquaproj.github.io/
-registries:
-- type: standard
-  ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
-packages:
-- name: tinygo-org/tinygo@v0.29.0
-- name: WebAssembly/binaryen@version_112
-- name: magefile/mage@v1.14.0

ci/deploy-deb.sh

@@ -5,14 +5,14 @@ UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-
 
 cd trivy-repo/deb
 
-for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
   reprepro -A arm64 remove $release trivy
 done
 
-for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
+for release in generic ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
   reprepro includedeb $release ../../dist/*Linux-64bit.deb

cmd/trivy/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"os"
 
 	"golang.org/x/xerrors"
@@ -9,23 +10,32 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/plugin"
+	"github.com/aquasecurity/trivy/pkg/types"
 
 	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
 
 func main() {
 	if err := run(); err != nil {
-		log.Fatal(err)
+		var exitError *types.ExitError
+		if errors.As(err, &exitError) {
+			os.Exit(exitError.Code)
+		}
+
+		var userErr *types.UserError
+		if errors.As(err, &userErr) {
+			log.Fatal("Error", log.Err(userErr))
+		}
+
+		log.Fatal("Fatal error", log.Err(err))
 	}
 }
 
 func run() error {
 	// Trivy behaves as the specified plugin.
 	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
-		if !plugin.IsPredefined(runAsPlugin) {
-			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
-		}
-		if err := plugin.RunWithURL(context.Background(), runAsPlugin, plugin.RunOptions{Args: os.Args[1:]}); err != nil {
+		log.InitLogger(false, false)
+		if err := plugin.Run(context.Background(), runAsPlugin, plugin.Options{Args: os.Args[1:]}); err != nil {
 			return xerrors.Errorf("plugin error: %w", err)
 		}
 		return nil

contrib/Trivy.gitlab-ci.yml

@@ -12,9 +12,9 @@ Trivy_container_scanning:
   before_script:
     - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
     - apk add --no-cache curl docker-cli
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
     - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
     - curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
+    - trivy registry login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
   cache:

contrib/asff.tpl

@@ -108,7 +108,7 @@
                     "Region": "{{ env "AWS_REGION" }}",
                     "Details": {
                         "Other": {
-                            "Message": "{{ .Message }}",
+                            "Message": "{{ escapeString .Message }}",
                             "Filename": "{{ $target }}",
                             "StartLine": "{{ .CauseMetadata.StartLine }}",
                             "EndLine": "{{ .CauseMetadata.EndLine }}"

contrib/gitlab.tpl

@@ -24,11 +24,18 @@
     "status": "success",
     "type": "container_scanning"
   },
+  {{- $image := "Unknown" -}}
+  {{- $os := "Unknown" -}}
+  {{- range . }}
+    {{- if eq .Class "os-pkgs" -}}
+      {{- $target := .Target }}
+        {{- $image = $target | regexFind "[^\\s]+" }}
+        {{- $os = $target | splitList "(" | last | trimSuffix ")" }}
+    {{- end }}
+  {{- end }}
   "vulnerabilities": [
   {{- $t_first := true }}
   {{- range . }}
-  {{- $target := .Target }}
-    {{- $image := $target | regexFind "[^\\s]+" }}
     {{- range .Vulnerabilities -}}
     {{- if $t_first -}}
       {{- $t_first = false -}}
@@ -65,7 +72,7 @@
           "version": "{{ .InstalledVersion }}"
         },
         {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
-        "operating_system": "Unknown",
+        "operating_system": "{{ $os }}",
         "image": "{{ $image }}"
       },
       "identifiers": [

contrib/junit.tpl

@@ -16,7 +16,7 @@
     </testsuite>
 
 {{- if .MisconfSummary }}
-    <testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{  .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
+    <testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{  .Target }}" errors="0" time="">
 {{- else }}
     <testsuite tests="0" failures="0" name="{{  .Target }}" errors="0" skipped="0" time="">
 {{- end }}
@@ -33,5 +33,26 @@
         </testcase>
     {{- end }}
     </testsuite>
+
+{{- if .Licenses }}
+    {{- $licenses := len .Licenses }}
+    <testsuite tests="{{ $licenses }}" failures="{{ $licenses }}" name="{{ .Target }}" time="0">{{ range .Licenses }}
+        <testcase classname="{{ .PkgName }}" name="[{{ .Severity }}] {{ .Name }}">
+            <failure/>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+
+{{- if .Secrets }}
+    {{- $secrets := len .Secrets }}
+    <testsuite tests="{{ $secrets }}" failures="{{ $secrets }}" name="{{ .Target }}" time="0">{{ range .Secrets }}
+        <testcase classname="{{ .RuleID }}" name="[{{ .Severity }}] {{ .Title }}">
+            <failure message="{{ .Title }}" type="description">{{ escapeXML .Match }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+
 {{- end }}
 </testsuites>

docs/assets/css/trivy_v1_homepage.scss

@@ -0,0 +1,693 @@
+/* trivy homepage */
+
+//aqua brand colors
+$aq-royal-blue: #1904da;
+$aq-legacy-blue: #08b1d5;
+$aq-coral-red: #ff445f;
+$aq-starfish-yellow: #ffc900;
+$aq-dark-abyss: #07242d;
+$aq-deep-sea-blue: #183278;
+$aq-ocean-ash: #405a75;
+$aq-sea-foam: #00ffe4;
+
+$aq-neo-background: #ebf3fa;
+$aq-neo-background-hover: #f0f8ff;
+
+
+$aq-royal-blue-dark: #1503ba;
+
+$aq-trivy-dark: #0a0b23;
+
+
+$weight-normal: 400;
+$weight-semibold: 600;
+$weight-bold: 700;
+
+
+
+$gap: 32px;
+// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
+$tablet: 769px;
+
+// 960px container + 4rem
+$desktop: 960px + 2 * $gap;
+
+// 1152px container + 4rem
+$widescreen: 1152px + 2 * $gap;
+$widescreen-enabled: true;
+
+// 1344px container + 4rem
+$fullhd: 1344px + 2 * $gap;
+$fullhd-enabled: true;
+
+
+
+body {
+
+	font-family: "Inter", sans-serif;
+}
+
+.trivy_v1_homepage_wrap {
+	position: relative;
+ 	z-index: 3;
+
+	* {
+		transition: all 0.2s ease !important;
+	}
+
+	.container {
+		width: 100%;
+		margin: 0 auto;
+		max-width: 1440px;
+
+		@media screen and (max-width: $tablet), print { //769
+			padding: 0 24px;
+			max-width: $tablet; //769
+		} //until tablet
+	}
+
+	.button {
+	
+		background-color: #ebf3fa;
+		border: 1px solid #dbdbdb;
+		border-width: 1px;
+		color: #363636;
+		cursor: pointer;
+		justify-content: center;
+		padding-bottom: calc(.5em - 1px);
+		padding-left: 1em;
+		padding-right: 1em;
+		padding-top: calc(.5em - 1px);
+		text-align: center;
+		white-space: nowrap;
+		border-radius: 4px;
+		transition: all .2s ease;
+		font-size: 16px;
+		display: inline-block;
+		font-weight: 700;
+		
+		&.is-seafoam {
+			background-color: $aq-sea-foam;
+			border-color: $aq-sea-foam;
+			color: $aq-dark-abyss;
+
+
+			&.is-outlined {
+				background-color: rgba(0,0,0,0);
+				border-color: $aq-sea-foam;
+				color: $aq-sea-foam;
+				border-width: 2px;
+
+				&:hover {
+					background-color: $aq-sea-foam;
+					color: $aq-dark-abyss;
+				}
+			} //is-outlines
+			
+		} //is-seafoam
+
+		&.large_btn {
+			font-size: 22px;
+			padding: 16px 27px;
+			margin-right: 12px;
+
+			@media screen and (max-width: $tablet), print {
+				font-size: 18px;
+			} //until tablet
+		}
+		
+
+
+		&.solidseafoamarrowbutton {
+			
+			background-color: $aq-sea-foam;
+			font-weight: 700;
+			border: 2px solid $aq-sea-foam;
+			font-size: 22px; //1.375rem; //1.125rem;
+			padding: 16px 27px;
+			color: $aq-dark-abyss;
+
+
+			&:after {
+					content: "";
+					border: solid $aq-dark-abyss;
+					border-width: 0 2px 2px 0;
+					display: inline-block;
+					padding: 4px;
+					transform: rotate(-45deg);
+					margin-left: 30px;
+					vertical-align: middle;
+					transition: all .2s;
+			}
+		} //solidseafoamarrowbutton
+
+	} //button
+
+	.margin-bottom-20 {
+		margin-bottom: 20px;
+	}
+
+	.hero_wrap {
+		background-color: $aq-trivy-dark;
+		background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
+		min-height: 1050px;
+		position: relative;
+		z-index: 10;
+
+
+
+		
+
+
+		.homepage_background_image_wrap {
+			position: absolute;
+			left: 0px;
+			top: 0px;
+			width: 100%;
+			height: 100%;
+			z-index: 1;
+			pointer-events: none;
+
+
+			.stars_wrap {
+				position: absolute;
+				left: 0px;
+				top: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 1;
+				overflow: hidden;
+				
+				.stars_bg {
+					position: absolute;
+					width: 400vw;
+					height: 400vh;
+					top: 50%;
+					left: 50%;
+					margin-top: -200vh;
+					margin-left: -200vw;
+					animation: stars_ani 240s linear infinite;
+					background-size: 240px;
+					backface-visibility: visible;
+					background-image:url(../images/homepage_hero_stars_02.svg);
+					background-repeat: repeat;
+					
+				}
+
+
+				@keyframes stars_ani {
+					0% { transform: rotate(0deg); }
+					100% { transform: rotate(360deg); }
+				}
+
+			} //stars_wrap
+
+			.terrain_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 680px;
+				background-image:url(../images/homepage_hero_terrain_08.svg);
+				background-repeat: no-repeat;
+				background-position: center top;
+				background-size: cover;
+				z-index: 2;
+			} // terrain_wrap
+
+
+			.beams_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 3;
+				overflow: hidden;
+
+				.beam {
+					position: absolute;
+					right: 200px;
+					top: 270px;
+					width: 3px;
+					height: 350%;
+					background: rgba(#3eabff,0.6);
+					box-shadow: 0px 0px 55px 0px rgba(#3eabff,1);
+					transform-origin: 0 0;
+					animation: beam_ani 10s infinite;
+					
+					&.num2 {animation: beam_ani 11s infinite;}
+					&.num3 {animation: beam_ani 12s infinite;}
+					&.num4 {animation: beam_ani 13s infinite;}
+				} //beam
+							
+				@keyframes beam_ani {
+					0% { transform: rotate(75deg); }
+					50% { transform: rotate(-15deg); }
+					100% { transform: rotate(75deg); }
+				}
+
+				.sphere {
+					z-index:999;
+					position: absolute;
+					top: 60px;
+					right: 50px;
+					width: 280px;
+					height: 280px;
+					background-image:url(../images/homepage_hero_orb_03.png);
+					background-position: center center;
+					background-repeat: no-repeat;
+				}
+
+			} //beams_wrap
+
+
+			.person_wrap {
+				position: absolute;
+				left: 0px;
+				bottom: 0px;
+				width: 100%;
+				height: 595px;
+				background-image:url(../images/homepage_v1_hero_person_01.png);
+				background-repeat: no-repeat;
+				background-position: center bottom;
+				z-index: 4;
+
+			} // person_wrap				
+			
+
+
+		} //hero_background_image_wrap
+	}
+
+
+
+	.hero {
+
+		
+		.hero-body {
+			padding: 80px 0px;
+			// border: 1px solid red;
+
+			.header_title_wrap {
+				.header_title_content_wrap {
+
+					width: 50%;
+					position: relative;
+					z-index: 3;
+
+					.page_title {
+						color: #ffffff;
+						font-weight: $weight-bold;
+						font-size: 48px; //3rem;
+						line-height: 1.3;
+					}//page_title
+			
+					.page_subtitle {
+						color: #ffffff;
+						font-weight: $weight-normal;
+						font-size: 24px; //1.5rem;
+						line-height: 1.3;
+						margin-bottom: 30px;
+					} //page_subtitle
+
+
+					@media screen and (max-width: $widescreen), print {
+						width: 70%;
+					} //until widescreen
+
+					@media screen and (max-width: $tablet), print { //769
+
+						width: 100%;
+
+						.page_title {
+							font-size: 32px; //2rem;
+						}//page_title
+			
+						.page_subtitle {
+							font-size: 18px; //1.125rem;
+						}//page_subtitle
+			
+					} //until tablet
+
+
+				} //header_title_content_wrap
+
+			} //header_title_wrap
+
+			@media screen and (min-width: $tablet), print { //769
+				padding: 48px 24px; //3rem 1.5rem;
+			}
+		}
+
+	} //hero
+
+
+
+
+
+	// } //page-trivy_homepage
+
+
+
+
+	/* homepage_community */
+	.homepage_community_wrap {
+	position: relative;
+	background-color: $aq-trivy-dark;
+	color: #ffffff;
+	z-index: 5;
+	padding-top: 60px;
+	padding-bottom: 20px;
+
+
+	.container.wide_container {
+		max-width: 1640px;
+		padding-left: 20px;
+		padding-right: 20px;
+		display: flex;
+		flex-direction: row;
+		flex-wrap: wrap;
+	}
+
+
+	.community_titles_column {
+		width: 33.3333%;
+		padding-right: 32px;
+
+		@media screen and (max-width: $desktop), print {
+			width: 41.6666666667%;
+		} //until desktop
+
+		@media screen and (max-width: $tablet), print {
+			width: 100%;
+		} //until tablet
+	}
+
+	.community_slider_column {
+		width: 66.6666%;
+
+		@media screen and (max-width: $desktop), print {
+			width: 58.3333333333%;
+		} //until desktop
+
+		@media screen and (max-width: $tablet), print {
+			width: 100%;
+		} //until tablet
+	}
+
+
+	.community_title {
+		color: $aq-sea-foam;
+		font-size: 60px; //3.75rem;
+		font-weight: $weight-bold;
+		margin-bottom: 24px; ////1.5rem;
+		line-height: 1.2;
+		
+
+	}
+
+	.community_subtitle  {
+		color: #ffffff;
+		font-size: 26px; //1.625rem;
+		margin-bottom: 24px; ////1.5rem;
+		
+
+	}
+
+	.community_cta_wrap {
+
+		.button {
+			font-weight: $weight-bold;
+			margin-right: 10px;
+		}
+		
+	}
+
+	.community_quotes_wrap {
+		position: relative;
+		
+
+		.community_quotes {
+			column-count: 3;
+			column-gap: 20px;
+
+			@media screen and (max-width: $widescreen), print { //1216
+				column-count: 2;
+			}
+
+			@media screen and (max-width: $tablet), print { //769
+				column-count: 1;
+			}
+
+			.quote_item_wrap {
+				display: inline-block;
+				margin: 0px 0px 20px 0px;
+				width: 100%;
+			}
+
+			.quote_item {
+
+				display: block;
+				position: relative;
+				color: #ffffff;
+				border: 1px solid rgba($aq-sea-foam,0.2);
+				background-color: rgba($aq-sea-foam,0.05);
+				border-radius: 4px;
+				padding: 25px;
+
+				.quote_name {
+					font-size: 16px; //1rem;
+					font-weight: $weight-semibold;
+				}
+
+				.quote_twitter_handle {
+					opacity: 0.6;
+					font-size: 13px; //0.8125rem;
+				}
+
+				.quote_company {
+					opacity: 0.6;
+					font-size: 13px; //0.8125rem;
+				}
+
+				.quote_text {
+					font-size: 16px; //1rem;
+					font-weight: $weight-normal;
+					line-height: 1.3;
+				}
+
+				.quote_avatar {
+					display: block;
+					position: absolute;
+					top: 25px;
+					left: 25px;
+					width: 40px;
+					height: 40px;
+					border-radius: 50%;
+					background-repeat: no-repeat;
+					background-position: center center;
+					background-size: cover;
+
+				}
+
+				&.is_tweet {
+
+					.quote_text {
+						padding-top: 10px;
+					}
+					
+
+					&.has_avatar {
+						.quote_name,
+						.quote_twitter_handle {
+							padding-left: 50px;
+						}
+					} //has_avatar
+
+				} //&is_tweet
+
+				&.is_quote {
+
+					.quote_text {
+						position: relative;
+						padding-top: 40px;
+						padding-bottom: 10px;
+
+						&:before {
+							content: "";
+							display: block;
+							position: absolute;
+							top: -10px;
+							left: 0px;
+							width: 56px;
+							height: 42px;
+							background-image: url(../images/community_quote.png);
+							background-position: center center;
+							background-repeat: no-repeat;
+						}
+					} //quote_text
+					
+				} //&is_quote
+
+			} //quote_item
+
+		}
+
+	} //community_quotes_wrap
+
+	@media screen and (max-width: $tablet), print { //tablet
+
+		.community_title {
+			font-size: 32px; //2rem;
+		}
+		.community_subtitle {
+			font-size: 18px; //1.125rem;
+		}
+
+	} //until
+
+
+	} //homepage_community_wrap
+
+} //trivy_homepage_wrap
+
+
+
+
+
+/* Slider */
+.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
+.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
+.slick-list:focus{outline:none;}
+.slick-list.dragging{cursor:hand;}
+.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
+.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
+.slick-track:before,.slick-track:after{display:table;content:'';}
+.slick-track:after{clear:both;}
+.slick-loading .slick-track{visibility:hidden;}
+.slick-slide{display:none;float:left;height:100%;min-height:1px;}
+.slick-slide:focus{outline:none;}
+.slick-slide img{display:block;}
+.slick-slide.slick-loading img{display:none;}
+.slick-slide.dragging img{pointer-events:none;}
+.slick-initialized .slick-slide{display:block;}
+.slick-loading .slick-slide{visibility:hidden;}
+.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
+.slick-arrow.slick-hidden{display:none;}
+
+.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
+.slick-arrow:focus, .slick-arrow:active {outline:none;}
+.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
+.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
+.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
+
+
+
+/* dots */
+.slick-dotted.slick-slider
+{
+	margin-bottom: 0px;
+}
+
+
+.slick-dots
+{
+	//position: absolute;
+	//bottom: -25px;
+	position: relative;
+	display: block;
+
+	width: 100%;
+	padding: 0;
+	margin: 0;
+
+	list-style: none;
+
+	text-align: center;
+}
+
+
+.slick-dots li {
+	position: relative;
+	display: inline-block;
+	width: 24px;
+	height: 24px;
+	margin: 0px 4px;
+	padding: 0;
+	cursor: pointer;
+}
+
+.slick-dots li button
+{
+	font-size: 0;
+	line-height: 0;
+
+	display: block;
+
+	width: 24px;
+	height: 24px;
+	padding: 0px;
+
+	cursor: pointer;
+
+	color: transparent;
+	border: 0;
+	outline: none;
+	background: transparent;
+
+	&:before {
+
+		position: relative;
+		top: 0px;
+		left: 0px;
+		width: 20px;
+		height: 20px;
+		content: "";
+		background-color: transparent;
+		border: 2px solid $aq-sea-foam;
+		border-radius: 50%;
+		display: block;
+		opacity: 0.7;
+	}
+
+	&:after {
+
+		position: absolute;
+		top: 7px;
+		left: 5px;
+		width: 10px;
+		height: 10px;
+		content: "";
+		background-color: $aq-sea-foam;
+		//border: 1px solid #666;
+		border-radius: 50%;
+		//box-shadow: inset 1px 1px 1px #888;
+		display: block;
+		opacity: 0;
+		transition: 0.2s ease-out;
+
+	}
+
+
+	
+
+}
+.slick-dots li button:hover,
+.slick-dots li button:focus
+{
+	outline: none;
+	&:after {
+		opacity: 1;
+	}
+}
+
+.slick-dots li.slick-active button:after {
+		opacity: 1;
+}
+
+
+
+

docs/assets/images/homepage_hero_stars_02.svg

@@ -0,0 +1 @@
+<svg version="1.1" id="Layer_2" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 240 240" enable-background="new 0 0 240 240" xml:space="preserve"><rect x="106" y="90" fill="#00ffe4" width="2" height="2"/><rect x="74" y="63" fill="#00ffe4" width="1" height="1"/><rect x="23" y="66" fill="#00ffe4" width="1" height="1"/><rect x="50" y="110" fill="#00ffe4" width="1" height="1"/><rect x="63" y="128" fill="#00ffe4" width="1" height="1"/><rect x="45" y="149" fill="#00ffe4" width="1" height="1"/><rect x="92" y="151" fill="#00ffe4" width="1" height="1"/><rect x="58" y="8" fill="#00ffe4" width="1" height="1"/><rect x="147" y="33" fill="#00ffe4" width="2" height="2"/><rect x="91" y="43" fill="#00ffe4" width="1" height="1"/><rect x="169" y="29" fill="#ffffff" width="1" height="1"/><rect x="182" y="19" fill="#00ffe4" width="1" height="1"/><rect x="161" y="59" fill="#00ffe4" width="1" height="1"/><rect x="138" y="95" fill="#00ffe4" width="1" height="1"/><rect x="199" y="71" fill="#ffffff" width="3" height="3"/><rect x="213" y="153" fill="#00ffe4" width="2" height="2"/><rect x="128" y="163" fill="#ffffff" width="1" height="1"/><rect x="205" y="174" fill="#00ffe4" width="1" height="1"/><rect x="152" y="200" fill="#00ffe4" width="1" height="1"/><rect x="52" y="211" fill="#00ffe4" width="2" height="2"/><rect y="191" fill="#00ffe4" width="1" height="1"/><rect x="110" y="184" fill="#00ffe4" width="1" height="1"/></svg>

docs/assets/images/trivy_logo_horizontal_white.svg

@@ -0,0 +1 @@
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891" xml:space="preserve"><style>.st0{fill:#fff}.st1{fill:#50f0ff}</style><path class="st0" d="M1421.86 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c0-15.38-12.51-27.9-27.9-27.9zM1737.06 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c-.01-15.38-12.52-27.9-27.9-27.9zM1585.02 281.94c-25.91 0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0 15.39 12.52 27.91 27.91 27.91s27.91-12.52 27.91-27.91v-44.08h19.09v44.08c-.01 25.91-21.1 46.99-47 46.99zM1479.94 187.98c-25.9 0-46.97 21.07-46.97 46.97s21.07 46.97 46.97 46.97l19.07-19.07h-19.07c-15.38 0-27.9-12.52-27.9-27.9 0-15.38 12.52-27.9 27.9-27.9 15.38 0 27.9 12.52 27.9 27.9v91.8h19.07v-91.8c0-25.9-21.07-46.97-46.97-46.97zM942.76 588.45v46.29c-31.53 0-59.94-11.34-82.34-30.14-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04v105.2h82.34v46.59h-82.34v81.19c.63 45.06 37.13 81.41 82.34 81.41zM1106.82 379.26v45.98c-43.65.1-79.18 34.71-80.78 77.98v131.52h-46.12V379.26h46.12v29.16c21.93-18.18 50.08-29.12 80.78-29.16zM1136.4 353.72v-40.29h46.05v40.29h-46.05zm0 281.02V379.26h46.05v255.48h-46.05zM1464.76 379.26l-127.64 255.48-127.8-255.48h52.33l75.47 150.88 75.31-150.88h52.33zM1740.81 379.26v297.8c0 71.31-58.52 128.26-127.83 128.2-32.47.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13 11.97 32.36 19.22 52.28 19.2 44.86 0 81.17-36.69 81.17-81.55v-71.39c-22.26 18.42-50.67 29.09-81.17 29.06-69.46.06-127.95-56-127.95-127.85V379.24h46.64l.02 127.64c0 44.67 36.39 81.6 81.28 81.55 44.86 0 81.17-36.69 81.17-81.55V379.26h46.66z"/><path class="st1" d="M428.54 364.9h.12c6.56.01 11.98-5.03 11.98-11.58V135.99l-12.23-6.83-12.18 6.8v217.36c0 6.56 5.43 11.61 11.98 11.58h.33z"/><path d="M355.18 463.55 153.55 598.87v15.41l11.49 6.29 203.73-136.73c5.23-3.51 6.53-10.52 3.15-15.84-.14-.23-.29-.45-.43-.68-3.5-5.62-10.81-7.46-16.31-3.77z" style="fill:#0744dd"/><path d="m488.27 483.95 203.55 136.61 11.45-6.28v-15.44L501.86 463.66c-5.51-3.7-12.82-1.87-16.32 3.76-.13.21-.27.43-.4.64-3.41 5.34-2.12 12.37 3.13 15.89z" style="fill:#ffc900"/><path class="st0" d="M727.69 282.29v-13.96l-12.5-6.98-.93-.49-273.93-152.99-11.92-6.64-11.87 6.64-273.98 152.99-.93.49-12.5 6.98v13.96l-.93.54.93.49v345.42l12.69 6.94 266.85 146.2 3.37 1.85 16.41 8.98 16.36-8.98 3.37-1.85 266.85-146.2 12.65-6.94V283.37l.98-.54-.97-.54zM440.95 758.05V511.4c0-6.72-5.5-12.22-12.22-12.21h-.32c-6.72-.01-12.22 5.49-12.22 12.21v246.64L165.04 620.57l-11.49-6.29V294.7l199.98 109.56c5.77 3.16 13.1 1.04 16.28-4.72l.14-.26c3.22-5.83 1.08-13.22-4.76-16.42L167.81 274.72l248.42-138.75 12.18-6.8 12.23 6.83 248.37 138.73-197.54 108.22c-5.81 3.18-7.63 10.45-4.41 16.24.05.1.11.2.16.29 3.16 5.73 10.22 8.01 15.96 4.86L703.27 294.7v319.59l-11.45 6.28-250.87 137.48z"/><circle cx="428.54" cy="432.05" r="35.42" style="fill:#ff0036"/><path class="st1" d="M617.65 262.99 426.32 155.74c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l191.33 107.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM533.81 271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l107.48 60.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.97-16.62 4.68zM569.02 291c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68 5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM462.29 288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l35.7 20.01c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM516.16 321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l20.67 11.58c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68z"/></svg>

docs/build/Dockerfile

@@ -1,10 +1,6 @@
-FROM squidfunk/mkdocs-material:9.4.6
+FROM squidfunk/mkdocs-material:9.5.44
 
-## If you want to see exactly the same version as is published to GitHub pages
-## use a private image for insiders, which requires authentication.
-
-# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
-# FROM ghcr.io/squidfunk/mkdocs-material-insiders
+# https://squidfunk.github.io/mkdocs-material/getting-started/?h=macros#with-docker-material-for-mkdocs
 
 COPY requirements.txt .
 RUN pip install -r requirements.txt

docs/build/requirements.in

@@ -0,0 +1,3 @@
+mkdocs-material==9.5.44
+mkdocs-macros-plugin
+mike

docs/build/requirements.txt

@@ -1,30 +1,114 @@
-click==8.1.2
-csscompressor==0.9.5
-ghp-import==2.0.2
-htmlmin==0.1.12
-importlib-metadata==4.11.3
-Jinja2==3.1.1
-jsmin==3.0.1
-Markdown==3.3.6
-MarkupSafe==2.1.1
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --output-file=docs/build/requirements.txt docs/build/requirements.in
+#
+babel==2.16.0
+    # via mkdocs-material
+certifi==2024.8.30
+    # via requests
+charset-normalizer==3.4.0
+    # via requests
+click==8.1.7
+    # via mkdocs
+colorama==0.4.6
+    # via mkdocs-material
+ghp-import==2.1.0
+    # via mkdocs
+hjson==3.1.0
+    # via
+    #   mkdocs-macros-plugin
+    #   super-collections
+idna==3.10
+    # via requests
+importlib-metadata==8.5.0
+    # via mike
+importlib-resources==6.4.5
+    # via mike
+jinja2==3.1.4
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-macros-plugin
+    #   mkdocs-material
+markdown==3.7
+    # via
+    #   mkdocs
+    #   mkdocs-material
+    #   pymdown-extensions
+markupsafe==3.0.2
+    # via
+    #   jinja2
+    #   mkdocs
 mergedeep==1.3.4
-mike==1.1.2
-mkdocs==1.3.0
-mkdocs-macros-plugin==0.7.0
-mkdocs-material==8.3.9
-mkdocs-material-extensions==1.0.3
-mkdocs-minify-plugin==0.5.0
-mkdocs-redirects==1.0.4
-packaging==21.3
-Pygments==2.12.0
-pymdown-extensions==9.5
-pyparsing==3.0.8
-python-dateutil==2.8.2
-PyYAML==6.0.1
+    # via
+    #   mkdocs
+    #   mkdocs-get-deps
+mike==2.1.3
+    # via -r docs/build/requirements.in
+mkdocs==1.6.1
+    # via
+    #   mike
+    #   mkdocs-macros-plugin
+    #   mkdocs-material
+mkdocs-get-deps==0.2.0
+    # via mkdocs
+mkdocs-macros-plugin==1.3.7
+    # via -r docs/build/requirements.in
+mkdocs-material==9.5.44
+    # via -r docs/build/requirements.in
+mkdocs-material-extensions==1.3.1
+    # via mkdocs-material
+packaging==24.2
+    # via
+    #   mkdocs
+    #   mkdocs-macros-plugin
+paginate==0.5.7
+    # via mkdocs-material
+pathspec==0.12.1
+    # via
+    #   mkdocs
+    #   mkdocs-macros-plugin
+platformdirs==4.3.6
+    # via mkdocs-get-deps
+pygments==2.18.0
+    # via mkdocs-material
+pymdown-extensions==10.12
+    # via mkdocs-material
+pyparsing==3.2.0
+    # via mike
+python-dateutil==2.9.0.post0
+    # via
+    #   ghp-import
+    #   mkdocs-macros-plugin
+pyyaml==6.0.2
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-get-deps
+    #   mkdocs-macros-plugin
+    #   pymdown-extensions
+    #   pyyaml-env-tag
 pyyaml-env-tag==0.1
+    # via
+    #   mike
+    #   mkdocs
+regex==2024.11.6
+    # via mkdocs-material
+requests==2.32.3
+    # via mkdocs-material
 six==1.16.0
-termcolor==1.1.0
+    # via python-dateutil
+super-collections==0.5.3
+    # via mkdocs-macros-plugin
+termcolor==2.5.0
+    # via mkdocs-macros-plugin
+urllib3==2.2.3
+    # via requests
 verspec==0.1.0
-watchdog==2.1.7
-zipp==3.8.0
-
+    # via mike
+watchdog==6.0.0
+    # via mkdocs
+zipp==3.21.0
+    # via importlib-metadata

docs/commercial/compare.md

@@ -0,0 +1,86 @@
+# Aqua Security is the home of Trivy
+
+Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
+In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product.
+If you'd like to learn more or request a demo, [click here to contact us](./contact.md).
+
+## User experience
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Interface | CLI tool | CLI tool <br> Enterprise-grade web application <br> SaaS or on-prem |
+| Search & Discover | - | Easily search for security issues across all workloads and infrastructure in your organization <br> Visually discover risks across your organization |
+| User management | - | Multi account <br> Granular permissions (RBAC) <br> Single Sign On (SSO) |
+| Support | Some skills required for setup and integration <br> Best effort community support | Personal onboarding by Aqua Customer Success <br> SLA backed professional support |
+| Scalability & Availability | Single scan at a time | Centralized scanning service supports concurrent scans efficiently <br> Highly available production grade architecture |
+| Rate limiting | Assets hosted on public free infrastructure and could be rate limited | Assets hosted on Aqua infrastructure and does not have limitations |
+
+## Vulnerability scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Vulnerabilities sources | Based on open source vulnerability feeds | Based on open source and commercial vulnerability feeds |
+| New Vulnerabilities SLA | No SLA | Commercial level SLA |
+| Package managers | Find packages in lock files | Find packages in lock files or reconstructed lock files |
+| Vulnerability management | Manually ignore specific vulnerabilities by ID or property | Advanced vulnerability management solution <br> Vulnerability tracking and suppression <br> Incident lifecycle management |
+| Vulnerability prioritization | Manually triage by severity | Multiple prioritization tools:  <br> Accessibility of the affected resources <br> Exploitability of the vulnerability <br> Open Source packages health and trustworthiness score <br> Affected image layers |
+| Reachability analysis | - | Analyze source code to eliminate vulnerabilities of unused dependencies |
+| Contextual vulnerabilities | - | Reduce irrelevant vulnerabilities based on environmental factors (e.g. Spring4Shell not relevant due to JDK version) |
+| Compiled binaries | Find embedded dependencies in Go and Rust binaries <br> Find SBOM by hash in public Sigstore | In addition, identify popular applications |
+
+## Container scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Windows containers | - | Support scanning windows containers |
+| Scan container registries | - | Connect to any container registries and automatically scan it |
+| Private registries | Standard registry authenticationCloud authentication with ECR, GCR, ACR | Supports registry specific authentication schemes |
+| Layer cache | Local cache directory | Scalable Cloud cache |
+
+## Advanced scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Malware scanning | - | Scan container images for malware |
+| Sandbox scanning | - | Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats |
+| SAST (code scanning) | - | Analyze source code for security issues and vulnerabilities |
+
+## Policy and enforcement
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Kubernetes admission | - | Validating Kubernetes Admission based on automatic or user defined policy |
+| CI/CD policies | Can fail the entire build on any finding | Granular policies to fail builds based on custom criteria |
+| Container engine | - | Block incompliant images from running at container engine level |
+| Block vulnerable packages | - | vShield – monitor and block usage of vulnerable packages |
+
+## Secrets scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Detected patterns | Basic patterns | Advanced patterns |
+| Leaked secrets validation | - | Automatically checks if leaked secrets are valid and usable |
+
+## IaC/CSPM scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
+| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
+| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
+| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
+| Custom compliance | Create in YAML | Create in a web UI |
+| Remediation advice | Basic | AI powered specialized remediation guides |
+
+## Kubernetes scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+Scan initiation | CLI / Kubernetes Operator | Kubernetes Operator / Management web application |
+Results consumption | kubectl / CRD / Prometheus exporter | In addition, Advanced UI dashboards, Automatic notifications and incident management flows |
+Cluster discovery | Kubeconfig | Automatic discovery thorough cloud onboarding |
+Workload image scanning | Scanning in cluster, requires capacity planning | Scanning offloaded to Aqua service, little impact on scanned clusters |
+| Cluster scanning | CIS, NSA, PSS | More than 25 compliance programs |
+| Scope |  Single cluster | Multi cluster, Cloud relationship |
+| Scalability | Reports limited by in-cluster etcd storage (size and number of reports) | Cloud-based storage (unlimited scalability) |

docs/commercial/contact.md

@@ -0,0 +1,17 @@
+<style>
+    .md-content .md-content__inner a, h1 {
+        display:none;
+    }
+    input.hs-input, textarea.hs-input {
+        border: silver solid 1px !important;
+        font-size: 0.8em;
+        padding: 5px;
+    }
+</style>
+<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
+<script>
+  hbspt.forms.create({
+    portalId: "1665891",
+    formId: "a1d0c098-3b3a-40d8-afb4-e04ddb697afe"
+  });
+</script>

docs/community/contribute/checks/overview.md

@@ -0,0 +1,130 @@
+# Contribute Rego Checks
+
+The following guide provides an overview of contributing checks to the default checks in Trivy. 
+
+All of the checks in Trivy can be found in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository on GitHub. Before you begin writing a check, ensure:
+
+1. The check does not already exist as part of the default checks in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) repository.
+2. The pull requests in the [trivy-checks](https://github.com/aquasecurity/trivy-checks/pulls) repository to see  whether someone else is already contributing the check that you wanted to add. 
+3. The [issues in Trivy](https://github.com/aquasecurity/trivy/issues) to see whether any specific checks are missing in Trivy that you can contribute.
+
+If anything is unclear, please [start a discussion](https://github.com/aquasecurity/trivy/discussions/new) and we will do our best to help.
+
+## Check structure
+
+Checks are written in Rego and follow a particular structure in Trivy. Below is an example check for AWS:
+
+```rego
+# METADATA
+# title: "RDS IAM Database Authentication Disabled"
+# description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access"
+# scope: package
+# schemas:
+# - input: schema["aws"]
+# related_resources:
+# - https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
+# custom:
+#   id: AVD-AWS-0176
+#   avd_id: AVD-AWS-0176
+#   provider: aws
+#   service: rds
+#   severity: MEDIUM
+#   short_code: enable-iam-auth
+#   recommended_action: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication."
+#   input:
+#     selector:
+#     - type: cloud
+#       subtypes:
+#         - service: rds
+#           provider: aws
+
+package builtin.aws.rds.aws0176
+
+deny[res] {
+	instance := input.aws.rds.instances[_]
+	instance.engine.value == ["postgres", "mysql"][_]
+	not instance.iamauthenabled.value
+	res := result.new("Instance does not have IAM Authentication enabled", instance.iamauthenabled)
+}
+```
+
+## Verify the provider and service exists
+
+Every check for a cloud service references a cloud provider. The list of providers are found in the [Trivy](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) repository. 
+
+Before writing a new check for a cloud provider, you need to verify if the cloud provider or resource type that your check targets is supported by Trivy. If it's not, you'll need to add support for it. Additionally, if the provider that you want to target exists, you need to check whether the service your policy will target is supported. As a reference you can take a look at the AWS provider [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go).
+
+???+ note
+    New Kubernetes and Dockerfile checks do not require any additional provider definitions. You can find an example of a Dockerfile check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/docker/add_instead_of_copy.rego) and a Kubernetes check [here](https://github.com/aquasecurity/trivy-checks/blob/main/checks/kubernetes/general/CPU_not_limited.rego).
+
+
+### Add Support for a New Service in an existing Provider
+
+[Please reference the documentation on adding Support for a New Service](./service-support.md).
+
+This guide also showcases how to add new properties for an existing Service.
+
+## Create a new .rego file
+
+The following directory in the trivy-checks repository contains all of our custom checks. Depending on what type of check you want to create, you will need to nest a new `.rego` file in either of the [subdirectories](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
+
+* cloud: All checks related to cloud providers and their services
+* docker: Docker specific checks
+* kubernetes: Kubernetes specific checks
+
+## Check Package name
+
+Have a look at the existing package names in the [built in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks). 
+
+The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `builtin.aws.rds.aws0176`.
+
+## Generating an ID
+
+Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID. 
+
+Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule. 
+
+## Check Schemas
+
+Rego Checks for Trivy can utilise Schemas to map the input to specific objects. The schemas available are listed [here.](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas). 
+
+More information on using the builtin schemas is provided in the [main documentation.](../../../docs/scanner/misconfiguration/custom/schema.md)
+
+## Check Metadata
+
+The metadata is the top section that starts with `# METADATA`, and has to be placed on top of the check. You can copy and paste from another check as a starting point. This format is effectively _yaml_ within a Rego comment, and is [defined as part of Rego itself](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata).
+
+For detailed information on each component of the Check Metadata, please refer to the [main documentation.](../../../docs/scanner/misconfiguration/custom/index.md)
+
+Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
+
+
+## Writing Rego Rules
+
+Rules are defined using _OPA Rego_. You can find a number of examples in the `checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). The [OPA documentation](https://www.openpolicyagent.org/docs/latest/policy-language/) is a great place to start learning Rego. You can also check out the [Rego Playground](https://play.openpolicyagent.org/) to experiment with Rego, and [join the OPA Slack](https://slack.openpolicyagent.org/).
+
+
+```rego
+deny[res] {
+	instance := input.aws.rds.instances[_]
+	instance.engine.value == ["postgres", "mysql"][_]
+	not instance.iamauthenabled.value
+	res := result.new("Instance does not have IAM Authentication enabled", instance.iamauthenabled)
+}
+```
+
+The rule should return a result, which can be created using `result.new`. This function does not need to be imported, it is defined internally and provided at runtime. The first argument is the message to display and the second argument is the resource that the issue was detected on.
+
+It is possible to pass any rego variable that references a field of the input document.
+
+## Generate docs
+
+Finally, you'll want to generate documentation for your newly added rule. Please run `make docs` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) directory to generate the documentation for your new policy and submit a PR for us to take a look at.
+
+## Adding Tests
+
+All Rego checks need to have tests. There are many examples of these in the `checks` directory for each check ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). More information on how to write tests for Rego checks is provided in the [custom misconfiguration](../../../docs/scanner/misconfiguration/custom/testing.md) section of the docs.
+
+## Example PR
+
+You can see a full example PR for a new rule being added here: [https://github.com/aquasecurity/defsec/pull/1000](https://github.com/aquasecurity/defsec/pull/1000).

docs/community/contribute/checks/service-support.md

@@ -0,0 +1,69 @@
+# Add Service Support
+
+A service refers to a service by a cloud provider. This section details how to add a new service to an existing provider. All contributions need to be made to the [trivy repository](https://github.com/aquasecurity/trivy/).
+
+## Prerequisites
+
+Before you begin, verify that the [provider](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) does not already have the service that you plan to add.
+
+## Adding a new service to an existing provider
+
+Adding a new service involves two steps. The service will need a data structure to store information about the required resources that will be scanned. Additionally, the service will require one or more adapters to convert the scan targetes as input(s) into the aforementioned data structure.
+
+### Create a new file in the provider directory
+
+In this example, we are adding the CodeBuild service to the AWS provider.
+
+First, create a new directory and file for your new service under the provider directory: e.g. [aws/codebuild/codebuild.go](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/codebuild/codebuild.go)
+
+The CodeBuild service will require a structure `struct` to hold the information on the input that is scanned. The input is the CodeBuild resource that a user configured and wants to scan for misconfiguration.
+
+```
+type CodeBuild struct {
+	Projects []Project
+}
+```
+
+The CodeBuild service manages `Project` resources. The `Project` struct has been added to hold information about each Project resources; `Project` Resources in turn manage `ArtifactSettings`:
+
+```
+type Project struct {
+	Metadata                  iacTypes.Metadata
+	ArtifactSettings          ArtifactSettings
+	SecondaryArtifactSettings []ArtifactSettings
+}
+
+type ArtifactSettings struct {
+	Metadata          iacTypes.Metadata
+	EncryptionEnabled iacTypes.BoolValue
+}
+```
+
+The `iacTypes.Metadata` struct is embedded in all of the Trivy types and provides a common set of metadata for all resources. This includes the file and line number where the resource was defined and the name of the resource.
+
+A resource in this example `Project` can have a name and can optionally be encrypted. Instead of using raw string and bool types respectively, we use the trivy types `iacTypes.Metadata` and `iacTypes.BoolValue`. These types wrap the raw values and provide additional metadata about the value. For instance, whether it was set by the user and the file and line number where the resource was defined. 
+
+Have a look at the other providers and services in the [`iac/providers`](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/providers) directory in Trivy.
+
+Next you'll need to add a reference to your new service struct in the [provider struct](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/providers/aws/aws.go) at `pkg/iac/providers/aws/aws.go`:
+
+```
+type AWS struct {
+	...
+	CodeBuild      codebuild.CodeBuild
+    ...
+}
+```
+
+### Update Adapters
+
+Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
+
+Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)
+
+
+## Create a new Schema for your provider
+
+Once the new service has been added to the provider, you need to create the schema for the service as part of the provider schema. 
+
+This process has been automated with mage commands. In the Trivy root directory run `mage schema:generate` to generate the schema for your new service and `mage schema:verify`.

docs/community/contribute/discussion.md

@@ -24,7 +24,7 @@ There are 4 categories:
     If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
 
 ## False detection
-Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
+Trivy depends on [multiple data sources](https://trivy.dev/latest/docs/scanner/vulnerability/#data-sources).
 Sometime these databases contain mistakes.
 
 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
@@ -38,12 +38,12 @@ If the data source is correct and Trivy shows wrong results, please raise an iss
 Visit [here](https://github.com/advisories) and search CVE-ID.
 
 If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
- 
+
 ### GitLab Advisory Database
 Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
 
-If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
- 
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues)
+
 ### Red Hat CVE Database
 Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
 

docs/community/contribute/pr.md

@@ -1,7 +1,6 @@
 Thank you for taking interest in contributing to Trivy!
 
-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Please add the associated Issue link in the PR description.
+1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
@@ -114,6 +113,7 @@ mode:
 - server
 - aws
 - vm
+- plugin
 
 os:
 
@@ -121,7 +121,7 @@ os:
 - redhat
 - alma
 - rocky
-- mariner
+- azure
 - oracle
 - debian
 - ubuntu
@@ -142,6 +142,7 @@ language:
 - go
 - elixir
 - dart
+- julia
 
 vuln:
 
@@ -183,12 +184,20 @@ others:
 
 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
 
+**Breaking changes**
+
+A PR, introducing a breaking API change, needs to append a `!` after the type/scope.
+
 ### Example titles
 
 ```
 feat(alma): add support for AlmaLinux
 ```
 
+```
+feat(vuln)!: delete the existing CLI flag
+```
+
 ```
 fix(oracle): handle advisories with ksplice versions
 ```

docs/community/maintainer/backporting.md

@@ -0,0 +1,59 @@
+# Backporting Process
+
+This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
+
+## When to Create Patch Releases
+
+In general, small changes should not be backported and should be included in the next minor release.
+However, patch releases should be made in the following cases:
+
+* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
+* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
+
+In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
+At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
+
+## Versioning
+
+Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
+When creating a patch release, the PATCH part of the version number is incremented.
+For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
+
+## Backporting Procedure
+
+1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
+1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
+1. Once the PR with the fixes is merged, comment `@aqua-bot backport <release-branch>` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
+1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
+1. Once the tests pass, merge the automatically created PR into the release branch.
+1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
+
+!!! note
+    Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
+    If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
+
+### Example
+To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
+
+```mermaid
+gitGraph:
+  commit id:"Feature 1"
+  commit id:"v0.50.0 release" tag:"v0.50.0"
+
+  branch "release/v0.50"
+  
+  checkout main
+  commit id:"Bugfix 1"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 1"
+
+  checkout main
+  commit id:"Feature 2"
+  commit id:"Bugfix 2"
+  commit id:"Feature 3"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 2"
+  commit id:"v0.50.1 release" tag:"v0.50.1"
+```

docs/community/maintainer/release-flow.md

@@ -0,0 +1,98 @@
+# Release Flow
+
+## Overview
+Trivy adopts [conventional commit messages][conventional-commits], and [Release Please][release-please] automatically creates a [release PR](https://github.com/googleapis/release-please?tab=readme-ov-file#whats-a-release-pr) based on the messages of the merged commits.
+This release PR is automatically updated every time a new commit is added to the release branch.
+
+If a commit has the prefix `feat:`, a PR is automatically created to increment the minor version, and if a commit has the prefix `fix:`, a PR is created to increment the patch version.
+When the PR is merged, GitHub Actions automatically creates a version tag and the release is performed.
+For detailed behavior, please refer to [the GitHub Actions configuration][workflows].
+
+!!! note
+    Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
+    To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).
+
+!!! tip
+    It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review.
+    They can be found in the "Security" tab of the repository.
+    If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
+
+## Flow
+The release flow consists of the following main steps:
+
+1. Creating the release PR (automatically or manually)
+1. Drafting the release notes in GitHub Discussions
+1. Merging the release PR
+1. Updating the release notes in GitHub Discussions
+1. Navigating to the release notes in GitHub Releases page
+
+### Automatic Release PR Creation
+When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
+These Release PRs are kept up-to-date as additional work is merged.
+When it's ready to tag a release, simply merge the release PR.
+See the [Release Please documentation][release-please] for more information.
+
+The title of the PR will be in the format `release: v${version} [${branch}]` (e.g., `release: v0.51.0 [main]`).
+The format of the PR title is important for identifying the release commit, so it should not be changed.
+
+The `release/vX.Y` release branches are also subject to automatic release PR creation for patch releases.
+The PR title will be like `release: v0.51.1 [release/v0.51]`.
+
+### Manual Release PR Creation
+If you want to release commits like `chore`, a release PR is not automatically created, so you need to manually trigger the creation of a release PR.
+The [Release Please workflow](https://github.com/aquasecurity/trivy/actions/workflows/release-please.yaml) supports `workflow_dispatch` and can be triggered manually.
+Click "Run workflow" in the top right corner and specify the release branch.
+In Trivy, the following branches are the release branches.
+
+- `main`
+- `release/vX.Y` (e.g. `release/v0.51`)
+
+Specify the release version (without the `v` prefix) and click "Run workflow" to create a release PR for the specified version.
+
+### Drafting the Release Notes
+Next, create release notes for this version.
+Draft a new post in GitHub Discussions, and maintainers edit these release notes (e.g., https://github.com/aquasecurity/trivy/discussions/6605).
+Currently, the creation of this draft is done manually.
+For patch version updates, this step can be skipped since they only involve bug fixes.
+
+### Merging the Release PR
+Once the draft of the release notes is complete, merge the release PR.
+When the PR is merged, a tag is automatically created, and [GoReleaser][goreleaser] releases binaries, container images, etc.
+
+### Updating the Release Notes
+If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
+Copy the draft release notes, adjust the formatting, and finalize the release notes.
+
+### Navigating to the Release Notes
+To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
+
+```
+## ⚡Release highlights and summary⚡
+
+👉 https://github.com/aquasecurity/trivy/discussions/6838
+
+## Changelog
+https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03
+```
+
+Replace URLs with appropriate ones.
+
+Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
+
+### Merging the auto-generated Helm chart update PR
+Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen [here](https://github.com/aquasecurity/trivy/pull/8638).
+
+> [!NOTE]  
+> It is possible that the release action takes a while to finish and the Helm chart action runs prior. In such a case the Helm chart action will fail as it will not be able to find the latest Trivy container image.
+> In such a case, it is advised to manually restart the Helm chart action, once the release action is finished.
+
+If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
+
+
+The release is now complete 🍻
+
+
+[conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
+[release-please]: https://github.com/googleapis/release-please
+[goreleaser]: https://goreleaser.com/
+[workflows]: https://github.com/aquasecurity/trivy/tree/main/.github/workflows

docs/community/maintainer/triage.md

@@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
 and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
 to identify issues that have been specially groomed for new contributors.
 
-We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
+We have specific [guidelines](./help-wanted.md)
 for how to use these labels. If you see an issue that satisfies these
 guidelines, you can add the `help wanted` label and the `good first issue` label.
 Please note that adding the `good first issue` label must also 

docs/community/principles.md

@@ -48,6 +48,6 @@ As mentioned in [the Core Principles](#detecting-unintended-states), detection o
 ### User Interface
 Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
 
-[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
+[trivy-aqua]: ../commercial/compare.md
 [tracee]: https://github.com/aquasecurity/tracee
 [aqua]: https://www.aquasec.com/

docs/docs/advanced/air-gap.md

@@ -1,142 +1,77 @@
-# Air-Gapped Environment
+# Connectivity and Network considerations
 
-Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
+Trivy requires internet connectivity in order to function normally. If your organizations blocks or restricts network traffic, that could prevent Trivy from working correctly.
+This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted networks environments, including completely air-gapped environments.
 
-## Air-Gapped Environment for vulnerabilities
+The following table lists all external resources that are required by Trivy:
 
-### Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
-
-=== "Trivy"
-
-    ```
-    TRIVY_TEMP_DIR=$(mktemp -d)
-    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
-    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
-    rm -rf $TRIVY_TEMP_DIR
-    ```
-
-=== "oras >= v0.13.0"
-    Please follow [oras installation instruction][oras].
-
-    Download `db.tar.gz`:
-
-    ```
-    $ oras pull ghcr.io/aquasecurity/trivy-db:2
-    ```
-
-=== "oras < v0.13.0"
-    Please follow [oras installation instruction][oras].
-
-    Download `db.tar.gz`:
-
-    ```
-    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
-    ```
-
-### Download the Java index database[^1]
-Java users also need to download the Java index database for use in air-gapped environments.
+External Resource | Feature | Details
+--- | --- | ---
+Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
+Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
+Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
+VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo.md)
+Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)
 
 !!! note
-    You container image may contain JAR files even though you don't use Java directly.
-    In that case, you also need to download the Java index database.
+    Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.
 
-=== "Trivy"
+The rest of this document details each resource's connectivity requirements and network related considerations.
 
-    ```
-    TRIVY_TEMP_DIR=$(mktemp -d)
-    trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
-    tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
-    rm -rf $TRIVY_TEMP_DIR
-    ```
-=== "oras >= v0.13.0"
-    Please follow [oras installation instruction][oras].
+## OCI Databases
 
-    Download `javadb.tar.gz`:
+Trivy's Vulnerability, Java, and Checks Bundle are packaged as OCI images and stored in public container registries.
 
-    ```
-    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
-    ```
+### Connectivity requirements
 
-=== "oras < v0.13.0"
-    Please follow [oras installation instruction][oras].
+The specific registries and locations are detailed in the [databases document](../configuration/db.md).
 
-    Download `javadb.tar.gz`:
+Communication with OCI Registries follows the [OCI Distribution](https://github.com/opencontainers/distribution-spec) spec.
 
-    ```
-    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
-    ```
+The following hosts are known to be used by the default container registries:
 
+Registry | Hosts | Additional info
+--- | --- | ---
+Google Artifact Registry | <ul><li>`mirror.gcr.io`</li><li>`googlecode.l.googleusercontent.com`</li></ul> | [Google's IP addresses](https://support.google.com/a/answer/10026322?hl=en)
+GitHub Container Registry | <ul><li>`ghcr.io`</li><li>`pkg-containers.githubusercontent.com`</li></ul> | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)
 
-### Transfer the DB files into the air-gapped environment
-The way of transfer depends on the environment.
+### Self-hosting
 
-=== "Vulnerability db"
-    ```
-    $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
-    ```
+You can host Trivy's databases in your own container registry. Please refer to [Self-hosting document](./self-hosting.md#oci-databases) for a detailed guide.
 
-=== "Java index db[^1]"
-    ```
-    $ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
-    ```
+## Embedded Checks
 
-### Put the DB files in Trivy's cache directory
-You have to know where to put the DB files. The following command shows the default cache directory.
+Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
 
-```
-$ ssh user@host
-$ trivy -h | grep cache
-   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
-```
-=== "Vulnerability db"
-    Put the DB file in the cache directory + `/db`.
-    
-    ```
-    $ mkdir -p /home/myuser/.cache/trivy/db
-    $ cd /home/myuser/.cache/trivy/db
-    $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
-    x trivy.db
-    x metadata.json
-    $ rm /path/to/db.tar.gz
-    ```
+## VEX Hub
 
-=== "Java index db[^1]"
-    Put the DB file in the cache directory + `/java-db`.
+### Connectivity Requirements
 
-    ```
-    $ mkdir -p /home/myuser/.cache/trivy/java-db
-    $ cd /home/myuser/.cache/trivy/java-db
-    $ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
-    x trivy-java.db
-    x metadata.json
-    $ rm /path/to/javadb.tar.gz
-    ```
+VEX Hub is hosted as at <https://github.com/aquasecurity/vexhub>.
 
+Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests.
 
+The following hosts are known to be used by GitHub's services:
 
-In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
+- `api.github.com`
+- `codeload.github.com`
 
-### Run Trivy with the specific flags.
-In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
-In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
+For more information about GitHub connectivity (including specific IP addresses), please refer to [GitHub's connectivity troubleshooting guide](https://docs.github.com/en/get-started/using-github/troubleshooting-connectivity-problems).
 
-```
-$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12
-```
+### Self-hosting
 
-## Air-Gapped Environment for misconfigurations
+You can host a copy of VEX Hub on your own internal server. Please refer to the [self-hosting document](./self-hosting.md#vex-hub) for a detailed guide.
 
-No special measures are required to detect misconfigurations in an air-gapped environment.
+## Maven Central / Remote Repositories
 
-### Run Trivy with `--skip-policy-update` option
-In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+Trivy might call out to Maven central or other remote repositories to fetch in order to correctly identify Java packages during a vulnerability scan.
 
-```
-$ trivy conf --skip-policy-update /path/to/conf
-```
+### Connectivity requirements
 
-[allowlist]: ../references/troubleshooting.md
-[oras]: https://oras.land/cli/
+Trivy might attempt to connect (over HTTPS) to the following URLs:
 
-[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)
+- `https://repo.maven.apache.org/maven2`
+
+### Offline mode
+
+There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.

docs/docs/advanced/modules.md

@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating
 
 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language supporting WebAssembly.
-  - It supports only [TinyGo][tinygo] at the moment.
+  - It supports only Go at the moment.
 
 You can write your own detection logic.
 
@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 
 ## Building Modules
-It supports TinyGo only at the moment.
+It supports Go only at the moment.
 
-### TinyGo
+### Go
 Trivy provides Go SDK including three interfaces.
 Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
 
@@ -113,7 +113,7 @@ type Analyzer interface {
 
 type PostScanner interface {
     PostScanSpec() serialize.PostScanSpec
-    PostScan(serialize.Results) (serialize.Results, error)
+    PostScan(types.Results) (types.Results, error)
 }
 ```
 
@@ -142,6 +142,9 @@ const (
     name = "wordpress-module"
 )
 
+// main is required for Go to compile the Wasm module
+func main() {}  
+
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
@@ -203,7 +206,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
     }
 	
     return &serialize.AnalysisResult{
-        CustomResources: []serialize.CustomResource{
+        CustomResources: []ftypes.CustomResource{
             {
                 Type:     typeWPVersion,
                 FilePath: filePath,
@@ -246,7 +249,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
     }
 }
 
-func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
     // e.g. results
     // [
     //   {
@@ -288,7 +291,7 @@ func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, e
 
     if vulnerable {
         // Add CVE-2020-36326
-        results = append(results, serialize.Result{
+        results = append(results, types.Result{
             Target: wpPath,
             Class:  types.ClassLangPkg,
 			Type:   "wordpress",
@@ -318,10 +321,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
 If `PostScan` returns an empty, Trivy will not delete anything.
 
 #### Build
-Follow [the install guide][tinygo-installation] and install TinyGo.
+Follow [the install guide][go-installation] and install Go.
 
 ```bash
-$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
 ```
 
 Put the built binary to the module directory that is under the home directory by default.
@@ -347,12 +350,11 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
 
 [regexp]: https://github.com/google/re2/wiki/Syntax
 
-[tinygo]: https://tinygo.org/
 [spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
 [wazero]: https://github.com/tetratelabs/wazero
 
 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
 [trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
 
-[tinygo-installation]: https://tinygo.org/getting-started/install/
+[go-installation]: https://go.dev/doc/install
 [oras]: https://oras.land/cli/

docs/docs/advanced/plugins.md

@@ -1,236 +0,0 @@
-# Plugins
-Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivycode base.
-This plugin system was inspired by the plugin system used in [kubectl][kubectl], [Helm][helm], and [Conftest][conftest].
-
-## Overview
-Trivy plugins are add-on tools that integrate seamlessly with Trivy.
-They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
-
-- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
-- They can be written in any programming language.
-- They integrate with Trivy, and will show up in Trivy help and subcommands.
-
-!!! warning
-    Trivy plugins available in public are not audited for security.
-    You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
-
-
-## Installing a Plugin
-A plugin can be installed using the `trivy plugin install` command.
-This command takes a url and will download the plugin and install it in the plugin cache.
-
-Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
-Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
-The preference order is as follows:
-
-- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
-- ~/.trivy/plugins
-
-Under the hood Trivy leverages [go-getter][go-getter] to download plugins.
-This means the following protocols are supported for downloading plugins:
-
-- OCI Registries
-- Local Files
-- Git
-- HTTP/HTTPS
-- Mercurial
-- Amazon S3
-- Google Cloud Storage
-
-For example, to download the Kubernetes Trivy plugin you can execute the following command:
-
-```bash
-$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
-```
-Also, Trivy plugin can be installed from a local archive:
-```bash
-$ trivy plugin install myplugin.tar.gz
-```
-
-## Using Plugins
-Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
-A plugin will be made in the Trivy CLI based on the plugin name.
-To display all plugins, you can list them by `trivy --help`
-
-```bash
-$ trivy --help
-NAME:
-   trivy - A simple and comprehensive vulnerability scanner for containers
-
-USAGE:
-   trivy [global options] command [command options] target
-
-VERSION:
-   dev
-
-COMMANDS:
-   image, i          scan an image
-   filesystem, fs    scan local filesystem
-   repository, repo  scan remote repository
-   client, c         client mode
-   server, s         server mode
-   plugin, p         manage plugins
-   kubectl           scan kubectl resources
-   help, h           Shows a list of commands or help for one command
-```
-
-As shown above, `kubectl` subcommand exists in the `COMMANDS` section.
-To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
-
-```
-$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL
-```
-
-Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy.
-You can see the detail [here][trivy-plugin-kubectl].
-
-If you want to omit even the subcommand, you can use `TRIVY_RUN_AS_PLUGIN` environment variable.
-
-```bash
-$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json
-```
-
-## Installing and Running Plugins on the fly
-`trivy plugin run` installs a plugin and runs it on the fly.
-If the plugin is already present in the cache, the installation is skipped.
-
-```bash
-trivy plugin run github.com/aquasecurity/trivy-plugin-kubectl pod your-pod -- --exit-code 1
-```
-
-## Uninstalling Plugins
-Specify a plugin name with `trivy plugin uninstall` command.
-
-```bash
-$ trivy plugin uninstall kubectl
-```
-
-## Building Plugins
-Each plugin has a top-level directory, and then a plugin.yaml file.
-
-```bash
-your-plugin/
-  |
-  |- plugin.yaml
-  |- your-plugin.sh
-```
-
-In the example above, the plugin is contained inside of a directory named `your-plugin`.
-It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
-
-The core of a plugin is a simple YAML file named plugin.yaml.
-Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.
-
-```yaml
-name: "kubectl"
-repository: github.com/aquasecurity/trivy-plugin-kubectl
-version: "0.1.0"
-usage: scan kubectl resources
-description: |-
-  A Trivy plugin that scans the images of a kubernetes resource.
-  Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
-platforms:
-  - selector: # optional
-      os: darwin
-      arch: amd64
-    uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
-    bin: ./trivy-kubectl # path to the execution file
-  - selector: # optional
-      os: linux
-      arch: amd64
-    uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
-    bin: ./trivy-kubectl
-```
-
-The `plugin.yaml` field should contain the following information:
-
-- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
-- version: The version of the plugin. (required)
-- usage: A short usage description. (required)
-- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
-- platforms: (required)
-  - selector: The OS/Architecture specific variations of a execution file. (optional)
-    - os: OS information based on GOOS (linux, darwin, etc.) (optional)
-    - arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
-  - uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
-  - bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
-
-The following rules will apply in deciding which platform to select:
-
-- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
-- If `selector` is not present, the platform will be used.
-- If `os` matches and there is no more specific `arch` match, the platform will be used.
-- If no `platform` match is found, Trivy will exit with an error.
-
-After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
-When the plugin is called via Trivy CLI, `bin` command will be executed.
-
-The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
-
-A plugin should be archived `*.tar.gz`.
-
-```bash
-$ tar -czvf myplugin.tar.gz plugin.yaml script.py
-plugin.yaml
-script.py
-
-$ trivy plugin install myplugin.tar.gz
-2023-03-03T19:04:42.026+0600	INFO	Installing the plugin from myplugin.tar.gz...
-2023-03-03T19:04:42.026+0600	INFO	Loading the plugin metadata...
-
-$ trivy myplugin
-Hello from Trivy demo plugin!
-```
-
-## Plugin Types
-Plugins are typically intended to be used as subcommands of Trivy,
-but some plugins can be invoked as part of Trivy's built-in commands.
-Currently, the following type of plugin is experimentally supported:
-
-- Output plugins
-
-### Output Plugins
-
-!!! warning "EXPERIMENTAL"
-    This feature might change without preserving backwards compatibility.
-
-Trivy supports "output plugins" which process Trivy's output, 
-such as by transforming the output format or sending it elsewhere.
-For instance, in the case of image scanning, the output plugin can be called as follows:
-
-```shell
-$ trivy image --format json --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <image_name>
-```
-
-Since scan results are passed to the plugin via standard input, plugins must be capable of handling standard input.
-
-!!! warning
-    To avoid Trivy hanging, you need to read all data from `Stdin` before the plugin exits successfully or stops with an error.
-
-While the example passes JSON to the plugin, other formats like SBOM can also be passed (e.g., `--format cyclonedx`).
-
-If a plugin requires flags or other arguments, they can be passed using `--output-plugin-arg`.
-This is directly forwarded as arguments to the plugin.
-For example, `--output plugin=myplugin --output-plugin-arg "--foo --bar=baz"` translates to `myplugin --foo --bar=baz` in execution.
-
-An example of the output plugin is available [here](https://github.com/aquasecurity/trivy-output-plugin-count).
-It can be used as below:
-
-```shell
-# Install the plugin first
-$ trivy plugin install github.com/aquasecurity/trivy-output-plugin-count
-
-# Call the output plugin in image scanning
-$ trivy image --format json --output plugin=count --output-plugin-arg "--published-after 2023-10-01" debian:12
-```
-
-## Example
-- https://github.com/aquasecurity/trivy-plugin-kubectl
-- https://github.com/aquasecurity/trivy-output-plugin-count 
-
-[kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
-[helm]: https://helm.sh/docs/topics/plugins/
-[conftest]: https://www.conftest.dev/plugins/
-[go-getter]: https://github.com/hashicorp/go-getter
-[trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
-

docs/docs/advanced/private-registries/index.md

@@ -1,13 +1,30 @@
 Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
 This makes it easy to run within a CI process.
 
-## Credential
-To use Trivy with private images, simply install it and provide your credentials:
+## Login
+You can log in to a private registry using the `trivy registry login` command.
+It uses the Docker configuration file (`~/.docker/config.json`) to store the credentials under the hood, and the configuration file path can be configured by `DOCKER_CONFIG` environment variable.
+
+```shell
+$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io
+$ trivy image ghcr.io/your/private_image
+```
+
+## Passing Credentials
+You can also provide your credentials when scanning.
 
 ```shell
 $ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
 ```
 
+!!! warning
+    When passing credentials via environment variables or CLI flags, Trivy will attempt to use these credentials for all registries encountered during scanning, regardless of the target registry.
+    This can potentially lead to unintended credential exposure.
+    To mitigate this risk:
+
+    1. Set credentials cautiously and only when necessary.
+    2. Prefer using `trivy registry login` to pre-configure credentials with specific registries, which ensures credentials are only sent to appropriate registries.
+
 Trivy also supports providing credentials through CLI flags:
 
 ```shell
@@ -17,6 +34,7 @@ $ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE
 !!! warning
     The CLI flag `--password` is available, but its use is not recommended for security reasons.
 
+
 You can also store your credentials in `trivy.yaml`.
 For more information, please refer to [the documentation](../../references/configuration/config-file.md).
 
@@ -35,15 +53,5 @@ In the example above, Trivy attempts to use two pairs of credentials:
 
 Please note that the number of usernames and passwords must be the same.
 
-## docker login
-If you have Docker configured locally and have set up the credentials, Trivy can access them.
-
-```shell
-$ docker login ghcr.io
-Username: 
-Password:
-$ trivy image ghcr.io/your/private_image
-```
-
 !!! note
-    `docker login` can be used with any container runtime, such as Podman.
+    `--password-stdin` doesn't support comma-separated passwords.

docs/docs/advanced/self-hosting.md

@@ -0,0 +1,132 @@
+# Self-Hosting Trivy's Databases
+
+This document explains how to host Trivy's [external dependencies](./air-gap.md) in your own infrastructure to prevent external network access. If you haven't already, please familiarize yourself with the [Databases document](../configuration/db.md) that explains about the different databases used by Trivy and the different configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
+
+## OCI databases
+
+The following [Trivy Databases](../configuration/db.md) are packaged as OCI images:
+
+- `trivy-db`
+- `trivy-java-db`
+- `trivy-checks`
+
+To host these databases in your own infrastructure:
+
+### Make a local copy
+
+Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md), [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
+
+!!! note
+    You will need to keep the databases updated in order to maintain relevant scanning results over time.
+
+### Configure Trivy
+
+Use the appropriate [database location flags](../configuration/db.md#database-locations) to change the db-repository location:
+
+- `--db-repository`
+- `--java-db-repository`
+- `--checks-bundle-repository`
+
+### Authentication
+
+If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
+
+### OCI Media Types
+
+When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
+
+DB | Media Type | Reference
+--- | --- | ---
+`trivy-db` | `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` | <https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db>
+`trivy-java-db` | `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip` | https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
+`trivy-checks` | `application/vnd.oci.image.manifest.v1+json` | https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
+
+## Manual cache population
+
+Trivy uses a local cache directory to store the database files, as described in the [cache](../configuration/cache.md) document.
+You can download the databases files and surgically populate the Trivy cache directory with them.
+
+### Downloading the DB files
+
+On a machine with internet access, pull the database container archive from the public registry into your local workspace:
+
+Note that these examples operate in the current working directory.
+
+=== "Using ORAS"
+    This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
+
+    ```shell
+    oras pull ghcr.io/aquasecurity/trivy-db:2
+    ```
+    
+    You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
+    
+    ```shell
+    tar -xzf db.tar.gz
+    ```
+    
+
+=== "Using Trivy"
+    This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
+    
+    ```shell
+    trivy image --cache-dir . --download-db-only
+    ```
+
+You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
+
+### Populating the Trivy Cache
+
+In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
+
+```shell
+trivy -h | grep cache
+```
+
+For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
+
+```shell
+TRIVY_CACHE_DIR=/home/user/.cache/trivy
+```
+
+Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
+
+```shell
+# ensure cache db directory exists
+mkdir -p ${TRIVY_CACHE_DIR}/db
+# copy the db files
+cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
+```
+
+### Java DB adaptations
+
+For Java DB the process is the same, except for the following:
+
+1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
+2. Archive file name is `javadb.tar.gz`
+3. DB file name is `trivy-java.db`
+
+## VEX Hub
+
+### Make a local copy
+
+To make a copy of VEX Hub in a location that is accessible to Trivy.
+
+1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: <https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip>.
+1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: <https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json>.
+1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
+1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
+1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
+1. Make the manifest file available for serving from your server under the `/.well-known` path  (e.g `https://server.local/.well-known/vex-repository.json`).
+
+### Configure Trivy
+
+To configure Trivy to use the local VEX Repository:
+
+1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo.md#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
+1. Disable the default VEX Hub repo (`enabled: false`)
+1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo.md#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+
+### Authentication
+
+If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo.md#authentication).

docs/docs/compliance/compliance.md

@@ -1,4 +1,4 @@
-# Compliance Reports
+# Built-in Compliance Reports
 
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
@@ -10,7 +10,6 @@ Trivy’s compliance flag lets you curate a specific set of checks into a report
 Compliance report is currently supported in the following targets (trivy sub-commands):
 
 - `trivy image`
-- `trivy aws`
 - `trivy k8s`
 
 Add the `--compliance` flag to the command line, and set it's value to desired report.
@@ -35,8 +34,229 @@ to specify a built-in compliance report, select it by ID like `trivy --complianc
 For the list of built-in compliance reports, please see the relevant section:
 
 - [Docker compliance](../target/container_image.md#compliance)
-- [Kubernetes compliance](../target/kubernetes.md#compliance) 
-- [AWS compliance](../target/aws.md#compliance)
+- [Kubernetes compliance](../target/kubernetes.md#compliance)
+
+## Contribute a Built-in Compliance Report
+
+### Define a Compliance spec, based on CIS benchmark or other specs
+
+Here is an example for CIS compliance report:
+
+```yaml
+---
+spec:
+  id: k8s-cis-1.23
+  title: CIS Kubernetes Benchmarks v1.23
+  description: CIS Kubernetes Benchmarks
+  platform: k8s
+  type: cis
+  version: '1.23'
+  relatedResources:
+  - https://www.cisecurity.org/benchmark/kubernetes
+  controls:
+  - id: 1.1.1
+    name: Ensure that the API server pod specification file permissions are set to
+      600 or more restrictive
+    description: Ensure that the API server pod specification file has permissions
+      of 600 or more restrictive
+    checks:
+    - id: AVD-KCV-0073
+    commands:
+    - id: CMD-0001
+    severity: HIGH
+
+```
+
+### Compliance ID
+
+ID field is the name used to execute the compliance scan via trivy
+example:
+
+```sh
+trivy k8s --compliance k8s-cis-1.23
+```
+
+ID naming convention: {platform}-{type}-{version}
+
+### Compliance Platform
+
+The platform field specifies the type of platform on which to run this compliance report.
+Supported platforms:
+
+- k8s (native kubernetes cluster)
+- eks (elastic kubernetes service)
+- aks (azure kubernetes service)
+- gke (google kubernetes engine)
+- rke2 (rancher kubernetes engine v2)
+- ocp (OpenShift Container Platform)
+- docker (docker engine)
+- aws (amazon web services)
+
+### Compliance Type
+
+The type field specifies the kind compliance report.
+
+- cis (Center for Internet Security)
+- nsa (National Security Agency)
+- pss (Pod Security Standards)
+
+### Compliance Version
+
+The version field specifies the version of the compliance report.
+
+- 1.23
+
+### Compliance Check ID
+
+Specify the check ID that needs to be evaluated based on the information collected from the command data output to assess the control.
+
+Example of how to define check data under [checks folder](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
+
+```sh
+# METADATA
+# title: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
+# description: "Ensure that the kubelet.conf file has permissions of 600 or more restrictive."
+# scope: package
+# schemas:
+# - input: schema["kubernetes"]
+# related_resources:
+# - https://www.cisecurity.org/benchmark/kubernetes
+# custom:
+#   id: KCV0073
+#   avd_id: AVD-KCV-0073
+#   severity: HIGH
+#   short_code: ensure-kubelet.conf-file-permissions-600-or-more-restrictive.
+#   recommended_action: "Change the kubelet.conf file permissions to 600 or more restrictive if exist"
+#   input:
+#     selector:
+#     - type: kubernetes
+package builtin.kubernetes.KCV0073
+
+import data.lib.kubernetes
+
+types := ["master", "worker"]
+
+validate_kubelet_file_permission(sp) := {"kubeletConfFilePermissions": violation} {
+ sp.kind == "NodeInfo"
+ sp.type == types[_]
+ violation := {permission | permission = sp.info.kubeletConfFilePermissions.values[_]; permission > 600}
+ count(violation) > 0
+}
+
+deny[res] {
+ output := validate_kubelet_file_permission(input)
+ msg := "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
+ res := result.new(msg, output)
+}
+```
+
+### Compliance Command ID
+
+***Note:*** This field is not mandatory, it is relevant to k8s compliance report when node-collector is in use
+
+Specify the command ID (#ref) that needs to be executed to collect the information required to evaluate the control.
+
+Example of how to define command data under [commands folder](https://github.com/aquasecurity/trivy-checks/tree/main/commands)
+
+```yaml
+---
+- id: CMD-0001
+  key: kubeletConfFilePermissions
+  title: kubelet.conf file permissions
+  nodeType: worker
+  audit: stat -c %a $kubelet.kubeconfig
+  platforms:
+    - k8s
+    - aks
+```
+
+#### Command ID
+
+Find the next command ID by running the command on [trivy-checks project](https://github.com/aquasecurity/trivy-checks).
+
+```sh
+make command-id
+```
+
+#### Command Key
+
+- Re-use an existing key or specify a new one (make sure key name has no spaces)
+
+Note: The key value should match the key name evaluated by the Rego check.
+
+### Command Title
+
+Represent the purpose of the command
+
+### Command NodeType
+
+Specify the node type on which the command is supposed to run.
+
+- worker
+- master
+
+### Command Audit
+
+Specify here the shell command to be used please make sure to add error suppression (2>/dev/null)
+
+### Command Platforms
+
+The list of platforms that support this command. Name should be taken from this list [Platforms](#compliance-platform)
+
+### Command Config Files
+
+The commands use a configuration file that helps obtain the paths to binaries and configuration files based on different platforms (e.g., Rancher, native Kubernetes, etc.).
+
+For example:
+
+```yaml
+kubelet:
+    bins:
+      - kubelet
+      - hyperkube kubelet
+    confs:
+      - /etc/kubernetes/kubelet-config.yaml
+      - /var/lib/kubelet/config.yaml
+```
+
+### Commands Files Location
+
+Currently checks files location are :`https://github.com/aquasecurity/trivy-checks/tree/main/checks`
+
+Command files location: `https://github.com/aquasecurity/trivy-checks/tree/main/commands`
+under command file
+
+Note: command config files will be located under `https://github.com/aquasecurity/trivy-checks/tree/main/commands` as well
+
+### Node-collector output
+
+The node collector will read commands and execute each command, and incorporate the output into the NodeInfo resource.
+
+example:
+
+```json
+{
+  "apiVersion": "v1",
+  "kind": "NodeInfo",
+  "metadata": {
+    "creationTimestamp": "2023-01-04T11:37:11+02:00"
+  },
+  "type": "master",
+  "info": {
+    "adminConfFileOwnership": {
+      "values": [
+        "root:root"
+      ]
+    },
+    "adminConfFilePermissions": {
+      "values": [
+        600
+      ]
+    }
+    ...
+  }
+}
+```
 
 ## Custom compliance
 

docs/docs/compliance/contrib-compliance.md

@@ -0,0 +1,101 @@
+# Custom Compliance Spec
+
+Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
+All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
+
+New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance)
+If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
+
+All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
+
+## Contributing new Compliance Specs
+
+Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
+
+### Create a new Compliance Spec
+
+The existing compliance specs in Trivy are located under the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
+
+Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.
+
+### Minimum spec structure
+
+The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance).
+
+The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
+
+### Populating the `control` section
+
+Compliance specs detail a set of checks that should pass so that the resource is compliant with the official benchmark specifications. There are two ways in which Trivy compliance checks can enforce the compliance specification:
+
+1. The check is available in Trivy, as part of the `trivy-checks` and can be referenced in the Compliance Spec
+2. The check is not available in Trivy and a manual check has to be added to the Compliance Spec
+
+Additional information is provided below.
+
+#### 1. Referencing a check that is already part of Trivy
+
+Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
+
+Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance) available.
+
+For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark:
+`3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)`
+
+This check can be found in the general K8s CIS Compliance Benchmark: `k8s-cis-1.23.yaml` ([Link](https://github.com/aquasecurity/trivy-checks/blob/31e779916f3863dd74a28cee869ea24fdc4ca8c2/specs/compliance/k8s-cis-1.23.yaml#L480))
+
+Thus, we can use the information already present:
+
+```
+  - id: 3.1.2
+    name: Ensure that the kubelet service file ownership is set to root:root (Manual)
+    description: Ensure that the kubelet service file ownership is set to root:root
+    checks:
+      - id: AVD-KCV-0070
+    severity: HIGH
+```
+
+- The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
+- The `check` and `severity` are taken from the existing compliance check in the `k8s-cis-1.23.yaml`
+
+
+#### 2. Referencing a check manually that is not part of the Trivy default checks
+
+If the check does not already exist in the [Aqua Vulnerability Database](https://avd.aquasec.com/) (AVD) and is not part of the trivy-checks, the fields in the compliance spec for the check have to be populated manually. This is done by referencing the information in the official compliance specification.
+
+Below is the beginning of the information of the EKS CIS Benchmarks v1.4.0:
+
+![EKS Benchmarks 2.1.1](../../imgs/eks-benchmarks.png)
+
+The corresponding check in the `control` section will look like this:
+
+```
+  - id: 2.1.1
+    name: Enable audit Logs (Manual)
+    description: |
+      Control plane logs provide visibility into operation of the EKS Control plane components systems. 
+      The API server audit logs record all accepted and rejected requests in the cluster. 
+      When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch 
+      Log Group for persistence.
+    checks: null
+    severity: MEDIUM
+```
+
+- Again, the `id`, `name` and `description` are taken directly from the EKS CIS Benchmarks v1.4.0
+- The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-checks/tree/main/checks) repository
+- Since the check does not exist in Trivy, the `severity` will be `MEDIUM`. However, in some cases, the compliance report e.g. the CIS Benchmark report will specify the severity
+
+#### Contributing new checks to trivy-checks
+
+All of the checks in trivy-policies can be referenced in the compliance specs.
+To write new Rego checks for Trivy, please take a look at the contributing documentation for checks.
+
+### Test the Compliance Spec
+
+To test the compliance check, pass the new path into the Trivy scan through the `--compliance` flag. For instance, to pass the check to the Trivy Kubernetes scan use the following command structure:
+
+```
+trivy k8s cluster --compliance @</path/to/compliance.yaml> --report summary
+```
+
+Note: The `@` is required before the filepath.

docs/docs/configuration/cache.md

@@ -1,60 +1,88 @@
 # Cache
 The cache directory includes 
 
+- Cache of previous scans (Scan cache).
 - [Vulnerability Database][trivy-db][^1]
 - [Java Index Database][trivy-java-db][^2]
-- [Misconfiguration Policies][misconf-policies][^3]
-- Cache of previous scans.
+- [Misconfiguration Checks][misconf-checks][^3]
+- [VEX Repositories](../supply-chain/vex/repo.md)
  
 The cache option is common to all scanners.
 
 ## Clear Caches
-The `--clear-cache` option removes caches.
+`trivy clean` subcommand removes caches.
 
-**The scan is not performed.**
-
-```
-$ trivy image --clear-cache
+```bash
+$ trivy clean --scan-cache
 ```
 
 <details>
 <summary>Result</summary>
 
 ```
-2019-11-15T15:13:26.209+0200    INFO    Reopening vulnerability DB
-2019-11-15T15:13:26.209+0200    INFO    Removing image caches...
+2024-06-21T21:58:21+04:00       INFO    Removing scan cache...
 ```
 
 </details>
 
+If you want to delete cached vulnerability databases, use `--vuln-db`.
+You can also delete all caches with `--all`.
+See `trivy clean --help` for details.
+
 ## Cache Directory
 Specify where the cache is stored with `--cache-dir`.
 
-```
+```bash
 $ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9
 ```
 
-## Cache Backend
+## Scan Cache Backend
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
 
-Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.
+Trivy utilizes a scan cache to store analysis results, such as package lists.
+It supports three types of backends for this cache: 
 
-Two options:
-
-- `fs`
-    - the cache path can be specified by `--cache-dir`
-- `redis://`
+- Local File System (`fs`)
+    - The cache path can be specified by `--cache-dir`
+- Memory (`memory`)
+- Redis (`redis://`)
     - `redis://[HOST]:[PORT]`
     - TTL can be configured via `--cache-ttl`
 
+### Local File System
+The local file system backend is the default choice for container image, VM image and repository scans.
+
+!!! note
+    Internally, this backend uses [BoltDB][boltdb], which has an important limitation: only one process can access the cache at a time.
+    Subsequent processes attempting to access the cache will be locked.
+    For more details on this limitation, refer to the [troubleshooting guide][parallel-run].
+
+### Memory
+The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
+This makes it useful in scenarios where caching is not required or desired.
+It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
+
+To use the memory backend for a container image scan, you can use the following command:
+
+```bash
+$ trivy image debian:11 --cache-backend memory
 ```
+
+### Redis
+
+The Redis backend is particularly useful when you need to share the cache across multiple Trivy instances.
+You can set up Trivy to use a Redis backend with a command like this:
+
+```bash
 $ trivy server --cache-backend redis://localhost:6379
 ```
 
+This approach allows for centralized caching, which can be beneficial in distributed or high-concurrency environments.
+
 If you want to use TLS with Redis, you can enable it by specifying the `--redis-tls` flag.
 
-```shell
+```bash
 $ trivy server --cache-backend redis://localhost:6379 --redis-tls
 ```
 
@@ -68,9 +96,11 @@ $ trivy server --cache-backend redis://localhost:6379 \
   --redis-key /path/to/key.pem
 ```
 
-[trivy-db]: ./db.md#vulnerability-database
-[trivy-java-db]: ./db.md#java-index-database
-[misconf-policies]: ../scanner/misconfiguration/policy/builtin.md
+[trivy-db]: ./db.md
+[trivy-java-db]: ./db.md
+[misconf-checks]: ../scanner/misconfiguration/check/builtin.md
+[boltdb]: https://github.com/etcd-io/bbolt
+[parallel-run]: https://trivy.dev/{{ git.tag}}/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
 
 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files

docs/docs/configuration/db.md

@@ -1,85 +1,129 @@
-# DB
+# Trivy Databases
 
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |           |
-|      Secret      |           |
-|     License      |           |
+When you install Trivy, the installed artifact contains the scanner engine but is lacking relevant security information needed to make security detections and recommendations.
+These so called "databases" are automatically fetched and maintained by Trivy as needed, so normally you shouldn't notice or worry about them.   
+This document elaborates on the database management mechanism and its configuration options.
 
-The vulnerability database and the Java index database are needed only for vulnerability scanning.
-See [here](../scanner/vulnerability.md) for the detail.
+Trivy relies on the following databases:
 
-## Vulnerability Database
+DB | Artifact name | Contents | Purpose
+--- | --- | --- | ---
+Vulnerabilities DB | `trivy-db` | CVE information collected from various feeds | used only for [vulnerability scanning](../scanner/vulnerability.md)
+Java DB | `trivy-java-db` | Index of Java artifacts and their hash digest | used to identify Java artifacts only in [JAR scanning](../coverage/language/java.md)
+Checks Bundle | `trivy-checks` | Logic of misconfiguration checks | used only in [misconfiguration/IaC scanning](../scanner/misconfiguration/check/builtin.md)
 
-### Skip update of vulnerability DB
-If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.
+!!! note
+    This is not an exhaustive list of Trivy's external connectivity requirements.
+    There are additional external resources which may be required by specific Trivy features.
+    To learn about external connectivity requirements, see the [Advanced Network Scenarios](../advanced/air-gap.md).
+
+## Locations
+
+Trivy's databases are published to the following locations:
+
+| Registry | Image Address | Link
+| --- | --- | ---
+| GHCR | `ghcr.io/aquasecurity/trivy-db` | <https://ghcr.io/aquasecurity/trivy-db>
+| | `ghcr.io/aquasecurity/trivy-java-db` | <https://ghcr.io/aquasecurity/trivy-java-db>
+| | `ghcr.io/aquasecurity/trivy-checks` | <https://ghcr.io/aquasecurity/trivy-checks>
+| Docker Hub | `aquasec/trivy-db` | <https://hub.docker.com/r/aquasec/trivy-db>
+| | `aquasec/trivy-java-db` | <https://hub.docker.com/r/aquasec/trivy-java-db>
+| | `aquasec/trivy-checks` | <https://hub.docker.com/r/aquasec/trivy-checks>
+| AWS ECR | `public.ecr.aws/aquasecurity/trivy-db` | <https://gallery.ecr.aws/aquasecurity/trivy-db>
+| | `public.ecr.aws/aquasecurity/trivy-java-db` | <https://gallery.ecr.aws/aquasecurity/trivy-java-db>
+| | `public.ecr.aws/aquasecurity/trivy-checks` | <https://gallery.ecr.aws/aquasecurity/trivy-checks>
+
+In addition, images are also available via pull-through cache registries like [Google Container Registry Mirror](https://cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images).
+
+## Default Locations
+
+Trivy will attempt to pull images from the following registries in the order specified.
+
+1. `mirror.gcr.io/aquasec`
+2. `ghcr.io/aquasecurity`
+
+You can specify additional alternative repositories as explained in the [configuring database locations section](#database-locations).
+
+## DB Management Configuration
+
+### Database Locations
+
+You can configure Trivy to download databases from alternative locations by using the flags:
+
+- `--db-repository`
+- `--java-db-repository`
+- `--checks-bundle-repository`
+
+The value should be an image address in a container registry.
+
+For example:
 
 ```
-$ trivy image --skip-db-update python:3.4-alpine3.9
+trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
 ```
 
-<details>
-<summary>Result</summary>
+The flags accepts multiple values, which can be used to specify multiple alternative repository locations. In case of a transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.
+
+For example:
 
 ```
-2019-05-16T12:48:08.703+0900    INFO    Detecting Alpine vulnerabilities...
-
-python:3.4-alpine3.9 (alpine 3.9.2)
-===================================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
-|         |                  |          |                   |               | with long nonces               |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
+trivy image --db-repository my.registry.local/trivy-db --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
 ```
 
-</details>
+The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback.
 
-### Only download vulnerability database
-You can also ask `Trivy` to simply retrieve the vulnerability database.
-This is useful to initialize workers in Continuous Integration systems.
-
-```
-$ trivy image --download-db-only
-```
-
-### DB Repository
-`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
-
-```
-$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
-```
+!!! note 
+    Setting the repository location flags override the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list the you set as repository locations.
 
 !!!note
-    Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
+    When pulling `trivy-db` or `trivy-java-db`, if image tag is not specified, Trivy defaults to the db schema number instead of the `latest` tag.
 
-    `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
+### Skip updates
 
-## Java Index Database
-The same options are also available for the Java index DB, which is used for scanning Java applications.
-Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
+You can configure Trivy to not attempt to download any or all database(s), using the flags:
 
-!!! Note
-    In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
+- `--skip-db-update`
+- `--skip-java-db-update`
+- `--skip-check-update`
 
-Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
+For example:
 
 ```
-$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
+trivy image --skip-db-update --skip-java-db-update --skip-check-update alpine
 ```
 
-!!!note
-    Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
+### Only update
 
-    `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
+You can ask `Trivy` to only update the database without performing a scan. This action will ensure Trivy is up to date, and populate Trivy's database cache for subsequent scans.
 
-## Remove DBs
-The `--reset` flag removes all caches and databases.
+- `--download-db-only`
+- `--download-java-db-only`
+
+For example:
 
 ```
-$ trivy image --reset
-```
+trivy image --download-db-only
+```
+
+Note that currently there is no option to download only the Checks Bundle.
+
+### Remove Databases
+
+`trivy clean` command removes caches and databases.
+You can select which cache component to remove:
+
+option | description
+--- | ---
+`-a`/`--all` | remove all caches
+`--checks-bundle` | remove checks bundle
+`--java-db` | remove Java database
+`--scan-cache` | remove scan cache (container and VM image analysis results)
+`--vuln-db` | remove vulnerability database
+
+Example:
+
+```
+$ trivy clean --vuln-db --java-db
+2024-06-24T11:42:31+06:00       INFO    Removing vulnerability database...
+2024-06-24T11:42:31+06:00       INFO    Removing Java database...
+```

docs/docs/configuration/filtering.md

@@ -101,7 +101,7 @@ Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
 </details>
 
 ```bash
-trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
+trivy config --severity HIGH,CRITICAL examples/misconf/mixed
 ```
 
 <details>
@@ -112,7 +112,7 @@ trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
 
 Dockerfile (dockerfile)
 =======================
-Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 17 (SUCCESSES: 16, FAILURES: 1)
 Failures: 1 (HIGH: 1, CRITICAL: 0)
 
 HIGH: Last USER command in Dockerfile should not be 'root'
@@ -130,13 +130,13 @@ See https://avd.aquasec.com/misconfig/ds002
 
 deployment.yaml (kubernetes)
 ============================
-Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
+Tests: 8 (SUCCESSES: 8, FAILURES: 0)
 Failures: 0 (HIGH: 0, CRITICAL: 0)
 
 
 main.tf (terraform)
 ===================
-Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (HIGH: 0, CRITICAL: 1)
 
 CRITICAL: Classic resources should not be used.
@@ -237,6 +237,9 @@ You can filter the results by
 
 To show the suppressed results, use the `--show-suppressed` flag.
 
+!!! note
+    It's exported as `ExperimentalModifiedFindings` in the JSON output.
+
 ```bash
 $ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
 ...
@@ -391,7 +394,7 @@ $ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
 2023-08-31T11:10:27.155+0600	INFO	Vulnerability scanning is enabled
 2023-08-31T11:10:27.155+0600	INFO	Secret scanning is enabled
 2023-08-31T11:10:27.155+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
-2023-08-31T11:10:27.155+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
+2023-08-31T11:10:27.155+0600	INFO	Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection
 2023-08-31T11:10:29.164+0600	INFO	Detected OS: alpine
 2023-08-31T11:10:29.164+0600	INFO	Detecting Alpine vulnerabilities...
 2023-08-31T11:10:29.169+0600	INFO	Number of language-specific files: 1
@@ -474,13 +477,13 @@ ignore {
 ```
 
 ```bash
-trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
+trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7
 ```
 
 For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
 More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
 
-You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
+You can create a whitelist of checks using Rego, see the detailed [example](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies/whitelist.rego). Additional examples are available [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies).
 
 ### By Vulnerability Exploitability Exchange (VEX)
 |     Scanner      | Supported |
@@ -490,7 +493,7 @@ You can find more example policies [here](https://github.com/aquasecurity/trivy/
 |      Secret      |           |
 |     License      |           |
 
-Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
+Please refer to the [VEX documentation](../supply-chain/vex/index.md) for the details.
 
 
 [^1]: license name is used as id for `.trivyignore.yaml` files.

docs/docs/configuration/index.md

@@ -1,23 +1,21 @@
 # Configuration
-Trivy can be configured using the following ways. Each item takes precedence over the item below it:
+Trivy's settings can be configured in any of the following methods, which will apply in the following precedence:
 
-- CLI flags
-- Environment variables
-- Configuration file
+1. CLI flags (overrides all other settings)
+2. Environment variables (overrides config file settings)
+3. Configuration file
 
 ## CLI Flags
-You can view the list of available flags using the `--help` option.
-For more details, please refer to [the CLI reference](../references/configuration/cli/trivy.md).
+You can view the list of available flags by adding the `--help` flag to a Trivy command, or by exploring the [CLI reference](../references/configuration/cli/trivy.md).
 
 ## Environment Variables
-Trivy can be customized by environment variables.
-The environment variable key is the flag name converted by the following procedure.
+Any CLI option can be set as an environment variable. The environment variable name are similar to the CLI option name, with the following augmentations:
 
 - Add `TRIVY_` prefix
-- Make it all uppercase
+- All uppercase letters
 - Replace `-` with `_`
 
-For example,
+For example:
 
 - `--debug` => `TRIVY_DEBUG`
 - `--cache-dir` => `TRIVY_CACHE_DIR`
@@ -27,5 +25,6 @@ $ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
 ```
 
 ## Configuration File
-By default, Trivy reads the `trivy.yaml` file.
-For more details, please refer to [the page](../references/configuration/config-file.md).
+Any setting can be set in a YAML file. By default, config file named `trivy.yaml` is read from the current directory where Trivy is run. To load configuration from a different file, use the `--config` flag and specify the config path to load: `trivy --config /etc/trivy/myconfig.yaml`.
+
+The structure and settings of the YAML config file is documented in the [Config file](../references/configuration/config-file.md) document.

docs/docs/configuration/others.md

@@ -117,3 +117,46 @@ The following example will fail when a critical vulnerability is found or the OS
 ```
 $ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3
 ```
+
+## Mirror Registries
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports mirrors for [remote container images](../target/container_image.md#container-registry) and [databases](./db.md).
+
+To configure them, add a list of mirrors along with the host to the [trivy config file](../references/configuration/config-file.md#registry-options).
+
+!!! note
+    Use the `index.docker.io` host for images from `Docker Hub`, even if you don't use that prefix.
+
+Example for `index.docker.io`:
+```yaml
+registry:
+  mirrors:
+    index.docker.io:
+     - mirror.gcr.io
+```
+
+### Registry check procedure
+Trivy uses the following registry order to get the image:
+
+- mirrors in the same order as they are specified in the configuration file
+- source registry
+
+In cases where we can't get the image from the mirror registry (e.g. when authentication fails, image doesn't exist, etc.) - Trivy will check other mirrors (or the source registry if all mirrors have already been checked).
+
+Example:
+```yaml
+registry:
+  mirrors:
+    index.docker.io:
+     - mirror.with.bad.auth // We don't have credentials for this registry
+     - mirror.without.image // Registry doesn't have this image
+```
+
+When we want to get the image `alpine` with the settings above. The logic will be as follows:
+
+1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
+2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
+3. Get the image from `index.docker.io` (the original registry).

docs/docs/configuration/reporting.md

@@ -5,7 +5,7 @@ Trivy supports the following formats:
 
 - Table
 - JSON
-- [SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)
+- [SARIF][sarif-home]
 - Template
 - SBOM
 - GitHub dependency snapshot
@@ -19,9 +19,152 @@ Trivy supports the following formats:
 |      Secret      |     ✓     |
 |     License      |     ✓     |
 
+```bash
+$ trivy image -f table golang:1.22.11-alpine3.20
 ```
-$ trivy image -f table golang:1.12-alpine
+
+<details>
+<summary>Result</summary>
+
 ```
+...
+
+Report Summary
+
+┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
+│                   Target                    │   Type   │ Vulnerabilities │ Secrets │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ golang:1.22.11-alpine3.20 (alpine 3.20.5)   │  alpine  │        6        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/bin/go                         │ gobinary │        1        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+...
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/pkg/tool/linux_amd64/vet       │ gobinary │        1        │    -    │
+└─────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
+
+golang:1.22.11-alpine3.20 (alpine 3.20.5)
+
+Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+
+┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
+├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ libcrypto3 │ CVE-2024-12797 │ HIGH     │ fixed  │ 3.3.2-r1          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
+│            │                │          │        │                   │               │ don't abort as expected                                     │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
+│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
+├────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│ libssl3    │ CVE-2024-12797 │ HIGH     │        │                   │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
+│            │                │          │        │                   │               │ don't abort as expected                                     │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
+│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
+├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2025-26519 │ UNKNOWN  │        │ 1.2.5-r0          │ 1.2.5-r1      │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an          │
+│            │                │          │        │                   │               │ out-of-bounds write ......                                  │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-26519                  │
+├────────────┤                │          │        │                   │               │                                                             │
+│ musl-utils │                │          │        │                   │               │                                                             │
+│            │                │          │        │                   │               │                                                             │
+│            │                │          │        │                   │               │                                                             │
+└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+usr/local/go/bin/go (gobinary)
+
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
+┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
+├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
+│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
+│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
+└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+...
+```
+
+</details>
+
+#### Table mode
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports the following modes for `table` format:
+
+|             Mode             | Enabled by default |
+|:----------------------------:|:-----------------:|
+|  [summary](#summary-table)   |       ✓[^1]       |
+| [detailed](#detailed-tables) |         ✓         |
+
+You can use `--table-mode` flag to enable/disable table mode(s). 
+
+
+##### Summary table
+Summary table contains general information about the scan performed.
+
+Nuances of table contents:
+
+- Table includes columns for enabled [scanners](../references/terminology.md#scanner) only. Use `--scanners` flag to enable/disable scanners.
+- Table includes separate lines for the same targets but different scanners.
+    - `-` means that the scanner didn't scan this target.
+    - `0` means that the scanner scanned this target, but found no security issues.
+
+<details>
+<summary>Report Summary</summary>
+
+```
+┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
+│        Target         │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ test (alpine 3.20.3)  │   alpine   │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │    jar     │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ app/Dockerfile        │ dockerfile │        -        │         2         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        0        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        -        │         -         │    1    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ OS Packages           │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │     -      │        -        │         -         │    -    │    0     │
+└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
+```
+
+</details>
+
+##### Detailed tables
+Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
+
+<details>
+<summary>Detailed tables</summary>
+
+```
+
+usr/local/go/bin/go (gobinary)
+
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
+┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
+├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
+│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
+│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
+└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+```
+</details>
 
 #### Show origins of vulnerable dependencies
 
@@ -58,12 +201,14 @@ The following languages are currently supported:
 |          | [yarn.lock][yarn-lock]                     |
 | .NET     | [packages.lock.json][dotnet-packages-lock] |
 | Python   | [poetry.lock][poetry-lock]                 |
+|          | [uv.lock][uv-lock]                         |
 | Ruby     | [Gemfile.lock][gemfile-lock]               |
 | Rust     | [cargo-auditable binaries][cargo-binaries] |
 | Go       | [go.mod][go-mod]                           |
 | PHP      | [composer.lock][composer-lock]             |
 | Java     | [pom.xml][pom-xml]                         |
 |          | [*gradle.lockfile][gradle-lockfile]        |
+|          | [*.sbt.lock][sbt-lockfile]                 |
 | Dart     | [pubspec.lock][pubspec-lock]               |
 
 This tree is the reverse of the dependency graph.
@@ -119,124 +264,183 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 |     License      |     ✓     |
 
 ```
-$ trivy image -f json -o results.json golang:1.12-alpine
+$ trivy image -f json -o results.json alpine:latest
 ```
 
-<details>
-<summary>Result</summary>
-
-```
-2019-05-16T01:46:31.777+0900    INFO    Updating vulnerability database...
-2019-05-16T01:47:03.007+0900    INFO    Detecting Alpine vulnerabilities...
-```
-
-</details>
-
 <details>
 <summary>JSON</summary>
 
 ```
-[
-  {
-    "Target": "php-app/composer.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "node-app/package-lock.json",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2018-16487",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "\u003e=4.17.11",
-        "Title": "lodash: Prototype pollution in utilities function",
-        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
-        "Severity": "HIGH",
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2024-12-26T21:58:15.943876+05:30",
+  "ArtifactName": "alpine:latest",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.20.3"
+    },
+    "ImageID": "sha256:511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450",
+    "DiffIDs": [
+      "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+    ],
+    "RepoTags": [
+      "alpine:latest"
+    ],
+    "RepoDigests": [
+      "alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
+    ],
+    "ImageConfig": {
+      "architecture": "arm64",
+      "created": "2024-09-06T12:05:36Z",
+      "history": [
+        {
+          "created": "2024-09-06T12:05:36Z",
+          "created_by": "ADD alpine-minirootfs-3.20.3-aarch64.tar.gz / # buildkit",
+          "comment": "buildkit.dockerfile.v0"
+        },
+        {
+          "created": "2024-09-06T12:05:36Z",
+          "created_by": "CMD [\"/bin/sh\"]",
+          "comment": "buildkit.dockerfile.v0",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
         ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "WorkingDir": "/",
+        "ArgsEscaped": true
       }
-    ]
+    }
   },
-  {
-    "Target": "trivy-ci-test (alpine 3.7.1)",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2018-16840",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r1",
-        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
-        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
-        "Severity": "HIGH",
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2019-3822",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r2",
-        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
-        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
-        "Severity": "HIGH",
-        "References": [
-          "https://curl.haxx.se/docs/CVE-2019-3822.html",
-          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-16839",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r1",
-        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
-        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
-        "Severity": "HIGH",
-        "References": [
-          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-19486",
-        "PkgName": "git",
-        "InstalledVersion": "2.15.2-r0",
-        "FixedVersion": "2.15.3-r0",
-        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
-        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
-        "Severity": "HIGH",
-        "References": [
-          "https://usn.ubuntu.com/3829-1/",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-17456",
-        "PkgName": "git",
-        "InstalledVersion": "2.15.2-r0",
-        "FixedVersion": "2.15.3-r0",
-        "Title": "git: arbitrary code execution via .gitmodules",
-        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
-        "Severity": "HIGH",
-        "References": [
-          "http://www.securitytracker.com/id/1041811",
-        ]
-      }
-    ]
-  },
-  {
-    "Target": "python-app/Pipfile.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "ruby-app/Gemfile.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "rust-app/Cargo.lock",
-    "Vulnerabilities": null
-  }
-]
+  "Results": [
+    {
+      "Target": "alpine:latest (alpine 3.20.3)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2024-9143",
+          "PkgID": "libcrypto3@3.3.2-r0",
+          "PkgName": "libcrypto3",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto3@3.3.2-r0?arch=aarch64\u0026distro=3.20.3",
+            "UID": "f705555b49cd2259"
+          },
+          "InstalledVersion": "3.3.2-r0",
+          "FixedVersion": "3.3.2-r1",
+          "Status": "fixed",
+          "Layer": {
+            "DiffID": "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access",
+          "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "VendorSeverity": {
+            "amazon": 3,
+            "redhat": 1,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2024-9143",
+            "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
+            "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
+            "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
+            "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
+            "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
+            "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
+            "https://nvd.nist.gov/vuln/detail/CVE-2024-9143",
+            "https://openssl-library.org/news/secadv/20241016.txt",
+            "https://www.cve.org/CVERecord?id=CVE-2024-9143"
+          ],
+          "PublishedDate": "2024-10-16T17:15:18.13Z",
+          "LastModifiedDate": "2024-11-08T16:35:21.58Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2024-9143",
+          "PkgID": "libssl3@3.3.2-r0",
+          "PkgName": "libssl3",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl3@3.3.2-r0?arch=aarch64\u0026distro=3.20.3",
+            "UID": "c4a39ef718e71832"
+          },
+          "InstalledVersion": "3.3.2-r0",
+          "FixedVersion": "3.3.2-r1",
+          "Status": "fixed",
+          "Layer": {
+            "DiffID": "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access",
+          "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "VendorSeverity": {
+            "amazon": 3,
+            "redhat": 1,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2024-9143",
+            "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
+            "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
+            "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
+            "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
+            "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
+            "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
+            "https://nvd.nist.gov/vuln/detail/CVE-2024-9143",
+            "https://openssl-library.org/news/secadv/20241016.txt",
+            "https://www.cve.org/CVERecord?id=CVE-2024-9143"
+          ],
+          "PublishedDate": "2024-10-16T17:15:18.13Z",
+          "LastModifiedDate": "2024-11-08T16:35:21.58Z"
+        }
+      ]
+    }
+  ]
+}
+
 ```
 
 </details>
@@ -251,16 +455,19 @@ $ trivy image -f json -o results.json golang:1.12-alpine
 |      Secret      |     ✓     |
 |     License      |     ✓     |
 
-[SARIF][sarif] can be generated with the `--format sarif` flag.
+[SARIF][sarif-home] (Static Analysis Results Interchange Format) complying with [SARIF 2.1.0 OASIS standard][sarif-spec] can be generated with the `--format sarif` flag.
 
 ```
 $ trivy image --format sarif -o report.sarif  golang:1.12-alpine
 ```
 
-This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
+This SARIF file can be uploaded to several platforms, including:
+
+- [GitHub code scanning results][sarif-github], and there is a [Trivy GitHub Action][action] for automating this process
+- [SonarQube][sarif-sonar]
 
 ### GitHub dependency snapshot
-Trivy supports the following packages.
+Trivy supports the following packages:
 
 - [OS packages][os_packages]
 - [Language-specific packages][language_packages]
@@ -335,8 +542,8 @@ If Trivy is installed using rpm then default templates can be found at `/usr/loc
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
-|      Secret      |           |
-|     License      |           |
+|      Secret      |     ✓     |
+|     License      |     ✓     |
 
 In the following example using the template `junit.tpl` XML can be generated.
 ```
@@ -399,7 +606,7 @@ $ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plu
 ```
 
 This is useful for cases where you want to convert the output into a custom format, or when you want to send the output somewhere.
-For more details, please check [here](../advanced/plugins.md#output-plugins).
+For more details, please check [here](../plugin/user-guide.md#output-mode-support).
 
 ## Converting
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
@@ -410,7 +617,7 @@ $ trivy convert --format cyclonedx --output result.cdx result.json
 ```
 
 !!! note
-    Please note that if you want to convert to a format that requires a list of packages, 
+    Please note that if you want to convert to a format that requires a list of packages,
     such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
 
 [Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
@@ -424,12 +631,15 @@ $ trivy convert --format table --severity CRITICAL result.json
 ```
 
 !!! note
-    JSON reports from "trivy aws" and "trivy k8s" are not yet supported.
+    JSON reports from "trivy k8s" are not yet supported.
 
 [cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [action]: https://github.com/aquasecurity/trivy-action
 [asff]: ../../tutorials/integrations/aws-security-hub.md
-[sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
+[sarif-home]: https://sarifweb.azurewebsites.net
+[sarif-spec]: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+[sarif-github]: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning
+[sarif-sonar]: https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/importing-issues-from-sarif-reports/
 [sprig]: http://masterminds.github.io/sprig/
 [github-sbom]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#about-dependency-submissions
 [github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
@@ -442,10 +652,14 @@ $ trivy convert --format table --severity CRITICAL result.json
 [yarn-lock]: ../coverage/language/nodejs.md#yarn
 [dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
 [poetry-lock]: ../coverage/language/python.md#poetry
+[uv-lock]: ../coverage/language/python.md#uv
 [gemfile-lock]: ../coverage/language/ruby.md#bundler
-[go-mod]: ../coverage/language/golang.md#go-modules
-[composer-lock]: ../coverage/language/php.md#composer
+[go-mod]: ../coverage/language/golang.md#go-module
+[composer-lock]: ../coverage/language/php.md#composerlock
 [pom-xml]: ../coverage/language/java.md#pomxml
 [gradle-lockfile]: ../coverage/language/java.md#gradlelock
+[sbt-lockfile]: ../coverage/language/java.md#sbt
 [pubspec-lock]: ../coverage/language/dart.md#dart
-[cargo-binaries]: ../coverage/language/rust.md#binaries
+[cargo-binaries]: ../coverage/language/rust.md#binaries
+
+[^1]: To show summary table in `convert` mode - you need to enable the scanners used during JSON report generation.

docs/docs/coverage/iac/cloudformation.md

@@ -21,7 +21,7 @@ It evaluates properties, functions, and other elements within CloudFormation fil
 You can provide `cf-params` with path to [CloudFormation Parameters] file to Trivy to scan your CloudFormation code with parameters.
 
 ```bash
-trivy conf --cf-params params.json ./infrastructure/cf
+trivy config --cf-params params.json ./infrastructure/cf
 ```
 
 You can check a [CloudFormation Parameters Example]

docs/docs/coverage/iac/helm.md

@@ -11,7 +11,7 @@ The following scanners are supported.
 Trivy recursively searches directories and scans all found Helm files.
 
 It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
-See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
+See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in checks.
 
 ### Value overrides
 There are a number of options for overriding values in Helm charts.
@@ -21,7 +21,7 @@ When override values are passed to the Helm scanner, the values will be used dur
 Overrides can be set inline on the command line
 
 ```bash
-trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql
 ```
 
 #### Setting value file overrides
@@ -35,7 +35,7 @@ securityContext:
 ```
 
 ```bash
-trivy conf --helm-values overrides.yaml ./charts/mySql
+trivy config --helm-values overrides.yaml ./charts/mySql
 ``` 
 
 #### Setting value as explicit string
@@ -49,7 +49,7 @@ trivy config --helm-set-string name=false ./infrastructure/tf
 Specific override values can come from specific files
 
 ```bash
-trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql
 ```
 
 ## Secret

docs/docs/coverage/iac/index.md

@@ -8,15 +8,18 @@ Trivy scans Infrastructure as Code (IaC) files for
 
 ## Supported configurations
 
-| Config type                         | File patterns                                 |
-|-------------------------------------|-----------------------------------------------|
-| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                      |
-| [Docker](docker.md)                 | Dockerfile, Containerfile                     |
-| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                  |
-| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
-| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
-| [Azure ARM Template](azure-arm.md)  | \*.json                                       |
-| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
+| Config type                         | File patterns                    |
+|-------------------------------------|----------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json         |
+| [Docker](docker.md)                 | Dockerfile, Containerfile        |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars     |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.json       |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json         |
+| [Azure ARM Template](azure-arm.md)  | \*.json                          |
+| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc. |
+| [YAML][json-and-yaml]               | \*.yaml, \*.yml                  |
+| [JSON][json-and-yaml]               | \*.json                          |
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md
+[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations

docs/docs/coverage/iac/terraform.md

@@ -18,13 +18,13 @@ It supports the following formats:
 Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
 ```bash
 terraform plan --out tfplan
-trivy conf tfplan
+trivy config tfplan
 ```
 
 To scan a Terraform Plan representation in JSON format, run the following command:
 ```bash
 terraform show -json tfplan > tfplan.json
-trivy conf tfplan.json
+trivy config tfplan.json
 ```
 
 ## Misconfiguration
@@ -35,7 +35,7 @@ It also evaluates variables, imports, and other elements within Terraform files
 You can provide `tf-vars` files to Trivy to override default values specified in the Terraform HCL code.
 
 ```bash
-trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+trivy config --tf-vars dev.terraform.tfvars ./infrastructure/tf
 ```
 
 ### Exclude Downloaded Terraform Modules
@@ -43,8 +43,37 @@ By default, downloaded modules are also scanned.
 If you don't want to scan them, you can use the `--tf-exclude-downloaded-modules` flag.
 
 ```bash
-trivy conf --tf-exclude-downloaded-modules ./configs
+trivy config --tf-exclude-downloaded-modules ./configs
 ```
 
 ## Secret
-The secret scan is performed on plain text files, with no special treatment for Terraform.
+The secret scan is performed on plain text files, with no special treatment for Terraform.
+
+## Limitations
+
+### Terraform Plan JSON
+
+#### For each and count objects in expression
+
+The plan created by Terraform does not provide complete information about references in expressions that use `each` or `count` objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:
+
+```hcl
+locals {
+  buckets = toset(["test"])
+}
+
+resource "aws_s3_bucket" "this" {
+  for_each = local.buckets
+  bucket = each.key
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  for_each = local.buckets
+  bucket = aws_s3_bucket.this[each.key].id
+  acl    = "private"
+}
+```
+
+With this configuration, the plan will not contain information about which attribute of the `aws_s3_bucket` resource is referenced by the `aws_s3_bucket_acl` resource.
+
+See more [here](https://github.com/hashicorp/terraform/issues/30826).

docs/docs/coverage/kubernetes.md

@@ -17,7 +17,7 @@ Container image is scanned for:
 
 Kubernetes resource definition is scanned for:
 
-- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
+- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom)
 - Misconfigurations
 - Exposed secrets
 

docs/docs/coverage/language/c.md

@@ -1,23 +1,35 @@
 # C/C++
 
-Trivy supports [Conan][conan] C/C++ Package Manager.
+Trivy supports Conan C/C++ Package Manager ([v1][conanV1] and [v2][conanV2] with limitations).
 
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| Conan           |   ✓   |       ✓       |    -    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Conan           |  ✓   |       ✓       |  ✓[^1]  |
 
 The following table provides an outline of the features Trivy offers.
 
-| Package manager | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-| --------------- | -------------- | :---------------------: | :--------------: | :----------------------------------: | :------: |
-| Conan           | conan.lock[^1] |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Package manager       | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|-----------------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+| Conan (lockfile v1)   | conan.lock[^2] |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Conan (lockfile v2)   | conan.lock[^2] |            ✓ [^3]       |     Excluded     |                  -                   |    ✓     |
 
 ## Conan
 In order to detect dependencies, Trivy searches for `conan.lock`[^1].
 
-[conan]: https://docs.conan.io/1/index.html
+[conanV1]: https://docs.conan.io/1/index.html
+[conanV2]: https://docs.conan.io/2/
+
+### Licenses
+The Conan lock file doesn't contain any license information.
+To obtain licenses we parse the `conanfile.py` files from the [conan v1 cache directory][conan-v1-cache-dir] and [conan v2 cache directory][conan-v2-cache-dir].
+To correctly detection licenses, ensure that the cache directory contains all dependencies used.
+
+[conan-v1-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
+[conan-v2-cache-dir]: https://docs.conan.io/2/reference/environment.html#conan-home
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
-[^1]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^1]: The local cache should contain the dependencies used. See [licenses](#licenses).
+[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns).
+[^3]: For `conan.lock` in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree

docs/docs/coverage/language/dart.md

@@ -4,16 +4,16 @@ Trivy supports [Dart][dart].
 
 The following scanners are supported.
 
-| Package manager         | SBOM  | Vulnerability | License |
-|-------------------------| :---: | :-----------: |:-------:|
-| [Dart][dart-repository] |   ✓   |       ✓       |    -    |
+| Package manager         | SBOM | Vulnerability | License |
+|-------------------------|:----:|:-------------:|:-------:|
+| [Dart][dart-repository] |  ✓   |       ✓       |    -    |
 
 The following table provides an outline of the features Trivy offers.
 
 
-| Package manager         | File         | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| [Dart][dart-repository] | pubspec.lock |            ✓            |     Included     |                  ✓                   |    -     |
+| Package manager         | File         | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| [Dart][dart-repository] | pubspec.lock |            ✓            |     Included     |                  ✓                   |    -     |                    ✓                     |
 
 ## Dart
 In order to detect dependencies, Trivy searches for `pubspec.lock`.
@@ -21,7 +21,28 @@ In order to detect dependencies, Trivy searches for `pubspec.lock`.
 Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options to separate root and dev transitive dependencies.
 So Trivy includes all dependencies in report.
 
+### SDK dependencies
+Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter).
+It is not possible to accurately determine the versions of these dependencies.
+Trivy just treats them as `0.0.0`.
+
+If [--detection-priority comprehensive][detection-priority] is passed, Trivy uses the minimum version of the constraint for the SDK.
+For example, in the following case, the version of `flutter` would be `3.3.0`:
+
+```yaml
+flutter:
+  dependency: "direct main"
+  description: flutter
+  source: sdk
+  version: "0.0.0"
+sdks:
+  dart: ">=2.18.0 <3.0.0"
+  flutter: "^3.3.0"
+```
+
+### Dependency tree
 To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
+
 !!! note
     Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.     
 
@@ -29,3 +50,4 @@ To build `dependency tree` Trivy parses [cache directory][cache-directory]. Curr
 [dart-repository]: https://pub.dev/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [cache-directory]: https://dart.dev/tools/pub/glossary#system-cache
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority

docs/docs/coverage/language/dotnet.md

@@ -21,6 +21,9 @@ The following table provides an outline of the features Trivy offers.
 ## *.deps.json
 Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
 
+!!! note
+    Trivy only includes runtime dependencies in the report.
+
 ## packages.config
 Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
 

docs/docs/coverage/language/golang.md

@@ -1,28 +1,31 @@
 # Go
 
-## Features
+## Overview
 Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
 
 The following scanners are supported.
 
-| Artifact | SBOM  | Vulnerability | License |
-| -------- | :---: | :-----------: | :-----: |
-| Modules  |   ✓   |       ✓       |  ✓[^2]  |
-| Binaries |   ✓   |       ✓       |    -    |
+| Artifact | SBOM | Vulnerability |    License    |
+|----------|:----:|:-------------:|:-------------:|
+| Modules  |  ✓   |       ✓       | [✓](#license) |
+| Binaries |  ✓   |       ✓       |       -       |
 
 The table below provides an outline of the features Trivy offers.
 
-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |
-|----------|:-----------:|:-----------------|:----------------------------------:|
-| Modules  |      ✅      | Include          |               ✅[^2]                |
-| Binaries |      ✅      | Exclude          |                 -                  |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |         Stdlib         | [Detection Priority][detection-priority] |
+|----------|:-----------:|:-----------------|:------------------------------------:|:----------------------:|:----------------------------------------:|
+| Modules  |      ✅      | Include          |        [✅](#dependency-graph)        |   [✅](#gomod-stdlib)   |            [✅](#gomod-stdlib)            |
+| Binaries |      ✅      | Exclude          |                  -                   | [✅](#go-binary-stdlib) |                Not needed                |
 
 !!! note
-    Trivy scans only dependencies of the Go project.
-    Let's say you scan the Docker binary, Trivy doesn't detect vulnerabilities of Docker itself.
-    Also, when you scan go.mod in Kubernetes, the Kubernetes vulnerabilities will not be found.
+    When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself. 
+    For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
 
-### Go Modules
+## Data Sources
+The data sources are listed [here](../../scanner/vulnerability.md#langpkg-data-sources).
+Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules.
+
+## Go Module
 Depending on Go versions, the required files are different.
 
 | Version | Required files | Offline |
@@ -38,7 +41,7 @@ Go 1.17+ holds actually needed indirect dependencies in `go.mod`, and it reduces
 If you want to have better detection, please consider updating the Go version in your project.
 
 !!! note
-    The Go version doesn't mean your CLI version, but the Go version in your go.mod.
+    The Go version doesn't mean your Go tool version, but the Go version in your go.mod.
 
     ```
     module github.com/aquasecurity/trivy
@@ -57,15 +60,37 @@ If you want to have better detection, please consider updating the Go version in
     $ go mod tidy -go=1.18
     ```
 
-To identify licenses and dependency relationships, you need to download modules to local cache beforehand,
-such as `go mod download`, `go mod tidy`, etc.
+### Main Module { #gomod-main }
+Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module. 
+For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself.
+Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
+
+### Standard Library { #gomod-stdlib }
+Detecting the version of Go used in the project can be tricky.
+The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment.
+Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
+When enabled, Trivy detects stdlib version as the minimum between the `go` and the `toolchain` directives in the `go.mod` file.
+To obtain reproducible scan results Trivy doesn't check the locally installed version of `Go`.
+
+!!! note
+    Trivy detects `stdlib` only for `Go` 1.21 or higher.
+
+    The version from the `go` line (for `Go` 1.20 or early) is not a minimum required version.
+    For details, see [this](https://go.googlesource.com/proposal/+/master/design/57001-gotoolchain.md).
+
+It possibly produces false positives.
+See [the caveat](#stdlib-vulnerabilities) for details.
+
+### License
+To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, etc.
 Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
 
-### Go binaries
-Trivy scans binaries built by Go.
-If there is a Go binary in your container image, Trivy automatically finds and scans it.
+### Dependency Graph
+Same as licenses, you need to download modules to local cache beforehand.
 
-Also, you can scan your local binaries.
+## Go Binary
+Trivy scans Go binaries when it encounters them during scans such as container images or file systems. 
+When scanning binaries built by Go, Trivy finds dependencies and Go version information as [embedded in the binary by Go tool at build time](https://tip.golang.org/doc/go1.18#go-version).
 
 ```
 $ trivy rootfs ./your_binary
@@ -74,7 +99,34 @@ $ trivy rootfs ./your_binary
 !!! note
     It doesn't work with UPX-compressed binaries.
 
-[^1]: It doesn't require the Internet access.
-[^2]: Need to download modules to local cache beforehand
+### Main Module
+Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefore are detected by Trivy.
+In other cases, Go uses the `(devel)` version[^2].
+In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
+If unsuccessful, the version will be empty[^3].
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+### Standard Library { #go-binary-stdlib }
+Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries.
+It possibly produces false positives.
+See [the caveat](#stdlib-vulnerabilities) for details.
+
+## Caveats
+
+### Stdlib Vulnerabilities
+Trivy does not know if or how you use stdlib functions, therefore it is possible that stdlib vulnerabilities are not applicable to your use case.
+There are a few ways to mitigate this:
+
+1. Analyze vulnerability reachability using a tool such as [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck). This will ensure that reported vulnerabilities are applicable to your project.
+2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.
+
+### Empty Version
+As described in the [Main Module](#gomod-main) section, the main module of Go binaries might have an empty version.
+Also, dependencies replaced with local ones will have an empty version.
+
+[^1]: It doesn't require the Internet access.
+[^2]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
+[^3]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
+
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[toolchain]: https://go.dev/doc/toolchain
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority

docs/docs/coverage/language/index.md

@@ -16,17 +16,18 @@ This is because Trivy primarily categorizes targets into two groups:
 If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files.
 On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
 
-| Language             | File                                                                                       | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
+| Language             | File                                                                                       | Image[^4] | Rootfs[^5] | Filesystem[^6] | Repository[^7] |
 |----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
 | [Ruby](ruby.md)      | Gemfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | poetry.lock                                                                                |     -     |     -      |       ✅        |       ✅        |
+|                      | uv.lock                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | requirements.txt                                                                           |     -     |     -      |       ✅        |       ✅        |
 |                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |       -        |
 |                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |       -        |
-|                      | conda package[^3]                                                                          |     ✅     |     ✅      |       -        |       -        |
-| [PHP](php.md)        | composer.lock                                                                              |     ✅     |     ✅      |       ✅        |       ✅        |
+| [PHP](php.md)        | composer.lock                                                                              |     -     |     -      |       ✅        |       ✅        |
+|                      | installed.json                                                                             |     ✅     |     ✅      |       -        |       -        |
 | [Node.js](nodejs.md) | package-lock.json                                                                          |     -     |     -      |       ✅        |       ✅        |
 |                      | yarn.lock                                                                                  |     -     |     -      |       ✅        |       ✅        |
 |                      | pnpm-lock.yaml                                                                             |     -     |     -      |       ✅        |       ✅        |
@@ -34,19 +35,21 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [.NET](dotnet.md)    | packages.lock.json                                                                         |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | packages.config                                                                            |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | .deps.json                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |
-|                      | *Packages.props[^11]                                                                       |     ✅     |     ✅      |       ✅        |       ✅        |
-| [Java](java.md)      | JAR/WAR/PAR/EAR[^4]                                                                        |     ✅     |     ✅      |       -        |       -        |
+|                      | *Packages.props[^9]                                                                        |     ✅     |     ✅      |       ✅        |       ✅        |
+| [Java](java.md)      | JAR/WAR/PAR/EAR[^3]                                                                        |     ✅     |     ✅      |       -        |       -        |
 |                      | pom.xml                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | *gradle.lockfile                                                                           |     -     |     -      |       ✅        |       ✅        |
+|                      | *.sbt.lock                                                                                 |     -     |     -      |       ✅        |       ✅        |
 | [Go](golang.md)      | Binaries built by Go                                                                       |     ✅     |     ✅      |       -        |       -        |
 |                      | go.mod                                                                                     |     -     |     -      |       ✅        |       ✅        |
 | [Rust](rust.md)      | Cargo.lock                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |       -        |       -        |
 | [C/C++](c.md)        | conan.lock                                                                                 |     -     |     -      |       ✅        |       ✅        |
-| [Elixir](elixir.md)  | mix.lock[^10]                                                                              |     -     |     -      |       ✅        |       ✅        |
+| [Elixir](elixir.md)  | mix.lock[^8]                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
+| [Julia](julia.md)    | Manifest.toml                                                                              |     ✅     |     ✅      |       ✅        |       ✅        |
 
 The path of these files does not matter.
 
@@ -58,12 +61,10 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 
 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
 [^2]: `.dist-info/META-DATA`
-[^3]: `envs/*/conda-meta/*.json`
-[^4]: `*.jar`, `*.war`, `*.par` and `*.ear`
-[^5]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^6]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
-[^9]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
-[^10]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
-[^11]: `Directory.Packages.props` and  legacy `Packages.props` file names are supported
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^9]: `Directory.Packages.props` and  legacy `Packages.props` file names are supported

docs/docs/coverage/language/java.md

@@ -1,5 +1,5 @@
 # Java
-Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*gradle.lockfile` files.
+Trivy supports four types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml`, `*gradle.lockfile` and `*.sbt.lock` files.
 
 Each artifact supports the following scanners:
 
@@ -8,14 +8,16 @@ Each artifact supports the following scanners:
 | JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
 | pom.xml          |  ✓   |       ✓       |    ✓    |
 | *gradle.lockfile |  ✓   |       ✓       |    ✓    |
+| *.sbt.lock       |  ✓   |       ✓       |    -    |
 
 The following table provides an outline of the features Trivy offers.
 
-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
-| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
+| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |                Not needed                |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |                    -                     |
+| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |                Not needed                |
+| *.sbt.lock       |           -           |     Exclude      |                  -                   |    ✓     |                Not needed                |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -42,11 +44,23 @@ Trivy parses your `pom.xml` file and tries to find files with dependencies from
 - relativePath field[^5]
 - local repository directory[^6].
 
-If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the [maven repository](https://repo.maven.apache.org/maven2/).
+### remote repositories
+If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the remote repositories:
+
+- [repositories from pom files][maven-pom-repos]
+- [maven central repository][maven-central]
+
+Trivy reproduces Maven's repository selection and priority:
+
+- for snapshot artifacts:
+    - check only snapshot repositories from pom files (if exists)
+- for other artifacts:
+    - check release repositories from pom files (if exists)
+    - check [maven central][maven-central]
 
 !!! Note
     Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
-    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
+    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#langpkg-data-sources).
 
 You can disable connecting to the maven repository with the `--offline-scan` flag.
 The `--offline-scan` flag does not affect the Trivy database.
@@ -55,6 +69,19 @@ The vulnerability database will be downloaded anyway.
 !!! Warning
     Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
 
+### supported scopes
+Trivy only scans `import`, `compile`, `runtime` and empty [maven scopes][maven-scopes]. Other scopes and `Optional` dependencies are not currently being analyzed.
+
+### empty dependency version
+There are cases when Trivy cannot determine the version of dependencies:
+
+- Unable to determine the version from the parent because the parent is not reachable;
+- The dependency uses a [hard requirement][version-requirement] with more than one version.
+
+In these cases, Trivy uses an empty version for the dependency.
+
+!!! Warning
+    Trivy doesn't detect child dependencies for dependencies without a version.
 
 ### maven-invoker-plugin
 Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
@@ -82,6 +109,15 @@ Trity also can detect licenses for dependencies.
 
 Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
 
+
+## SBT
+
+`build.sbt.lock` files only contain information about used dependencies. This requires a lockfile generated using the
+[sbt-dependency-lock][sbt-dependency-lock] plugin.
+
+!!!note
+    All necessary files are checked locally. SBT file scanning doesn't require internet access.
+
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
@@ -92,4 +128,10 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
 [^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
+[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
+[maven-central]: https://repo.maven.apache.org/maven2/
+[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
+[maven-scopes]: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
+[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority
+[version-requirement]: https://maven.apache.org/pom.html#dependency-version-requirement-specification