gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-08 22:00:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.58.2
Branches Tags
gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:gh-pages gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.52.1
Branches Tags
gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:gh-pages gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

8 Commits
v0.58.2 ... v0.52.1

Author SHA1 Message Date
Aqua Security automated builds
a3caf0658c release: v0.52.1 [release/v0.52] (#6877) 2024-06-10 08:34:00 +00:00
Aqua Security automated builds
01dbb42ae9 fix(nodejs): fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2024-06-10 07:47:58 +00:00
Aqua Security automated builds
f186d22bf2 fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2024-06-07 11:32:05 +00:00
Aqua Security automated builds
093c0ae020 fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2024-06-07 11:30:29 +00:00
Teppei Fukuda
6bfda76022 Merge pull request #6879 from aquasecurity/backport-pr-6864-to-release/v0.52 
docs: explain how VEX is applied [backport: release/v0.52]
 2024-06-07 10:12:55 +00:00
Teppei Fukuda
53850c8b20 docs: explain how VEX is applied (#6864) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-06-07 10:10:19 +00:00
Teppei Fukuda
221196202c Merge pull request #6875 from aquasecurity/backport-pr-6857-to-release/v0.52 
fix(nodejs): fix infinity loops for `pnpm` with cyclic imports [backport: release/v0.52]
 2024-06-07 08:56:42 +00:00
DmitriyLewen
a614b693d7 fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857) 2024-06-07 06:22:26 +00:00
1104 changed files with 25109 additions and 49568 deletions
Expand all files Collapse all files

6
.github/CODEOWNERS vendored
View File

@@ -15,8 +15,8 @@ pkg/cloud/ @simar7 @nikpivkin
pkg/iac/ @simar7 @nikpivkin
# Helm chart
helm/trivy/ @afdesk
helm/trivy/ @chen-keinan
# Kubernetes scanning
pkg/k8s/ @afdesk
docs/docs/target/kubernetes.md @afdesk
pkg/k8s/ @chen-keinan
docs/docs/target/kubernetes.md @chen-keinan

2
.github/DISCUSSION_TEMPLATE/bugs.yml vendored
View File

@@ -116,7 +116,7 @@ body:
label: Checklist
description: Have you tried the following?
options:
- label: Run `trivy clean --all`
- label: Run `trivy image --reset`
- label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
- type: markdown
attributes:

3
.github/actions/trivy-triage/Makefile vendored
View File

@@ -1,3 +0,0 @@
.PHONEY: test
test: helpers.js helpers.test.js
node --test helpers.test.js

29
.github/actions/trivy-triage/action.yaml vendored
View File

@@ -1,29 +0,0 @@
name: 'trivy-discussion-triage'
description: 'automatic triage of Trivy discussions'
inputs:
discussion_num:
description: 'Discussion number to triage'
required: false
runs:
using: "composite"
steps:
- name: Conditionally label discussions based on category and content
env:
GH_TOKEN: ${{ github.token }}
uses: actions/github-script@v6
with:
script: |
const {detectDiscussionLabels, fetchDiscussion, labelDiscussion } = require('${{ github.action_path }}/helpers.js');
const config = require('${{ github.action_path }}/config.json');
discussionNum = parseInt(${{ inputs.discussion_num }});
let discussion;
if (discussionNum > 0) {
discussion = (await fetchDiscussion(github, context.repo.owner, context.repo.repo, discussionNum)).repository.discussion;
} else {
discussion = context.payload.discussion;
}
const labels = detectDiscussionLabels(discussion, config.discussionLabels);
if (labels.length > 0) {
console.log(`Adding labels ${labels} to discussion ${discussion.node_id}`);
labelDiscussion(github, discussion.node_id, labels);
}

14
.github/actions/trivy-triage/config.json vendored
View File

@@ -1,14 +0,0 @@
{
"discussionLabels": {
"Container Image":"LA_kwDOCsUTCM75TTQU",
"Filesystem":"LA_kwDOCsUTCM75TTQX",
"Git Repository":"LA_kwDOCsUTCM75TTQk",
"Virtual Machine Image":"LA_kwDOCsUTCM8AAAABMpz1bw",
"Kubernetes":"LA_kwDOCsUTCM75TTQv",
"AWS":"LA_kwDOCsUTCM8AAAABMpz1aA",
"Vulnerability":"LA_kwDOCsUTCM75TTPa",
"Misconfiguration":"LA_kwDOCsUTCM75TTP8",
"License":"LA_kwDOCsUTCM77ztRR",
"Secret":"LA_kwDOCsUTCM75TTQL"
}
}

70
.github/actions/trivy-triage/helpers.js vendored
View File

@@ -1,70 +0,0 @@
module.exports = {
detectDiscussionLabels: (discussion, configDiscussionLabels) => {
res = [];
const discussionId = discussion.id;
const category = discussion.category.name;
const body = discussion.body;
if (category !== "Ideas") {
console.log(`skipping discussion with category ${category} and body ${body}`);
return [];
}
const scannerPattern = /### Scanner\n\n(.+)/;
const scannerFound = body.match(scannerPattern);
if (scannerFound && scannerFound.length > 1) {
res.push(configDiscussionLabels[scannerFound[1]]);
}
const targetPattern = /### Target\n\n(.+)/;
const targetFound = body.match(targetPattern);
if (targetFound && targetFound.length > 1) {
res.push(configDiscussionLabels[targetFound[1]]);
}
return res;
},
fetchDiscussion: async (github, owner, repo, discussionNum) => {
const query = `query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
repository(name: $repo, owner: $owner) {
discussion(number: $discussion_num) {
number,
id,
body,
category {
id,
name
},
labels(first: 100) {
edges {
node {
id,
name
}
}
}
}
}
}`;
const vars = {
owner: owner,
repo: repo,
discussion_num: discussionNum
};
return github.graphql(query, vars);
},
labelDiscussion: async (github, discussionId, labelIds) => {
const query = `mutation AddLabels($labelId: ID!, $labelableId:ID!) {
addLabelsToLabelable(
input: {labelIds: [$labelId], labelableId: $labelableId}
) {
clientMutationId
}
}`;
// TODO: add all labels in one call
labelIds.forEach((labelId) => {
const vars = {
labelId: labelId,
labelableId: discussionId
};
github.graphql(query, vars);
});
}
};

87
.github/actions/trivy-triage/helpers.test.js vendored
View File

@@ -1,87 +0,0 @@
const assert = require('node:assert/strict');
const { describe, it } = require('node:test');
const {detectDiscussionLabels} = require('./helpers.js');
const configDiscussionLabels = {
"Container Image":"ContainerImageLabel",
"Filesystem":"FilesystemLabel",
"Vulnerability":"VulnerabilityLabel",
"Misconfiguration":"MisconfigurationLabel",
};
describe('trivy-triage', async function() {
describe('detectDiscussionLabels', async function() {
it('detect scanner label', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('VulnerabilityLabel'));
});
it('detect target label', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
});
it('detect label when it is first', async function() {
const discussion = {
body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
});
it('detect label when it is last', async function() {
const discussion = {
body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
});
it('detect scanner and target labels', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
assert(labels.includes('VulnerabilityLabel'));
});
it('not detect other labels', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(!labels.includes('FilesystemLabel'));
assert(!labels.includes('MisconfigurationLabel'));
});
it('process only relevant categories', async function() {
const discussion = {
body: 'hello world',
category: {
name: 'Announcements'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.length === 0);
});
});
});

65
.github/actions/trivy-triage/testutils/discussion-payload-sample.json vendored
View File

@@ -1,65 +0,0 @@
{
"active_lock_reason": null,
"answer_chosen_at": null,
"answer_chosen_by": null,
"answer_html_url": null,
"author_association": "OWNER",
"body": "### Description\n\nlfdjs lfkdj dflsakjfd ';djk \r\nfadfd \r\nasdlkf \r\na;df \r\ndfsal;kfd ;akjl\n\n### Target\n\nContainer Image\n\n### Scanner\n\nMisconfiguration",
"category": {
"created_at": "2023-07-02T10:14:46.000+03:00",
"description": "Share ideas for new features",
"emoji": ":bulb:",
"id": 39743708,
"is_answerable": false,
"name": "Ideas",
"node_id": "DIC_kwDOE0GiPM4CXnDc",
"repository_id": 323068476,
"slug": "ideas",
"updated_at": "2023-07-02T10:14:46.000+03:00"
},
"comments": 0,
"created_at": "2023-09-11T08:40:11Z",
"html_url": "https://github.com/itaysk/testactions/discussions/9",
"id": 5614504,
"locked": false,
"node_id": "D_kwDOE0GiPM4AVauo",
"number": 9,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/itaysk/testactions/discussions/9/reactions"
},
"repository_url": "https://api.github.com/repos/itaysk/testactions",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/itaysk/testactions/discussions/9/timeline",
"title": "Title title",
"updated_at": "2023-09-11T08:40:11Z",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/1161307?v=4",
"events_url": "https://api.github.com/users/itaysk/events{/privacy}",
"followers_url": "https://api.github.com/users/itaysk/followers",
"following_url": "https://api.github.com/users/itaysk/following{/other_user}",
"gists_url": "https://api.github.com/users/itaysk/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/itaysk",
"id": 1161307,
"login": "itaysk",
"node_id": "MDQ6VXNlcjExNjEzMDc=",
"organizations_url": "https://api.github.com/users/itaysk/orgs",
"received_events_url": "https://api.github.com/users/itaysk/received_events",
"repos_url": "https://api.github.com/users/itaysk/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/itaysk/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/itaysk/subscriptions",
"type": "User",
"url": "https://api.github.com/users/itaysk"
}
}

29
.github/actions/trivy-triage/testutils/fetchDiscussion.sh vendored
View File

@@ -1,29 +0,0 @@
#! /bin/bash
# fetch discussion by discussion number
# requires authenticated gh cli, assumes repo but current git repository
# args:
# $1: discussion number, e.g 123, required
discussion_num="$1"
gh api graphql -F discussion_num="$discussion_num" -F repo="{repo}" -F owner="{owner}" -f query='
query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
repository(name: $repo, owner: $owner) {
discussion(number: $discussion_num) {
number,
id,
body,
category {
id,
name
},
labels(first: 100) {
edges {
node {
id,
name
}
}
}
}
}
}'

16
.github/actions/trivy-triage/testutils/fetchLabels.sh vendored
View File

@@ -1,16 +0,0 @@
#! /bin/bash
# fetch labels and their IDs
# requires authenticated gh cli, assumes repo but current git repository
gh api graphql -F repo="{repo}" -F owner="{owner}" -f query='
query GetLabelIds($owner: String!, $repo: String!) {
repository(name: $repo, owner: $owner) {
id
labels(first: 100) {
nodes {
id
name
}
}
}
}'

16
.github/actions/trivy-triage/testutils/labelDiscussion.sh vendored
View File

@@ -1,16 +0,0 @@
#! /bin/bash
# add a label to a discussion
# requires authenticated gh cli, assumes repo but current git repository
# args:
# $1: discussion ID (not number!), e.g DIC_kwDOE0GiPM4CXnDc, required
# $2: label ID, e.g. MDU6TGFiZWwzNjIzNjY0MjQ=, required
discussion_id="$1"
label_id="$2"
gh api graphql -F labelableId="$discussion_id" -F labelId="$label_id" -F repo="{repo}" -F owner="{owner}" -f query='
mutation AddLabels($labelId: ID!, $labelableId:ID!) {
addLabelsToLabelable(
input: {labelIds: [$labelId], labelableId: $labelableId}
) {
clientMutationId
}
}'

4
.github/dependabot.yml vendored
View File

@@ -21,8 +21,6 @@ updates:
directory: /
schedule:
interval: weekly
ignore:
- dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
groups:
aws:
patterns:
@@ -35,7 +33,5 @@ updates:
patterns:
- "github.com/testcontainers/*"
common:
exclude-patterns:
- "github.com/aquasecurity/trivy-*"
patterns:
- "*"

1
.github/workflows/auto-update-labels.yaml vendored
View File

@@ -20,7 +20,6 @@ jobs:
with:
# cf. https://github.com/aquasecurity/trivy/pull/6711
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install aqua tools
uses: aquaproj/aqua-installer@v3.0.1

58
.github/workflows/backport.yaml vendored
View File

@@ -1,58 +0,0 @@
name: Automatic Backporting
on:
issue_comment:
types: [created]
jobs:
check_permission:
name: Check comment author permissions
runs-on: ubuntu-latest
outputs:
is_maintainer: ${{ steps.check_permission.outputs.is_maintainer }}
steps:
- name: Check permission
id: check_permission
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
echo "is_maintainer=true" >> $GITHUB_OUTPUT
else
echo "is_maintainer=false" >> $GITHUB_OUTPUT
fi
backport:
name: Backport PR
needs: check_permission # run this job after checking permissions
if: |
needs.check_permission.outputs.is_maintainer == 'true' &&
github.event.issue.pull_request &&
github.event.issue.pull_request.merged_at != null &&
startsWith(github.event.comment.body, '@aqua-bot backport release/')
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Extract branch name
run: |
BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Run backport script
run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

4
.github/workflows/bypass-test.yaml vendored
View File

@@ -8,16 +8,12 @@ on:
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json'
- 'helm/trivy/Chart.yaml'
pull_request:
paths:
- '**.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json'
- 'helm/trivy/Chart.yaml'
jobs:
test:
name: Test

88
.github/workflows/cache-test-images.yaml vendored
View File

@@ -1,88 +0,0 @@
name: Cache test images
on:
schedule:
- cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
workflow_dispatch:
jobs:
test-images:
name: Cache test images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
if: github.ref_name == 'main'
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test image cache only for main branch
- name: Restore and save test images cache
if: github.ref_name == 'main'
uses: actions/cache@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Download test images
if: github.ref_name == 'main'
run: mage test:fixtureContainerImages
test-vm-images:
name: Cache test VM images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
if: github.ref_name == 'main'
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test VM image cache only for main branch
- name: Restore and save test VM images cache
if: github.ref_name == 'main'
uses: actions/cache@v4
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-
- name: Download test VM images
if: github.ref_name == 'main'
run: mage test:fixtureVMImages

2
.github/workflows/mkdocs-dev.yaml vendored
View File

@@ -22,7 +22,7 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}

2
.github/workflows/mkdocs-latest.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}

46
.github/workflows/publish-chart.yaml vendored
View File

@@ -4,11 +4,6 @@ name: Publish Helm chart
on:
workflow_dispatch:
pull_request:
types:
- opened
- synchronize
- reopened
- closed
branches:
- main
paths:
@@ -23,10 +18,8 @@ env:
KIND_VERSION: "v0.14.0"
KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
jobs:
# `test-chart` job starts if a PR with Helm Chart is created, merged etc.
test-chart:
if: github.event_name != 'push'
runs-on: ubuntu-24.04
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
@@ -35,12 +28,11 @@ jobs:
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
with:
version: v3.14.4
version: v3.5.0
- name: Set up python
uses: actions/setup-python@v5
with:
python-version: '3.x'
check-latest: true
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
@@ -56,39 +48,11 @@ jobs:
sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
ct lint-and-install --validate-maintainers=false --charts helm/trivy
# `update-chart-version` job starts if a new tag is pushed
update-chart-version:
if: github.event_name == 'push'
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
aqua_opts: ""
- name: Create a PR with Trivy version
run: mage helm:updateVersion
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
# `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
publish-chart:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
needs:
- test-chart
runs-on: ubuntu-24.04
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.6

31
.github/workflows/release-please.yaml vendored
View File

@@ -50,13 +50,12 @@ jobs:
run: |
echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
- name: Tag release
if: ${{ steps.extract_info.outputs.version }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
github-token: ${{ secrets.ORG_REPO_TOKEN }}
script: |
await github.rest.git.createRef({
owner: context.repo.owner,
@@ -65,32 +64,6 @@ jobs:
sha: context.sha
});
# When v0.50.0 is released, a release branch "release/v0.50" is created.
- name: Create release branch for patch versions
if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
script: |
const releaseBranch = '${{ steps.extract_info.outputs.release_branch }}';
await github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `refs/heads/${releaseBranch}`,
sha: context.sha
});
# Add release branch to rulesets to enable merge queue
- name: Add release branch to rulesets
if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
env:
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
shell: bash
run: |
RULESET_ID=$(gh api /repos/${{ github.repository }}/rulesets --jq '.[] | select(.name=="release") | .id')
gh api /repos/${{ github.repository }}/rulesets/$RULESET_ID | jq '{conditions}' | jq '.conditions.ref_name.include += ["refs/heads/${{ steps.extract_info.outputs.release_branch }}"]' | gh api --method put --input - /repos/${{ github.repository }}/rulesets/$RULESET_ID
# Since skip-github-release is specified, googleapis/release-please-action doesn't delete the label from PR.
# This label prevents the subsequent PRs from being created. Therefore, we need to delete it ourselves.
# cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
@@ -98,7 +71,7 @@ jobs:
if: ${{ steps.extract_info.outputs.pr_number }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
github-token: ${{ secrets.ORG_REPO_TOKEN }}
script: |
const prNumber = parseInt('${{ steps.extract_info.outputs.pr_number }}', 10);
github.rest.issues.removeLabel({

19
.github/workflows/reusable-release.yaml vendored
View File

@@ -19,7 +19,7 @@ env:
jobs:
release:
name: Release
runs-on: ubuntu-latest-m
runs-on: ubuntu-latest
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
permissions:
@@ -27,8 +27,17 @@ jobs:
packages: write # For GHCR
contents: read # Not required for public repositories, but for clarity
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
remove-android: 'true'
remove-docker-images: 'true'
remove-dotnet: 'true'
remove-haskell: 'true'
- name: Cosign install
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
@@ -89,9 +98,9 @@ jobs:
mkdir tmp
- name: GoReleaser
uses: goreleaser/goreleaser-action@v6
uses: goreleaser/goreleaser-action@v5
with:
version: v2.1.0
version: v1.20.0
args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
env:
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
@@ -108,7 +117,7 @@ jobs:
# because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
- name: Build and push
if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@v5
with:
platforms: linux/amd64, linux/arm64
file: ./Dockerfile.canary # path to Dockerfile

8
.github/workflows/roadmap.yaml vendored
View File

@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
- uses: actions/add-to-project@v1.0.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
field-values: Backlog
# 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
- uses: actions/add-to-project@v1.0.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
field-values: Important (long-term)
# 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
- uses: actions/add-to-project@v1.0.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
field-values: Important (soon)
# 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
- uses: actions/add-to-project@v1.0.2 # add new issue to project
- uses: actions/add-to-project@v1.0.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}

1
.github/workflows/semantic-pr.yaml vendored
View File

@@ -29,6 +29,7 @@ jobs:
chore
revert
release
BREAKING
scopes: |
vuln

107
.github/workflows/test.yaml vendored
View File

@@ -6,11 +6,7 @@ on:
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json' ## don't run tests for release-please PRs
- 'helm/trivy/Chart.yaml'
merge_group:
workflow_dispatch:
env:
GO_VERSION: '1.22'
jobs:
@@ -21,14 +17,22 @@ jobs:
matrix:
operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 32768 # The golangci-lint uses a lot of space.
remove-android: "true"
remove-docker-images: "true"
remove-dotnet: "true"
remove-haskell: "true"
if: matrix.operating-system == 'ubuntu-latest'
- uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: go mod tidy
run: |
go mod tidy
@@ -40,9 +44,9 @@ jobs:
- name: Lint
id: lint
uses: golangci/golangci-lint-action@v6.1.1
uses: golangci/golangci-lint-action@v6.0.1
with:
version: v1.61
version: v1.58
args: --verbose --out-format=line-number
if: matrix.operating-system == 'ubuntu-latest'
@@ -81,29 +85,12 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Run integration tests
run: mage test:integration
@@ -111,6 +98,15 @@ jobs:
name: K8s Integration Test
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
remove-android: "true"
remove-docker-images: "true"
remove-dotnet: "true"
remove-haskell: "true"
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
@@ -118,7 +114,6 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
@@ -139,29 +134,12 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Run module integration tests
shell: bash
run: |
@@ -171,6 +149,15 @@ jobs:
name: VM Integration Test
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
remove-android: 'true'
remove-docker-images: 'true'
remove-dotnet: 'true'
remove-haskell: 'true'
- name: Checkout
uses: actions/checkout@v4.1.6
@@ -178,29 +165,10 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test VM images from cache
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-
- name: Run vm integration tests
run: |
mage test:vm
@@ -214,6 +182,16 @@ jobs:
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
remove-android: 'true'
remove-docker-images: 'true'
remove-dotnet: 'true'
remove-haskell: 'true'
if: matrix.operating-system == 'ubuntu-latest'
- name: Checkout
uses: actions/checkout@v4.1.6
@@ -221,7 +199,6 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Determine GoReleaser ID
id: goreleaser_id
@@ -236,7 +213,7 @@ jobs:
fi
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
uses: goreleaser/goreleaser-action@v5
with:
version: v2.1.0
version: v1.20.0
args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

16
.github/workflows/triage.yaml vendored
View File

@@ -1,16 +0,0 @@
name: Triage Discussion
on:
discussion:
types: [created]
workflow_dispatch:
inputs:
discussion_num:
required: true
jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/trivy-triage
with:
discussion_num: ${{ github.event.inputs.discussion_num }}

3
.gitignore vendored
View File

@@ -39,6 +39,3 @@ dist
# Signing
gpg.key
cmd/trivy/trivy
# RPM
*.rpm

16
.golangci.yaml
View File

@@ -1,14 +1,4 @@
linters-settings:
depguard:
rules:
main:
list-mode: lax
deny:
# Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
- pkg: "golang.org/x/exp/slices"
desc: "Use 'slices' instead"
- pkg: "golang.org/x/exp/maps"
desc: "Use 'maps' or 'github.com/samber/lo' instead"
dupl:
threshold: 100
errcheck:
@@ -68,7 +58,6 @@ linters-settings:
excludes:
- G101
- G114
- G115
- G204
- G304
- G402
@@ -85,11 +74,13 @@ linters-settings:
ignore-generated-header: true
testifylint:
enable-all: true
disable:
- float-compare
linters:
disable-all: true
enable:
- bodyclose
- depguard
- gci
- goconst
- gocritic
@@ -106,7 +97,6 @@ linters:
- typecheck
- unconvert
- unused
- usestdlibvars
run:
go: '1.22'

2
.release-please-manifest.json
View File

@@ -1 +1 @@
{".":"0.58.2"}
{".":"0.52.1"}

244
.vex/oci.openvex.json
View File

@@ -1,244 +0,0 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-8e30ed756ae8e4196af93bf43edf68360f396a98c0268787453a3443b26e7d6c",
"author": "Aqua Security",
"timestamp": "2024-07-10T12:17:44.60495+04:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2023-42363"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2023-42364"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2023-42365"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2023-42366"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2024-4741"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "openssl is not used"
},
{
"vulnerability": {
"name": "CVE-2024-5535"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "openssl is not used"
},
{
"vulnerability": {
"name": "CVE-2024-6119"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "openssl is not used"
}
]
}

545
.vex/trivy.openvex.json
View File

@@ -1,545 +0,0 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "aquasecurity/trivy:613fd55abbc2857b5ca28b07a26f3cd4c8b0ddc4c8a97c57497a2d4c4880d7fc",
"author": "Aqua Security",
"timestamp": "2024-07-09T11:38:00.115697+04:00",
"version": 1,
"tooling": "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",
"statements": [
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2575",
"name": "GO-2024-2575",
"description": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3",
"aliases": [
"CVE-2024-26147",
"GHSA-r53h-jv2g-vpx6"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/helm.sh/helm/v3",
"identifiers": {
"purl": "pkg:golang/helm.sh/helm/v3"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-1765",
"name": "GO-2023-1765",
"description": "Leaked shared secret and weak blinding in github.com/cloudflare/circl",
"aliases": [
"CVE-2023-1732",
"GHSA-2q89-485c-9j2x"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/cloudflare/circl",
"identifiers": {
"purl": "pkg:golang/github.com/cloudflare/circl"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2512",
"name": "GO-2024-2512",
"description": "Classic builder cache poisoning in github.com/docker/docker",
"aliases": [
"CVE-2024-24557",
"GHSA-xw73-rw38-6vjc"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/docker/docker",
"identifiers": {
"purl": "pkg:golang/github.com/docker/docker"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2453",
"name": "GO-2024-2453",
"description": "Timing side channel in github.com/cloudflare/circl",
"aliases": [
"GHSA-9763-4f94-gfch"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/cloudflare/circl",
"identifiers": {
"purl": "pkg:golang/github.com/cloudflare/circl"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2048",
"name": "GO-2023-2048",
"description": "Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin",
"aliases": [
"GHSA-6xv5-86q9-7xr8"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/cyphar/filepath-securejoin",
"identifiers": {
"purl": "pkg:golang/github.com/cyphar/filepath-securejoin"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2497",
"name": "GO-2024-2497",
"description": "Privilege escalation in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23653",
"GHSA-wr6v-9f75-vh2g"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2102",
"name": "GO-2023-2102",
"description": "HTTP/2 rapid reset can cause excessive work in net/http",
"aliases": [
"CVE-2023-39325",
"GHSA-4374-p667-p6c8"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/golang.org/x/net",
"identifiers": {
"purl": "pkg:golang/golang.org/x/net"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2493",
"name": "GO-2024-2493",
"description": "Host system file access in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23651",
"GHSA-m3r6-h7wv-7xxv"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2491",
"name": "GO-2024-2491",
"description": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
"aliases": [
"CVE-2024-21626",
"GHSA-xr7r-f8xq-vfvv"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/opencontainers/runc",
"identifiers": {
"purl": "pkg:golang/github.com/opencontainers/runc"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2494",
"name": "GO-2024-2494",
"description": "Host system modification in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23652",
"GHSA-4v98-7qmw-rqr8"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2412",
"name": "GO-2023-2412",
"description": "RAPL accessibility in github.com/containerd/containerd",
"aliases": [
"GHSA-7ww5-4wqc-m92c"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/containerd/containerd",
"identifiers": {
"purl": "pkg:golang/github.com/containerd/containerd"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-1988",
"name": "GO-2023-1988",
"description": "Improper rendering of text nodes in golang.org/x/net/html",
"aliases": [
"CVE-2023-3978",
"GHSA-2wrh-6pvc-2jm9"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/golang.org/x/net",
"identifiers": {
"purl": "pkg:golang/golang.org/x/net"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2492",
"name": "GO-2024-2492",
"description": "Panic in github.com/moby/buildkit",
"aliases": [
"CVE-2024-23650",
"GHSA-9p26-698r-w4hx"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/moby/buildkit",
"identifiers": {
"purl": "pkg:golang/github.com/moby/buildkit"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2022-0646",
"name": "GO-2022-0646",
"description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
"aliases": [
"CVE-2020-8911",
"CVE-2020-8912",
"GHSA-7f33-f4f5-xwgw",
"GHSA-f5pg-7wfw-84q9"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/aws/aws-sdk-go",
"identifiers": {
"purl": "pkg:golang/github.com/aws/aws-sdk-go"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2153",
"name": "GO-2023-2153",
"description": "Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc",
"aliases": [
"GHSA-m425-mq94-257g"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/google.golang.org/grpc",
"identifiers": {
"purl": "pkg:golang/google.golang.org/grpc"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3105",
"name": "GO-2024-3105",
"description": "Stack exhaustion in all Parse functions in go/parser",
"aliases": [
"CVE-2024-34155"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/stdlib",
"identifiers": {
"purl": "pkg:golang/stdlib"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3106",
"name": "GO-2024-3106",
"description": "Stack exhaustion in Decoder.Decode in encoding/gob",
"aliases": [
"CVE-2024-34156"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/stdlib",
"identifiers": {
"purl": "pkg:golang/stdlib"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3107",
"name": "GO-2024-3107",
"description": "Stack exhaustion in Parse in go/build/constraint",
"aliases": [
"CVE-2024-34158"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/stdlib",
"identifiers": {
"purl": "pkg:golang/stdlib"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
}
]
}

315
CHANGELOG.md
View File

@@ -1,319 +1,14 @@
# Changelog
## [0.58.2](https://github.com/aquasecurity/trivy/compare/v0.58.1...v0.58.2) (2025-01-13)
## [0.52.1](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.52.1) (2024-06-10)
### Bug Fixes
* CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] ([#8215](https://github.com/aquasecurity/trivy/issues/8215)) ([b733ecc](https://github.com/aquasecurity/trivy/commit/b733ecc7bc752d61837d08f2650bd480b645bb1d))
* **misconf:** allow null values only for tf variables [backport: release/v0.58] ([#8238](https://github.com/aquasecurity/trivy/issues/8238)) ([f72d2bc](https://github.com/aquasecurity/trivy/commit/f72d2bce8d3418dbcb670434bc15bb857b421f98))
* **suse:** SUSE - update OSType constants and references for compatility [backport: release/v0.58] ([#8237](https://github.com/aquasecurity/trivy/issues/8237)) ([2896367](https://github.com/aquasecurity/trivy/commit/289636758eccf990f36ea2be34f6db2c02cfab6b))
## [0.58.1](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.58.1) (2024-12-24)
### Bug Fixes
* handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] ([#8121](https://github.com/aquasecurity/trivy/issues/8121)) ([9a56e7c](https://github.com/aquasecurity/trivy/commit/9a56e7cd6964ffd4187a8e44a36d49b54587db56))
* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] ([#8119](https://github.com/aquasecurity/trivy/issues/8119)) ([4278a09](https://github.com/aquasecurity/trivy/commit/4278a09f59590ee16494e0a1ad31fb374f2e243f))
* **oracle:** add architectures support for advisories [backport: release/v0.58] ([#8125](https://github.com/aquasecurity/trivy/issues/8125)) ([89b341f](https://github.com/aquasecurity/trivy/commit/89b341f0c6dc7f24239f9a9e4809524ec289a864))
* **python:** skip dev group's deps for poetry [backport: release/v0.58] ([#8158](https://github.com/aquasecurity/trivy/issues/8158)) ([8b93081](https://github.com/aquasecurity/trivy/commit/8b930816bc527166ced5d57754ad7fccb1cef832))
* **redhat:** correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] ([#8135](https://github.com/aquasecurity/trivy/issues/8135)) ([33818e1](https://github.com/aquasecurity/trivy/commit/33818e121f989fd12c15aa65affd2d01b867db61))
* **sbom:** attach nested packages to Application [backport: release/v0.58] ([#8168](https://github.com/aquasecurity/trivy/issues/8168)) ([03160e4](https://github.com/aquasecurity/trivy/commit/03160e4fd1b0a6aef8c4f3d96529e68fed7e70ee))
* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] ([#8124](https://github.com/aquasecurity/trivy/issues/8124)) ([f842fe1](https://github.com/aquasecurity/trivy/commit/f842fe1675b434e72a8194628525c42fd3e155af))
* **sbom:** use root package for `unknown` dependencies (if exists) [backport: release/v0.58] ([#8156](https://github.com/aquasecurity/trivy/issues/8156)) ([18cd1a5](https://github.com/aquasecurity/trivy/commit/18cd1a59cbb32d87371fe8ab24497f06855e0c80))
## [0.58.0](https://github.com/aquasecurity/trivy/compare/v0.57.0...v0.58.0) (2024-12-02)
### Features
* add `workspaceRelationship` ([#7889](https://github.com/aquasecurity/trivy/issues/7889)) ([d622ca2](https://github.com/aquasecurity/trivy/commit/d622ca2b1fe40a0eb588478ba9e15d3bd8471a78))
* add cvss v4 score and vector in scan response ([#7968](https://github.com/aquasecurity/trivy/issues/7968)) ([e0f2054](https://github.com/aquasecurity/trivy/commit/e0f2054f9d12dce87e8a0226350f6317f7167195))
* **go:** construct dependencies in the parser ([#7973](https://github.com/aquasecurity/trivy/issues/7973)) ([bcdc0bb](https://github.com/aquasecurity/trivy/commit/bcdc0bbf1f63777ff79d3ecadb8d4f916f376b7d))
* **go:** construct dependencies of `go.mod` main module in the parser ([#7977](https://github.com/aquasecurity/trivy/issues/7977)) ([5448ba2](https://github.com/aquasecurity/trivy/commit/5448ba2a5c1ee36cbcf74ee1c2e83409092c5715))
* **k8s:** add default commands for unknown platform ([#7863](https://github.com/aquasecurity/trivy/issues/7863)) ([b1c7f55](https://github.com/aquasecurity/trivy/commit/b1c7f5516fc39c6cbb76cbeae5c8677ccc9ce5dd))
* **misconf:** log causes of HCL file parsing errors ([#7634](https://github.com/aquasecurity/trivy/issues/7634)) ([e9a899a](https://github.com/aquasecurity/trivy/commit/e9a899a3cfe41a622202808a0241b7f40b54d338))
* **oracle:** add `flavors` support ([#7858](https://github.com/aquasecurity/trivy/issues/7858)) ([b9b383e](https://github.com/aquasecurity/trivy/commit/b9b383eb2714e88357af75900c856db2900b83ec))
* **secret:** Add built-in secrets rules for Private Packagist ([#7826](https://github.com/aquasecurity/trivy/issues/7826)) ([132d9df](https://github.com/aquasecurity/trivy/commit/132d9dfa19a8835c94f332c6939ab7f64641ee5f))
* **suse:** Align SUSE/OpenSUSE OS Identifiers ([#7965](https://github.com/aquasecurity/trivy/issues/7965)) ([45d3b40](https://github.com/aquasecurity/trivy/commit/45d3b40044202dec91384847ce2b50a7271f5977))
* Update registry fallbacks ([#7679](https://github.com/aquasecurity/trivy/issues/7679)) ([5ba9a83](https://github.com/aquasecurity/trivy/commit/5ba9a83a447c4f9e577ae6235c315df71f50b452))
### Bug Fixes
* **alpine:** add `UID` for removed packages ([#7887](https://github.com/aquasecurity/trivy/issues/7887)) ([07915da](https://github.com/aquasecurity/trivy/commit/07915da4816d4d9ec8a6c5e4cba17be2a0f4ad65))
* **aws:** change CPU and Memory type of ContainerDefinition to a string ([#7995](https://github.com/aquasecurity/trivy/issues/7995)) ([aeeba70](https://github.com/aquasecurity/trivy/commit/aeeba70d15c11443d9fe7c26f90fc7d9dcc7f92c))
* **cli:** Handle empty ignore files more gracefully ([#7962](https://github.com/aquasecurity/trivy/issues/7962)) ([4cfb2a9](https://github.com/aquasecurity/trivy/commit/4cfb2a97b27923182ab45c178544542ec65981d4))
* **debian:** infinite loop ([#7928](https://github.com/aquasecurity/trivy/issues/7928)) ([d982e6a](https://github.com/aquasecurity/trivy/commit/d982e6ab89967629f71ec09100cdc61e30a27c63))
* **fs:** add missing defered Cleanup() call to post analyzer fs ([#7882](https://github.com/aquasecurity/trivy/issues/7882)) ([ab32297](https://github.com/aquasecurity/trivy/commit/ab32297e0a8220a427fa330025f8625281e02275))
* Improve version comparisons when build identifiers are present ([#7873](https://github.com/aquasecurity/trivy/issues/7873)) ([eda4d76](https://github.com/aquasecurity/trivy/commit/eda4d7660d8908705bc08a6edc55d8144d02806a))
* **k8s:** check all results for vulnerabilities ([#7946](https://github.com/aquasecurity/trivy/issues/7946)) ([797b36f](https://github.com/aquasecurity/trivy/commit/797b36fbad90b8e7f04e16e2cf08d6bdc0255ac7))
* **misconf:** do not erase variable type for child modules ([#7941](https://github.com/aquasecurity/trivy/issues/7941)) ([de3b7ea](https://github.com/aquasecurity/trivy/commit/de3b7ea24c282bce22ce9cacb49a43d8d90e2bde))
* **misconf:** handle null properties in CloudFormation templates ([#7813](https://github.com/aquasecurity/trivy/issues/7813)) ([99b2db3](https://github.com/aquasecurity/trivy/commit/99b2db3978562689cef956a71281abb84ff0ce47))
* **misconf:** load full Terraform module ([#7925](https://github.com/aquasecurity/trivy/issues/7925)) ([fbc42a0](https://github.com/aquasecurity/trivy/commit/fbc42a04ea24e2246f81491434a965846d55ed69))
* **misconf:** properly resolve local Terraform cache ([#7983](https://github.com/aquasecurity/trivy/issues/7983)) ([fe3a897](https://github.com/aquasecurity/trivy/commit/fe3a8971b6697d896c1ec30b5326a10c20349d14))
* **misconf:** Update trivy-checks default repo to `mirror.gcr.io` ([#7953](https://github.com/aquasecurity/trivy/issues/7953)) ([9988147](https://github.com/aquasecurity/trivy/commit/9988147b8b0e463464fe494122bfcc66ccdf04e0))
* **misconf:** wrap AWS EnvVar to iac types ([#7407](https://github.com/aquasecurity/trivy/issues/7407)) ([54130dc](https://github.com/aquasecurity/trivy/commit/54130dcc1d775506d34b83a558952176fc549914))
* **redhat:** don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files ([#7912](https://github.com/aquasecurity/trivy/issues/7912)) ([38775a5](https://github.com/aquasecurity/trivy/commit/38775a5ed985eefe2b410e72407c454cdad3d075))
* **report:** handle `git@github.com` schema for misconfigs in `sarif` report ([#7898](https://github.com/aquasecurity/trivy/issues/7898)) ([19aea4b](https://github.com/aquasecurity/trivy/commit/19aea4b01f3ce5a3cd05d5a1091da5b0b3ba4af6))
* **sbom:** Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details ([#7871](https://github.com/aquasecurity/trivy/issues/7871)) ([461a68a](https://github.com/aquasecurity/trivy/commit/461a68afd60b77dd67e91047b3b4d558fa5bd2ec))
* **terraform:** set null value as fallback for missing variables ([#7669](https://github.com/aquasecurity/trivy/issues/7669)) ([611558e](https://github.com/aquasecurity/trivy/commit/611558e4ce61818330118684274534f26b1fda99))
## [0.57.0](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.57.0) (2024-10-31)
### ⚠ BREAKING CHANGES
* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444))
### Features
* add end of life date for Ubuntu 24.10 ([#7787](https://github.com/aquasecurity/trivy/issues/7787)) ([ad3c09e](https://github.com/aquasecurity/trivy/commit/ad3c09e006e134f3c5b879ffc34ce9895a8c860f))
* **cli:** add `trivy auth` ([#7664](https://github.com/aquasecurity/trivy/issues/7664)) ([27117f8](https://github.com/aquasecurity/trivy/commit/27117f81d52483c3ceec56fe56ac298e242fbc9a))
* **cli:** error out when ignore file cannot be found ([#7624](https://github.com/aquasecurity/trivy/issues/7624)) ([cb0b3a9](https://github.com/aquasecurity/trivy/commit/cb0b3a9279b31810ecd686a385e5140e567ce86f))
* **cli:** rename `trivy auth` to `trivy registry` ([#7727](https://github.com/aquasecurity/trivy/issues/7727)) ([633a7ab](https://github.com/aquasecurity/trivy/commit/633a7abeea4287899392a24f2705f96dfeb7e312))
* **cyclonedx:** add file checksums to `CycloneDX` reports ([#7507](https://github.com/aquasecurity/trivy/issues/7507)) ([c225883](https://github.com/aquasecurity/trivy/commit/c225883649f58128a99fa2c1cef327d0e57940be))
* **db:** append errors ([#7843](https://github.com/aquasecurity/trivy/issues/7843)) ([5e78b6c](https://github.com/aquasecurity/trivy/commit/5e78b6c12fb5740c12dedeea3d335d48ec2f752b))
* **misconf:** export unresolvable field of IaC types to Rego ([#7765](https://github.com/aquasecurity/trivy/issues/7765)) ([9514148](https://github.com/aquasecurity/trivy/commit/9514148767865baddd73a49245385574927f7a74))
* **misconf:** public network support for Azure Storage Account ([#7601](https://github.com/aquasecurity/trivy/issues/7601)) ([ad91412](https://github.com/aquasecurity/trivy/commit/ad914123c4d203af1e1da6b7e2d3e49d9d3831d8))
* **misconf:** Show misconfig ID in output ([#7762](https://github.com/aquasecurity/trivy/issues/7762)) ([f75c0d1](https://github.com/aquasecurity/trivy/commit/f75c0d1f0069d4856cb4826d6049f32c5b9409d9))
* **misconf:** ssl_mode support for GCP SQL DB instance ([#7564](https://github.com/aquasecurity/trivy/issues/7564)) ([2eaa17e](https://github.com/aquasecurity/trivy/commit/2eaa17e0717940b27a79050e2efd9213b71178c9))
* **parser:** ignore white space in pom.xml files ([#7747](https://github.com/aquasecurity/trivy/issues/7747)) ([a7baa93](https://github.com/aquasecurity/trivy/commit/a7baa93b00b8636aa097e64cdb8eed97dbd68511))
* **report:** update gitlab template to populate operating_system value ([#7735](https://github.com/aquasecurity/trivy/issues/7735)) ([c0d79fa](https://github.com/aquasecurity/trivy/commit/c0d79fa09e645f3a3dbff878e393b8631fb17b64))
### Bug Fixes
* **cli:** `clean --all` deletes only relevant dirs ([#7704](https://github.com/aquasecurity/trivy/issues/7704)) ([672e886](https://github.com/aquasecurity/trivy/commit/672e886aed152ae0f09a16941706746f3053ca94))
* **cli:** add config name to skip-policy-update alias ([#7820](https://github.com/aquasecurity/trivy/issues/7820)) ([b661d68](https://github.com/aquasecurity/trivy/commit/b661d680ff0372c8e4beea0db13bf69d6a2203a8))
* **db:** fix javadb downloading error handling ([#7642](https://github.com/aquasecurity/trivy/issues/7642)) ([2c87f0c](https://github.com/aquasecurity/trivy/commit/2c87f0cb794acd77446a273582ba1a45b9f18980))
* enable usestdlibvars linter ([#7770](https://github.com/aquasecurity/trivy/issues/7770)) ([57e24aa](https://github.com/aquasecurity/trivy/commit/57e24aa85382f749df7f673e241caaf3fcbb45cb))
* **go:** Do not trim v prefix from versions in Go Mod Analyzer ([#7733](https://github.com/aquasecurity/trivy/issues/7733)) ([e872ec0](https://github.com/aquasecurity/trivy/commit/e872ec006c0745a5a142728af0096c6d6bb9ddf3))
* **helm:** properly handle multiple archived dependencies ([#7782](https://github.com/aquasecurity/trivy/issues/7782)) ([6fab88d](https://github.com/aquasecurity/trivy/commit/6fab88dd56c257ef2cc63b617c2a5decb1c4cf98))
* **java:** correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents ([#7541](https://github.com/aquasecurity/trivy/issues/7541)) ([778df82](https://github.com/aquasecurity/trivy/commit/778df828eaad9827cb833c6285058a33aa2b83ca))
* **k8s:** skip resources without misconfigs ([#7797](https://github.com/aquasecurity/trivy/issues/7797)) ([7882776](https://github.com/aquasecurity/trivy/commit/78827768a612ab305bf9c55409ce76d6774302a5))
* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444)) ([c434775](https://github.com/aquasecurity/trivy/commit/c4347759234dcb5f372b07f92fb4230ef391d710))
* **k8s:** support kubernetes v1.31 ([#7810](https://github.com/aquasecurity/trivy/issues/7810)) ([7a4f4d8](https://github.com/aquasecurity/trivy/commit/7a4f4d8b12996687f3095a2042cdf2f5985332c9))
* **license:** fix license normalization for Universal Permissive License ([#7766](https://github.com/aquasecurity/trivy/issues/7766)) ([f6acdf7](https://github.com/aquasecurity/trivy/commit/f6acdf713991f8ffdbe765178fcb8a9cde433cba))
* **misconf:** change default ACL of digitalocean_spaces_bucket to private ([#7577](https://github.com/aquasecurity/trivy/issues/7577)) ([9da84f5](https://github.com/aquasecurity/trivy/commit/9da84f54fadbe6ad0d73983952e945ed63b666f3))
* **misconf:** check if property is not nil before conversion ([#7578](https://github.com/aquasecurity/trivy/issues/7578)) ([c8c14d3](https://github.com/aquasecurity/trivy/commit/c8c14d36245623019f29d258f813d2325f7490f7))
* **misconf:** fix for Azure Storage Account network acls adaptation ([#7602](https://github.com/aquasecurity/trivy/issues/7602)) ([35fd018](https://github.com/aquasecurity/trivy/commit/35fd018ae7ad86823f114f0ac2f1376726aee444))
* **misconf:** properly expand dynamic blocks ([#7612](https://github.com/aquasecurity/trivy/issues/7612)) ([8d5dbc9](https://github.com/aquasecurity/trivy/commit/8d5dbc9fec3569b22ed81a03c40eaf732768718b))
* **redhat:** include arch in PURL qualifiers ([#7654](https://github.com/aquasecurity/trivy/issues/7654)) ([a585e95](https://github.com/aquasecurity/trivy/commit/a585e95f3398631d9ad10505c5ff642fde21aef7))
* **repo:** `git clone` output to Stderr ([#7561](https://github.com/aquasecurity/trivy/issues/7561)) ([fdf203c](https://github.com/aquasecurity/trivy/commit/fdf203cd209aeb40f454bd12d121a54d6ed7a542))
* **report:** Fix invalid URI in SARIF report ([#7645](https://github.com/aquasecurity/trivy/issues/7645)) ([015bb88](https://github.com/aquasecurity/trivy/commit/015bb885ac414b91201fa9791eead395d878149c))
* **sbom:** add options for DBs in private registries ([#7660](https://github.com/aquasecurity/trivy/issues/7660)) ([1f2e91b](https://github.com/aquasecurity/trivy/commit/1f2e91b02b3606dd11963002a8cfac7962f3478f))
* **sbom:** use `Annotation` instead of `AttributionTexts` for `SPDX` formats ([#7811](https://github.com/aquasecurity/trivy/issues/7811)) ([f2bb9c6](https://github.com/aquasecurity/trivy/commit/f2bb9c6227743dd61f44eb591d4b15192fe110c6))
## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-10-03)
### Features
* **java:** add empty versions if `pom.xml` dependency versions can't be detected ([#7520](https://github.com/aquasecurity/trivy/issues/7520)) ([b836232](https://github.com/aquasecurity/trivy/commit/b8362321adb2af220830c5de31c29978423d47da))
* **license:** improve license normalization ([#7131](https://github.com/aquasecurity/trivy/issues/7131)) ([6472e3c](https://github.com/aquasecurity/trivy/commit/6472e3c9da2a8e7ba41598a45c80df8f18e57d4c))
* **misconf:** add ability to disable checks by ID ([#7536](https://github.com/aquasecurity/trivy/issues/7536)) ([ef0a27d](https://github.com/aquasecurity/trivy/commit/ef0a27d515ff80762bf1959d44a8bde017ae06ec))
* **misconf:** Register checks only when needed ([#7435](https://github.com/aquasecurity/trivy/issues/7435)) ([f768d3a](https://github.com/aquasecurity/trivy/commit/f768d3a767a99a86b0372f19d9f49a2de35dbe59))
* **misconf:** Support `--skip-*` for all included modules ([#7579](https://github.com/aquasecurity/trivy/issues/7579)) ([c0e8da3](https://github.com/aquasecurity/trivy/commit/c0e8da3828e9d3a0b30d1f6568037db8dc827765))
* **secret:** enhance secret scanning for python binary files ([#7223](https://github.com/aquasecurity/trivy/issues/7223)) ([60725f8](https://github.com/aquasecurity/trivy/commit/60725f879ba014c5c57583db6afc290b78facae8))
* support multiple DB repositories for vulnerability and Java DB ([#7605](https://github.com/aquasecurity/trivy/issues/7605)) ([3562529](https://github.com/aquasecurity/trivy/commit/3562529ddfb26d301311ed450c192e17011353df))
* support RPM archives ([#7628](https://github.com/aquasecurity/trivy/issues/7628)) ([69bf7e0](https://github.com/aquasecurity/trivy/commit/69bf7e00ea5ab483692db830fdded26a31f03183))
* **suse:** added SUSE Linux Enterprise Micro support ([#7294](https://github.com/aquasecurity/trivy/issues/7294)) ([efdb68d](https://github.com/aquasecurity/trivy/commit/efdb68d3b9ddf9dfaf45ea5855b31c43a4366bab))
### Bug Fixes
* allow access to '..' in mapfs ([#7575](https://github.com/aquasecurity/trivy/issues/7575)) ([a8fbe46](https://github.com/aquasecurity/trivy/commit/a8fbe46119adbd89f827a75c75b9e97d392f1842))
* **db:** check `DownloadedAt` for `trivy-java-db` ([#7592](https://github.com/aquasecurity/trivy/issues/7592)) ([13ef3e7](https://github.com/aquasecurity/trivy/commit/13ef3e7d62ba2bcb3a04d7b44f79b1299674b480))
* **java:** use `dependencyManagement` from root/child pom's for dependencies from parents ([#7497](https://github.com/aquasecurity/trivy/issues/7497)) ([5442949](https://github.com/aquasecurity/trivy/commit/54429497e7d6a87eac236771d4efb8a5a7faaac5))
* **license:** stop spliting a long license text ([#7336](https://github.com/aquasecurity/trivy/issues/7336)) ([4926da7](https://github.com/aquasecurity/trivy/commit/4926da79de901fba73819d71845ec0355b68ae0f))
* **misconf:** Disable deprecated checks by default ([#7632](https://github.com/aquasecurity/trivy/issues/7632)) ([82e2adc](https://github.com/aquasecurity/trivy/commit/82e2adc6f8e68d0cc0021031170c2adb60d213ba))
* **misconf:** disable DS016 check for image history analyzer ([#7540](https://github.com/aquasecurity/trivy/issues/7540)) ([de40df9](https://github.com/aquasecurity/trivy/commit/de40df9408d6d856a3ad384ec9f086edce3aa382))
* **misconf:** escape all special sequences ([#7558](https://github.com/aquasecurity/trivy/issues/7558)) ([ea0cf03](https://github.com/aquasecurity/trivy/commit/ea0cf0379aff0348fde87356dab37947800fc1b6))
* **misconf:** Fix logging typo ([#7473](https://github.com/aquasecurity/trivy/issues/7473)) ([56db43c](https://github.com/aquasecurity/trivy/commit/56db43c24f4f6be92891be85faaf9492cad516ac))
* **misconf:** Fixed scope for China Cloud ([#7560](https://github.com/aquasecurity/trivy/issues/7560)) ([37d549e](https://github.com/aquasecurity/trivy/commit/37d549e5b86a1c5dce6710fbfd2310aec9abe949))
* **misconf:** not to warn about missing selectors of libraries ([#7638](https://github.com/aquasecurity/trivy/issues/7638)) ([fcaea74](https://github.com/aquasecurity/trivy/commit/fcaea740808d5784c120e5c5d65f5f94e1d931d4))
* **oracle:** Update EOL date for Oracle 7 ([#7480](https://github.com/aquasecurity/trivy/issues/7480)) ([dd0a64a](https://github.com/aquasecurity/trivy/commit/dd0a64a1cf0cd76e6f81e3ff55fa6ccb95ce3c3d))
* **report:** change a receiver of MarshalJSON ([#7483](https://github.com/aquasecurity/trivy/issues/7483)) ([927c6e0](https://github.com/aquasecurity/trivy/commit/927c6e0c9d4d4a3f1be00f0f661c1d18325d9440))
* **report:** fix error with unmarshal of `ExperimentalModifiedFindings` ([#7463](https://github.com/aquasecurity/trivy/issues/7463)) ([7ff9aff](https://github.com/aquasecurity/trivy/commit/7ff9aff2739b2eee4a98175b98914795e4077060))
* **sbom:** export bom-ref when converting a package to a component ([#7340](https://github.com/aquasecurity/trivy/issues/7340)) ([5dd94eb](https://github.com/aquasecurity/trivy/commit/5dd94ebc1ffe3f1df511dee6381f92a5daefadf2))
* **sbom:** parse type `framework` as `library` when unmarshalling `CycloneDX` files ([#7527](https://github.com/aquasecurity/trivy/issues/7527)) ([aeb7039](https://github.com/aquasecurity/trivy/commit/aeb7039d7ce090e243d29f0bf16c9e4e24252a01))
* **secret:** change grafana token regex to find them without unquoted ([#7627](https://github.com/aquasecurity/trivy/issues/7627)) ([3e1fa21](https://github.com/aquasecurity/trivy/commit/3e1fa2100074e840bacdd65947425b08750b7d9a))
### Performance Improvements
* **misconf:** use port ranges instead of enumeration ([#7549](https://github.com/aquasecurity/trivy/issues/7549)) ([1f9fc13](https://github.com/aquasecurity/trivy/commit/1f9fc13da4a1e7c76c978e4f8e119bfd61a0480e))
### Reverts
* **java:** stop supporting of `test` scope for `pom.xml` files ([#7488](https://github.com/aquasecurity/trivy/issues/7488)) ([b0222fe](https://github.com/aquasecurity/trivy/commit/b0222feeb586ec59904bb321fda8f3f22496d07b))
## [0.55.0](https://github.com/aquasecurity/trivy/compare/v0.54.0...v0.55.0) (2024-09-03)
### ⚠ BREAKING CHANGES
* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266))
### Features
* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266)) ([7024572](https://github.com/aquasecurity/trivy/commit/70245721372720027b7089bd61c693df48add865))
* **go:** use `toolchain` as `stdlib` version for `go.mod` files ([#7163](https://github.com/aquasecurity/trivy/issues/7163)) ([2d80769](https://github.com/aquasecurity/trivy/commit/2d80769c34b118851640411fff9dac0b3e353e82))
* **java:** add `test` scope support for `pom.xml` files ([#7414](https://github.com/aquasecurity/trivy/issues/7414)) ([2d97700](https://github.com/aquasecurity/trivy/commit/2d97700d10665142d2f66d7910202bec82116209))
* **misconf:** Add support for using spec from on-disk bundle ([#7179](https://github.com/aquasecurity/trivy/issues/7179)) ([be86126](https://github.com/aquasecurity/trivy/commit/be861265cafc89787fda09c59b2ef175e3d04204))
* **misconf:** ignore duplicate checks ([#7317](https://github.com/aquasecurity/trivy/issues/7317)) ([9ef05fc](https://github.com/aquasecurity/trivy/commit/9ef05fc6b171a264516a025b0b0bcbbc8cff10bc))
* **misconf:** iterator argument support for dynamic blocks ([#7236](https://github.com/aquasecurity/trivy/issues/7236)) ([fe92072](https://github.com/aquasecurity/trivy/commit/fe9207255a4f7f984ec1447f8a9219ae60e560c4))
* **misconf:** port and protocol support for EC2 networks ([#7146](https://github.com/aquasecurity/trivy/issues/7146)) ([98e136e](https://github.com/aquasecurity/trivy/commit/98e136eb7baa2b66f4233d96875c1490144e1594))
* **misconf:** scanning support for YAML and JSON ([#7311](https://github.com/aquasecurity/trivy/issues/7311)) ([efdbd8f](https://github.com/aquasecurity/trivy/commit/efdbd8f19ab0ab0c3b48293d43e51c81b7b03b89))
* **misconf:** support for ignore by nested attributes ([#7205](https://github.com/aquasecurity/trivy/issues/7205)) ([44e4686](https://github.com/aquasecurity/trivy/commit/44e468603d44b077cc4606327fb3e7d7ca435e05))
* **misconf:** support for policy and bucket grants ([#7284](https://github.com/aquasecurity/trivy/issues/7284)) ([a817fae](https://github.com/aquasecurity/trivy/commit/a817fae85b7272b391b737ec86673a7cab722bae))
* **misconf:** variable support for Terraform Plan ([#7228](https://github.com/aquasecurity/trivy/issues/7228)) ([db2c955](https://github.com/aquasecurity/trivy/commit/db2c95598da098ca610825089eb4ab63b789b215))
* **python:** use minimum version for pip packages ([#7348](https://github.com/aquasecurity/trivy/issues/7348)) ([e9b43f8](https://github.com/aquasecurity/trivy/commit/e9b43f81e67789b067352fcb6aa55bc9478bc518))
* **report:** export modified findings in JSON ([#7383](https://github.com/aquasecurity/trivy/issues/7383)) ([7aea79d](https://github.com/aquasecurity/trivy/commit/7aea79dd93cfb61453766dbbb2e3fc0fbd317852))
* **sbom:** set User-Agent header on requests to Rekor ([#7396](https://github.com/aquasecurity/trivy/issues/7396)) ([af1d257](https://github.com/aquasecurity/trivy/commit/af1d257730422d238871beb674767f8f83c5d06a))
* **server:** add internal `--path-prefix` flag for client/server mode ([#7321](https://github.com/aquasecurity/trivy/issues/7321)) ([24a4563](https://github.com/aquasecurity/trivy/commit/24a45636867b893ff54c5ce07197f3b5c6db1d9b))
* **server:** Make Trivy Server Multiplexer Exported ([#7389](https://github.com/aquasecurity/trivy/issues/7389)) ([4c6e8ca](https://github.com/aquasecurity/trivy/commit/4c6e8ca9cc9591799907cc73075f2d740e303b8f))
* **vm:** Support direct filesystem ([#7058](https://github.com/aquasecurity/trivy/issues/7058)) ([45b3f34](https://github.com/aquasecurity/trivy/commit/45b3f344042bcd90ca63ab696b69bff0e9ab4e36))
* **vm:** support the Ext2/Ext3 filesystems ([#6983](https://github.com/aquasecurity/trivy/issues/6983)) ([35c60f0](https://github.com/aquasecurity/trivy/commit/35c60f030fa48de8d8e57958e5ba379814126831))
* **vuln:** Add `--detection-priority` flag for accuracy tuning ([#7288](https://github.com/aquasecurity/trivy/issues/7288)) ([fd8348d](https://github.com/aquasecurity/trivy/commit/fd8348d610f20c6c33da81cd7b0e7d5504ce26be))
### Bug Fixes
* **aws:** handle ECR repositories in different regions ([#6217](https://github.com/aquasecurity/trivy/issues/6217)) ([feaef96](https://github.com/aquasecurity/trivy/commit/feaef9699df5d8ca399770e701a59d7c0ff979a3))
* **flag:** incorrect behavior for deprected flag `--clear-cache` ([#7281](https://github.com/aquasecurity/trivy/issues/7281)) ([2a0e529](https://github.com/aquasecurity/trivy/commit/2a0e529c36057b572119815af59c28e4790034ca))
* **helm:** explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element ([#7362](https://github.com/aquasecurity/trivy/issues/7362)) ([da4ebfa](https://github.com/aquasecurity/trivy/commit/da4ebfa1a741f3f8b0b43289b4028afe763f7d43))
* **java:** Return error when trying to find a remote pom to avoid segfault ([#7275](https://github.com/aquasecurity/trivy/issues/7275)) ([49d5270](https://github.com/aquasecurity/trivy/commit/49d5270163e305f88fedcf50412973736e69dc69))
* **license:** add license handling to JUnit template ([#7409](https://github.com/aquasecurity/trivy/issues/7409)) ([f80183c](https://github.com/aquasecurity/trivy/commit/f80183c1139b21bb95bc64e216358f4a76001a65))
* logger initialization before flags parsing ([#7372](https://github.com/aquasecurity/trivy/issues/7372)) ([c929290](https://github.com/aquasecurity/trivy/commit/c929290c3c0e4e91337264d69e75ccb60522bc65))
* **misconf:** change default TLS values for the Azure storage account ([#7345](https://github.com/aquasecurity/trivy/issues/7345)) ([aadb090](https://github.com/aquasecurity/trivy/commit/aadb09078843250c66087f46db9a2aa48094a118))
* **misconf:** do not filter Terraform plan JSON by name ([#7406](https://github.com/aquasecurity/trivy/issues/7406)) ([9d7264a](https://github.com/aquasecurity/trivy/commit/9d7264af8e85bcc0dba600b8366d0470d455251c))
* **misconf:** do not recreate filesystem map ([#7416](https://github.com/aquasecurity/trivy/issues/7416)) ([3a5d091](https://github.com/aquasecurity/trivy/commit/3a5d091759564496992a83fb2015a21c84a22213))
* **misconf:** do not register Rego libs in checks registry ([#7420](https://github.com/aquasecurity/trivy/issues/7420)) ([a5aa63e](https://github.com/aquasecurity/trivy/commit/a5aa63eff7e229744090f9ad300c1bec3259397e))
* **misconf:** do not set default value for default_cache_behavior ([#7234](https://github.com/aquasecurity/trivy/issues/7234)) ([f0ed5e4](https://github.com/aquasecurity/trivy/commit/f0ed5e4ced7e60af35c88d5d084aa4b7237f4973))
* **misconf:** fix infer type for null value ([#7424](https://github.com/aquasecurity/trivy/issues/7424)) ([0cac3ac](https://github.com/aquasecurity/trivy/commit/0cac3ac7075017628a21a7990941df04cbc16dbe))
* **misconf:** init frameworks before updating them ([#7376](https://github.com/aquasecurity/trivy/issues/7376)) ([b65b32d](https://github.com/aquasecurity/trivy/commit/b65b32ddfa6fc62ac81ad9fa580e1f5a327864f5))
* **misconf:** load only submodule if it is specified in source ([#7112](https://github.com/aquasecurity/trivy/issues/7112)) ([a4180bd](https://github.com/aquasecurity/trivy/commit/a4180bddd43d86e479edf0afe0c362021d071482))
* **misconf:** support deprecating for Go checks ([#7377](https://github.com/aquasecurity/trivy/issues/7377)) ([2a6c7ab](https://github.com/aquasecurity/trivy/commit/2a6c7ab3b338ce4a8f99d6ac3508c2531dcbe812))
* **misconf:** use module to log when metadata retrieval fails ([#7405](https://github.com/aquasecurity/trivy/issues/7405)) ([0799770](https://github.com/aquasecurity/trivy/commit/0799770b8827a8276ad0d6d9ac7e0381c286757c))
* **misconf:** wrap Azure PortRange in iac types ([#7357](https://github.com/aquasecurity/trivy/issues/7357)) ([c5c62d5](https://github.com/aquasecurity/trivy/commit/c5c62d5ff05420321f9cdbfb93e2591e0866a342))
* **nodejs:** check all `importers` to detect dev deps from pnpm-lock.yaml file ([#7387](https://github.com/aquasecurity/trivy/issues/7387)) ([fd9ed3a](https://github.com/aquasecurity/trivy/commit/fd9ed3a330bc66e229bcbdc262dc296a3bf01f54))
* **plugin:** do not call GitHub content API for releases and tags ([#7274](https://github.com/aquasecurity/trivy/issues/7274)) ([b3ee6da](https://github.com/aquasecurity/trivy/commit/b3ee6dac269bd7847674f3ce985a5ff7f8f0ba38))
* **report:** escape `Message` field in `asff.tpl` template ([#7401](https://github.com/aquasecurity/trivy/issues/7401)) ([dd9733e](https://github.com/aquasecurity/trivy/commit/dd9733e950d3127aa2ac90c45ec7e2b88a2b47ca))
* safely check if the directory exists ([#7353](https://github.com/aquasecurity/trivy/issues/7353)) ([05a8297](https://github.com/aquasecurity/trivy/commit/05a829715f99cd90b122c64cd2f40157854e467b))
* **sbom:** use `NOASSERTION` for licenses fields in SPDX formats ([#7403](https://github.com/aquasecurity/trivy/issues/7403)) ([c96dcdd](https://github.com/aquasecurity/trivy/commit/c96dcdd440a14cdd1b01ac473b2c15e4698e387b))
* **secret:** use `.eyJ` keyword for JWT secret ([#7410](https://github.com/aquasecurity/trivy/issues/7410)) ([bf64003](https://github.com/aquasecurity/trivy/commit/bf64003ac8b209f34b88f228918a96d4f9dac5e0))
* **secret:** use only line with secret for long secret lines ([#7412](https://github.com/aquasecurity/trivy/issues/7412)) ([391448a](https://github.com/aquasecurity/trivy/commit/391448aba9fcb0a4138225e5ab305e4e6707c603))
* **terraform:** add aws_region name to presets ([#7184](https://github.com/aquasecurity/trivy/issues/7184)) ([bb2e26a](https://github.com/aquasecurity/trivy/commit/bb2e26a0ab707b718f6a890cbc87e2492298b6e5))
### Performance Improvements
* **misconf:** do not convert contents of a YAML file to string ([#7292](https://github.com/aquasecurity/trivy/issues/7292)) ([85dadf5](https://github.com/aquasecurity/trivy/commit/85dadf56265647c000191561db10b08a4948c140))
* **misconf:** optimize work with context ([#6968](https://github.com/aquasecurity/trivy/issues/6968)) ([2b6d8d9](https://github.com/aquasecurity/trivy/commit/2b6d8d9227fb6ecc9386a14333964c23c0370a52))
* **misconf:** use json.Valid to check validity of JSON ([#7308](https://github.com/aquasecurity/trivy/issues/7308)) ([c766831](https://github.com/aquasecurity/trivy/commit/c766831069e188226efafeec184e41498685ed85))
## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
### Features
* add `log.FilePath()` function for logger ([#7080](https://github.com/aquasecurity/trivy/issues/7080)) ([1f5f348](https://github.com/aquasecurity/trivy/commit/1f5f34895823fae81bf521fc939bee743a50e304))
* add openSUSE tumbleweed detection and scanning ([#6965](https://github.com/aquasecurity/trivy/issues/6965)) ([17b5dbf](https://github.com/aquasecurity/trivy/commit/17b5dbfa12180414b87859c6c46bfe6cc5ecf7ba))
* **cli:** rename `--vuln-type` flag to `--pkg-types` flag ([#7104](https://github.com/aquasecurity/trivy/issues/7104)) ([7cbdb0a](https://github.com/aquasecurity/trivy/commit/7cbdb0a0b5dff33e506e1c1f3119951fa241b432))
* **mariner:** Add support for Azure Linux ([#7186](https://github.com/aquasecurity/trivy/issues/7186)) ([5cbc452](https://github.com/aquasecurity/trivy/commit/5cbc452a09822d1bf300ead88f0d613d4cf0349a))
* **misconf:** enabled China configuration for ACRs ([#7156](https://github.com/aquasecurity/trivy/issues/7156)) ([d1ec89d](https://github.com/aquasecurity/trivy/commit/d1ec89d1db4b039f0e31076ccd1ca969fb15628e))
* **nodejs:** add license parser to pnpm analyser ([#7036](https://github.com/aquasecurity/trivy/issues/7036)) ([03ac93d](https://github.com/aquasecurity/trivy/commit/03ac93dc208f1b40896f3fa11fa1d45293176dca))
* **sbom:** add image labels into `SPDX` and `CycloneDX` reports ([#7257](https://github.com/aquasecurity/trivy/issues/7257)) ([4a2f492](https://github.com/aquasecurity/trivy/commit/4a2f492c6e685ff577fb96a7006cd0c43755baf4))
* **sbom:** add vulnerability support for SPDX formats ([#7213](https://github.com/aquasecurity/trivy/issues/7213)) ([efb1f69](https://github.com/aquasecurity/trivy/commit/efb1f6938321eec3529ef4fea6608261f6771ae0))
* share build-in rules ([#7207](https://github.com/aquasecurity/trivy/issues/7207)) ([bff317c](https://github.com/aquasecurity/trivy/commit/bff317c77bf4a5f615a80d9875d129213bd52f6d))
* **vex:** retrieve VEX attestations from OCI registries ([#7249](https://github.com/aquasecurity/trivy/issues/7249)) ([c2fd2e0](https://github.com/aquasecurity/trivy/commit/c2fd2e0d89567a0ccd996dda8790f3c3305ea6f7))
* **vex:** VEX Repository support ([#7206](https://github.com/aquasecurity/trivy/issues/7206)) ([88ba460](https://github.com/aquasecurity/trivy/commit/88ba46047c93e6046292523ae701de774dfdc4dc))
* **vuln:** add `--pkg-relationships` ([#7237](https://github.com/aquasecurity/trivy/issues/7237)) ([5c37361](https://github.com/aquasecurity/trivy/commit/5c37361600d922db27dd594b2a80c010a19b3a6e))
### Bug Fixes
* Add dependencyManagement exclusions to the child exclusions ([#6969](https://github.com/aquasecurity/trivy/issues/6969)) ([dc68a66](https://github.com/aquasecurity/trivy/commit/dc68a662a701980d6529f61a65006f1e4728a3e5))
* add missing platform and type to spec ([#7149](https://github.com/aquasecurity/trivy/issues/7149)) ([c8a7abd](https://github.com/aquasecurity/trivy/commit/c8a7abd3b508975fcf10c254d13d1a2cd42da657))
* **cli:** error on missing config file ([#7154](https://github.com/aquasecurity/trivy/issues/7154)) ([7fa5e7d](https://github.com/aquasecurity/trivy/commit/7fa5e7d0ab67f20d434b2922725988695e32e6af))
* close file when failed to open gzip ([#7164](https://github.com/aquasecurity/trivy/issues/7164)) ([2a577a7](https://github.com/aquasecurity/trivy/commit/2a577a7bae37e5731dceaea8740683573b6b70a5))
* **dotnet:** don't include non-runtime libraries into report for `*.deps.json` files ([#7039](https://github.com/aquasecurity/trivy/issues/7039)) ([5bc662b](https://github.com/aquasecurity/trivy/commit/5bc662be9a8f072599f90abfd3b400c8ab055ed6))
* **dotnet:** show `nuget package dir not found` log only when checking `nuget` packages ([#7194](https://github.com/aquasecurity/trivy/issues/7194)) ([d76feba](https://github.com/aquasecurity/trivy/commit/d76febaee107c645e864da0f4d74a8f6ae4ad232))
* ignore nodes when listing permission is not allowed ([#7107](https://github.com/aquasecurity/trivy/issues/7107)) ([25f8143](https://github.com/aquasecurity/trivy/commit/25f8143f120965c636c5ea8386398b211b082398))
* **java:** avoid panic if deps from `pom` in `it` dir are not found ([#7245](https://github.com/aquasecurity/trivy/issues/7245)) ([4e54a7e](https://github.com/aquasecurity/trivy/commit/4e54a7e84c33c1be80c52c6db78c634bc3911715))
* **java:** use `go-mvn-version` to remove `Package` duplicates ([#7088](https://github.com/aquasecurity/trivy/issues/7088)) ([a7a304d](https://github.com/aquasecurity/trivy/commit/a7a304d53e1ce230f881c28c4f35885774cf3b9a))
* **misconf:** do not evaluate TF when a load error occurs ([#7109](https://github.com/aquasecurity/trivy/issues/7109)) ([f27c236](https://github.com/aquasecurity/trivy/commit/f27c236d6e155cb366aeef619b6ea96d20fb93da))
* **nodejs:** detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` ([#7110](https://github.com/aquasecurity/trivy/issues/7110)) ([54bb8bd](https://github.com/aquasecurity/trivy/commit/54bb8bdfb934d114b5570005853bf4bc0d40c609))
* **report:** hide empty table when all secrets/license/misconfigs are ignored ([#7171](https://github.com/aquasecurity/trivy/issues/7171)) ([c3036de](https://github.com/aquasecurity/trivy/commit/c3036de6d7719323d306a9666ccc8d928d936f9a))
* **secret:** skip regular strings contain secret patterns ([#7182](https://github.com/aquasecurity/trivy/issues/7182)) ([174b1e3](https://github.com/aquasecurity/trivy/commit/174b1e3515a6394cf8d523216d6267c1aefb820a))
* **secret:** trim excessively long lines ([#7192](https://github.com/aquasecurity/trivy/issues/7192)) ([92b13be](https://github.com/aquasecurity/trivy/commit/92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5))
* **secret:** update length of `hugging-face-access-token` ([#7216](https://github.com/aquasecurity/trivy/issues/7216)) ([8c87194](https://github.com/aquasecurity/trivy/commit/8c87194f0a6b194bc5d340c8a65bd99a3132d973))
* **server:** pass license categories to options ([#7203](https://github.com/aquasecurity/trivy/issues/7203)) ([9d52018](https://github.com/aquasecurity/trivy/commit/9d5201808da89607ae43570bdf1f335b482a6b79))
### Performance Improvements
* **debian:** use `bytes.Index` in `emptyLineSplit` to cut allocation ([#7065](https://github.com/aquasecurity/trivy/issues/7065)) ([acbec05](https://github.com/aquasecurity/trivy/commit/acbec053c985388a26d899e73b4b7f5a6d1fa210))
## [0.53.0](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.53.0) (2024-07-01)
### ⚠ BREAKING CHANGES
* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861))
* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993))
* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995))
### Features
* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993)) ([8d0ae1f](https://github.com/aquasecurity/trivy/commit/8d0ae1f5de72d92a043dcd6b7c164d30e51b6047))
* Add local ImageID to SARIF metadata ([#6522](https://github.com/aquasecurity/trivy/issues/6522)) ([f144e91](https://github.com/aquasecurity/trivy/commit/f144e912d34234f00b5a13b7a11a0019fa978b27))
* add memory cache backend ([#7048](https://github.com/aquasecurity/trivy/issues/7048)) ([55ccd06](https://github.com/aquasecurity/trivy/commit/55ccd06df43f6ff28685f46d215ccb70f55916d2))
* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995)) ([979e118](https://github.com/aquasecurity/trivy/commit/979e118a9e0ca8943bef9143f492d7eb1fd4d863))
* **conda:** add licenses support for `environment.yml` files ([#6953](https://github.com/aquasecurity/trivy/issues/6953)) ([654217a](https://github.com/aquasecurity/trivy/commit/654217a65485ca0a07771ea61071977894eb4920))
* **dart:** use first version of constraint for dependencies using SDK version ([#6239](https://github.com/aquasecurity/trivy/issues/6239)) ([042d6b0](https://github.com/aquasecurity/trivy/commit/042d6b08c283105c258a3dda98983b345a5305c3))
* **image:** Set User-Agent header for Trivy container registry requests ([#6868](https://github.com/aquasecurity/trivy/issues/6868)) ([9b31697](https://github.com/aquasecurity/trivy/commit/9b31697274c8743d6e5a8f7a1a05daf60cd15910))
* **java:** add support for `maven-metadata.xml` files for remote snapshot repositories. ([#6950](https://github.com/aquasecurity/trivy/issues/6950)) ([1f8fca1](https://github.com/aquasecurity/trivy/commit/1f8fca1fc77b989bb4e3ba820b297464dbdd825f))
* **java:** add support for sbt projects using sbt-dependency-lock ([#6882](https://github.com/aquasecurity/trivy/issues/6882)) ([f18d035](https://github.com/aquasecurity/trivy/commit/f18d035ae13b281c96aa4ed69ca32e507d336e66))
* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861)) ([8d618e4](https://github.com/aquasecurity/trivy/commit/8d618e48a2f1b60c2e4c49cdd9deb8eb45c972b0))
* **misconf:** add metadata to Cloud schema ([#6831](https://github.com/aquasecurity/trivy/issues/6831)) ([02d5404](https://github.com/aquasecurity/trivy/commit/02d540478d495416b50d7e8b187ff9f5bba41f45))
* **misconf:** add support for AWS::EC2::SecurityGroupIngress/Egress ([#6755](https://github.com/aquasecurity/trivy/issues/6755)) ([55fa610](https://github.com/aquasecurity/trivy/commit/55fa6109cd0463fd3221aae41ca7b1d8c44ad430))
* **misconf:** API Gateway V1 support for CloudFormation ([#6874](https://github.com/aquasecurity/trivy/issues/6874)) ([8491469](https://github.com/aquasecurity/trivy/commit/8491469f0b35bd9df706a433669f5b62239d4ef3))
* **misconf:** support of selectors for all providers for Rego ([#6905](https://github.com/aquasecurity/trivy/issues/6905)) ([bc3741a](https://github.com/aquasecurity/trivy/commit/bc3741ae2c68cdd00fc0aef7e51985568b2eb78a))
* **php:** add installed.json file support ([#4865](https://github.com/aquasecurity/trivy/issues/4865)) ([edc556b](https://github.com/aquasecurity/trivy/commit/edc556b85e3554c31e19b1ece189effb9ba2be12))
* **plugin:** add support for nested archives ([#6845](https://github.com/aquasecurity/trivy/issues/6845)) ([622c67b](https://github.com/aquasecurity/trivy/commit/622c67b7647f94d0a0ca3acf711d8f847cdd8d98))
* **sbom:** migrate to `CycloneDX v1.6` ([#6903](https://github.com/aquasecurity/trivy/issues/6903)) ([09e50ce](https://github.com/aquasecurity/trivy/commit/09e50ce6a82073ba62f1732d5aa0cd2701578693))
### Bug Fixes
* **c:** don't skip conan files from `file-patterns` and scan `.conan2` cache dir ([#6949](https://github.com/aquasecurity/trivy/issues/6949)) ([38b35dd](https://github.com/aquasecurity/trivy/commit/38b35dd3c804027e7a6e6a9d3c87b7ac333896c5))
* **cli:** show info message only when --scanners is available ([#7032](https://github.com/aquasecurity/trivy/issues/7032)) ([e9fc3e3](https://github.com/aquasecurity/trivy/commit/e9fc3e3397564512038ddeca2adce0efcb3f93c5))
* **cyclonedx:** trim non-URL info for `advisory.url` ([#6952](https://github.com/aquasecurity/trivy/issues/6952)) ([417212e](https://github.com/aquasecurity/trivy/commit/417212e0930aa52a27ebdc1b9370d2943ce0f8fa))
* **debian:** take installed files from the origin layer ([#6849](https://github.com/aquasecurity/trivy/issues/6849)) ([089b953](https://github.com/aquasecurity/trivy/commit/089b953462260f01c40bdf588b2568ae0ef658bc))
* **image:** parse `image.inspect.Created` field only for non-empty values ([#6948](https://github.com/aquasecurity/trivy/issues/6948)) ([0af5730](https://github.com/aquasecurity/trivy/commit/0af5730cbe56686417389c2fad643c1bdbb33999))
* **license:** return license separation using separators `,`, `or`, etc. ([#6916](https://github.com/aquasecurity/trivy/issues/6916)) ([52f7aa5](https://github.com/aquasecurity/trivy/commit/52f7aa54b520a90a19736703f8ea63cc20fab104))
* **misconf:** fix caching of modules in subdirectories ([#6814](https://github.com/aquasecurity/trivy/issues/6814)) ([0bcfedb](https://github.com/aquasecurity/trivy/commit/0bcfedbcaa9bbe30ee5ecade5b98e9ce3cc54c9b))
* **misconf:** fix parsing of engine links and frameworks ([#6937](https://github.com/aquasecurity/trivy/issues/6937)) ([ec68c9a](https://github.com/aquasecurity/trivy/commit/ec68c9ab4580d057720179173d58734402c92af4))
* **misconf:** handle source prefix to ignore ([#6945](https://github.com/aquasecurity/trivy/issues/6945)) ([c3192f0](https://github.com/aquasecurity/trivy/commit/c3192f061d7e84eaf38df8df7c879dc00b4ca137))
* **misconf:** parsing numbers without fraction as int ([#6834](https://github.com/aquasecurity/trivy/issues/6834)) ([8141a13](https://github.com/aquasecurity/trivy/commit/8141a137ba50b553a9da877d95c7ccb491d041c6))
* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken ([#6858](https://github.com/aquasecurity/trivy/issues/6858)) ([cf5aa33](https://github.com/aquasecurity/trivy/commit/cf5aa336e660e4c98481ebf8d15dd4e54c38581e))
* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([7d083bc](https://github.com/aquasecurity/trivy/commit/7d083bc890eccc3bf32765c6d7e922cab2e2ef94))
* **plugin:** respect `--insecure` ([#7022](https://github.com/aquasecurity/trivy/issues/7022)) ([3d02a31](https://github.com/aquasecurity/trivy/commit/3d02a31b44924f9e2495aae087f7ca9de3314db4))
* **purl:** add missed os types ([#6955](https://github.com/aquasecurity/trivy/issues/6955)) ([2d85a00](https://github.com/aquasecurity/trivy/commit/2d85a003b22298d1101f84559f7c6b470f2b3909))
* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase ([#6852](https://github.com/aquasecurity/trivy/issues/6852)) ([faa9d92](https://github.com/aquasecurity/trivy/commit/faa9d92cfeb8d924deda2dac583b6c97099c08d9))
* **sbom:** don't overwrite `srcEpoch` when decoding SBOM files ([#6866](https://github.com/aquasecurity/trivy/issues/6866)) ([04af59c](https://github.com/aquasecurity/trivy/commit/04af59c2906bcfc7f7970b4e8f45a90f04313170))
* **sbom:** fix panic when scanning SBOM file without root component into SBOM format ([#7051](https://github.com/aquasecurity/trivy/issues/7051)) ([3d4ae8b](https://github.com/aquasecurity/trivy/commit/3d4ae8b5be94cd9b00badeece8d86c2258b2cd90))
* **sbom:** take pkg name from `purl` for maven pkgs ([#7008](https://github.com/aquasecurity/trivy/issues/7008)) ([a76e328](https://github.com/aquasecurity/trivy/commit/a76e3286c413de3dec55394fb41dd627dfee37ae))
* **sbom:** use `purl` for `bitnami` pkg names ([#6982](https://github.com/aquasecurity/trivy/issues/6982)) ([7eabb92](https://github.com/aquasecurity/trivy/commit/7eabb92ec2e617300433445718be07ac74956454))
* **sbom:** use package UIDs for uniqueness ([#7042](https://github.com/aquasecurity/trivy/issues/7042)) ([14d71ba](https://github.com/aquasecurity/trivy/commit/14d71ba63c39e51dd4179ba2d6002b46e1816e90))
* **secret:** `Asymmetric Private Key` shouldn't start with space ([#6867](https://github.com/aquasecurity/trivy/issues/6867)) ([bb26445](https://github.com/aquasecurity/trivy/commit/bb26445e3df198df77930329f532ac5ab7a67af2))
* **suse:** Add SLES 15.6 and Leap 15.6 ([#6964](https://github.com/aquasecurity/trivy/issues/6964)) ([5ee4e9d](https://github.com/aquasecurity/trivy/commit/5ee4e9d30ea814f60fd5705361cabf2e83a47a78))
* use embedded when command path not found ([#7037](https://github.com/aquasecurity/trivy/issues/7037)) ([137c916](https://github.com/aquasecurity/trivy/commit/137c9164238ffd989a0c5ed24f23a55bbf341f6e))
* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] ([#6888](https://github.com/aquasecurity/trivy/issues/6888)) ([01dbb42](https://github.com/aquasecurity/trivy/commit/01dbb42ae9ecff21d1c71f095a27f47a6ac9adaa))
* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([a614b69](https://github.com/aquasecurity/trivy/commit/a614b693d7b948df7d4ed3516e79573cb8424406))
* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] ([#6878](https://github.com/aquasecurity/trivy/issues/6878)) ([093c0ae](https://github.com/aquasecurity/trivy/commit/093c0ae020548bf6f3d1896d4d55210eb42c7b0e))
* **sbom:** don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] ([#6881](https://github.com/aquasecurity/trivy/issues/6881)) ([f186d22](https://github.com/aquasecurity/trivy/commit/f186d22bf275e872bd664f07131604f6a0216f20))
## [0.52.0](https://github.com/aquasecurity/trivy/compare/v0.51.1...v0.52.0) (2024-06-03)

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.20.3
FROM alpine:3.20.0
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/

1
README.md
View File

@@ -21,6 +21,7 @@ Targets (what Trivy can scan):
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS
Scanners (what Trivy can find there):

2
contrib/Trivy.gitlab-ci.yml
View File

@@ -12,9 +12,9 @@ Trivy_container_scanning:
before_script:
- export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
- apk add --no-cache curl docker-cli
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
- trivy registry login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script:
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
cache:

2
contrib/asff.tpl
View File

@@ -108,7 +108,7 @@
"Region": "{{ env "AWS_REGION" }}",
"Details": {
"Other": {
"Message": "{{ escapeString .Message }}",
"Message": "{{ .Message }}",
"Filename": "{{ $target }}",
"StartLine": "{{ .CauseMetadata.StartLine }}",
"EndLine": "{{ .CauseMetadata.EndLine }}"

0
examples/ignore-policies/advanced.rego → contrib/example_policy/advanced.rego
View File

0
examples/ignore-policies/basic.rego → contrib/example_policy/basic.rego
View File

13
contrib/gitlab.tpl
View File

@@ -24,18 +24,11 @@
"status": "success",
"type": "container_scanning"
},
{{- $image := "Unknown" -}}
{{- $os := "Unknown" -}}
{{- range . }}
{{- if eq .Class "os-pkgs" -}}
{{- $target := .Target }}
{{- $image = $target | regexFind "[^\\s]+" }}
{{- $os = $target | splitList "(" | last | trimSuffix ")" }}
{{- end }}
{{- end }}
"vulnerabilities": [
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- $image := $target | regexFind "[^\\s]+" }}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
@@ -72,7 +65,7 @@
"version": "{{ .InstalledVersion }}"
},
{{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
"operating_system": "{{ $os }}",
"operating_system": "Unknown",
"image": "{{ $image }}"
},
"identifiers": [

13
contrib/junit.tpl
View File

@@ -16,7 +16,7 @@
</testsuite>
{{- if .MisconfSummary }}
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" time="">
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
{{- else }}
<testsuite tests="0" failures="0" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- end }}
@@ -33,16 +33,5 @@
</testcase>
{{- end }}
</testsuite>
{{- if .Licenses }}
{{- $licenses := len .Licenses }}
<testsuite tests="{{ $licenses }}" failures="{{ $licenses }}" name="{{ .Target }}" time="0">{{ range .Licenses }}
<testcase classname="{{ .PkgName }}" name="[{{ .Severity }}] {{ .Name }}">
<failure/>
</testcase>
{{- end }}
</testsuite>
{{- end }}
{{- end }}
</testsuites>

1
docs/assets/css/trivy_v1_homepage.min.css vendored
View File

File diff suppressed because one or more lines are too long

693
docs/assets/css/trivy_v1_homepage.scss
View File

@@ -1,693 +0,0 @@
/* trivy homepage */
//aqua brand colors
$aq-royal-blue: #1904da;
$aq-legacy-blue: #08b1d5;
$aq-coral-red: #ff445f;
$aq-starfish-yellow: #ffc900;
$aq-dark-abyss: #07242d;
$aq-deep-sea-blue: #183278;
$aq-ocean-ash: #405a75;
$aq-sea-foam: #00ffe4;
$aq-neo-background: #ebf3fa;
$aq-neo-background-hover: #f0f8ff;
$aq-royal-blue-dark: #1503ba;
$aq-trivy-dark: #0a0b23;
$weight-normal: 400;
$weight-semibold: 600;
$weight-bold: 700;
$gap: 32px;
// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
$tablet: 769px;
// 960px container + 4rem
$desktop: 960px + 2 * $gap;
// 1152px container + 4rem
$widescreen: 1152px + 2 * $gap;
$widescreen-enabled: true;
// 1344px container + 4rem
$fullhd: 1344px + 2 * $gap;
$fullhd-enabled: true;
body {
font-family: "Inter", sans-serif;
}
.trivy_v1_homepage_wrap {
position: relative;
z-index: 3;
* {
transition: all 0.2s ease !important;
}
.container {
width: 100%;
margin: 0 auto;
max-width: 1440px;
@media screen and (max-width: $tablet), print { //769
padding: 0 24px;
max-width: $tablet; //769
} //until tablet
}
.button {
background-color: #ebf3fa;
border: 1px solid #dbdbdb;
border-width: 1px;
color: #363636;
cursor: pointer;
justify-content: center;
padding-bottom: calc(.5em - 1px);
padding-left: 1em;
padding-right: 1em;
padding-top: calc(.5em - 1px);
text-align: center;
white-space: nowrap;
border-radius: 4px;
transition: all .2s ease;
font-size: 16px;
display: inline-block;
font-weight: 700;
&.is-seafoam {
background-color: $aq-sea-foam;
border-color: $aq-sea-foam;
color: $aq-dark-abyss;
&.is-outlined {
background-color: rgba(0,0,0,0);
border-color: $aq-sea-foam;
color: $aq-sea-foam;
border-width: 2px;
&:hover {
background-color: $aq-sea-foam;
color: $aq-dark-abyss;
}
} //is-outlines
} //is-seafoam
&.large_btn {
font-size: 22px;
padding: 16px 27px;
margin-right: 12px;
@media screen and (max-width: $tablet), print {
font-size: 18px;
} //until tablet
}
&.solidseafoamarrowbutton {
background-color: $aq-sea-foam;
font-weight: 700;
border: 2px solid $aq-sea-foam;
font-size: 22px; //1.375rem; //1.125rem;
padding: 16px 27px;
color: $aq-dark-abyss;
&:after {
content: "";
border: solid $aq-dark-abyss;
border-width: 0 2px 2px 0;
display: inline-block;
padding: 4px;
transform: rotate(-45deg);
margin-left: 30px;
vertical-align: middle;
transition: all .2s;
}
} //solidseafoamarrowbutton
} //button
.margin-bottom-20 {
margin-bottom: 20px;
}
.hero_wrap {
background-color: $aq-trivy-dark;
background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
min-height: 1050px;
position: relative;
z-index: 10;
.homepage_background_image_wrap {
position: absolute;
left: 0px;
top: 0px;
width: 100%;
height: 100%;
z-index: 1;
pointer-events: none;
.stars_wrap {
position: absolute;
left: 0px;
top: 0px;
width: 100%;
height: 100%;
z-index: 1;
overflow: hidden;
.stars_bg {
position: absolute;
width: 400vw;
height: 400vh;
top: 50%;
left: 50%;
margin-top: -200vh;
margin-left: -200vw;
animation: stars_ani 240s linear infinite;
background-size: 240px;
backface-visibility: visible;
background-image:url(../images/homepage_hero_stars_02.svg);
background-repeat: repeat;
}
@keyframes stars_ani {
0% { transform: rotate(0deg); }
100% { transform: rotate(360deg); }
}
} //stars_wrap
.terrain_wrap {
position: absolute;
left: 0px;
bottom: 0px;
width: 100%;
height: 680px;
background-image:url(../images/homepage_hero_terrain_08.svg);
background-repeat: no-repeat;
background-position: center top;
background-size: cover;
z-index: 2;
} // terrain_wrap
.beams_wrap {
position: absolute;
left: 0px;
bottom: 0px;
width: 100%;
height: 100%;
z-index: 3;
overflow: hidden;
.beam {
position: absolute;
right: 200px;
top: 270px;
width: 3px;
height: 350%;
background: rgba(#3eabff,0.6);
box-shadow: 0px 0px 55px 0px rgba(#3eabff,1);
transform-origin: 0 0;
animation: beam_ani 10s infinite;
&.num2 {animation: beam_ani 11s infinite;}
&.num3 {animation: beam_ani 12s infinite;}
&.num4 {animation: beam_ani 13s infinite;}
} //beam
@keyframes beam_ani {
0% { transform: rotate(75deg); }
50% { transform: rotate(-15deg); }
100% { transform: rotate(75deg); }
}
.sphere {
z-index:999;
position: absolute;
top: 60px;
right: 50px;
width: 280px;
height: 280px;
background-image:url(../images/homepage_hero_orb_03.png);
background-position: center center;
background-repeat: no-repeat;
}
} //beams_wrap
.person_wrap {
position: absolute;
left: 0px;
bottom: 0px;
width: 100%;
height: 595px;
background-image:url(../images/homepage_v1_hero_person_01.png);
background-repeat: no-repeat;
background-position: center bottom;
z-index: 4;
} // person_wrap
} //hero_background_image_wrap
}
.hero {
.hero-body {
padding: 80px 0px;
// border: 1px solid red;
.header_title_wrap {
.header_title_content_wrap {
width: 50%;
position: relative;
z-index: 3;
.page_title {
color: #ffffff;
font-weight: $weight-bold;
font-size: 48px; //3rem;
line-height: 1.3;
}//page_title
.page_subtitle {
color: #ffffff;
font-weight: $weight-normal;
font-size: 24px; //1.5rem;
line-height: 1.3;
margin-bottom: 30px;
} //page_subtitle
@media screen and (max-width: $widescreen), print {
width: 70%;
} //until widescreen
@media screen and (max-width: $tablet), print { //769
width: 100%;
.page_title {
font-size: 32px; //2rem;
}//page_title
.page_subtitle {
font-size: 18px; //1.125rem;
}//page_subtitle
} //until tablet
} //header_title_content_wrap
} //header_title_wrap
@media screen and (min-width: $tablet), print { //769
padding: 48px 24px; //3rem 1.5rem;
}
}
} //hero
// } //page-trivy_homepage
/* homepage_community */
.homepage_community_wrap {
position: relative;
background-color: $aq-trivy-dark;
color: #ffffff;
z-index: 5;
padding-top: 60px;
padding-bottom: 20px;
.container.wide_container {
max-width: 1640px;
padding-left: 20px;
padding-right: 20px;
display: flex;
flex-direction: row;
flex-wrap: wrap;
}
.community_titles_column {
width: 33.3333%;
padding-right: 32px;
@media screen and (max-width: $desktop), print {
width: 41.6666666667%;
} //until desktop
@media screen and (max-width: $tablet), print {
width: 100%;
} //until tablet
}
.community_slider_column {
width: 66.6666%;
@media screen and (max-width: $desktop), print {
width: 58.3333333333%;
} //until desktop
@media screen and (max-width: $tablet), print {
width: 100%;
} //until tablet
}
.community_title {
color: $aq-sea-foam;
font-size: 60px; //3.75rem;
font-weight: $weight-bold;
margin-bottom: 24px; ////1.5rem;
line-height: 1.2;
}
.community_subtitle {
color: #ffffff;
font-size: 26px; //1.625rem;
margin-bottom: 24px; ////1.5rem;
}
.community_cta_wrap {
.button {
font-weight: $weight-bold;
margin-right: 10px;
}
}
.community_quotes_wrap {
position: relative;
.community_quotes {
column-count: 3;
column-gap: 20px;
@media screen and (max-width: $widescreen), print { //1216
column-count: 2;
}
@media screen and (max-width: $tablet), print { //769
column-count: 1;
}
.quote_item_wrap {
display: inline-block;
margin: 0px 0px 20px 0px;
width: 100%;
}
.quote_item {
display: block;
position: relative;
color: #ffffff;
border: 1px solid rgba($aq-sea-foam,0.2);
background-color: rgba($aq-sea-foam,0.05);
border-radius: 4px;
padding: 25px;
.quote_name {
font-size: 16px; //1rem;
font-weight: $weight-semibold;
}
.quote_twitter_handle {
opacity: 0.6;
font-size: 13px; //0.8125rem;
}
.quote_company {
opacity: 0.6;
font-size: 13px; //0.8125rem;
}
.quote_text {
font-size: 16px; //1rem;
font-weight: $weight-normal;
line-height: 1.3;
}
.quote_avatar {
display: block;
position: absolute;
top: 25px;
left: 25px;
width: 40px;
height: 40px;
border-radius: 50%;
background-repeat: no-repeat;
background-position: center center;
background-size: cover;
}
&.is_tweet {
.quote_text {
padding-top: 10px;
}
&.has_avatar {
.quote_name,
.quote_twitter_handle {
padding-left: 50px;
}
} //has_avatar
} //&is_tweet
&.is_quote {
.quote_text {
position: relative;
padding-top: 40px;
padding-bottom: 10px;
&:before {
content: "";
display: block;
position: absolute;
top: -10px;
left: 0px;
width: 56px;
height: 42px;
background-image: url(../images/community_quote.png);
background-position: center center;
background-repeat: no-repeat;
}
} //quote_text
} //&is_quote
} //quote_item
}
} //community_quotes_wrap
@media screen and (max-width: $tablet), print { //tablet
.community_title {
font-size: 32px; //2rem;
}
.community_subtitle {
font-size: 18px; //1.125rem;
}
} //until
} //homepage_community_wrap
} //trivy_homepage_wrap
/* Slider */
.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
.slick-list:focus{outline:none;}
.slick-list.dragging{cursor:hand;}
.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
.slick-track:before,.slick-track:after{display:table;content:'';}
.slick-track:after{clear:both;}
.slick-loading .slick-track{visibility:hidden;}
.slick-slide{display:none;float:left;height:100%;min-height:1px;}
.slick-slide:focus{outline:none;}
.slick-slide img{display:block;}
.slick-slide.slick-loading img{display:none;}
.slick-slide.dragging img{pointer-events:none;}
.slick-initialized .slick-slide{display:block;}
.slick-loading .slick-slide{visibility:hidden;}
.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
.slick-arrow.slick-hidden{display:none;}
.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
.slick-arrow:focus, .slick-arrow:active {outline:none;}
.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
/* dots */
.slick-dotted.slick-slider
{
margin-bottom: 0px;
}
.slick-dots
{
//position: absolute;
//bottom: -25px;
position: relative;
display: block;
width: 100%;
padding: 0;
margin: 0;
list-style: none;
text-align: center;
}
.slick-dots li {
position: relative;
display: inline-block;
width: 24px;
height: 24px;
margin: 0px 4px;
padding: 0;
cursor: pointer;
}
.slick-dots li button
{
font-size: 0;
line-height: 0;
display: block;
width: 24px;
height: 24px;
padding: 0px;
cursor: pointer;
color: transparent;
border: 0;
outline: none;
background: transparent;
&:before {
position: relative;
top: 0px;
left: 0px;
width: 20px;
height: 20px;
content: "";
background-color: transparent;
border: 2px solid $aq-sea-foam;
border-radius: 50%;
display: block;
opacity: 0.7;
}
&:after {
position: absolute;
top: 7px;
left: 5px;
width: 10px;
height: 10px;
content: "";
background-color: $aq-sea-foam;
//border: 1px solid #666;
border-radius: 50%;
//box-shadow: inset 1px 1px 1px #888;
display: block;
opacity: 0;
transition: 0.2s ease-out;
}
}
.slick-dots li button:hover,
.slick-dots li button:focus
{
outline: none;
&:after {
opacity: 1;
}
}
.slick-dots li.slick-active button:after {
opacity: 1;
}

BIN
docs/assets/images/homepage_hero_orb_03.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

1
docs/assets/images/homepage_hero_stars_02.svg
View File

@@ -1 +0,0 @@
<svg version="1.1" id="Layer_2" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 240 240" enable-background="new 0 0 240 240" xml:space="preserve"><rect x="106" y="90" fill="#00ffe4" width="2" height="2"/><rect x="74" y="63" fill="#00ffe4" width="1" height="1"/><rect x="23" y="66" fill="#00ffe4" width="1" height="1"/><rect x="50" y="110" fill="#00ffe4" width="1" height="1"/><rect x="63" y="128" fill="#00ffe4" width="1" height="1"/><rect x="45" y="149" fill="#00ffe4" width="1" height="1"/><rect x="92" y="151" fill="#00ffe4" width="1" height="1"/><rect x="58" y="8" fill="#00ffe4" width="1" height="1"/><rect x="147" y="33" fill="#00ffe4" width="2" height="2"/><rect x="91" y="43" fill="#00ffe4" width="1" height="1"/><rect x="169" y="29" fill="#ffffff" width="1" height="1"/><rect x="182" y="19" fill="#00ffe4" width="1" height="1"/><rect x="161" y="59" fill="#00ffe4" width="1" height="1"/><rect x="138" y="95" fill="#00ffe4" width="1" height="1"/><rect x="199" y="71" fill="#ffffff" width="3" height="3"/><rect x="213" y="153" fill="#00ffe4" width="2" height="2"/><rect x="128" y="163" fill="#ffffff" width="1" height="1"/><rect x="205" y="174" fill="#00ffe4" width="1" height="1"/><rect x="152" y="200" fill="#00ffe4" width="1" height="1"/><rect x="52" y="211" fill="#00ffe4" width="2" height="2"/><rect y="191" fill="#00ffe4" width="1" height="1"/><rect x="110" y="184" fill="#00ffe4" width="1" height="1"/></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.4 KiB

1
docs/assets/images/homepage_hero_terrain_08.svg
View File

File diff suppressed because one or more lines are too long
Side by Side

Before

Width:  |  Height:  |  Size: 336 KiB

BIN
docs/assets/images/homepage_v1_hero_person_01.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 55 KiB

1
docs/assets/images/trivy_logo_horizontal_white.svg
View File

@@ -1 +0,0 @@
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891" xml:space="preserve"><style>.st0{fill:#fff}.st1{fill:#50f0ff}</style><path class="st0" d="M1421.86 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c0-15.38-12.51-27.9-27.9-27.9zM1737.06 281.92h-46.97c-25.9 0-46.97-21.07-46.97-46.97s21.07-46.97 46.97-46.97 46.97 21.07 46.97 46.97v46.97zm-46.97-74.87c-15.38 0-27.9 12.52-27.9 27.9 0 15.38 12.52 27.9 27.9 27.9h27.9v-27.9c-.01-15.38-12.52-27.9-27.9-27.9zM1585.02 281.94c-25.91 0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0 15.39 12.52 27.91 27.91 27.91s27.91-12.52 27.91-27.91v-44.08h19.09v44.08c-.01 25.91-21.1 46.99-47 46.99zM1479.94 187.98c-25.9 0-46.97 21.07-46.97 46.97s21.07 46.97 46.97 46.97l19.07-19.07h-19.07c-15.38 0-27.9-12.52-27.9-27.9 0-15.38 12.52-27.9 27.9-27.9 15.38 0 27.9 12.52 27.9 27.9v91.8h19.07v-91.8c0-25.9-21.07-46.97-46.97-46.97zM942.76 588.45v46.29c-31.53 0-59.94-11.34-82.34-30.14-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04v105.2h82.34v46.59h-82.34v81.19c.63 45.06 37.13 81.41 82.34 81.41zM1106.82 379.26v45.98c-43.65.1-79.18 34.71-80.78 77.98v131.52h-46.12V379.26h46.12v29.16c21.93-18.18 50.08-29.12 80.78-29.16zM1136.4 353.72v-40.29h46.05v40.29h-46.05zm0 281.02V379.26h46.05v255.48h-46.05zM1464.76 379.26l-127.64 255.48-127.8-255.48h52.33l75.47 150.88 75.31-150.88h52.33zM1740.81 379.26v297.8c0 71.31-58.52 128.26-127.83 128.2-32.47.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13 11.97 32.36 19.22 52.28 19.2 44.86 0 81.17-36.69 81.17-81.55v-71.39c-22.26 18.42-50.67 29.09-81.17 29.06-69.46.06-127.95-56-127.95-127.85V379.24h46.64l.02 127.64c0 44.67 36.39 81.6 81.28 81.55 44.86 0 81.17-36.69 81.17-81.55V379.26h46.66z"/><path class="st1" d="M428.54 364.9h.12c6.56.01 11.98-5.03 11.98-11.58V135.99l-12.23-6.83-12.18 6.8v217.36c0 6.56 5.43 11.61 11.98 11.58h.33z"/><path d="M355.18 463.55 153.55 598.87v15.41l11.49 6.29 203.73-136.73c5.23-3.51 6.53-10.52 3.15-15.84-.14-.23-.29-.45-.43-.68-3.5-5.62-10.81-7.46-16.31-3.77z" style="fill:#0744dd"/><path d="m488.27 483.95 203.55 136.61 11.45-6.28v-15.44L501.86 463.66c-5.51-3.7-12.82-1.87-16.32 3.76-.13.21-.27.43-.4.64-3.41 5.34-2.12 12.37 3.13 15.89z" style="fill:#ffc900"/><path class="st0" d="M727.69 282.29v-13.96l-12.5-6.98-.93-.49-273.93-152.99-11.92-6.64-11.87 6.64-273.98 152.99-.93.49-12.5 6.98v13.96l-.93.54.93.49v345.42l12.69 6.94 266.85 146.2 3.37 1.85 16.41 8.98 16.36-8.98 3.37-1.85 266.85-146.2 12.65-6.94V283.37l.98-.54-.97-.54zM440.95 758.05V511.4c0-6.72-5.5-12.22-12.22-12.21h-.32c-6.72-.01-12.22 5.49-12.22 12.21v246.64L165.04 620.57l-11.49-6.29V294.7l199.98 109.56c5.77 3.16 13.1 1.04 16.28-4.72l.14-.26c3.22-5.83 1.08-13.22-4.76-16.42L167.81 274.72l248.42-138.75 12.18-6.8 12.23 6.83 248.37 138.73-197.54 108.22c-5.81 3.18-7.63 10.45-4.41 16.24.05.1.11.2.16.29 3.16 5.73 10.22 8.01 15.96 4.86L703.27 294.7v319.59l-11.45 6.28-250.87 137.48z"/><circle cx="428.54" cy="432.05" r="35.42" style="fill:#ff0036"/><path class="st1" d="M617.65 262.99 426.32 155.74c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l191.33 107.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM533.81 271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l107.48 60.25c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.97-16.62 4.68zM569.02 291c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68 5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM462.29 288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l35.7 20.01c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68zM516.16 321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62 3.3-5.88 10.74-7.98 16.62-4.68l20.67 11.58c5.88 3.3 7.98 10.74 4.68 16.62-3.3 5.88-10.74 7.98-16.62 4.68z"/></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 3.9 KiB

9
docs/assets/javascripts/trivy_v1_homepage.js
View File

File diff suppressed because one or more lines are too long

8
docs/build/Dockerfile vendored
View File

@@ -1,6 +1,10 @@
FROM squidfunk/mkdocs-material:9.5.44
FROM squidfunk/mkdocs-material:9.4.6
# https://squidfunk.github.io/mkdocs-material/getting-started/?h=macros#with-docker-material-for-mkdocs
## If you want to see exactly the same version as is published to GitHub pages
## use a private image for insiders, which requires authentication.
# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
# FROM ghcr.io/squidfunk/mkdocs-material-insiders
COPY requirements.txt .
RUN pip install -r requirements.txt

3
docs/build/requirements.in vendored
View File

@@ -1,3 +0,0 @@
mkdocs-material==9.5.44
mkdocs-macros-plugin
mike

136
docs/build/requirements.txt vendored
View File

@@ -1,114 +1,30 @@
#
# This file is autogenerated by pip-compile with Python 3.13
# by the following command:
#
# pip-compile --output-file=docs/build/requirements.txt docs/build/requirements.in
#
babel==2.16.0
# via mkdocs-material
certifi==2024.8.30
# via requests
charset-normalizer==3.4.0
# via requests
click==8.1.7
# via mkdocs
colorama==0.4.6
# via mkdocs-material
ghp-import==2.1.0
# via mkdocs
hjson==3.1.0
# via
# mkdocs-macros-plugin
# super-collections
idna==3.10
# via requests
importlib-metadata==8.5.0
# via mike
importlib-resources==6.4.5
# via mike
jinja2==3.1.4
# via
# mike
# mkdocs
# mkdocs-macros-plugin
# mkdocs-material
markdown==3.7
# via
# mkdocs
# mkdocs-material
# pymdown-extensions
markupsafe==3.0.2
# via
# jinja2
# mkdocs
click==8.1.2
csscompressor==0.9.5
ghp-import==2.0.2
htmlmin==0.1.12
importlib-metadata==4.11.3
Jinja2==3.1.1
jsmin==3.0.1
Markdown==3.3.6
MarkupSafe==2.1.1
mergedeep==1.3.4
# via
# mkdocs
# mkdocs-get-deps
mike==2.1.3
# via -r docs/build/requirements.in
mkdocs==1.6.1
# via
# mike
# mkdocs-macros-plugin
# mkdocs-material
mkdocs-get-deps==0.2.0
# via mkdocs
mkdocs-macros-plugin==1.3.7
# via -r docs/build/requirements.in
mkdocs-material==9.5.44
# via -r docs/build/requirements.in
mkdocs-material-extensions==1.3.1
# via mkdocs-material
packaging==24.2
# via
# mkdocs
# mkdocs-macros-plugin
paginate==0.5.7
# via mkdocs-material
pathspec==0.12.1
# via
# mkdocs
# mkdocs-macros-plugin
platformdirs==4.3.6
# via mkdocs-get-deps
pygments==2.18.0
# via mkdocs-material
pymdown-extensions==10.12
# via mkdocs-material
pyparsing==3.2.0
# via mike
python-dateutil==2.9.0.post0
# via
# ghp-import
# mkdocs-macros-plugin
pyyaml==6.0.2
# via
# mike
# mkdocs
# mkdocs-get-deps
# mkdocs-macros-plugin
# pymdown-extensions
# pyyaml-env-tag
mike==1.1.2
mkdocs==1.3.0
mkdocs-macros-plugin==0.7.0
mkdocs-material==8.3.9
mkdocs-material-extensions==1.0.3
mkdocs-minify-plugin==0.5.0
mkdocs-redirects==1.0.4
packaging==21.3
Pygments==2.12.0
pymdown-extensions==9.5
pyparsing==3.0.8
python-dateutil==2.8.2
PyYAML==6.0.1
pyyaml-env-tag==0.1
# via
# mike
# mkdocs
regex==2024.11.6
# via mkdocs-material
requests==2.32.3
# via mkdocs-material
six==1.16.0
# via python-dateutil
super-collections==0.5.3
# via mkdocs-macros-plugin
termcolor==2.5.0
# via mkdocs-macros-plugin
urllib3==2.2.3
# via requests
termcolor==1.1.0
verspec==0.1.0
# via mike
watchdog==6.0.0
# via mkdocs
zipp==3.21.0
# via importlib-metadata
watchdog==2.1.7
zipp==3.8.0

6
docs/community/contribute/discussion.md
View File

@@ -38,12 +38,12 @@ If the data source is correct and Trivy shows wrong results, please raise an iss
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues)
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.

13
docs/community/contribute/pr.md
View File

@@ -1,6 +1,7 @@
Thank you for taking interest in contributing to Trivy!
1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
1. Please add the associated Issue link in the PR description.
1. Your PR is more likely to be accepted if it focuses on just one change.
1. There's no need to add or tag reviewers.
1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
@@ -121,7 +122,7 @@ os:
- redhat
- alma
- rocky
- azure
- mariner
- oracle
- debian
- ubuntu
@@ -184,20 +185,12 @@ others:
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
**Breaking changes**
A PR, introducing a breaking API change, needs to append a `!` after the type/scope.
### Example titles
```
feat(alma): add support for AlmaLinux
```
```
feat(vuln)!: delete the existing CLI flag
```
```
fix(oracle): handle advisories with ksplice versions
```

59
docs/community/maintainer/backporting.md
View File

@@ -1,59 +0,0 @@
# Backporting Process
This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
## When to Create Patch Releases
In general, small changes should not be backported and should be included in the next minor release.
However, patch releases should be made in the following cases:
* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
## Versioning
Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
When creating a patch release, the PATCH part of the version number is incremented.
For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
## Backporting Procedure
1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
1. Once the PR with the fixes is merged, comment `@aqua-bot backport <release-branch>` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
1. Once the tests pass, merge the automatically created PR into the release branch.
1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
!!! note
Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
### Example
To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
```mermaid
gitGraph:
commit id:"Feature 1"
commit id:"v0.50.0 release" tag:"v0.50.0"
branch "release/v0.50"
checkout main
commit id:"Bugfix 1"
checkout "release/v0.50"
cherry-pick id:"Bugfix 1"
checkout main
commit id:"Feature 2"
commit id:"Bugfix 2"
commit id:"Feature 3"
checkout "release/v0.50"
cherry-pick id:"Bugfix 2"
commit id:"v0.50.1 release" tag:"v0.50.1"
```

24
docs/community/maintainer/release-flow.md
View File

@@ -10,16 +10,15 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
!!! note
Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release).
## Flow
The release flow consists of the following main steps:
1. Creating the release PR (automatically or manually)
1. Drafting the release notes in GitHub Discussions
1. Drafting the release notes
1. Merging the release PR
1. Updating the release notes in GitHub Discussions
1. Navigating to the release notes in GitHub Releases page
1. Updating the release notes
### Automatic Release PR Creation
When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
@@ -58,23 +57,6 @@ When the PR is merged, a tag is automatically created, and [GoReleaser][goreleas
If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
Copy the draft release notes, adjust the formatting, and finalize the release notes.
### Navigating to the Release Notes
To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
```
## ⚡Release highlights and summary⚡
👉 https://github.com/aquasecurity/trivy/discussions/6838
## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03
```
Replace URLs with appropriate ones.
Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
The release is now complete.
[conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/

2
docs/community/maintainer/triage.md
View File

@@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.
We have specific [guidelines](./help-wanted.md)
We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also

157
docs/docs/advanced/air-gap.md
View File

@@ -1,77 +1,142 @@
# Connectivity and Network considerations
# Air-Gapped Environment
Trivy requires internet connectivity in order to function normally. If your organizations blocks or restricts network traffic, that could prevent Trivy from working correctly.
This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted networks environments, including completely air-gapped environments.
Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
The following table lists all external resources that are required by Trivy:
## Air-Gapped Environment for vulnerabilities
External Resource | Feature | Details
--- | --- | ---
Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)
### Download the vulnerability database
At first, you need to download the vulnerability database for use in air-gapped environments.
=== "Trivy"
```
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
```
=== "oras >= v0.13.0"
Please follow [oras installation instruction][oras].
Download `db.tar.gz`:
```
$ oras pull ghcr.io/aquasecurity/trivy-db:2
```
=== "oras < v0.13.0"
Please follow [oras installation instruction][oras].
Download `db.tar.gz`:
```
$ oras pull -a ghcr.io/aquasecurity/trivy-db:2
```
### Download the Java index database[^1]
Java users also need to download the Java index database for use in air-gapped environments.
!!! note
Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.
You container image may contain JAR files even though you don't use Java directly.
In that case, you also need to download the Java index database.
The rest of this document details each resource's connectivity requirements and network related considerations.
=== "Trivy"
## OCI Databases
```
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
rm -rf $TRIVY_TEMP_DIR
```
=== "oras >= v0.13.0"
Please follow [oras installation instruction][oras].
Trivy's Vulnerability, Java, and Checks Bundle are packaged as OCI images and stored in public container registries.
Download `javadb.tar.gz`:
### Connectivity requirements
```
$ oras pull ghcr.io/aquasecurity/trivy-java-db:1
```
The specific registries and locations are detailed in the [databases document](../configuration/db.md).
=== "oras < v0.13.0"
Please follow [oras installation instruction][oras].
Communication with OCI Registries follows the [OCI Distribution](https://github.com/opencontainers/distribution-spec) spec.
Download `javadb.tar.gz`:
The following hosts are known to be used by the default container registries:
```
$ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
```
Registry | Hosts | Additional info
--- | --- | ---
Google Artifact Registry | <ul><li>`mirror.gcr.io`</li><li>`googlecode.l.googleusercontent.com`</li></ul> | [Google's IP addresses](https://support.google.com/a/answer/10026322?hl=en)
GitHub Container Registry | <ul><li>`ghcr.io`</li><li>`pkg-containers.githubusercontent.com`</li></ul> | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)
### Self-hosting
### Transfer the DB files into the air-gapped environment
The way of transfer depends on the environment.
You can host Trivy's databases in your own container registry. Please refer to [Self-hosting document](./self-hosting.md#oci-databases) for a detailed guide.
=== "Vulnerability db"
```
$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
```
## Embedded Checks
=== "Java index db[^1]"
```
$ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
```
Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
### Put the DB files in Trivy's cache directory
You have to know where to put the DB files. The following command shows the default cache directory.
## VEX Hub
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
=== "Vulnerability db"
Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
### Connectivity Requirements
=== "Java index db[^1]"
Put the DB file in the cache directory + `/java-db`.
VEX Hub is hosted as at <https://github.com/aquasecurity/vexhub>.
```
$ mkdir -p /home/myuser/.cache/trivy/java-db
$ cd /home/myuser/.cache/trivy/java-db
$ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
x trivy-java.db
x metadata.json
$ rm /path/to/javadb.tar.gz
```
Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests.
The following hosts are known to be used by GitHub's services:
- `api.github.com`
- `codeload.github.com`
In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
For more information about GitHub connectivity (including specific IP addresses), please refer to [GitHub's connectivity troubleshooting guide](https://docs.github.com/en/get-started/using-github/troubleshooting-connectivity-problems).
### Run Trivy with the specific flags.
In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
### Self-hosting
```
$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12
```
You can host a copy of VEX Hub on your own internal server. Please refer to the [self-hosting document](./self-hosting.md#vex-hub) for a detailed guide.
## Air-Gapped Environment for misconfigurations
## Maven Central / Remote Repositories
No special measures are required to detect misconfigurations in an air-gapped environment.
Trivy might call out to Maven central or other remote repositories to fetch in order to correctly identify Java packages during a vulnerability scan.
### Run Trivy with `--skip-check-update` option
In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks.
### Connectivity requirements
```
$ trivy conf --skip-policy-update /path/to/conf
```
Trivy might attempt to connect (over HTTPS) to the following URLs:
[allowlist]: ../references/troubleshooting.md
[oras]: https://oras.land/docs/installation
- `https://repo.maven.apache.org/maven2`
### Offline mode
There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)

34
docs/docs/advanced/private-registries/index.md
View File

@@ -1,30 +1,13 @@
Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
This makes it easy to run within a CI process.
## Login
You can log in to a private registry using the `trivy registry login` command.
It uses the Docker configuration file (`~/.docker/config.json`) to store the credentials under the hood, and the configuration file path can be configured by `DOCKER_CONFIG` environment variable.
```shell
$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io
$ trivy image ghcr.io/your/private_image
```
## Passing Credentials
You can also provide your credentials when scanning.
## Credential
To use Trivy with private images, simply install it and provide your credentials:
```shell
$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
```
!!! warning
When passing credentials via environment variables or CLI flags, Trivy will attempt to use these credentials for all registries encountered during scanning, regardless of the target registry.
This can potentially lead to unintended credential exposure.
To mitigate this risk:
1. Set credentials cautiously and only when necessary.
2. Prefer using `trivy registry login` to pre-configure credentials with specific registries, which ensures credentials are only sent to appropriate registries.
Trivy also supports providing credentials through CLI flags:
```shell
@@ -34,7 +17,6 @@ $ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE
!!! warning
The CLI flag `--password` is available, but its use is not recommended for security reasons.
You can also store your credentials in `trivy.yaml`.
For more information, please refer to [the documentation](../../references/configuration/config-file.md).
@@ -53,5 +35,15 @@ In the example above, Trivy attempts to use two pairs of credentials:
Please note that the number of usernames and passwords must be the same.
## docker login
If you have Docker configured locally and have set up the credentials, Trivy can access them.
```shell
$ docker login ghcr.io
Username:
Password:
$ trivy image ghcr.io/your/private_image
```
!!! note
`--password-stdin` doesn't support comma-separated passwords.
`docker login` can be used with any container runtime, such as Podman.

132
docs/docs/advanced/self-hosting.md
View File

@@ -1,132 +0,0 @@
# Self-Hosting Trivy's Databases
This document explains how to host Trivy's [external dependencies](./air-gap.md) in your own infrastructure to prevent external network access. If you haven't already, please familiarize yourself with the [Databases document](../configuration/db.md) that explains about the different databases used by Trivy and the different configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
## OCI databases
The following [Trivy Databases](../configuration/db.md) are packaged as OCI images:
- `trivy-db`
- `trivy-java-db`
- `trivy-checks`
To host these databases in your own infrastructure:
### Make a local copy
Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
!!! note
You will need to keep the databases updated in order to maintain relevant scanning results over time.
### Configure Trivy
Use the appropriate [database location flags](../configuration/db.md#database-locations) to change the db-repository location:
- `--db-repository`
- `--java-db-repository`
- `--checks-bundle-repository`
### Authentication
If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
### OCI Media Types
When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
DB | Media Type | Reference
--- | --- | ---
`trivy-db` | `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` | <https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db>
`trivy-java-db` | `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip` | https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
`trivy-checks` | `application/vnd.oci.image.manifest.v1+json` | https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
## Manual cache population
Trivy uses a local cache directory to store the database files, as described in the [cache](../configuration/cache.md) document.
You can download the databases files and surgically populate the Trivy cache directory with them.
### Downloading the DB files
On a machine with internet access, pull the database container archive from the public registry into your local workspace:
Note that these examples operate in the current working directory.
=== "Using ORAS"
This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
```shell
oras pull ghcr.io/aquasecurity/trivy-db:2
```
You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
```shell
tar -xzf db.tar.gz
```
=== "Using Trivy"
This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
```shell
trivy image --cache-dir . --download-db-only
```
You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
### Populating the Trivy Cache
In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
```shell
trivy -h | grep cache
```
For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
```shell
TRIVY_CACHE_DIR=/home/user/.cache/trivy
```
Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
```shell
# ensure cache db directory exists
mkdir -p ${TRIVY_CACHE_DIR}/db
# copy the db files
cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
```
### Java DB adaptations
For Java DB the process is the same, except for the following:
1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
2. Archive file name is `javadb.tar.gz`
3. DB file name is `trivy-java.db`
## VEX Hub
### Make a local copy
To make a copy of VEX Hub in a location that is accessible to Trivy.
1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: <https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip>.
1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: <https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json>.
1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
1. Make the manifest file available for serving from your server under the `/.well-known` path (e.g `https://server.local/.well-known/vex-repository.json`).
### Configure Trivy
To configure Trivy to use the local VEX Repository:
1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
1. Disable the default VEX Hub repo (`enabled: false`)
1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
### Authentication
If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).

225
docs/docs/compliance/compliance.md
View File

@@ -10,6 +10,7 @@ Trivys compliance flag lets you curate a specific set of checks into a report
Compliance report is currently supported in the following targets (trivy sub-commands):
- `trivy image`
- `trivy aws`
- `trivy k8s`
Add the `--compliance` flag to the command line, and set it's value to desired report.
@@ -34,231 +35,9 @@ to specify a built-in compliance report, select it by ID like `trivy --complianc
For the list of built-in compliance reports, please see the relevant section:
- [Docker compliance](../target/container_image.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)
## Contribute a Built-in Compliance Report
### Define a Compliance spec, based on CIS benchmark or other specs
Here is an example for CIS compliance report:
```yaml
---
spec:
id: k8s-cis-1.23
title: CIS Kubernetes Benchmarks v1.23
description: CIS Kubernetes Benchmarks
platform: k8s
type: cis
version: '1.23'
relatedResources:
- https://www.cisecurity.org/benchmark/kubernetes
controls:
- id: 1.1.1
name: Ensure that the API server pod specification file permissions are set to
600 or more restrictive
description: Ensure that the API server pod specification file has permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0073
commands:
- id: CMD-0001
severity: HIGH
```
### Compliance ID
ID field is the name used to execute the compliance scan via trivy
example:
```sh
trivy k8s --compliance k8s-cis-1.23
```
ID naming convention: {platform}-{type}-{version}
### Compliance Platform
The platform field specifies the type of platform on which to run this compliance report.
Supported platforms:
- k8s (native kubernetes cluster)
- eks (elastic kubernetes service)
- aks (azure kubernetes service)
- gke (google kubernetes engine)
- rke2 (rancher kubernetes engine v2)
- ocp (OpenShift Container Platform)
- docker (docker engine)
- aws (amazon web services)
### Compliance Type
The type field specifies the kind compliance report.
- cis (Center for Internet Security)
- nsa (National Security Agency)
- pss (Pod Security Standards)
### Compliance Version
The version field specifies the version of the compliance report.
- 1.23
### Compliance Check ID
Specify the check ID that needs to be evaluated based on the information collected from the command data output to assess the control.
Example of how to define check data under [checks folder](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
```sh
# METADATA
# title: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
# description: "Ensure that the kubelet.conf file has permissions of 600 or more restrictive."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://www.cisecurity.org/benchmark/kubernetes
# custom:
# id: KCV0073
# avd_id: AVD-KCV-0073
# severity: HIGH
# short_code: ensure-kubelet.conf-file-permissions-600-or-more-restrictive.
# recommended_action: "Change the kubelet.conf file permissions to 600 or more restrictive if exist"
# input:
# selector:
# - type: kubernetes
package builtin.kubernetes.KCV0073
import data.lib.kubernetes
types := ["master", "worker"]
validate_kubelet_file_permission(sp) := {"kubeletConfFilePermissions": violation} {
sp.kind == "NodeInfo"
sp.type == types[_]
violation := {permission | permission = sp.info.kubeletConfFilePermissions.values[_]; permission > 600}
count(violation) > 0
}
deny[res] {
output := validate_kubelet_file_permission(input)
msg := "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
res := result.new(msg, output)
}
```
### Compliance Command ID
***Note:*** This field is not mandatory, it is relevant to k8s compliance report when node-collector is in use
Specify the command ID (#ref) that needs to be executed to collect the information required to evaluate the control.
Example of how to define command data under [commands folder](https://github.com/aquasecurity/trivy-checks/tree/main/commands)
```yaml
---
- id: CMD-0001
key: kubeletConfFilePermissions
title: kubelet.conf file permissions
nodeType: worker
audit: stat -c %a $kubelet.kubeconfig
platfroms:
- k8s
- aks
```
#### Command ID
Find the next command ID by running the command on [trivy-checks project](https://github.com/aquasecurity/trivy-checks).
```sh
make command-id
```
#### Command Key
- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
Note: The key value should match the key name evaluated by the Rego check.
### Command Title
Represent the purpose of the command
### Command NodeType
Specify the node type on which the command is supposed to run.
- worker
- master
### Command Audit
Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
### Command Platforms
The list of platforms that support this command. Name should be taken from this list [Platforms](#compliance-platform)
### Command Config Files
The commands use a configuration file that helps obtain the paths to binaries and configuration files based on different platforms (e.g., Rancher, native Kubernetes, etc.).
For example:
```yaml
kubelet:
bins:
- kubelet
- hyperkube kubelet
confs:
- /etc/kubernetes/kubelet-config.yaml
- /var/lib/kubelet/config.yaml
```
### Commands Files Location
Currently checks files location are :`https://github.com/aquasecurity/trivy-checks/tree/main/checks`
Command files location: `https://github.com/aquasecurity/trivy-checks/tree/main/commands`
under command file
Note: command config files will be located under `https://github.com/aquasecurity/trivy-checks/tree/main/commands` as well
### Node-collector output
The node collector will read commands and execute each command, and incorporate the output into the NodeInfo resource.
example:
```json
{
"apiVersion": "v1",
"kind": "NodeInfo",
"metadata": {
"creationTimestamp": "2023-01-04T11:37:11+02:00"
},
"type": "master",
"info": {
"adminConfFileOwnership": {
"values": [
"root:root"
]
},
"adminConfFilePermissions": {
"values": [
600
]
}
...
}
}
```
## Custom compliance
You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:

14
docs/docs/compliance/contrib-compliance.md
View File

@@ -1,26 +1,26 @@
# Custom Compliance Spec
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance)
New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
## Contributing new Compliance Specs
Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
### Create a new Compliance Spec
The existing compliance specs in Trivy are located under the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
The existing compliance specs in Trivy are located under the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.
### Minimum spec structure
The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance).
The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance).
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
@@ -35,9 +35,9 @@ Additional information is provided below.
#### 1. Referencing a check that is already part of Trivy
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance) available.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available.
For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark:
`3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)`

66
docs/docs/configuration/cache.md
View File

@@ -1,90 +1,60 @@
# Cache
The cache directory includes
- Cache of previous scans (Scan cache).
- [Vulnerability Database][trivy-db][^1]
- [Java Index Database][trivy-java-db][^2]
- [Misconfiguration Checks][misconf-checks][^3]
- [VEX Repositories](../supply-chain/vex/repo.md)
- Cache of previous scans.
The cache option is common to all scanners.
## Clear Caches
`trivy clean` subcommand removes caches.
The `--clear-cache` option removes caches.
```bash
$ trivy clean --scan-cache
**The scan is not performed.**
```
$ trivy image --clear-cache
```
<details>
<summary>Result</summary>
```
2024-06-21T21:58:21+04:00 INFO Removing scan cache...
2019-11-15T15:13:26.209+0200 INFO Reopening vulnerability DB
2019-11-15T15:13:26.209+0200 INFO Removing image caches...
```
</details>
If you want to delete cached vulnerability databases, use `--vuln-db`.
You can also delete all caches with `--all`.
See `trivy clean --help` for details.
## Cache Directory
Specify where the cache is stored with `--cache-dir`.
```bash
```
$ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9
```
## Scan Cache Backend
## Cache Backend
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy utilizes a scan cache to store analysis results, such as package lists.
It supports three types of backends for this cache:
Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.
- Local File System (`fs`)
- The cache path can be specified by `--cache-dir`
- Memory (`memory`)
- Redis (`redis://`)
Two options:
- `fs`
- the cache path can be specified by `--cache-dir`
- `redis://`
- `redis://[HOST]:[PORT]`
- TTL can be configured via `--cache-ttl`
### Local File System
The local file system backend is the default choice for container and VM image scans.
When scanning container images, it stores analysis results on a per-layer basis, using layer IDs as keys.
This approach enables faster scans of the same container image or different images that share layers.
!!! note
Internally, this backend uses [BoltDB][boltdb], which has an important limitation: only one process can access the cache at a time.
Subsequent processes attempting to access the cache will be locked.
For more details on this limitation, refer to the [troubleshooting guide][parallel-run].
### Memory
The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
This makes it useful in scenarios where caching is not required or desired.
It serves as the default for repository, filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
To use the memory backend for a container image scan, you can use the following command:
```bash
$ trivy image debian:11 --cache-backend memory
```
### Redis
The Redis backend is particularly useful when you need to share the cache across multiple Trivy instances.
You can set up Trivy to use a Redis backend with a command like this:
```bash
$ trivy server --cache-backend redis://localhost:6379
```
This approach allows for centralized caching, which can be beneficial in distributed or high-concurrency environments.
If you want to use TLS with Redis, you can enable it by specifying the `--redis-tls` flag.
```bash
```shell
$ trivy server --cache-backend redis://localhost:6379 --redis-tls
```
@@ -101,8 +71,6 @@ $ trivy server --cache-backend redis://localhost:6379 \
[trivy-db]: ./db.md#vulnerability-database
[trivy-java-db]: ./db.md#java-index-database
[misconf-checks]: ../scanner/misconfiguration/check/builtin.md
[boltdb]: https://github.com/etcd-io/bbolt
[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[^1]: Downloaded when scanning for vulnerabilities
[^2]: Downloaded when scanning `jar/war/par/ear` files

160
docs/docs/configuration/db.md
View File

@@ -1,129 +1,85 @@
# Trivy Databases
# DB
When you install Trivy, the installed artifact contains the scanner engine but is lacking relevant security information needed to make security detections and recommendations.
These so called "databases" are automatically fetched and maintained by Trivy as needed, so normally you shouldn't notice or worry about them.
This document elaborates on the database management mechanism and its configuration options.
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |
Trivy relies on the following databases:
The vulnerability database and the Java index database are needed only for vulnerability scanning.
See [here](../scanner/vulnerability.md) for the detail.
DB | Artifact name | Contents | Purpose
--- | --- | --- | ---
Vulnerabilities DB | `trivy-db` | CVE information collected from various feeds | used only for [vulnerability scanning](../scanner/vulnerability.md)
Java DB | `trivy-java-db` | Index of Java artifacts and their hash digest | used to identify Java artifacts only in [JAR scanning](../coverage/language/java.md)
Checks Bundle | `trivy-checks` | Logic of misconfiguration checks | used only in [misconfiguration/IaC scanning](../scanner/misconfiguration/check/builtin.md)
## Vulnerability Database
!!! note
This is not an exhaustive list of Trivy's external connectivity requirements.
There are additional external resources which may be required by specific Trivy features.
To learn about external connectivity requirements, see the [Advanced Network Scenarios](../advanced/air-gap.md).
## Locations
Trivy's databases are published to the following locations:
| Registry | Image Address | Link
| --- | --- | ---
| GHCR | `ghcr.io/aquasecurity/trivy-db` | <https://ghcr.io/aquasecurity/trivy-db>
| | `ghcr.io/aquasecurity/trivy-java-db` | <https://ghcr.io/aquasecurity/trivy-java-db>
| | `ghcr.io/aquasecurity/trivy-checks` | <https://ghcr.io/aquasecurity/trivy-checks>
| Docker Hub | `aquasec/trivy-db` | <https://hub.docker.com/r/aquasec/trivy-db>
| | `aquasec/trivy-java-db` | <https://hub.docker.com/r/aquasec/trivy-java-db>
| | `aquasec/trivy-checks` | <https://hub.docker.com/r/aquasec/trivy-checks>
| AWS ECR | `public.ecr.aws/aquasecurity/trivy-db` | <https://gallery.ecr.aws/aquasecurity/trivy-db>
| | `public.ecr.aws/aquasecurity/trivy-java-db` | <https://gallery.ecr.aws/aquasecurity/trivy-java-db>
| | `public.ecr.aws/aquasecurity/trivy-checks` | <https://gallery.ecr.aws/aquasecurity/trivy-checks>
In addition, images are also available via pull-through cache registries like [Google Container Registry Mirror](https://cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images).
## Default Locations
Trivy will attempt to pull images from the following registries in the order specified.
1. `mirror.gcr.io/aquasec`
2. `ghcr.io/aquasecurity`
You can specify additional alternative repositories as explained in the [configuring database locations section](#database-locations).
## DB Management Configuration
### Database Locations
You can configure Trivy to download databases from alternative locations by using the flags:
- `--db-repository`
- `--java-db-repository`
- `--checks-bundle-repository`
The value should be an image address in a container registry.
For example:
### Skip update of vulnerability DB
If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.
```
trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
$ trivy image --skip-db-update python:3.4-alpine3.9
```
The flags accepts multiple values, which can be used to specify multiple alternative repository locations. In case of a transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.
For example:
<details>
<summary>Result</summary>
```
trivy image --db-repository my.registry.local/trivy-db --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
2019-05-16T12:48:08.703+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback.
</details>
!!! note
Setting the repository location flags override the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list the you set as repository locations.
### Only download vulnerability database
You can also ask `Trivy` to simply retrieve the vulnerability database.
This is useful to initialize workers in Continuous Integration systems.
```
$ trivy image --download-db-only
```
### DB Repository
`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
```
$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
```
!!!note
When pulling `trivy-db` or `trivy-java-db`, if image tag is not specified, Trivy defaults to the db schema number instead of the `latest` tag.
Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
### Skip updates
`trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
You can configure Trivy to not attempt to download any or all database(s), using the flags:
## Java Index Database
The same options are also available for the Java index DB, which is used for scanning Java applications.
Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
- `--skip-db-update`
- `--skip-java-db-update`
- `--skip-check-update`
!!! Note
In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
For example:
Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
```
trivy image --skip-db-update --skip-java-db-update --skip-check-update alpine
$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
```
### Only update
!!!note
Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
You can ask `Trivy` to only update the database without performing a scan. This action will ensure Trivy is up to date, and populate Trivy's database cache for subsequent scans.
`java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
- `--download-db-only`
- `--download-java-db-only`
For example:
## Remove DBs
The `--reset` flag removes all caches and databases.
```
trivy image --download-db-only
```
Note that currently there is no option to download only the Checks Bundle.
### Remove Databases
`trivy clean` command removes caches and databases.
You can select which cache component to remove:
option | description
--- | ---
`-a`/`--all` | remove all caches
`--checks-bundle` | remove checks bundle
`--java-db` | remove Java database
`--scan-cache` | remove scan cache (container and VM image analysis results)
`--vuln-db` | remove vulnerability database
Example:
```
$ trivy clean --vuln-db --java-db
2024-06-24T11:42:31+06:00 INFO Removing vulnerability database...
2024-06-24T11:42:31+06:00 INFO Removing Java database...
```
$ trivy image --reset
```

16
docs/docs/configuration/filtering.md
View File

@@ -101,7 +101,7 @@ Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
</details>
```bash
trivy config --severity HIGH,CRITICAL examples/misconf/mixed
trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
```
<details>
@@ -112,7 +112,7 @@ trivy config --severity HIGH,CRITICAL examples/misconf/mixed
Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1)
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Last USER command in Dockerfile should not be 'root'
@@ -130,13 +130,13 @@ See https://avd.aquasec.com/misconfig/ds002
deployment.yaml (kubernetes)
============================
Tests: 8 (SUCCESSES: 8, FAILURES: 0)
Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)
main.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)
CRITICAL: Classic resources should not be used.
@@ -238,7 +238,7 @@ You can filter the results by
To show the suppressed results, use the `--show-suppressed` flag.
!!! note
It's exported as `ExperimentalModifiedFindings` in the JSON output.
This flag is currently available only in the table format.
```bash
$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
@@ -477,13 +477,13 @@ ignore {
```
```bash
trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7
trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
```
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
You can create a whitelist of checks using Rego, see the detailed [example](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies/whitelist.rego). Additional examples are available [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies).
You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
### By Vulnerability Exploitability Exchange (VEX)
| Scanner | Supported |
@@ -493,7 +493,7 @@ You can create a whitelist of checks using Rego, see the detailed [example](http
| Secret | |
| License | |
Please refer to the [VEX documentation](../supply-chain/vex/index.md) for the details.
Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
[^1]: license name is used as id for `.trivyignore.yaml` files.

23
docs/docs/configuration/index.md
View File

@@ -1,21 +1,23 @@
# Configuration
Trivy's settings can be configured in any of the following methods, which will apply in the following precedence:
Trivy can be configured using the following ways. Each item takes precedence over the item below it:
1. CLI flags (overrides all other settings)
2. Environment variables (overrides config file settings)
3. Configuration file
- CLI flags
- Environment variables
- Configuration file
## CLI Flags
You can view the list of available flags by adding the `--help` flag to a Trivy command, or by exploring the [CLI reference](../references/configuration/cli/trivy.md).
You can view the list of available flags using the `--help` option.
For more details, please refer to [the CLI reference](../references/configuration/cli/trivy.md).
## Environment Variables
Any CLI option can be set as an environment variable. The environment variable name are similar to the CLI option name, with the following augmentations:
Trivy can be customized by environment variables.
The environment variable key is the flag name converted by the following procedure.
- Add `TRIVY_` prefix
- All uppercase letters
- Make it all uppercase
- Replace `-` with `_`
For example:
For example,
- `--debug` => `TRIVY_DEBUG`
- `--cache-dir` => `TRIVY_CACHE_DIR`
@@ -25,6 +27,5 @@ $ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
```
## Configuration File
Any setting can be set in a YAML file. By default, config file named `trivy.yaml` is read from the current directory where Trivy is run. To load configuration from a different file, use the `--config` flag and specify the config path to load: `trivy --config /etc/trivy/myconfig.yaml`.
The structure and settings of the YAML config file is documented in the [Config file](../references/configuration/config-file.md) document.
By default, Trivy reads the `trivy.yaml` file.
For more details, please refer to [the page](../references/configuration/config-file.md).

26
docs/docs/configuration/reporting.md
View File

@@ -5,7 +5,7 @@ Trivy supports the following formats:
- Table
- JSON
- [SARIF][sarif-home]
- [SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)
- Template
- SBOM
- GitHub dependency snapshot
@@ -64,7 +64,6 @@ The following languages are currently supported:
| PHP | [composer.lock][composer-lock] |
| Java | [pom.xml][pom-xml] |
| | [*gradle.lockfile][gradle-lockfile] |
| | [*.sbt.lock][sbt-lockfile] |
| Dart | [pubspec.lock][pubspec-lock] |
This tree is the reverse of the dependency graph.
@@ -252,19 +251,16 @@ $ trivy image -f json -o results.json golang:1.12-alpine
| Secret | ✓ |
| License | ✓ |
[SARIF][sarif-home] (Static Analysis Results Interchange Format) complying with [SARIF 2.1.0 OASIS standard][sarif-spec] can be generated with the `--format sarif` flag.
[SARIF][sarif] can be generated with the `--format sarif` flag.
```
$ trivy image --format sarif -o report.sarif golang:1.12-alpine
```
This SARIF file can be uploaded to several platforms, including:
- [GitHub code scanning results][sarif-github], and there is a [Trivy GitHub Action][action] for automating this process
- [SonarQube][sarif-sonar]
This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
### GitHub dependency snapshot
Trivy supports the following packages:
Trivy supports the following packages.
- [OS packages][os_packages]
- [Language-specific packages][language_packages]
@@ -428,15 +424,12 @@ $ trivy convert --format table --severity CRITICAL result.json
```
!!! note
JSON reports from "trivy k8s" are not yet supported.
JSON reports from "trivy aws" and "trivy k8s" are not yet supported.
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
[action]: https://github.com/aquasecurity/trivy-action
[asff]: ../../tutorials/integrations/aws-security-hub.md
[sarif-home]: https://sarifweb.azurewebsites.net
[sarif-spec]: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
[sarif-github]: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning
[sarif-sonar]: https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/importing-issues-from-sarif-reports/
[sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
[sprig]: http://masterminds.github.io/sprig/
[github-sbom]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#about-dependency-submissions
[github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
@@ -450,10 +443,9 @@ $ trivy convert --format table --severity CRITICAL result.json
[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
[poetry-lock]: ../coverage/language/python.md#poetry
[gemfile-lock]: ../coverage/language/ruby.md#bundler
[go-mod]: ../coverage/language/golang.md#go-module
[composer-lock]: ../coverage/language/php.md#composerlock
[go-mod]: ../coverage/language/golang.md#go-modules
[composer-lock]: ../coverage/language/php.md#composer
[pom-xml]: ../coverage/language/java.md#pomxml
[gradle-lockfile]: ../coverage/language/java.md#gradlelock
[sbt-lockfile]: ../coverage/language/java.md#sbt
[pubspec-lock]: ../coverage/language/dart.md#dart
[cargo-binaries]: ../coverage/language/rust.md#binaries
[cargo-binaries]: ../coverage/language/rust.md#binaries

2
docs/docs/coverage/iac/cloudformation.md
View File

@@ -21,7 +21,7 @@ It evaluates properties, functions, and other elements within CloudFormation fil
You can provide `cf-params` with path to [CloudFormation Parameters] file to Trivy to scan your CloudFormation code with parameters.
```bash
trivy config --cf-params params.json ./infrastructure/cf
trivy conf --cf-params params.json ./infrastructure/cf
```
You can check a [CloudFormation Parameters Example]

6
docs/docs/coverage/iac/helm.md
View File

@@ -21,7 +21,7 @@ When override values are passed to the Helm scanner, the values will be used dur
Overrides can be set inline on the command line
```bash
trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql
trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
```
#### Setting value file overrides
@@ -35,7 +35,7 @@ securityContext:
```
```bash
trivy config --helm-values overrides.yaml ./charts/mySql
trivy conf --helm-values overrides.yaml ./charts/mySql
```
#### Setting value as explicit string
@@ -49,7 +49,7 @@ trivy config --helm-set-string name=false ./infrastructure/tf
Specific override values can come from specific files
```bash
trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql
trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
```
## Secret

21
docs/docs/coverage/iac/index.md
View File

@@ -8,18 +8,15 @@ Trivy scans Infrastructure as Code (IaC) files for
## Supported configurations
| Config type | File patterns |
|-------------------------------------|----------------------------------|
| [Kubernetes](kubernetes.md) | \*.yml, \*.yaml, \*.json |
| [Docker](docker.md) | Dockerfile, Containerfile |
| [Terraform](terraform.md) | \*.tf, \*.tf.json, \*.tfvars |
| [Terraform Plan](terraform.md) | tfplan, \*.tfplan, \*.json |
| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json |
| [Azure ARM Template](azure-arm.md) | \*.json |
| [Helm](helm.md) | \*.yaml, \*.tpl, \*.tar.gz, etc. |
| [YAML][json-and-yaml] | \*.yaml, \*.yml |
| [JSON][json-and-yaml] | \*.json |
| Config type | File patterns |
|-------------------------------------|-----------------------------------------------|
| [Kubernetes](kubernetes.md) | \*.yml, \*.yaml, \*.json |
| [Docker](docker.md) | Dockerfile, Containerfile |
| [Terraform](terraform.md) | \*.tf, \*.tf.json, \*.tfvars |
| [Terraform Plan](terraform.md) | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json |
| [Azure ARM Template](azure-arm.md) | \*.json |
| [Helm](helm.md) | \*.yaml, \*.tpl, \*.tar.gz, etc. |
[misconf]: ../../scanner/misconfiguration/index.md
[secret]: ../../scanner/secret.md
[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations

39
docs/docs/coverage/iac/terraform.md
View File

@@ -18,13 +18,13 @@ It supports the following formats:
Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
```bash
terraform plan --out tfplan
trivy config tfplan
trivy conf tfplan
```
To scan a Terraform Plan representation in JSON format, run the following command:
```bash
terraform show -json tfplan > tfplan.json
trivy config tfplan.json
trivy conf tfplan.json
```
## Misconfiguration
@@ -35,7 +35,7 @@ It also evaluates variables, imports, and other elements within Terraform files
You can provide `tf-vars` files to Trivy to override default values specified in the Terraform HCL code.
```bash
trivy config --tf-vars dev.terraform.tfvars ./infrastructure/tf
trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
```
### Exclude Downloaded Terraform Modules
@@ -43,37 +43,8 @@ By default, downloaded modules are also scanned.
If you don't want to scan them, you can use the `--tf-exclude-downloaded-modules` flag.
```bash
trivy config --tf-exclude-downloaded-modules ./configs
trivy conf --tf-exclude-downloaded-modules ./configs
```
## Secret
The secret scan is performed on plain text files, with no special treatment for Terraform.
## Limitations
### Terraform Plan JSON
#### For each and count objects in expression
The plan created by Terraform does not provide complete information about references in expressions that use `each` or `count` objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:
```hcl
locals {
buckets = toset(["test"])
}
resource "aws_s3_bucket" "this" {
for_each = local.buckets
bucket = each.key
}
resource "aws_s3_bucket_acl" "this" {
for_each = local.buckets
bucket = aws_s3_bucket.this[each.key].id
acl = "private"
}
```
With this configuration, the plan will not contain information about which attribute of the `aws_s3_bucket` resource is referenced by the `aws_s3_bucket_acl` resource.
See more [here](https://github.com/hashicorp/terraform/issues/30826).
The secret scan is performed on plain text files, with no special treatment for Terraform.

2
docs/docs/coverage/kubernetes.md
View File

@@ -17,7 +17,7 @@ Container image is scanned for:
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom)
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Misconfigurations
- Exposed secrets

5
docs/docs/coverage/language/c.md
View File

@@ -23,11 +23,10 @@ In order to detect dependencies, Trivy searches for `conan.lock`[^1].
### Licenses
The Conan lock file doesn't contain any license information.
To obtain licenses we parse the `conanfile.py` files from the [conan v1 cache directory][conan-v1-cache-dir] and [conan v2 cache directory][conan-v2-cache-dir].
To obtain licenses we parse the `conanfile.py` files from the [conan cache directory][conan-cache-dir].
To correctly detection licenses, ensure that the cache directory contains all dependencies used.
[conan-v1-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
[conan-v2-cache-dir]: https://docs.conan.io/2/reference/environment.html#conan-home
[conan-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[^1]: The local cache should contain the dependencies used. See [licenses](#licenses).

34
docs/docs/coverage/language/dart.md
View File

@@ -4,16 +4,16 @@ Trivy supports [Dart][dart].
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|-------------------------|:----:|:-------------:|:-------:|
| [Dart][dart-repository] | ✓ | ✓ | - |
| Package manager | SBOM | Vulnerability | License |
|-------------------------| :---: | :-----------: |:-------:|
| [Dart][dart-repository] | ✓ | ✓ | - |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| [Dart][dart-repository] | pubspec.lock | ✓ | Included | ✓ | - | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| [Dart][dart-repository] | pubspec.lock | ✓ | Included | ✓ | - |
## Dart
In order to detect dependencies, Trivy searches for `pubspec.lock`.
@@ -21,28 +21,7 @@ In order to detect dependencies, Trivy searches for `pubspec.lock`.
Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options to separate root and dev transitive dependencies.
So Trivy includes all dependencies in report.
### SDK dependencies
Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter).
It is not possible to accurately determine the versions of these dependencies.
Trivy just treats them as `0.0.0`.
If [--detection-priority comprehensive][detection-priority] is passed, Trivy uses the minimum version of the constraint for the SDK.
For example, in the following case, the version of `flutter` would be `3.3.0`:
```yaml
flutter:
dependency: "direct main"
description: flutter
source: sdk
version: "0.0.0"
sdks:
dart: ">=2.18.0 <3.0.0"
flutter: "^3.3.0"
```
### Dependency tree
To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
!!! note
Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.
@@ -50,4 +29,3 @@ To build `dependency tree` Trivy parses [cache directory][cache-directory]. Curr
[dart-repository]: https://pub.dev/
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cache-directory]: https://dart.dev/tools/pub/glossary#system-cache
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

3
docs/docs/coverage/language/dotnet.md
View File

@@ -21,9 +21,6 @@ The following table provides an outline of the features Trivy offers.
## *.deps.json
Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
!!! note
Trivy only includes runtime dependencies in the report.
## packages.config
Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.

105
docs/docs/coverage/language/golang.md
View File

@@ -1,31 +1,32 @@
# Go
## Overview
## Data Sources
The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages.
## Features
Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
|----------|:----:|:-------------:|:-------------:|
| Modules | ✓ | ✓ | [](#license) |
| Binaries | ✓ | ✓ | - |
| Artifact | SBOM | Vulnerability | License |
| -------- | :---: | :-----------: | :-----: |
| Modules | ✓ | ✓ | ✓[^2] |
| Binaries | ✓ | ✓ | - |
The table below provides an outline of the features Trivy offers.
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] |
|----------|:-----------:|:-----------------|:------------------------------------:|:----------------------:|:----------------------------------------:|
| Modules | ✅ | Include | [](#dependency-graph) | [](#gomod-stdlib) | [](#gomod-stdlib) |
| Binaries | ✅ | Exclude | - | [](#go-binary-stdlib) | Not needed |
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
| Modules | ✅ | Include | ✅[^2] | - |
| Binaries | ✅ | Exclude | - | ✅[^4] |
!!! note
When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself.
For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
Trivy scans only dependencies of the Go project.
Let's say you scan the Docker binary, Trivy doesn't detect vulnerabilities of Docker itself.
Also, when you scan go.mod in Kubernetes, the Kubernetes vulnerabilities will not be found.
## Data Sources
The data sources are listed [here](../../scanner/vulnerability.md#langpkg-data-sources).
Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules.
## Go Module
### Go Modules
Depending on Go versions, the required files are different.
| Version | Required files | Offline |
@@ -41,7 +42,7 @@ Go 1.17+ holds actually needed indirect dependencies in `go.mod`, and it reduces
If you want to have better detection, please consider updating the Go version in your project.
!!! note
The Go version doesn't mean your Go tool version, but the Go version in your go.mod.
The Go version doesn't mean your CLI version, but the Go version in your go.mod.
```
module github.com/aquasecurity/trivy
@@ -60,37 +61,15 @@ If you want to have better detection, please consider updating the Go version in
$ go mod tidy -go=1.18
```
### Main Module { #gomod-main }
Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module.
For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself.
Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
### Standard Library { #gomod-stdlib }
Detecting the version of Go used in the project can be tricky.
The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment.
Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
When enabled, Trivy detects stdlib version as the minimum between the `go` and the `toolchain` directives in the `go.mod` file.
To obtain reproducible scan results Trivy doesn't check the locally installed version of `Go`.
!!! note
Trivy detects `stdlib` only for `Go` 1.21 or higher.
The version from the `go` line (for `Go` 1.20 or early) is not a minimum required version.
For details, see [this](https://go.googlesource.com/proposal/+/master/design/57001-gotoolchain.md).
It possibly produces false positives.
See [the caveat](#stdlib-vulnerabilities) for details.
### License
To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, etc.
To identify licenses and dependency relationships, you need to download modules to local cache beforehand,
such as `go mod download`, `go mod tidy`, etc.
Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
### Dependency Graph
Same as licenses, you need to download modules to local cache beforehand.
### Go binaries
Trivy scans binaries built by Go.
If there is a Go binary in your container image, Trivy automatically finds and scans it.
## Go Binary
Trivy scans Go binaries when it encounters them during scans such as container images or file systems.
When scanning binaries built by Go, Trivy finds dependencies and Go version information as [embedded in the binary by Go tool at build time](https://tip.golang.org/doc/go1.18#go-version).
Also, you can scan your local binaries.
```
$ trivy rootfs ./your_binary
@@ -99,34 +78,20 @@ $ trivy rootfs ./your_binary
!!! note
It doesn't work with UPX-compressed binaries.
### Main Module
Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefor are detected by Trivy.
In other cases, Go uses the `(devel)` version[^2].
In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
If unsuccessful, the version will be empty[^3].
#### Empty versions
There are times when Go uses the `(devel)` version for modules/dependencies.
### Standard Library { #go-binary-stdlib }
Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries.
It possibly produces false positives.
See [the caveat](#stdlib-vulnerabilities) for details.
- Only Go binaries installed using the `go install` command contain correct (semver) version for the main module.
In other cases, Go uses the `(devel)` version[^3].
- Dependencies replaced with local ones use the `(devel)` versions.
## Caveats
### Stdlib Vulnerabilities
Trivy does not know if or how you use stdlib functions, therefore it is possible that stdlib vulnerabilities are not applicable to your use case.
There are a few ways to mitigate this:
1. Analyze vulnerability reachability using a tool such as [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck). This will ensure that reported vulnerabilities are applicable to your project.
2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.
### Empty Version
As described in the [Main Module](#gomod-main) section, the main module of Go binaries might have an empty version.
Also, dependencies replaced with local ones will have an empty version.
In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version
empty if it cannot do so[^5]. For the second case, the version of such packages is empty.
[^1]: It doesn't require the Internet access.
[^2]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
[^3]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
[^2]: Need to download modules to local cache beforehand
[^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities
[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[toolchain]: https://go.dev/doc/toolchain
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

29
docs/docs/coverage/language/index.md
View File

@@ -16,7 +16,7 @@ This is because Trivy primarily categorizes targets into two groups:
If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files.
On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
| Language | File | Image[^4] | Rootfs[^5] | Filesystem[^6] | Repository[^7] |
| Language | File | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
| [Ruby](ruby.md) | Gemfile.lock | - | - | ✅ | ✅ |
| | gemspec | ✅ | ✅ | - | - |
@@ -25,8 +25,8 @@ On the other hand, when the target is a post-build artifact, like a container im
| | requirements.txt | - | - | ✅ | ✅ |
| | egg package[^1] | ✅ | ✅ | - | - |
| | wheel package[^2] | ✅ | ✅ | - | - |
| [PHP](php.md) | composer.lock | - | - | | |
| | installed.json | ✅ | ✅ | - | - |
| | conda package[^3] | | | - | - |
| [PHP](php.md) | composer.lock | ✅ | ✅ | | |
| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ |
| | yarn.lock | - | - | ✅ | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ |
@@ -34,17 +34,16 @@ On the other hand, when the target is a post-build artifact, like a container im
| [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |
| | .deps.json | ✅ | ✅ | ✅ | ✅ |
| | *Packages.props[^9] | ✅ | ✅ | ✅ | ✅ |
| [Java](java.md) | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - |
| | *Packages.props[^11] | ✅ | ✅ | ✅ | ✅ |
| [Java](java.md) | JAR/WAR/PAR/EAR[^4] | ✅ | ✅ | - | - |
| | pom.xml | - | - | ✅ | ✅ |
| | *gradle.lockfile | - | - | ✅ | ✅ |
| | *.sbt.lock | - | - | ✅ | ✅ |
| [Go](golang.md) | Binaries built by Go | ✅ | ✅ | - | - |
| | go.mod | - | - | ✅ | ✅ |
| [Rust](rust.md) | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - |
| [C/C++](c.md) | conan.lock | - | - | ✅ | ✅ |
| [Elixir](elixir.md) | mix.lock[^8] | - | - | ✅ | ✅ |
| [Elixir](elixir.md) | mix.lock[^10] | - | - | ✅ | ✅ |
| [Dart](dart.md) | pubspec.lock | - | - | ✅ | ✅ |
| [Swift](swift.md) | Podfile.lock | - | - | ✅ | ✅ |
| | Package.resolved | - | - | ✅ | ✅ |
@@ -60,10 +59,12 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^4]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
[^9]: `Directory.Packages.props` and legacy `Packages.props` file names are supported
[^3]: `envs/*/conda-meta/*.json`
[^4]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^5]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^6]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^9]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
[^10]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
[^11]: `Directory.Packages.props` and legacy `Packages.props` file names are supported

44
docs/docs/coverage/language/java.md
View File

@@ -1,5 +1,5 @@
# Java
Trivy supports four types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml`, `*gradle.lockfile` and `*.sbt.lock` files.
Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*gradle.lockfile` files.
Each artifact supports the following scanners:
@@ -8,16 +8,14 @@ Each artifact supports the following scanners:
| JAR/WAR/PAR/EAR | ✓ | ✓ | - |
| pom.xml | ✓ | ✓ | ✓ |
| *gradle.lockfile | ✓ | ✓ | ✓ |
| *.sbt.lock | ✓ | ✓ | - |
The following table provides an outline of the features Trivy offers.
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] |
| *gradle.lockfile | - | Exclude | ✓ | ✓ |
These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
@@ -60,7 +58,7 @@ Trivy reproduces Maven's repository selection and priority:
!!! Note
Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#langpkg-data-sources).
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
You can disable connecting to the maven repository with the `--offline-scan` flag.
The `--offline-scan` flag does not affect the Trivy database.
@@ -69,19 +67,6 @@ The vulnerability database will be downloaded anyway.
!!! Warning
Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
### supported scopes
Trivy only scans `import`, `compile`, `runtime` and empty [maven scopes][maven-scopes]. Other scopes and `Optional` dependencies are not currently being analyzed.
### empty dependency version
There are cases when Trivy cannot determine the version of dependencies:
- Unable to determine the version from the parent because the parent is not reachable;
- The dependency uses a [hard requirement][version-requirement] with more than one version.
In these cases, Trivy uses an empty version for the dependency.
!!! Warning
Trivy doesn't detect child dependencies for dependencies without a version.
### maven-invoker-plugin
Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
@@ -109,15 +94,6 @@ Trity also can detect licenses for dependencies.
Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
## SBT
`build.sbt.lock` files only contain information about used dependencies. This requires a lockfile generated using the
[sbt-dependency-lock][sbt-dependency-lock] plugin.
!!!note
All necessary files are checked locally. SBT file scanning doesn't require internet access.
[^1]: Uses maven repository to get information about dependencies. Internet access required.
[^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
[^3]: `ArtifactID`, `GroupID` and `Version`
@@ -130,8 +106,4 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
[maven-central]: https://repo.maven.apache.org/maven2/
[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
[maven-scopes]: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
[detection-priority]: ../../scanner/vulnerability.md#detection-priority
[version-requirement]: https://maven.apache.org/pom.html#dependency-version-requirement-specification
[maven-pom-repos]: https://maven.apache.org/settings.html#repositories

3
docs/docs/coverage/language/nodejs.md
View File

@@ -8,7 +8,7 @@ The following scanners are supported.
|----------|:----:|:-------------:|:-------:|
| npm | ✓ | ✓ | ✓ |
| Yarn | ✓ | ✓ | ✓ |
| pnpm | ✓ | ✓ | |
| pnpm | ✓ | ✓ | - |
| Bun | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
@@ -54,7 +54,6 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
To identify licenses, you need to download dependencies to `node_modules` beforehand. Trivy analyzes `node_modules` for licenses.
#### lock file v9 version
Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.

18
docs/docs/coverage/language/php.md
View File

@@ -4,27 +4,23 @@ Trivy supports [Composer][composer], which is a tool for dependency management i
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Composer | ✓ | ✓ | ✓ |
| Package manager | SBOM | Vulnerability | License |
| --------------- | :---: | :-----------: | :-----: |
| Composer | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | Excluded | ✓ | ✓ |
| Composer | installed.json | ✓ | Excluded | - | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|---------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | Excluded | ✓ | ✓ |
## composer.lock
## Composer
In order to detect dependencies, Trivy searches for `composer.lock`.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.
## installed.json
Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.
[composer]: https://getcomposer.org/
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

26
docs/docs/coverage/language/python.md
View File

@@ -21,11 +21,11 @@ The following scanners are supported for Python packages.
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| pip | requirements.txt | - | Include | - | ✓ | ✓ |
| Pipenv | Pipfile.lock | ✓ | Include | - | ✓ | Not needed |
| Poetry | poetry.lock | ✓ | Exclude | ✓ | - | Not needed |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| pip | requirements.txt | - | Include | - | ✓ |
| Pipenv | Pipfile.lock | ✓ | Include | - | ✓ |
| Poetry | poetry.lock | ✓ | Exclude | ✓ | - |
| Packaging | Dependency graph |
@@ -42,17 +42,8 @@ Trivy parses your files generated by package managers in filesystem/repository s
### pip
#### Dependency detection
By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.
Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging.
In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.
```
keyring >= 4.1.1 # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1 # Minimum version 1.1
python-gitlab==2.0.* # Minimum version 2.0.0
```
Also, there is a way to convert unsupported version specifiers - use the `pip freeze` command.
Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id4) with `==` comparison operator and without `.*`.
To convert unsupported version specifiers - use the `pip freeze` command.
```bash
$ cat requirements.txt
@@ -128,7 +119,7 @@ License detection is not supported for `Poetry`.
## Packaging
Trivy parses the manifest files of installed packages in container image scanning and so on.
See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.
See [here](https://packaging.python.org/en/latest/discussions/wheel-vs-egg/) for the detail.
### Egg
Trivy looks for `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
@@ -139,4 +130,3 @@ Trivy looks for `.dist-info/META-DATA` to identify Python packages.
[^1]: Trivy checks `python`, `python3`, `python2` and `python.exe` file names.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

4
docs/docs/coverage/others/bitnami.md → docs/docs/coverage/os/bitnami.md
View File

@@ -4,8 +4,8 @@
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of the [container images provided by Bitnami](https://github.com/bitnami/containers).
Bitnami images are based on [Debian](../os/debian.md).
Please see [the Debian page](../os/debian.md) for OS packages.
Bitnami images are based on [Debian](debian.md).
Please see [the Debian page](debian.md) for OS packages.
Trivy supports the following scanners for Bitnami packages.

23
docs/docs/coverage/os/azure.md → docs/docs/coverage/os/cbl-mariner.md
View File

@@ -1,7 +1,4 @@
# Azure Linux (CBL-Mariner)
*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*
# CBL-Mariner
Trivy supports the following scanners for OS packages.
| Version | SBOM | Vulnerability | License |
@@ -10,8 +7,6 @@ Trivy supports the following scanners for OS packages.
| 1.0 (Distroless) | ✔ | ✔ | |
| 2.0 | ✔ | ✔ | ✔ |
| 2.0 (Distroless) | ✔ | ✔ | |
| 3.0 | ✔ | ✔ | ✔ |
| 3.0 (Distroless) | ✔ | ✔ | |
The following table provides an outline of the targets Trivy supports.
@@ -20,7 +15,6 @@ The following table provides an outline of the targets Trivy supports.
| ------- | :-------------: | :-------------: | :----------: |
| 1.0 | ✔ | ✔ | amd64, arm64 |
| 2.0 | ✔ | ✔ | amd64, arm64 |
| 3.0 | ✔ | ✔ | amd64, arm64 |
The table below outlines the features offered by Trivy.
@@ -30,22 +24,22 @@ The table below outlines the features offered by Trivy.
| [Dependency graph][dependency-graph] | ✓ |
## SBOM
Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.
Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
## Vulnerability
Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
### Fixed Version
Trivy takes fixed versions from [Azure Linux OVAL][oval].
Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
### Severity
Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].
Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
### Status
Trivy supports the following [vulnerability statuses] for Azure Linux.
Trivy supports the following [vulnerability statuses] for CBL-Mariner.
| Status | Supported |
| :-----------------: | :-------: |
@@ -61,11 +55,12 @@ Trivy supports the following [vulnerability statuses] for Azure Linux.
Trivy identifies licenses by examining the metadata of RPM packages.
!!! note
License detection is not supported for Azure Linux Distroless images.
License detection is not supported for CBL-Mariner Distroless.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cbl-mariner]: https://github.com/microsoft/CBL-Mariner
[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[vulnerability statuses]: ../../configuration/filtering.md#by-status

36
docs/docs/coverage/os/conda.md Normal file
View File

@@ -0,0 +1,36 @@
# Conda
Trivy supports the following scanners for Conda packages.
| Scanner | Supported |
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | - |
| License | ✓[^1] |
## SBOM
Trivy detects packages that have been installed with `Conda`.
### `<package>.json`
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
### `environment.yml`[^2]
Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
!!! note
License detection is currently not supported.
`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
!!! note
For dependencies in a non-Conda format, Trivy doesn't include a version of them.
[^1]: License detection is only supported for `<package>.json` files
[^2]: Trivy supports both `yaml` and `yml` extensions.
[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs

40
docs/docs/coverage/os/index.md
View File

@@ -9,33 +9,31 @@ Trivy supports operating systems for
## Supported OS
| OS | Supported Versions | Package Managers |
|---------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Linux Enterprise](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise Micro](suse.md)| 5, 6 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](../others/conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|--------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
## Supported container images
| Container image | Supported Versions | Package Managers |
|-----------------------------------------------|-------------------------------------|------------------|
| [Google Distroless](google-distroless.md)[^2] | Any | apt/dpkg |
| [Bitnami](../others/bitnami.md) | Any | - |
| [Bitnami](bitnami.md) | Any | - |
Each page gives more details.

13
docs/docs/coverage/os/oracle.md
View File

@@ -28,19 +28,6 @@ See [here](../../scanner/vulnerability.md#data-sources).
### Fixed Version
Trivy takes fixed versions from [Oracle security advisories][alerts].
#### Flavors
Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor.
| Flavor | Format | Example |
|:-------:|:------------------------------------:|------------------------------------------------------|
| normal | version without `fips` and `ksplice` | 3.6.16-4.el8 |
| fips | `*_fips` | 10:3.6.16-4.0.1.el8_fips |
| ksplice | `*.ksplice*.*` | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 |
For example Trivy finds [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) only for the `normal` and `fips` flavors.
For the `ksplice` flavor, [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) will be skipped.
### Severity
Trivy determines vulnerability severity based on the severity metric provided in [Oracle security advisories][alerts].
For example, the security patch for [CVE-2023-0464][CVE-2023-0464] is provided as [ELSA-2023-2645][ELSA-2023-2645].

8
docs/docs/coverage/os/suse.md
View File

@@ -2,9 +2,7 @@
Trivy supports the following distributions:
- openSUSE Leap
- openSUSE Tumbleweed
- SUSE Linux Enterprise (SLE)
- SUSE Linux Enterprise Micro
- SUSE Enterprise Linux (SLE)
Please see [here](index.md#supported-os) for supported versions.
@@ -37,6 +35,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
[vulnerability statuses]: ../../configuration/filtering.md#by-status
[vulnerability statuses]: ../../configuration/filtering.md#by-status

48
docs/docs/coverage/others/conda.md
View File

@@ -1,48 +0,0 @@
# Conda
Trivy supports the following scanners for Conda packages.
| Scanner | Supported |
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | - |
| License | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|-----------------|-----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| Conda | environment.yml | - | Include | - | ✓ | - |
## `<package>.json`
### SBOM
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the dependencies installed in your env.
### License
The `<package>.json` files contain package license information.
Trivy includes licenses for the packages it finds without having to parse additional files.
## `environment.yml`[^1]
### SBOM
Trivy supports parsing [environment.yml][environment.yml][^1] files to find dependency list.
`environment.yml`[^1] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^1] file.
!!! note
For dependencies in a non-Conda format, Trivy doesn't include a version of them.
### License
Trivy parses `conda-meta/<package>.json` files at the [prefix] path.
To correctly define licenses, make sure your `environment.yml`[^1] contains `prefix` field and `prefix` directory contains `package.json` files.
!!! note
To get correct `environment.yml`[^1] file and fill `prefix` directory - use `conda env export` command.
[^1]: Trivy supports both `yaml` and `yml` extensions.
[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
[prefix]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#specifying-a-location-for-an-environment
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

28
docs/docs/coverage/others/index.md
View File

@@ -1,28 +0,0 @@
# Others
In this section we have placed images, package managers and files that we can't assign to existing sections.
Trivy supports them for
- [SBOM][sbom]
- [Vulnerabilities][vuln]
- [Licenses][license]
## Supported elements
| Element | File | Image[^1] | Rootfs[^2] | Filesystem[^3] | Repository[^4] |
|--------------------------------|-----------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
| [Bitnami packages](bitnami.md) | `/opt/bitnami/<component>/.spdx-<component>.spdx` | ✅ | ✅ | - | - |
| [Conda](conda.md) | `<conda-root>/envs/<env>/conda-meta/<package>.json` | ✅ | ✅ | - | - |
| | `environment.yml` | - | - | ✅ | ✅ |
| [RPM Archives](rpm.md) | `*.rpm` | ✅[^5] | ✅[^5] | ✅[^5] | ✅[^5] |
[sbom]: ../../supply-chain/sbom.md
[vuln]: ../../scanner/vulnerability.md
[license]: ../../scanner/license.md
[^1]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^2]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^3]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^4]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^5]: Only if the `TRIVY_EXPERIMENTAL_RPM_ARCHIVE` env is set.

42
docs/docs/coverage/others/rpm.md
View File

@@ -1,42 +0,0 @@
# RPM Archives
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports the following scanners for RPM archives.
| Scanner | Supported |
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | ✓[^1] |
| License | ✓ |
The table below outlines the features offered by Trivy.
## SBOM
Trivy analyzes RPM archives matching `*.rpm`.
This feature is currently disabled by default but can be enabled with an environment variable, `TRIVY_EXPERIMENTAL_RPM_ARCHIVE`.
```shell
TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json
```
!!! note
Currently, it works with `--format cyclonedx`, `--format spdx` or `--format spdx-json`.
## Vulnerability
Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
For example:
```shell
$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json
$ jq '(.components[] | select(.type == "operating-system")) |= (.name = "redhat" | .version = "7.9")' rpms.cdx.json > rpms-res.cdx.json
$ trivy sbom ./rpms-res.cdx.json
```
## License
If licenses are included in the RPM archive, Trivy extracts it.
[^1]: Need to generate SBOM first and add OS information to that SBOM

5
docs/docs/index.md
View File

@@ -1,6 +1,5 @@
# Docs
Welcome to the Trivy documentation!
Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.
In this section you can find the complete reference documentation for all the different features and settings that Trivy has to offer.
👈 Please use the left side navigation browse the different topics.
👈 Please use the side-navigation on the left in order to browse the different topics.

8
docs/docs/plugin/user-guide.md
View File

@@ -40,6 +40,8 @@ $ trivy plugin install referrer
This command will download the plugin and install it in the plugin cache.
Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
The preference order is as follows:
@@ -53,10 +55,7 @@ Furthermore, it is possible to download plugins that are not registered in the i
$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
```
```bash
$ trivy plugin install https://github.com/aquasecurity/trivy-plugin-kubectl/archive/refs/heads/main.zip
```
```bash
$ trivy plugin install ./myplugin.tar.gz
$ trivy plugin install myplugin.tar.gz
```
If the plugin's Git repository is [properly tagged](./developer-guide.md#tagging-plugin-repositories), you can specify the version to install like this:
@@ -103,6 +102,7 @@ VERSION:
dev
Scanning Commands
aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image

4
docs/docs/references/configuration/cli/trivy.md
View File

@@ -43,7 +43,7 @@ trivy [global flags] command [flags] target
### SEE ALSO
* [trivy clean](trivy_clean.md) - Remove cached files
* [trivy aws](trivy_aws.md) - [EXPERIMENTAL] Scan AWS account
* [trivy config](trivy_config.md) - Scan config files for misconfigurations
* [trivy convert](trivy_convert.md) - Convert Trivy JSON report into a different format
* [trivy filesystem](trivy_filesystem.md) - Scan local filesystem
@@ -51,12 +51,10 @@ trivy [global flags] command [flags] target
* [trivy kubernetes](trivy_kubernetes.md) - [EXPERIMENTAL] Scan kubernetes cluster
* [trivy module](trivy_module.md) - Manage modules
* [trivy plugin](trivy_plugin.md) - Manage plugins
* [trivy registry](trivy_registry.md) - Manage registry authentication
* [trivy repository](trivy_repository.md) - Scan a repository
* [trivy rootfs](trivy_rootfs.md) - Scan rootfs
* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities and licenses
* [trivy server](trivy_server.md) - Server mode
* [trivy version](trivy_version.md) - Print the version
* [trivy vex](trivy_vex.md) - [EXPERIMENTAL] VEX utilities
* [trivy vm](trivy_vm.md) - [EXPERIMENTAL] Scan a virtual machine image

127
docs/docs/references/configuration/cli/trivy_aws.md Normal file
View File

@@ -0,0 +1,127 @@
## trivy aws
[EXPERIMENTAL] Scan AWS account
### Synopsis
Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
The following services are supported:
- accessanalyzer
- api-gateway
- athena
- cloudfront
- cloudtrail
- cloudwatch
- codebuild
- documentdb
- dynamodb
- ec2
- ecr
- ecs
- efs
- eks
- elasticache
- elasticsearch
- elb
- emr
- iam
- kinesis
- kms
- lambda
- mq
- msk
- neptune
- rds
- redshift
- s3
- sns
- sqs
- ssm
- workspaces
```
trivy aws [flags]
```
### Examples
```
# basic scanning
$ trivy aws --region us-east-1
# limit scan to a single service:
$ trivy aws --region us-east-1 --service s3
# limit scan to multiple services:
$ trivy aws --region us-east-1 --service s3 --service ec2
# force refresh of cache for fresh results
$ trivy aws --region us-east-1 --update-cache
```
### Options
```
--account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
--arn string The AWS ARN to show results for. Useful to filter results once a scan is cached.
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--compliance string compliance report to generate (aws-cis-1.2,aws-cis-1.4)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--endpoint string AWS Endpoint override
--exit-code int specify exit code when any security issues are found
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for aws
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--region string AWS Region to scan
--report string specify a report format for the output (all,summary) (default "all")
--reset-checks-bundle remove checks bundle
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files
--trace enable more verbose trace output for custom queries
--update-cache Update the cache for the applicable cloud provider instead of using cached results.
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

51
docs/docs/references/configuration/cli/trivy_clean.md
View File

@@ -1,51 +0,0 @@
## trivy clean
Remove cached files
```
trivy clean [flags]
```
### Examples
```
# Remove all caches
$ trivy clean --all
# Remove scan cache
$ trivy clean --scan-cache
# Remove vulnerability database
$ trivy clean --vuln-db
```
### Options
```
-a, --all remove all caches
--checks-bundle remove checks bundle
-h, --help help for clean
--java-db remove Java database
--scan-cache remove scan cache (container and VM image analysis results)
--vex-repo remove VEX repositories
--vuln-db remove vulnerability database
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner

10
docs/docs/references/configuration/cli/trivy_config.md
View File

@@ -9,15 +9,15 @@ trivy config [flags] DIR
### Options
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
@@ -32,20 +32,20 @@ trivy config [flags] DIR
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset-checks-bundle remove checks bundle
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-dirs strings specify the directories or glob patterns to skip

25
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -19,22 +19,18 @@ trivy filesystem [flags] PATH
### Options
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
@@ -55,8 +51,8 @@ trivy filesystem [flags] PATH
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
@@ -68,9 +64,6 @@ trivy filesystem [flags] PATH
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -78,6 +71,8 @@ trivy filesystem [flags] PATH
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -89,7 +84,6 @@ trivy filesystem [flags] PATH
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files
@@ -97,7 +91,8 @@ trivy filesystem [flags] PATH
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```
### Options inherited from parent commands

27
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -34,21 +34,17 @@ trivy image [flags] IMAGE_NAME
### Options
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (docker-cis-1.6.0)
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (docker-cis)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--docker-host string unix domain socket path to use for docker scanning
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -72,9 +68,9 @@ trivy image [flags] IMAGE_NAME
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--input string input file path instead of image name
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
@@ -86,9 +82,6 @@ trivy image [flags] IMAGE_NAME
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--redis-ca string redis ca file location, if using redis as cache backend
@@ -99,6 +92,8 @@ trivy image [flags] IMAGE_NAME
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (all,summary) (default "summary")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -110,14 +105,14 @@ trivy image [flags] IMAGE_NAME
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```
### Options inherited from parent commands

29
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -30,20 +30,16 @@ trivy kubernetes [flags] [CONTEXT]
```
--burst int specify the maximum burst for throttle (default 10)
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -69,23 +65,20 @@ trivy kubernetes [flags] [CONTEXT]
--include-deprecated-checks include deprecated checks
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--no-progress suppress progress bar
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.2.1")
--node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
@@ -94,6 +87,8 @@ trivy kubernetes [flags] [CONTEXT]
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -105,13 +100,13 @@ trivy kubernetes [flags] [CONTEXT]
--skip-files strings specify the files or glob patterns to skip
--skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```
### Options inherited from parent commands

29
docs/docs/references/configuration/cli/trivy_registry.md
View File

@@ -1,29 +0,0 @@
## trivy registry
Manage registry authentication
### Options
```
-h, --help help for registry
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy](trivy.md) - Unified security scanner
* [trivy registry login](trivy_registry_login.md) - Log in to a registry
* [trivy registry logout](trivy_registry_logout.md) - Log out of a registry

41
docs/docs/references/configuration/cli/trivy_registry_login.md
View File

@@ -1,41 +0,0 @@
## trivy registry login
Log in to a registry
```
trivy registry login SERVER [flags]
```
### Examples
```
# Log in to reg.example.com
cat ~/my_password.txt | trivy registry login --username foo --password-stdin reg.example.com
```
### Options
```
-h, --help help for login
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--username strings username. Comma-separated usernames allowed.
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy registry](trivy_registry.md) - Manage registry authentication

38
docs/docs/references/configuration/cli/trivy_registry_logout.md
View File

@@ -1,38 +0,0 @@
## trivy registry logout
Log out of a registry
```
trivy registry logout SERVER [flags]
```
### Examples
```
# Log out of reg.example.com
trivy registry logout reg.example.com
```
### Options
```
-h, --help help for logout
```
### Options inherited from parent commands
```
--cache-dir string cache directory (default "/path/to/cache")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--generate-default-config write the default config to trivy-default.yaml
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
### SEE ALSO
* [trivy registry](trivy_registry.md) - Manage registry authentication

Some files were not shown because too many files have changed in this diff Show More